83 FR 3433 - Supply Chain Risk Management Reliability Standards

[Federal Register Volume 83, Number 17 (Thursday, January 25, 2018)]
[Proposed Rules]
[Pages 3433-3442]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-01247]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM17-13-000]


Supply Chain Risk Management Reliability Standards

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes 
to approve supply chain risk management Reliability Standards CIP-013-1 
(Cyber Security--Supply Chain Risk Management), CIP-005-6 (Cyber 
Security--Electronic Security Perimeter(s)) and CIP-010-3 (Cyber 
Security--Configuration Change Management and Vulnerability

[[Page 3434]]

Assessments). The North American Electric Reliability Corporation 
(NERC), the Commission-certified Electric Reliability Organization, 
submitted the proposed Reliability Standards for Commission approval in 
response to a Commission directive. In addition, the Commission 
proposes that NERC develop and submit certain modifications to the 
supply chain risk management Reliability Standards.

DATES: Comments are due March 26, 2018.

ADDRESSES: Comments, identified by docket number, may be filed in the 
following ways:
     Electronic Filing through http://www.ferc.gov. Documents 
created electronically using word processing software should be filed 
in native applications or print-to-PDF format and not in a scanned 
format.
     Mail/Hand Delivery: Those unable to file electronically 
may mail or hand-deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE, 
Washington, DC 20426.
    Instructions: For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the Comment 
Procedures Section of this document.

FOR FURTHER INFORMATION CONTACT: 
Simon Slobodnik (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426, (202) 502-6707, [email protected].
Kevin Ryan (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE, Washington, DC 
20426, (202) 502-6840, [email protected].

SUPPLEMENTARY INFORMATION: 
    1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),\1\ 
the Commission proposes to approve supply chain risk management 
Reliability Standards CIP-013-1 (Cyber Security--Supply Chain Risk 
Management), CIP-005-6 (Cyber Security--Electronic Security 
Perimeter(s)) and CIP-010-3 (Cyber Security--Configuration Change 
Management and Vulnerability Assessments). The North American Electric 
Reliability Corporation (NERC), the Commission-certified Electric 
Reliability Organization (ERO), submitted the proposed Reliability 
Standards for Commission approval in response to a Commission directive 
in Order No. 829.\2\ The proposed Reliability Standards are intended to 
augment the currently-effective CIP Reliability Standards to mitigate 
cybersecurity risks associated with the supply chain for BES Cyber 
Systems.\3\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(2).
    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 829, 156 FERC ¶ 61,050, at P 43 (2016).
    \3\ BES Cyber System is defined as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' Glossary of Terms 
Used in NERC Reliability Standards (NERC Glossary), http://www.nerc.com/files/glossary_of_terms.pdf. The acronym BES refers to 
the bulk electric system.
---------------------------------------------------------------------------

    2. As the Commission previously recognized, the global supply chain 
provides the opportunity for significant benefits to customers, 
including low cost, interoperability, rapid innovation, a variety of 
product features and choice.\4\ However, the global supply chain also 
enables opportunities for adversaries to directly or indirectly affect 
the management or operations of companies that may result in risks to 
end users. Supply chain risks may include the insertion of 
counterfeits, unauthorized production, tampering, theft, or insertion 
of malicious software, as well as poor manufacturing and development 
practices. We propose to determine that the supply chain risk 
management Reliability Standards submitted by NERC constitute 
substantial progress in addressing the supply chain cyber security 
risks identified by the Commission.
---------------------------------------------------------------------------

    \4\ Revised Critical Infrastructure Protection Reliability 
Standards, Notice of Proposed Rulemaking, 80 FR 43354 (July 22, 
2015), 152 FERC ¶ 61,054, at PP 61-62 (2015).
---------------------------------------------------------------------------

    3. The Commission also proposes to approve the proposed Reliability 
Standards' associated violation risk factors and violation severity 
levels. With respect to the proposed Reliability Standards' 
implementation plan and effective date, the Commission proposes to 
reduce the implementation period from the first day of the first 
calendar quarter that is 18 months following the effective date of a 
Commission order approving the proposed Reliability Standards, as 
proposed by NERC, to the first day of the first calendar quarter that 
is 12 months following the effective date of a Commission order.
    4. While the Commission proposes to determine that the proposed 
Reliability Standards address most aspects of the Commission's 
directive in Order No. 829, there remains a significant cyber security 
risk associated with the supply chain for BES Cyber Systems because the 
proposed Reliability Standards exclude Electronic Access Control and 
Monitoring Systems (EACMS),\5\ Physical Access Control Systems 
(PACS),\6\ and Protected Cyber Assets (PCAs),\7\ with the exception of 
the modifications in proposed Reliability Standard CIP-005-6, which 
apply to PCAs. To address this gap, pursuant to section 215(d)(5) of 
the FPA,\8\ the Commission proposes to direct NERC to develop 
modifications to the CIP Reliability Standards to include EACMS 
associated with medium and high impact BES Cyber Systems within the 
scope of the supply chain risk management Reliability Standards.\9\ In 
addition, the Commission proposes to direct NERC to evaluate the cyber 
security supply chain risks presented by PACS and PCAs in the study of 
cyber security supply chain risks requested by the NERC Board of 
Trustees (BOT) in its resolutions of August 10, 2017.\10\ The 
Commission further proposes to direct NERC to file the BOT-requested 
study's interim and final reports with the Commission upon their 
completion.
---------------------------------------------------------------------------

    \5\ EACMS are defined as ``Cyber Assets that perform electronic 
access control or electronic access monitoring of the Electronic 
Security Perimeter(s) or BES Cyber Systems. This includes 
Intermediate Systems.'' NERC Glossary. Reliability Standard CIP-002-5.1a 
(Cyber Security--BES Cyber System Categorization) states that 
examples of EACMS include ``Electronic Access Points, Intermediate 
Systems, authentication servers (e.g., RADIUS servers, Active 
Directory servers, Certificate Authorities), security event 
monitoring systems, and intrusion detection systems.'' Reliability 
Standard CIP-002-5.1a (Cyber Security--BES Cyber System 
Categorization) Section A.6 at 6.
    \6\ PACS are defined as ``Cyber Assets that control, alert, or 
log access to the Physical Security Perimeter(s), exclusive of 
locally mounted hardware or devices at the Physical Security 
Perimeter such as motion sensors, electronic lock control 
mechanisms, and badge readers.'' NERC Glossary. Reliability Standard 
CIP-002-5.1a states that examples include ``authentication servers, 
card systems, and badge control systems.'' Id.
    \7\ PCAs are defined as ``[o]ne or more Cyber Assets connected 
using a routable protocol within or on an Electronic Security 
Perimeter that is not part of the highest impact BES Cyber System 
within the same Electronic Security Perimeter. The impact rating of 
Protected Cyber Assets is equal to the highest rated BES Cyber 
System in the same [Electronic Security Perimeter].'' NERC Glossary. 
Reliability Standard CIP-002-5.1a states that examples include, to 
the extent they are within the Electronic Security Perimeter, ``file 
servers, ftp servers, time servers, LAN switches, networked 
printers, digital fault recorders, and emission monitoring 
systems.'' Id.
    \8\ 16 U.S.C. 824o(d)(5).
    \9\ Reliability Standard CIP-002-5.1a (Cyber Security System 
Categorization) provides a ``tiered'' approach to cybersecurity 
requirements, based on classifications of high, medium and low 
impact BES Cyber Systems.
    \10\ Proposed Additional Resolutions for Agenda Item 9.a: Cyber 
Security--Supply Chain Risk Management--CIP-005-6, CIP-010-3, and 
CIP-013-1 (August 10, 2017), http://www.nerc.com/gov/bot/Agenda%20highlights%20and%20Mintues%202013/Proposed%20Resolutions%20re%20Supply%20Chain%20Follow-Up%20v2.pdf.

---------------------------------------------------------------------------

[[Page 3435]]

I. Background

A. Section 215 and Mandatory Reliability Standards

    5. Section 215 of the FPA requires a Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Reliability Standards may be enforced 
by the ERO, subject to Commission oversight, or by the Commission 
independently.\11\ Pursuant to section 215 of the FPA, the Commission 
established a process to select and certify an ERO,\12\ and 
subsequently certified NERC.\13\
---------------------------------------------------------------------------

    \11\ 16 U.S.C. 824o(e).
    \12\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \13\ North American Electric Reliability Corp., 116 FERC ¶ 61,062, 
order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Order No. 829

    6. In Order No. 829, the Commission directed NERC to develop a new 
or modified Reliability Standard that addresses supply chain risk 
management for industrial control system hardware, software and 
computing and networking services associated with bulk electric system 
operations.\14\ Specifically, the Commission directed NERC to develop a 
forward-looking, objective-based Reliability Standard that would 
require responsible entities to develop and implement a plan with 
supply chain management security controls focused on four security 
objectives: (1) Software integrity and authenticity; (2) vendor remote 
access; (3) information system planning; and (4) vendor risk management 
and procurement controls.\15\
---------------------------------------------------------------------------

    \14\ Order No. 829, 156 FERC ¶ 61,050 at P 43.
    \15\ Id. P 45.
---------------------------------------------------------------------------

    7. The Commission explained that the first objective, verification 
of software integrity and authenticity, is intended to reduce the 
likelihood that an attacker could exploit legitimate vendor patch 
management processes to deliver compromised software updates or patches 
to a BES Cyber System.\16\
---------------------------------------------------------------------------

    \16\ Id. P 49.
---------------------------------------------------------------------------

    8. With respect to the second objective, vendor remote access, the 
Commission stated that the objective is intended to address the threat 
that vendor credentials could be stolen and used to access a BES Cyber 
System without the responsible entity's knowledge, as well as the 
threat that a compromise at a trusted vendor could traverse over an 
unmonitored connection into a responsible entity's BES Cyber 
System.\17\
---------------------------------------------------------------------------

    \17\ Id. P 52.
---------------------------------------------------------------------------

    9. For the third objective, information system planning, Order No. 
829 indicated that the objective is intended to address the risk that 
responsible entities could unintentionally plan to procure and install 
unsecure equipment or software within their information systems, or 
could unintentionally fail to anticipate security issues that may arise 
due to their network architecture or during technology and vendor 
transitions.\18\
---------------------------------------------------------------------------

    \18\ Id. P 57.
---------------------------------------------------------------------------

    10. Vendor risk management and procurement controls, the fourth 
objective, the Commission explained, are intended to address the risk 
that responsible entities could enter into contracts with vendors that 
pose significant risks to the responsible entities' information 
systems, as well as the risk that products procured by a responsible 
entity fail to meet minimum security criteria. This objective also 
addresses the risk that a compromised vendor would not provide adequate 
notice and related incident response to responsible entities with whom 
that vendor is connected.\19\
---------------------------------------------------------------------------

    \19\ Id. P 60.
---------------------------------------------------------------------------

    11. Order No. 829 stated that while responsible entities should be 
required to develop and implement a plan, the Commission did not 
require NERC to impose any specific controls or ``one-size-fits-all'' 
requirements.\20\ In addition, the Commission stated that NERC's 
response to the Order No. 829 directive should respect the Commission's 
jurisdiction under FPA section 215 by only addressing the obligations 
of responsible entities and not by directly imposing any obligations on 
non-jurisdictional suppliers, vendors or other entities that provide 
products or services to responsible entities.\21\
---------------------------------------------------------------------------

    \20\ Id. P 13.
    \21\ Id. P 21.
---------------------------------------------------------------------------

C. NERC Petition and Proposed Reliability Standards

    12. On September 26, 2017, NERC submitted for Commission approval 
proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 and 
their associated violation risk factors and violation severity levels, 
implementation plans, and effective dates.\22\ NERC states that the 
purpose of the proposed Reliability Standards is to enhance the 
cybersecurity posture of the electric industry by requiring responsible 
entities to take additional actions to address cybersecurity risks 
associated with the supply chain for BES Cyber Systems. NERC explains 
that the proposed Reliability Standards are designed to augment the 
existing controls required in the currently-effective CIP Reliability 
Standards that help mitigate supply chain risks, providing increased 
attention on minimizing the attack surfaces of information and 
communications technology products and services procured to support 
reliable bulk electric system operations, consistent with Order No. 
829. Each proposed Reliability Standard is summarized below.
---------------------------------------------------------------------------

    \22\ Proposed Reliability Standards CIP-013-1, CIP-005-6 and 
CIP-010-3 are not attached to this notice of proposed rulemaking 
(NOPR). The proposed Reliability Standards are available on the 
Commission's eLibrary document retrieval system in Docket No. RM17-13-000 
and on the NERC website, www.nerc.com.
---------------------------------------------------------------------------

    13. NERC states that the proposed Reliability Standards apply only 
to medium and high impact BES Cyber Systems. NERC explains that the 
goal of the CIP Reliability Standards is to ``focus[ ] industry 
resources on protecting those BES Cyber Systems with heightened risks 
to the [bulk electric system] . . . [and] that the requirements 
applicable to low impact BES Cyber Systems, given their lower risk 
profile, should not be overly burdensome to divert resources from the 
protection of medium and high impact BES Cyber Systems.'' \23\ NERC 
further maintains that the standard drafting team chose to apply the 
proposed Reliability Standards only to medium and high impact BES Cyber 
Systems because the proposed Reliability Standards are ``consistent 
with the type of existing CIP cybersecurity requirements applicable to 
high and medium impact BES Cyber Systems as opposed to those applicable 
to low impact BES Cyber Systems.'' \24\
---------------------------------------------------------------------------

    \23\ NERC Petition at 16-17.
    \24\ Id. at 18.
---------------------------------------------------------------------------

    14. NERC states that the standard drafting team also excluded 
EACMS, PACS, and PCAs from the scope of the proposed Reliability 
Standards, with the exception of the modifications in proposed 
Reliability Standard CIP-005-6, which apply to PCAs. NERC explains that 
although certain requirements in the existing CIP Reliability Standards 
apply to EACMS, PACS, and PCAs due to their association with BES Cyber 
Systems (either by function or location), the standard drafting team 
determined that the proposed supply chain risk management Reliability 
Standards should focus on high and medium impact BES Cyber Systems 
only. NERC states that this determination was based on the conclusion 
that applying the

[[Page 3436]]

proposed Reliability Standards to EACMS, PACS, and PCAs ``would divert 
resources from protecting medium and high BES Cyber Systems.'' \25\
---------------------------------------------------------------------------

    \25\ Id. at 20.
---------------------------------------------------------------------------

    15. NERC maintains that with respect to low impact BES Cyber 
Systems and EACMS, PACS, and PCAs, while not mandatory, NERC expects 
that these assets will likely be subject to responsible entity supply 
chain risk management plans required by proposed Reliability Standard 
CIP-013-1. Specifically, NERC asserts that ``Responsible Entities may 
implement a single process for procuring products and services 
associated with their operational environments.'' \26\ NERC contends 
that ``by requiring that entities implement supply chain cybersecurity 
risk management plans for high and medium impact BES Cyber Systems, 
those plans would likely also cover their low impact BES Cyber 
Systems.'' \27\ NERC also claims that responsible entities ``may also 
use the same vendors for procuring PACS, EACMS, and PCAs as they do for 
their high and medium impact BES Cyber Systems such that the same 
security considerations may be addressed for those Cyber Assets.'' \28\
---------------------------------------------------------------------------

    \26\ Id.
    \27\ Id. at 19.
    \28\ Id. at 20.
---------------------------------------------------------------------------

Proposed Reliability Standard CIP-013-1
    16. NERC states that the focus of proposed Reliability Standard 
CIP-013-1 is on the steps that responsible entities take ``to consider 
and address cybersecurity risks from vendor products and services 
during BES Cyber System planning and procurement.'' \29\ NERC explains 
that proposed Reliability Standard CIP-013-1 does not require any 
specific controls or mandate ``one-size-fits-all'' requirements due to 
the differences in needs and characteristics of responsible entities 
and the diversity of bulk electric system environments, technologies, 
and risks. NERC states that the goal of the proposed Reliability 
Standard is ``to help ensure that responsible entities establish 
organizationally-defined processes that integrate a cybersecurity risk 
management framework into the system development lifecycle.'' \30\ NERC 
explains that, among other things, proposed Reliability Standard CIP-013-1 
addresses the risk associated with information system planning, 
as well as vendor risk management and procurement controls, the third 
and fourth objectives outlined in Order No. 829.
---------------------------------------------------------------------------

    \29\ Id. at 22.
    \30\ Id. at 23.
---------------------------------------------------------------------------

    17. NERC states that, consistent with the Commission's FPA section 
215 jurisdiction and Order No. 829, the proposed Reliability Standard 
applies only to responsible entities and does not directly impose 
obligations on suppliers, vendors, or other entities that provide 
products or services to responsible entities. NERC explains that the 
focus of the proposed Reliability Standard is on the steps responsible 
entities take to account for security issues during the planning and 
procurement phase of high and medium impact BES Cyber Systems. NERC 
also explains that any resulting obligation that a supplier, vendor, or 
other entity accepts in providing products or services to the 
responsible entity is a contractual matter between the responsible 
entity and third parties, which is outside the scope of the proposed 
Reliability Standard.
    18. NERC explains that the term ``vendor'' is used broadly to refer 
to any person, company or other organization with whom the responsible 
entity, or an affiliate, contracts with to supply BES Cyber Systems and 
related services to the responsible entity. NERC states that the use of 
the term ``vendor,'' however, ``was not intended to bring registered 
entities that provide reliability services to other registered entities 
as part of their functional obligations under NERC's Reliability 
Standards (e.g., a Balancing Authority providing balancing services for 
registered entities in its Balancing Authority Area) within the scope 
of the proposed Reliability Standards.'' \31\
---------------------------------------------------------------------------

    \31\ Id. at 21.
---------------------------------------------------------------------------

    19. NERC maintains that, consistent with Order No. 829, responsible 
entities need not apply their supply chain risk management plans to the 
acquisition of vendor products or services under contracts executed 
prior to the effective date of Reliability Standard CIP-013-1, nor 
would such contracts need to be renegotiated or abrogated to comply 
with the proposed Reliability Standard. In addition, NERC indicates 
that, consistent with the development of a forward looking Reliability 
Standard, if entities are in the middle of procurement activities for 
an applicable product or service at the time of the effective date of 
proposed Reliability Standard CIP-013-1, NERC would not expect entities 
to begin those activities anew to implement their supply chain 
cybersecurity risk management plan to comply with proposed Reliability 
Standard CIP-013-1.
    20. NERC explains that, under Requirement R1 of this Reliability 
Standard, responsible entities would be required to have one or more 
processes to address, as applicable, the following baseline set of 
security concepts in their procurement activities for high and medium 
impact BES Cyber Systems: (1) Vendor security event notification 
processes (Part 1.2.1); (2) coordinated incident response activities 
(Part 1.2.2); (3) vendor personnel termination notification for 
employees with access to remote and onsite systems (Part 1.2.3); (4) 
product/services vulnerability disclosures (Part 1.2.4); (5) 
verification of software integrity and authenticity (Part 1.2.5); and 
(6) coordination of vendor remote access controls (Part 1.2.6). NERC 
states that the intent of Part 1.2 of Requirement R1 is not to require 
that every contract with a vendor include provisions for each of the 
listed items, but to ensure that these security items are an integrated 
part of procurement activities, such as a request for proposal or in 
the contract negotiation process.
    21. NERC states that Requirement R2 mandates that each responsible 
entity implement its supply chain cybersecurity risk management plan. 
NERC explains that the actual terms and conditions of a procurement 
contract and vendor performance under a contract are outside the scope 
of proposed Reliability Standard CIP-013-1. NERC states that the focus 
of proposed Reliability Standard CIP-013-1 is ``on the processes 
Responsible Entities implement to consider and address cyber security 
risks from vendor products or services during BES Cyber System planning 
and procurement, not on the outcome of those processes. . . .'' \32\ 
NERC maintains that responsible entities must make a business decision 
on whether and how to proceed with an acquisition after weighing the 
risks associated with a vendor or product and making a good faith 
effort to include security controls in any agreement with a vendor, as 
required by proposed Reliability Standard CIP-013-1. In addition, NERC 
states that vendor performance is outside the scope of the proposed 
Reliability Standards and, while NERC expects responsible entities to 
enforce the provisions of their contracts, ``a Responsible Entity 
should not be held responsible under the proposed Reliability Standard 
for actions (or inactions) of the vendor.'' \33\
---------------------------------------------------------------------------

    \32\ Id. at 27.
    \33\ Id. at 28.
---------------------------------------------------------------------------

    22. With regard to assessing compliance with proposed Reliability

[[Page 3437]]

Standard CIP-013-1, NERC states that NERC and Regional Entities would 
focus on whether responsible entities: (1) Developed processes 
reasonably designed to (i) identify and assess risks associated with 
vendor products and services in accordance with Part 1.1 and (ii) 
ensure that the security items listed in Part 1.2 are an integrated 
part of procurement activities; and (2) implemented those processes in 
good faith. NERC explains that NERC and Regional Entities will evaluate 
the steps a responsible entity took to assess risks posed by a vendor 
and associated products or services and, based on that risk assessment, 
the steps the entity took to mitigate those risks, including the 
negotiation of security provisions in its agreements with the vendor.
    23. Finally, NERC explains that Requirement R3 requires a 
responsible entity to review and obtain the CIP Senior Manager's 
approval of its supply chain risk management plan at least once every 
15 calendar months in order to ensure that the plan remains up-to-date.

Proposed Modifications in Reliability Standard CIP-005-6
    24. Proposed Reliability Standard CIP-005-6 includes two new parts, 
Parts 2.4 and 2.5, to address vendor remote access, which is the second 
objective discussed in Order No. 829. NERC explains that the new parts 
work in tandem with proposed Reliability Standard CIP-013-1, 
Requirement R1.2.6, which requires responsible entities to address 
Interactive Remote Access and system-to-system remote access when 
procuring industrial control system hardware, software, and computing 
and networking services associated with bulk electric system 
operations. NERC states that proposed Reliability Standard CIP-005-6, 
Requirement R2.4 requires one or more methods for determining active 
vendor remote access sessions, including Interactive Remote Access and 
system-to-system remote access. NERC explains that the 
security objective of Requirement R2.4 is to provide awareness of all 
active vendor remote access sessions, both Interactive Remote Access 
and system-to-system remote access, that are taking place 
on a responsible entity's system.
    25. NERC maintains that proposed Reliability Standard CIP-005-6, 
Requirement R2.5 requires one or more methods to disable active vendor 
remote access, including Interactive Remote Access and 
system-to-system remote access. NERC explains that the 
security objective of Requirement R2.5 is to provide the ability to 
disable active remote access sessions in the event of a system breach. 
In addition, NERC explains that Requirement R2 was modified to only 
reference Interactive Remote Access where appropriate. Specifically, 
Requirements R2.1, R2.2, and R2.3 apply to Interactive Remote Access 
only, while Requirements R2.4 and R2.5 apply both to Interactive Remote 
Access and system-to-system remote access.
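The following is an added example, not NERC's or FERC's code and not part of Reliability Standard CIP-005-6 itself, of one method an entity could use to meet the two objectives in paragraphs 24 and 25 above: determining which vendor remote access sessions are active (Requirement R2.4) and producing the action that disables each of them (Requirement R2.5). It assumes that Interactive Remote Access by vendors goes through an Intermediate System whose session table names the account, and that system-to-system vendor access reaches the Electronic Access Point from known vendor source address ranges. The record formats, account names (`vnd-relay-01`, `vnd-scada-07`) and address ranges are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: how the entity identifies vendors. Interactive
# sessions are tied to vendor accounts on the Intermediate System; system-to-
# system access is tied to the address ranges vendors connect from (RFC 5737
# documentation ranges used as stand-ins).
VENDOR_ACCOUNTS = {
    "vnd-relay-01": "relay-vendor",
    "vnd-scada-07": "scada-vendor",
}
VENDOR_SOURCE_RANGES = {
    "relay-vendor": ipaddress.ip_network("203.0.113.0/24"),
    "scada-vendor": ipaddress.ip_network("198.51.100.0/24"),
}


@dataclass(frozen=True)
class VendorSession:
    kind: str        # "interactive" (Interactive Remote Access) or "system-to-system"
    vendor: str
    identifier: str  # account name or source address to act on
    target: str      # asset inside the Electronic Security Perimeter being reached


def _fields(line: str) -> dict:
    """Split a constructed 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def interactive_sessions(jump_host_lines):
    """Active Intermediate System logins whose account belongs to a vendor."""
    for line in jump_host_lines:
        f = _fields(line)
        vendor = VENDOR_ACCOUNTS.get(f.get("user", ""))
        if vendor and f.get("state") == "active":
            yield VendorSession("interactive", vendor, f["user"], f["target"])


def vendor_for_source(ip: str):
    """Name of the vendor whose range contains ip, or None for non-vendor sources."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in VENDOR_SOURCE_RANGES.items() if addr in net), None)


def system_to_system_sessions(conn_table_lines):
    """Established connections through the Electronic Access Point that
    originate from a vendor source range (no user account is involved)."""
    for line in conn_table_lines:
        f = _fields(line)
        vendor = vendor_for_source(f["src"])
        if vendor and f.get("state") == "established":
            yield VendorSession("system-to-system", vendor, f["src"], f"{f['dst']}:{f['dport']}")


def active_vendor_sessions(jump_host_lines, conn_table_lines):
    """Requirement R2.4 view: every active vendor session of either kind."""
    return list(interactive_sessions(jump_host_lines)) + list(system_to_system_sessions(conn_table_lines))


def disable_actions(sessions):
    """Requirement R2.5 view: the concrete action that ends each session.
    Returned as text; issuing it to the jump host or firewall is site-specific."""
    actions = []
    for s in sessions:
        if s.kind == "interactive":
            actions.append(f"intermediate-system: terminate session user={s.identifier}")
        else:
            actions.append(f"electronic-access-point: drop established src={s.identifier} dst={s.target}")
    return actions


# Constructed sample records: an Intermediate System session table and an
# Electronic Access Point connection table.
JUMP_HOST = [
    "user=vnd-relay-01 state=active target=rtu-substation-a",
    "user=ops-jsmith state=active target=ems-console",
    "user=vnd-scada-07 state=closed target=historian",
]
CONN_TABLE = [
    "src=203.0.113.7 dst=10.0.5.20 dport=20000 state=established",
    "src=10.0.1.5 dst=10.0.5.21 dport=502 state=established",
    "src=198.51.100.9 dst=10.0.5.30 dport=22 state=time_wait",
    "src=198.51.100.9 dst=10.0.5.31 dport=443 state=established",
]

if __name__ == "__main__":
    found = active_vendor_sessions(JUMP_HOST, CONN_TABLE)
    for session in found:
        print(session)
    for action in disable_actions(found):
        print(action)
```

On the constructed records the method reports three active vendor sessions (one interactive login and two established system-to-system connections) and ignores the closed vendor login, the internal operator login and the connection that is no longer established. Keeping the two views in one place is the point: the same list that satisfies the awareness objective of Requirement R2.4 feeds the disable step of Requirement R2.5, so nothing is found during a breach that cannot also be shut off.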

Proposed Modifications in Reliability Standard CIP-010-3
    26. Proposed Reliability Standard CIP-010-3 includes a new part, 
Part 1.6, to address software integrity and authenticity, the first 
objective addressed in Order No. 829, by requiring the identification 
of the publisher and confirming the integrity of all software and 
patches. NERC explains that proposed Reliability Standard CIP-010-3, 
Requirement R1.6 requires responsible entities to verify software 
integrity and authenticity in the operational phase, if the software 
source provides a method to do so. Specifically, NERC states that 
proposed Reliability Standard CIP-010-3, Requirement R1.6 requires that 
responsible entities must verify the identity of the software source 
and the integrity of the software obtained by the software sources 
prior to installing software that changes established baseline 
configurations, when methods are available to do so. NERC asserts that 
the security objective of proposed Requirement R1.6 is to ensure that 
the software being installed in the BES Cyber System was not modified 
without the awareness of the software supplier and is not counterfeit. 
NERC contends that these steps help reduce the likelihood that an 
attacker could exploit legitimate vendor patch management processes to 
deliver compromised software updates or patches to a BES Cyber System.
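The following is an added example illustrating the verification sequence paragraph 26 describes for Part 1.6: confirm the identity of the software source, then confirm the authenticity and integrity of the software, before installing anything that changes an established baseline. It is not NERC's or FERC's code and not part of Reliability Standard CIP-010-3. The manifest format, the source name `relay-vendor`, and the pre-shared key that stands in for the vendor's signing key (so the example runs with the Python standard library alone) are assumptions made for this example; with a public-key signature the checks and their order are the same.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: one trusted software source and the key used
# to check its manifests. A pre-shared MAC key stands in for the vendor's
# public signing key; the control flow does not change with a real signature.
TRUSTED_SOURCES = {"relay-vendor": b"constructed-verification-key-not-real"}


def _canonical(manifest: dict) -> bytes:
    """Manifest bytes covered by the signature (everything but the signature)."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(source: str, manifest: dict) -> str:
    """Vendor side, used here only to build sample data: binds the package
    digest and name to the source identity."""
    return hmac.new(TRUSTED_SOURCES[source], _canonical(manifest), hashlib.sha256).hexdigest()


def verify_before_install(package: bytes, manifest: Optional[dict]) -> dict:
    """Part 1.6 style check run before a baseline-changing install.

    Order matters: confirm the source is one we trust, confirm the manifest
    really came from that source, and only then rely on the digest it carries.
    Every finding is returned so the change record shows what was checked.
    install_allowed is None when the source offers no verification method;
    the requirement then does not apply and the decision is made elsewhere.
    """
    finding = {
        "method_available": manifest is not None,
        "source_verified": False,
        "authenticity_verified": False,
        "integrity_verified": False,
        "install_allowed": None,
    }
    if manifest is None:
        return finding

    source = manifest.get("source")
    if source not in TRUSTED_SOURCES:
        finding["install_allowed"] = False
        return finding
    finding["source_verified"] = True

    # Authenticity: the manifest (and so its digest) was produced by the source.
    expected_sig = sign_manifest(source, manifest)
    finding["authenticity_verified"] = hmac.compare_digest(expected_sig, manifest.get("signature", ""))

    # Integrity: the bytes we are about to install match the published digest.
    actual_digest = hashlib.sha256(package).hexdigest()
    finding["integrity_verified"] = hmac.compare_digest(actual_digest, manifest.get("sha256", ""))

    finding["install_allowed"] = finding["authenticity_verified"] and finding["integrity_verified"]
    return finding


# Constructed sample: a genuine package and the manifest its source published.
GOOD_PACKAGE = b"constructed relay firmware image 2.1 (not a real binary)"
GOOD_MANIFEST = {
    "source": "relay-vendor",
    "name": "relay-fw-2.1.bin",
    "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
}
GOOD_MANIFEST["signature"] = sign_manifest("relay-vendor", GOOD_MANIFEST)

# Constructed failure cases: bytes altered in transit, and a manifest whose
# digest was swapped to match the altered bytes without the source's key.
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\x00"
FORGED_MANIFEST = dict(GOOD_MANIFEST, sha256=hashlib.sha256(TAMPERED_PACKAGE).hexdigest())

if __name__ == "__main__":
    print("genuine  ", verify_before_install(GOOD_PACKAGE, GOOD_MANIFEST))
    print("tampered ", verify_before_install(TAMPERED_PACKAGE, GOOD_MANIFEST))
    print("forged   ", verify_before_install(TAMPERED_PACKAGE, FORGED_MANIFEST))
    print("no method", verify_before_install(GOOD_PACKAGE, None))
```

The forged case is why the two halves of the objective are stated separately: a digest alone shows only that the bytes match whatever digest was delivered, and an attacker who can alter a package in the delivery path can usually alter an unsigned digest beside it. Checking that the manifest is authentic to the identified source before trusting its digest closes that gap, and recording the case where the source offers no method at all keeps the "when methods are available" condition visible in the change record rather than silently treated as a pass.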
BOT Resolutions
    27. In the petition, NERC states that in conjunction with the 
adoption of the proposed Reliability Standards, on August 10, 2017 the 
BOT adopted resolutions regarding supply chain risk management. In 
particular, the BOT requested that NERC management, in collaboration 
with appropriate NERC technical committees, industry representatives, 
and appropriate experts, including representatives of industry vendors, 
further study the nature and complexity of cyber security supply chain 
risks, including risks associated with low impact assets not currently 
subject to the proposed supply chain risk management Reliability 
Standards. The BOT further requested NERC to develop recommendations 
for follow-up actions that will best address any issues identified. 
Finally, the BOT requested that NERC management provide an interim 
progress report no later than 12 months after the adoption of these 
resolutions and a final report no later than 18 months after the 
adoption of the resolutions. In its petition, NERC states that ``over 
the next 18 months, NERC, working with various stakeholders, will 
continue to assess whether supply chain risks related to low impact BES 
Cyber Systems, PACS, EACMS and PCA necessitate further consideration 
for inclusion in a mandatory Reliability Standard.'' \34\
---------------------------------------------------------------------------

    \34\ Id. at 20-21.
---------------------------------------------------------------------------

Implementation Plan
    28. NERC's proposed implementation plan provides that the proposed 
Reliability Standards become effective on the first day of the first 
calendar quarter that is 18 months after the effective date of a 
Commission order approving them. NERC states that the proposed 
implementation period is designed to afford responsible entities 
sufficient time to develop and implement their supply chain 
cybersecurity risk management plans required under proposed Reliability 
Standard CIP-013-1 and implement the new controls required in proposed 
Reliability Standards CIP-005-6 and CIP-010-3.

II. Discussion

    29. Pursuant to section 215(d)(2) of the FPA, the Commission 
proposes to approve supply chain risk management Reliability Standards 
CIP-013-1, CIP-005-6 and CIP-010-3 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest. The 
proposed Reliability Standards will enhance existing protections for 
bulk electric system reliability by addressing the four objectives set 
forth in Order No. 829: (1) Software integrity and authenticity; (2) 
vendor remote access; (3) information system planning; and (4) vendor 
risk management and procurement controls.
    30. The proposed Reliability Standards address the four objectives 
discussed in Order No. 829. Proposed Reliability Standard CIP-013-1 
addresses information system planning and vendor risk management and 
procurement controls by requiring that responsible entities develop and 
implement one or more documented supply chain cyber security risk 
management plan(s) for high and medium impact BES Cyber Systems.

[[Page 3438]]

The required plans must address, as applicable, a baseline set of six 
security concepts: Vendor security event notification; coordinated 
incident response; vendor personnel termination notification; product/
services vulnerability disclosures; verification of software integrity 
and authenticity; and coordination of vendor remote access controls. 
Proposed Reliability Standard CIP-005-6 addresses vendor remote access 
by creating two new requirements: for determining active vendor remote 
access sessions and for having one or more methods to disable active 
vendor remote access sessions. Proposed Reliability Standard CIP-010-3 
addresses software authenticity and integrity by creating a new 
requirement that responsible entities verify the identity of the 
software source and the integrity of the software obtained from the 
software source prior to installing software that changes established 
baseline configurations, when methods are available to do so. Taken 
together, the proposed Reliability Standards constitute substantial 
progress in addressing the supply chain cyber security risks identified 
in Order No. 829.
    31. While the Commission proposes to approve the proposed 
Reliability Standards, certain cyber security risks associated with the 
supply chain for BES Cyber Systems may not be adequately addressed by 
the NERC proposal. In particular, as discussed below, the Commission is 
concerned with the exclusion of EACMS, PACS, and PCAs from the scope of 
the proposed Reliability Standards.\35\ To address this risk, pursuant 
to section 215(d)(5) of the FPA, the Commission proposes that NERC 
develop modifications to the CIP Reliability Standards to include EACMS 
within the scope of the supply chain risk management Reliability 
Standards. In addition, the Commission proposes to direct NERC to 
evaluate the cyber security supply chain risks presented by PACS and 
PCAs in the cyber security supply chain risks study requested by the 
BOT. The Commission further proposes to direct NERC to file the BOT-
requested study's interim and final reports with the Commission upon 
their completion.
---------------------------------------------------------------------------

    \35\ As we noted previously, the only exceptions are the 
modifications in proposed Reliability Standard CIP-005-6, which 
apply to PCAs.
---------------------------------------------------------------------------

    32. Below, we discuss the following issues: (A) Inclusion of EACMS 
in the supply chain risk management Reliability Standards; (B) 
inclusion of PACS and PCAs in the BOT-requested study on cyber security 
supply chain risks and filing of the study's interim and final reports 
with the Commission; and (C) NERC's proposed implementation plan.

A. Inclusion of EACMS in CIP Reliability Standards

    33. The proposed Reliability Standards only apply to medium and 
high impact BES Cyber Systems; they do not apply to low impact BES 
Cyber Systems or Cyber Assets associated with medium and high impact 
BES Cyber Systems (i.e., EACMS, PACS, and PCAs). The BOT-requested 
study on cyber security supply chain risks will examine the risks posed 
by low impact BES Cyber Systems and, as discussed in the following 
section, we believe it is appropriate to await the outcome of that 
study's final report before considering whether low impact BES Cyber 
Systems should be addressed in the supply chain risk management 
Reliability Standards.
    34. With respect to Cyber Assets associated with medium and high 
impact BES Cyber Systems, and EACMS in particular, we propose further 
action than what is requested in the BOT resolutions.\36\ As explained 
in current Reliability Standard CIP-002-5.1a, BES Cyber Systems have 
associated Cyber Assets, which, if compromised, pose a threat to the 
BES Cyber System by virtue of: (1) Their location within the Electronic 
Security Perimeter (i.e., PCAs), or (2) the security control function 
they perform (i.e., EACMS and PACS).\37\ EACMS support BES Cyber 
Systems and are part of the network and security architecture that 
allow BES Cyber Systems to work as intended by performing electronic 
access control or electronic access monitoring of the Electronic 
Security Perimeter (ESP) or BES Cyber Systems.
---------------------------------------------------------------------------

    \36\ We address PACS and PCAs in the following section.
    \37\ Reliability Standard CIP-002-5.1a (Cyber Security--BES 
Cyber System Categorization), Background at 6.
---------------------------------------------------------------------------

    35. Since EACMS support and enable BES Cyber System operation, 
misoperation and unavailability of EACMS that support a given BES Cyber 
System could also contribute to misoperation of a BES Cyber System or 
render it unavailable, which could adversely affect bulk electric 
system reliability. EACMS control electronic access, including 
interactive remote access, into the ESP that protects high and medium 
impact BES Cyber Systems. One function of electronic access control is 
to prevent malware or malicious actors from gaining access to the BES 
Cyber Systems and PCAs within the ESP. Once an EACMS is compromised, 
the attacker may gain control of the BES Cyber System or PCA. An 
attacker does not need physical access to the facility housing a BES 
Cyber System in order to gain access to a BES Cyber System or PCA via 
an EACMS compromise. By contrast, compromise of PACS, which could 
potentially grant an attacker physical access to a BES Cyber System, 
requires physical access. Further, PCAs typically become vulnerable to 
remote compromise once EACMS have been compromised. Therefore, EACMS 
represent the most likely route an attacker would take to access a BES 
Cyber System or PCA within an ESP.
    36. Currently-effective Reliability Standard CIP-010-2 applies to 
EACMS and the modifications proposed in Reliability Standard CIP-010-3 
maintain the current coverage of EACMS, except for new Part 1.6 of 
Requirement R1, which addresses software integrity and authenticity. 
Moreover, NERC's petition acknowledges that requirements in the 
existing CIP Reliability Standards ``require Responsible Entities to 
apply certain protections to PACS, EACMS, and PCAs, given their 
association with BES Cyber Systems either by function or location.'' 
\38\ This statement suggests a recognition by NERC that EACMS, PACS, 
and PCAs warrant certain protections. We agree with NERC's statement, 
but we believe that the most important focus is on EACMS for the 
reasons described above.
---------------------------------------------------------------------------

    \38\ NERC Petition at 19.
---------------------------------------------------------------------------

    37. In addition, while EACMS is a term unique to NERC-developed 
Reliability Standards, it is widely recognized that the types of access 
and monitoring functions that are included within NERC's definition of 
EACMS, such as firewalls, are integral to protecting industrial control 
systems. For example, the Department of Homeland Security's Industrial 
Control Systems Cyber Emergency Response Team (ICS-CERT) identifies 
firewalls as ``the first line of defense within an ICS network 
environment'' that ``keep the intruder out while allowing the 
authorized passage of data necessary to run the organization.'' \39\ 
ICS-CERT further explains that firewalls ``act as

[[Page 3439]]

sentinels, or gatekeepers, between zones . . . [and] [w]hen properly 
configured, they will only let essential traffic cross security 
boundaries[,] . . . [i]f they are not properly configured, they could 
easily pass unauthorized or malicious users or content.'' Accordingly, 
if EACMS are compromised, that could adversely affect the reliable 
operation of associated BES Cyber Systems.
---------------------------------------------------------------------------

    \39\ ICS-CERT, Recommended Practice: Improving Industrial 
Control System Cybersecurity with Defense-in-Depth Strategies, at 23 
(September 2016), https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf. See also NIST, Guide to 
Industrial Control Systems (ICS) Security, NIST Special Publication 
800-82, Revision 2, at Section 5 (ICS Security Architecture) (May 
2015) (discussing importance of technologies and strategies, 
including firewalls, to secure industrial control systems), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf.
---------------------------------------------------------------------------

    38. NERC explains that the standard drafting team chose to limit 
the scope of the proposed Reliability Standards to medium and high 
impact BES Cyber Systems, but not their associated Cyber Assets (e.g., 
EACMS), in order not to ``divert resources from protecting medium and 
high BES Cyber Systems.'' \40\ As noted above, EACMS include 
``authentication servers (e.g., RADIUS servers, Active Directory 
servers, Certificate Authorities), security event monitoring systems, 
and intrusion detection systems'' that are integral to the security of 
the medium and high impact BES Cyber Systems to which they are 
associated.\41\ While NERC states that it will continue to assess 
whether supply chain risks related to low impact BES Cyber Systems, 
PACS, EACMS, and PCAs necessitate further consideration for inclusion 
in a mandatory Reliability Standard, in view of the discussion above, 
we propose to determine that a sufficient basis currently exists to 
include EACMS associated with medium and high impact BES Cyber Systems 
in the supply chain risk management Reliability Standards.
---------------------------------------------------------------------------

    \40\ Id. at 20.
    \41\ Reliability Standard CIP-002-5.1a (Cyber Security--BES 
Cyber System Categorization), Section A.6 at 6.
---------------------------------------------------------------------------

    39. Accordingly, pursuant to section 215(d)(5) of the FPA, the 
Commission proposes to direct NERC to develop modifications to the CIP 
Reliability Standards to include EACMS associated with medium and high 
impact BES Cyber Systems within the scope of the supply chain risk 
management Reliability Standards. The Commission seeks comment on this 
proposal.

B. BOT-Requested Cyber Security Supply Chain Risks Study

    40. As discussed above, we believe it is appropriate to await the 
findings from the BOT-requested study on cyber security supply chain 
risks before considering whether low impact BES Cyber Systems should be 
addressed in the supply chain risk management Reliability Standards.
    41. We note that while the BOT resolutions explicitly stated that 
the BOT-requested study should examine the risks posed by low impact 
BES Cyber Systems, the BOT resolutions did not identify PACS and PCAs 
as subjects of the study. However, NERC's petition suggests that NERC 
will be evaluating PACS and PCAs as part of the BOT-requested 
study.\42\
---------------------------------------------------------------------------

    \42\ NERC Petition at 21 (``over the next 18 months, NERC, 
working with various stakeholders, will continue to assess whether 
supply chain risks related to low impact BES Cyber Systems, PACS, 
EACMS, and PCA necessitate further consideration for inclusion in a 
mandatory Reliability Standard'').
---------------------------------------------------------------------------

    42. While many of the concerns expressed in the previous section 
with respect to the risks posed by EACMS also apply to varying degrees 
to PACS and PCAs, we propose to direct NERC, consistent with the 
representation made in NERC's petition, to include PACS and PCAs in the 
BOT-requested study and to await the findings of the study's final 
report before considering further action. We distinguish among EACMS 
and the other Cyber Assets because, for example, a compromise of a 
PACS, which would potentially grant an attacker physical access to a 
BES Cyber System or PCA, is less likely since physical access is also 
required. Therefore, while we believe that EACMS require immediate 
action, because they represent the most likely route an attacker would 
take to access a BES Cyber System or PCA within an ESP, possible action 
on other Cyber Assets can await completion of the BOT-requested study's 
final report.
    43. In addition to proposing to direct NERC to include PACS and 
PCAs in the BOT-requested study, we propose to direct that NERC file 
the study's interim and final reports with the Commission upon their 
completion. The Commission seeks comment on these proposals.

C. Implementation Plan

    44. The 18-month implementation period proposed by NERC does not 
appear to be justified based on the anticipated effort required to 
develop and implement a supply chain risk management plan.\43\ While 
NERC maintains that the proposed implementation period is ``designed to 
afford responsible entities sufficient time to develop and implement 
their supply chain cybersecurity risk management plans required under 
proposed Reliability Standard CIP-013-1 and implement the new controls 
required in proposed Reliability Standards CIP-005-6 and CIP-010-3,'' 
\44\ the security objectives of the proposed Reliability Standards are 
process-based and do not prescribe technology that might justify an 
extended implementation period. Instead, we propose that the proposed 
Reliability Standards become effective the first day of the first 
calendar quarter that is 12 months following the effective date of a 
Commission order approving the Reliability Standards. Our proposed 
implementation period is reasonable, given the nature of the 
requirements in the proposed Reliability Standards, and provides 
enhanced security for the bulk electric system in a timelier manner. We 
seek comment on this proposal.
---------------------------------------------------------------------------

    \43\ The 18-month implementation plan proposed by NERC may be 
longer given NERC's request that the effective date of the proposed 
Reliability Standards falls on the first day of the first calendar 
quarter that is 18 months after the effective date of a Commission 
order approving the proposed Reliability Standards.
    \44\ NERC Petition at 35.
---------------------------------------------------------------------------

III. Information Collection Statement

    45. The FERC-725B information collection requirements contained in 
this notice of proposed rulemaking are subject to review by the Office 
of Management and Budget (OMB) under section 3507(d) of the Paperwork 
Reduction Act of 1995.\45\ OMB's regulations require approval of 
certain information collection requirements imposed by agency 
rules.\46\ Upon approval of a collection of information, OMB will 
assign an OMB control number and expiration date. Respondents subject 
to the filing requirements of this rule will not be penalized for 
failing to respond to these collections of information unless the 
collections of information display a valid OMB control number. The 
Commission solicits comments on the Commission's need for this 
information, whether the information will have practical utility, the 
accuracy of the burden estimates, ways to enhance the quality, utility, 
and clarity of the information to be collected or retained, and any 
suggested methods for minimizing respondents' burden, including the use 
of automated information techniques.
---------------------------------------------------------------------------

    \45\ 44 U.S.C. 3507(d).
    \46\ 5 CFR 1320.11.
---------------------------------------------------------------------------

    46. The Commission bases its paperwork burden estimates on the 
changes in paperwork burden presented by the newly proposed CIP 
Reliability Standard CIP-013-1 and the proposed revisions to CIP 
Reliability Standard CIP-005-6 and CIP-010-3 as compared to the current 
Commission-approved Reliability Standards CIP-005-5 and CIP-010-2, 
respectively. As discussed above, the notice of proposed rulemaking 
addresses several areas of the CIP Reliability Standards through 
proposed Reliability Standard CIP-013-1, Requirements R1, R2, and R3. 
Under Requirement R1, responsible entities

[[Page 3440]]

would be required to have one or more processes to address the 
following baseline set of security concepts, as applicable, in their 
procurement activities for high and medium impact BES Cyber Systems: 
(1) Vendor security event notification processes (Part 1.2.1); (2) 
coordinated incident response activities (Part 1.2.2); (3) vendor 
personnel termination notification for employees with access to remote 
and onsite systems (Part 1.2.3); (4) product/services vulnerability 
disclosures (Part 1.2.4); (5) verification of software integrity and 
authenticity (Part 1.2.5); and (6) coordination of vendor remote access 
controls (Part 1.2.6). Requirement R2 mandates that each responsible 
entity implement its supply chain cybersecurity risk management plan. 
Requirement R3 requires a responsible entity to review and obtain the 
CIP Senior Manager's approval of its supply chain risk management plan 
at least once every 15 calendar months in order to ensure that the plan 
remains up-to-date.
    47. Separately, proposed Reliability Standard CIP-005-6, 
Requirement R2.4 requires one or more methods for determining active 
vendor remote access sessions, including Interactive Remote Access and 
system-to-system remote access. Proposed Reliability 
Standard CIP-005-6, Requirement R2.5 requires one or more methods to 
disable active vendor remote access, including Interactive Remote 
Access and system-to-system remote access. Proposed 
Reliability Standard CIP-010-3, Requirement R1.6 requires responsible 
entities to verify software integrity and authenticity in the 
operational phase, if the software source provides a method to do so.
    48. The NERC Compliance Registry, as of December 2017, identifies 
approximately 1,250 unique U.S. entities that are subject to mandatory 
compliance with Reliability Standards. Of this total, we estimate that 
288 entities will face an increased paperwork burden under proposed 
Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3. Based on 
these assumptions, we estimate the following reporting burden:

                                                                    RM17-13-000 NOPR
                             [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                        Annual number                                              Total annual burden       Cost per
                                          Number of     of responses    Total number    Average burden and cost   hours and total annual    respondent
                                         respondents   per respondent   of responses        per response 47                cost                 ($)
                                                  (1)             (2)     (1) * (2) =  (4).....................  (3) * (4) = (5)........       (5) / (1)
                                                                                  (3)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Create supply chain risk management               288               1             288  546 hrs.; $44,772.......  157,248 hrs.;                    44,772
 plan (one-time) 48 (CIP-013-1 R1).                                                                               $12,894,336.
Updates and reviews of supply chain               288               1             288  30 hrs.; $2,460.........  8,640 hrs.; $708,480...           2,460
 risk management plan (ongoing) 49
 (CIP-013-1 R2).
Develop Procedures to update remote               288               1             288  50 hrs.; $4,100.........  14,400 hrs.; $1,180,800           4,100
 access requirements (one time) (CIP-
 005-6 R1-R4).
Develop procedures for software                   288               1             288  50 hrs.; $4,100.........  14,400 hrs.; $1,180,800           4,100
 integrity and authenticity
 requirements (one time) (CIP-010-3
 R1-R4).
                                      ------------------------------------------------------------------------------------------------------------------
    Total (one-time).................  ..............  ..............             864  ........................  186,048 hrs.;            ..............
                                                                                                                  $15,255,936.
    Total (ongoing)..................  ..............  ..............             288  ........................  8,640 hrs.; $708,340...  ..............
--------------------------------------------------------------------------------------------------------------------------------------------------------

    The one-time burden of 186,048 hours will be averaged over three 
years (186,048 hours / 3 = 62,016 hours/year over three years).
---------------------------------------------------------------------------

    \47\ The loaded hourly wage figure (includes benefits) is based 
on the average of the occupational categories for 2016 found on the 
Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
    Legal (Occupation Code: 23-0000): $143.68.
    Information Security Analysts (Occupation Code 15-1122): $66.34.
    Computer and Information Systems Managers (Occupation Code: 11-
3021): $100.68.
    Management (Occupation Code: 11-0000): $81.52.
    Electrical Engineer (Occupation Code: 17-2071): $68.12.
    Management Analyst (Occupation Code: 43-0000): $63.49.
    These various occupational categories are weighted as follows: 
[($81.52)(.10) + $66.34(.315) + $68.12(.02) + $143.68(.15) + 
$100.68(.10) + $63.49(.315)] = $82.03. The figure is rounded to 
$82.00 for use in calculating wage figures in this NOPR.
    \48\ One-time burdens apply in Year One only.
    \49\ Ongoing burdens apply in Year 2 and beyond.
---------------------------------------------------------------------------

    The ongoing burden of 8,640 hours applies to only Years 2 and 
beyond.
    The number of responses is also averaged over three years (864 
responses (one-time) + (288 responses (Year 2) + 288 responses (Year 
3)) / 3 = 480 responses.
    The responses and burden for Years 1-3 will total respectively as 
follows:
Year 1: 480 responses; 62,016 hours
Year 2: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours
Year 3: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours
    49. The following shows the annual cost burden for each year, based 
on the burden hours in the table above:

 Year 1: $15,255,936
 Years 2 and beyond: $708,480
 The paperwork burden estimate includes costs associated with 
the initial development of a policy to address requirements relating 
to: (1) Developing the supply chain risk management plan; (2) updating 
the procedures related to remote access requirements; and (3) developing the 
procedures related to software integrity and authenticity. Further, the 
estimate reflects the assumption that costs incurred in year 1 will 
pertain to plan and procedure development, while costs in years 2 and 3 
will reflect the burden associated with maintaining the SCRM plan and 
modifying it as necessary on a 15-month basis.


[[Page 3441]]


    50. Title: Mandatory Reliability Standards, Revised Critical 
Infrastructure Protection Reliability Standards.
    Action: Proposed Collection FERC-725B.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This notice of proposed rulemaking 
proposes to approve the requested modifications to Reliability 
Standards pertaining to critical infrastructure protection. As 
discussed above, the Commission proposes to approve NERC's proposed CIP 
Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 pursuant to 
section 215(d)(2) of the FPA because they improve upon the currently-
effective suite of cyber security CIP Reliability Standards.
    Internal Review: The Commission has reviewed the proposed 
Reliability Standards and made a determination that its action is 
necessary to implement section 215 of the FPA.
    51. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen 
Brown, Office of the Executive Director, e-mail: 
[email protected], phone: (202) 502-8663, fax: (202) 273-0873].
    52. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Management and Budget, 
Office of Information and Regulatory Affairs, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission, 
phone: (202) 395-4638, fax: (202) 395-7285]. For security reasons, 
comments to OMB should be submitted by e-mail to: 
[email protected]. Comments submitted to OMB should include 
Docket Number RM17-13-000.

IV. Environmental Analysis

    53. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\50\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\51\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \50\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \51\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act Analysis

    54. The Regulatory Flexibility Act of 1980 (RFA) generally requires 
a description and analysis of proposed rules that will have significant 
economic impact on a substantial number of small entities.\52\ The 
Small Business Administration's (SBA) Office of Size Standards develops 
the numerical definition of a small business.\53\ The SBA revised its 
size standard for electric utilities (effective January 22, 2014) to a 
standard based on the number of employees, including affiliates (from 
the prior standard based on megawatt hour sales).\54\
---------------------------------------------------------------------------

    \52\ 5 U.S.C. 601-12.
    \53\ 13 CFR 121.101.
    \54\ 13 CFR 121.201, Subsection 221.
---------------------------------------------------------------------------

    55. Proposed Reliability Standards CIP-013-1, CIP-005-6, CIP-010-3 
are expected to impose an additional burden on 288 entities \55\ 
(reliability coordinators, generator operators, generator owners, 
interchange coordinators or authorities, transmission operators, 
balancing authorities, and transmission owners).
---------------------------------------------------------------------------

    \55\ Public utilities may fall under one of several different 
categories, each with a size threshold based on the company's number 
of employees, including affiliates, the parent company, and 
subsidiaries. For the analysis in this NOPR, we are using a 500 
employee threshold due to each affected entity falling within the 
role of Electric Bulk Power Transmission and Control (NAICS Code: 
221121).
---------------------------------------------------------------------------

    56. Of the 288 affected entities discussed above, we estimate that 
approximately 248 or 86.2 percent of the affected entities are small 
entities. We estimate that each of the 248 small entities to whom the 
proposed modifications to Reliability Standards CIP-013-1, CIP-005-6, 
CIP-010-3 apply will incur one-time costs of approximately $52,972 per 
entity to implement the proposed Reliability Standards, as well as the 
ongoing paperwork burden reflected in the Information Collection 
Statement (approximately $2,460 per year per entity). We do not 
consider the estimated costs for these 248 small entities to be a 
significant economic impact. Accordingly, we certify that proposed 
Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 will not have 
a significant economic impact on a substantial number of small 
entities.

VI. Comment Procedures

    57. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice to be adopted, including 
any related matters or alternative proposals that commenters may wish 
to discuss. Comments are due March 26, 2018. Comments must refer to 
Docket No. RM17-13-000, and must include the commenter's name, the 
organization they represent, if applicable, and address.
    58. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's web site at 
http://www.ferc.gov. The Commission accepts most standard word 
processing formats. Documents created electronically using word 
processing software should be filed in native applications or 
print-to-PDF format and not in a scanned format. Commenters filing 
electronically do not need to make a paper filing.
    59. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE, 
Washington, DC 20426.
    60. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

VII. Document Availability

    61. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    62. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field.
    63. User assistance is available for eLibrary and the Commission's 
website during normal business hours from the

[[Page 3442]]

Commission's Online Support at (202) 502-6652 (toll free at 1-866-208-
3676) or e-mail at [email protected], or the Public Reference 
Room at (202) 502-8371, TTY (202) 502-8659. E-mail the Public Reference 
Room at [email protected].

    By direction of the Commission. Commissioner LaFleur is 
concurring with a separate statement attached.

    Issued: January 18, 2018.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

Attachment

LaFLEUR, Commissioner concurring:

    In today's order, the Commission proposes to approve the supply 
chain risk management standards filed by the North American Electric 
Reliability Corporation (NERC), and direct certain modifications to 
those standards. I write separately to explain my vote in support of 
today's order, given my dissent on the Commission order that 
directed the development of these standards.\1\
---------------------------------------------------------------------------

    \1\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 829, 156 FERC ¶ 61,050 (2016) (LaFleur, Comm'r, 
dissenting).
---------------------------------------------------------------------------

    As I stated in my dissent, I shared the Commission's concern 
about supply chain threats and supported continued Commission 
attention to those threats. Indeed, I remain concerned that the 
supply chain is a significant cyber vulnerability for the bulk power 
system. However, I believed that the Commission was proceeding too 
quickly to require a supply chain standard, without having 
sufficiently worked with NERC, industry, and other stakeholders on 
how to design an effective, auditable, and enforceable standard. In 
my view, the directive that resulted was insufficiently developed 
and created a risk that needed protections against supply threats 
would be delayed, due in large part to the nature of the NERC 
standards process.
    Given the limited guidance and timeline provided by the 
Commission in Order No. 829, the proposed standards are, 
unsurprisingly, quite general, focusing primarily ``on the processes 
Responsible Entities implement to consider and address cyber 
security risks from vendor products or services during BES Cyber 
System planning and procurement, not on the outcome of those 
processes . . .'' \2\ The proposed standards would provide 
significant flexibility to registered entities to determine how best 
to comply with their requirements. In my view, that flexibility 
presents both potential risks and benefits. It could allow 
effective, adaptable approaches to flourish, or allow compliance 
plans that meet the letter of the standards but do not effectively 
address supply chain threats. I hope that we will see more of the 
former, but I believe the Commission, NERC, and the Regional 
Entities should closely monitor implementation if the standards are 
ultimately approved.
---------------------------------------------------------------------------

    \2\ NERC Petition at 27.
---------------------------------------------------------------------------

    In voting for today's order, I recognize that the choice before 
the Commission today is not the same as it was in July 2016. I 
acknowledge that a significant amount of time and effort has been 
committed to the development of these standards in response to a 
duly voted Commission order. Most importantly, I agree that they are 
an improvement over the status quo. I do not believe that remanding 
these standards or the larger supply chain issue to the NERC 
standards process would be a prudent step at this point. Rather, I 
believe the better course of action at this time is to move forward 
with these standards and, assuming the Commission ultimately 
proceeds to Final Rule, improve them over time as needed.
    In that regard, I believe the Commission is appropriately 
proposing to direct a modification to the proposed standards to 
address an identified reliability gap regarding Electronic Access 
Control and Monitoring Systems. I also support the proposal to 
require NERC to include Physical Access Controls and Protected Cyber 
Assets within its ongoing assessment of the supply chain risks posed 
by low-impact Bulk Electric System Cyber Systems, which will help 
the Commission and NERC determine whether further revisions to the 
standards are needed.
    More so than with most standards, I believe that whether these 
standards are effective will only reveal itself over time as we gain 
additional experience with them. I am therefore particularly 
interested in feedback from commenters on how the Commission, NERC, 
and industry should assess these standards, including any reporting 
obligations that might be appropriate.\3\ In addition, given the 
very general process-oriented nature of the standard, I also support 
the proposal to shorten the implementation date for the new 
standards. If ultimately adopted, the revised deadline will allow 
industry, NERC, and the Commission to put the standards in place 
sooner while continuing to evaluate how best to protect the bulk 
power system against supply chain threats.
---------------------------------------------------------------------------

    \3\ I note that NERC has also developed draft implementation 
guidance that provides additional detail regarding possible 
compliance approaches. As NERC and the Regional Entities gain 
additional experience with assessing compliance under these 
standards, updating this implementation guidance could be an 
effective approach for quickly disseminating best practices and 
lessons learned.
---------------------------------------------------------------------------

    For these reasons, I respectfully concur.

Cheryl A. LaFleur,

Commissioner.

[FR Doc. 2018-01247 Filed 1-24-18; 8:45 am]
BILLING CODE 6717-01-P



                                                  Commission proposes to approve                                                                                    Protected Cyber Assets is equal to the highest rated
                                                                                                            security risk associated with the supply                BES Cyber System in the same [Electronic Security
                                                  supply chain risk management
                                                                                                            chain for BES Cyber Systems because                     Perimeter].’’ NERC Glossary. Reliability Standard
                                                  Reliability Standards CIP–013–1 (Cyber                                                                            CIP–002–5.1a states that examples include, to the
                                                                                                            the proposed Reliability Standards
                                                  Security—Supply Chain Risk                                                                                        extent they are within the Electronic Security
                                                                                                            exclude Electronic Access Control and
                                                  Management), CIP–005–6 (Cyber                                                                                     Perimeter, ‘‘file servers, ftp servers, time servers,
                                                  Security—Electronic Security                                                                                      LAN switches, networked printers, digital fault
                                                                                                              2 Revised Critical Infrastructure Protection          recorders, and emission monitoring systems.’’ Id.
                                                  Perimeter(s)) and CIP–010–3 (Cyber                        Reliability Standards, Order No. 829, 156 FERC ¶           8 16 U.S.C. 824o(d)(5).
                                                  Security—Configuration Change                             61,050, at P 43 (2016).                                    9 Reliability Standard CIP–002–5.1a (Cyber
                                                  Management and Vulnerability                                3 BES Cyber System is defined as ‘‘[o]ne or more      Security System Categorization) provides a ‘‘tiered’’
                                                  Assessments). The North American                          BES Cyber Assets logically grouped by a                 approach to cybersecurity requirements, based on
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  Electric Reliability Corporation (NERC),                  responsible entity to perform one or more reliability   classifications of high, medium and low impact BES
                                                                                                            tasks for a functional entity.’’ Glossary of Terms      Cyber Systems.
                                                  the Commission-certified Electric                         Used in NERC Reliability Standards (NERC                   10 Proposed Additional Resolutions for Agenda
                                                  Reliability Organization (ERO),                           Glossary), http://www.nerc.com/files/glossary_of_       Item 9.a: Cyber Security—Supply Chain Risk
                                                  submitted the proposed Reliability                        terms.pdf. The acronym BES refers to the bulk           Management—CIP–005–6, CIP–010–3, and CIP–
                                                  Standards for Commission approval in                      electric system.                                        013–1 (August 10, 2017), http://www.nerc.com/gov/
                                                                                                              4 Revised Critical Infrastructure Protection          bot/Agenda%20highlights%20and
                                                  response to a Commission directive in                     Reliability Standards, Notice of Proposed               %20Mintues%202013/Proposed%20
                                                                                                            Rulemaking, 80 FR 43354 (July, 22, 2015), 152           Resolutions%20re%20Supply%20Chain
                                                    1 16   U.S.C. 824o(d)(2).                               FERC ¶ 61,054, at PP 61–62 (2015).                      %20Follow-Up%20v2.pdf.
Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules 3435

I. Background

A. Section 215 and Mandatory Reliability Standards

5. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.11 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,12 and subsequently certified NERC.13

B. Order No. 829

6. In Order No. 829, the Commission directed NERC to develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware, software and computing and networking services associated with bulk electric system operations.14 Specifically, the Commission directed NERC to develop a forward-looking, objective-based Reliability Standard that would require responsible entities to develop and implement a plan with supply chain management security controls focused on four security objectives: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.15

7. The Commission explained that the first objective, verification of software integrity and authenticity, is intended to reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System.16

8. With respect to the second objective, vendor remote access, the Commission stated that the objective is intended to address the threat that vendor credentials could be stolen and used to access a BES Cyber System without the responsible entity’s knowledge, as well as the threat that a compromise at a trusted vendor could traverse over an unmonitored connection into a responsible entity’s BES Cyber System.17

9. For the third objective, information system planning, Order No. 829 indicated that the objective is intended to address the risk that responsible entities could unintentionally plan to procure and install unsecure equipment or software within their information systems, or could unintentionally fail to anticipate security issues that may arise due to their network architecture or during technology and vendor transitions.18

10. Vendor risk management and procurement controls, the fourth objective, the Commission explained, are intended to address the risk that responsible entities could enter into contracts with vendors that pose significant risks to the responsible entities’ information systems, as well as the risk that products procured by a responsible entity fail to meet minimum security criteria. This objective also addresses the risk that a compromised vendor would not provide adequate notice and related incident response to responsible entities with whom that vendor is connected.19

11. Order No. 829 stated that while responsible entities should be required to develop and implement a plan, the Commission did not require NERC to impose any specific controls or “one-size-fits-all” requirements.20 In addition, the Commission stated that NERC’s response to the Order No. 829 directive should respect the Commission’s jurisdiction under FPA section 215 by only addressing the obligations of responsible entities and not by directly imposing any obligations on non-jurisdictional suppliers, vendors or other entities that provide products or services to responsible entities.21

C. NERC Petition and Proposed Reliability Standards

12. On September 26, 2017, NERC submitted for Commission approval proposed Reliability Standards CIP–013–1, CIP–005–6, and CIP–010–3 and their associated violation risk factors and violation severity levels, implementation plans, and effective dates.22 NERC states that the purpose of the proposed Reliability Standards is to enhance the cybersecurity posture of the electric industry by requiring responsible entities to take additional actions to address cybersecurity risks associated with the supply chain for BES Cyber Systems. NERC explains that the proposed Reliability Standards are designed to augment the existing controls required in the currently-effective CIP Reliability Standards that help mitigate supply chain risks, providing increased attention on minimizing the attack surfaces of information and communications technology products and services procured to support reliable bulk electric system operations, consistent with Order No. 829. Each proposed Reliability Standard is summarized below.

13. NERC states that the proposed Reliability Standards apply only to medium and high impact BES Cyber Systems. NERC explains that the goal of the CIP Reliability Standards is to “focus[ ] industry resources on protecting those BES Cyber Systems with heightened risks to the [bulk electric system] . . . [and] that the requirements applicable to low impact BES Cyber Systems, given their lower risk profile, should not be overly burdensome to divert resources from the protection of medium and high impact BES Cyber Systems.” 23 NERC further maintains that the standard drafting team chose to apply the proposed Reliability Standards only to medium and high impact BES Cyber Systems because the proposed Reliability Standards are “consistent with the type of existing CIP cybersecurity requirements applicable to high and medium impact BES Cyber Systems as opposed to those applicable to low impact BES Cyber Systems.” 24

14. NERC states that the standard drafting team also excluded EACMS, PACS, and PCAs from the scope of the proposed Reliability Standards, with the exception of the modifications in proposed Reliability Standard CIP–005–6, which apply to PCAs. NERC explains that although certain requirements in the existing CIP Reliability Standards apply to EACMS, PACS, and PCAs due to their association with BES Cyber Systems (either by function or location), the standard drafting team determined that the proposed supply chain risk management Reliability Standards should focus on high and medium impact BES Cyber Systems only. NERC states that this determination was based on the conclusion that applying the

11 16 U.S.C. 824o(e).

12 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, order on reh’g, Order No. 672–A, FERC Stats. & Regs. ¶ 31,212 (2006).

13 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).

14 Order No. 829, 156 FERC ¶ 61,050 at P 43.

15 Id. P 45.

16 Id. P 49.

17 Id. P 52.

18 Id. P 57.

19 Id. P 60.

20 Id. P 13.

21 Id. P 21.

22 Proposed Reliability Standards CIP–013–1, CIP–005–6 and CIP–010–3 are not attached to this notice of proposed rulemaking (NOPR). The proposed Reliability Standards are available on the Commission’s eLibrary document retrieval system in Docket No. RM17–13–000 and on the NERC website, www.nerc.com.

23 NERC Petition at 16–17.

24 Id. at 18.
proposed Reliability Standards to EACMS, PACS, and PCAs “would divert resources from protecting medium and high BES Cyber Systems.” 25

15. NERC maintains that with respect to low impact BES Cyber Systems and EACMS, PACS, and PCAs, while not mandatory, NERC expects that these assets will likely be subject to responsible entity supply chain risk management plans required by proposed Reliability Standard CIP–013–1. Specifically, NERC asserts that “Responsible Entities may implement a single process for procuring products and services associated with their operational environments.” 26 NERC contends that “by requiring that entities implement supply chain cybersecurity risk management plans for high and medium impact BES Cyber Systems, those plans would likely also cover their low impact BES Cyber Systems.” 27 NERC also claims that responsible entities “may also use the same vendors for procuring PACS, EACMS, and PCAs as they do for their high and medium impact BES Cyber Systems such that the same security considerations may be addressed for those Cyber Assets.” 28

Proposed Reliability Standard CIP–013–1

16. NERC states that the focus of proposed Reliability Standard CIP–013–1 is on the steps that responsible entities take “to consider and address cybersecurity risks from vendor products and services during BES Cyber System planning and procurement.” 29 NERC explains that

fourth objectives outlined in Order No. 829.

17. NERC states that, consistent with the Commission’s FPA section 215 jurisdiction and Order No. 829, the proposed Reliability Standard applies only to responsible entities and does not directly impose obligations on suppliers, vendors, or other entities that provide products or services to responsible entities. NERC explains that the focus of the proposed Reliability Standard is on the steps responsible entities take to account for security issues during the planning and procurement phase of high and medium impact BES Cyber Systems. NERC also explains that any resulting obligation that a supplier, vendor, or other entity accepts in providing products or services to the responsible entity is a contractual matter between the responsible entity and third parties, which is outside the scope of the proposed Reliability Standard.

18. NERC explains that the term “vendor” is used broadly to refer to any person, company or other organization with whom the responsible entity, or an affiliate, contracts with to supply BES Cyber Systems and related services to the responsible entity. NERC states that the use of the term “vendor,” however, “was not intended to bring registered entities that provide reliability services to other registered entities as part of their functional obligations under NERC’s Reliability Standards (e.g., a Balancing Authority providing balancing services for registered entities in its Balancing Authority Area) within the scope of the proposed Reliability

20. NERC explains that, under Requirement R1 of this Reliability Standard, responsible entities would be required to have one or more processes to address, as applicable, the following baseline set of security concepts in their procurement activities for high and medium impact BES Cyber Systems: (1) Vendor security event notification processes (Part 1.2.1); (2) coordinated incident response activities (Part 1.2.2); (3) vendor personnel termination notification for employees with access to remote and onsite systems (Part 1.2.3); (4) product/services vulnerability disclosures (Part 1.2.4); (5) verification of software integrity and authenticity (Part 1.2.5); and (6) coordination of vendor remote access controls (Part 1.2.6). NERC states that the intent of Part 1.2 of Requirement R1 is not to require that every contract with a vendor include provisions for each of the listed items, but to ensure that these security items are an integrated part of procurement activities, such as a request for proposal or in the contract negotiation process.

21. NERC states that Requirement R2 mandates that each responsible entity implement its supply chain cybersecurity risk management plan. NERC explains that the actual terms and conditions of a procurement contract and vendor performance under a contract are outside the scope of proposed Reliability Standard CIP–013–1. NERC states that the focus of proposed Reliability Standard CIP–013–1 is “on the processes Responsible Entities implement to consider and address cyber security risks from vendor products or services during BES Cyber
                                                  proposed Reliability Standard CIP–013–
                                                                                                             Standards.’’ 31                                          System planning and procurement, not
                                                  1 does not require any specific controls
                                                                                                                19. NERC maintains that, consistent                   on the outcome of those
                                                  or mandate ‘‘one-size-fits-all’’
                                                                                                             with Order No. 829, responsible entities                 processes. . . .’’ 32 NERC maintains that
                                                  requirements due to the differences in
                                                                                                             need not apply their supply chain risk                   responsible entities must make a
                                                  needs and characteristics of responsible
                                                                                                             management plans to the acquisition of                   business decision on whether and how
                                                  entities and the diversity of bulk electric
                                                                                                             vendor products or services under                        to proceed with an acquisition after
                                                  system environments, technologies, and
                                                                                                             contracts executed prior to the effective                weighing the risks associated with a
                                                  risks. NERC states that the goal of the
                                                                                                             date of Reliability Standard CIP–013–1,                  vendor or product and making a good
                                                  proposed Reliability Standard is ‘‘to
                                                                                                             nor would such contracts need to be                      faith effort to include security controls
                                                  help ensure that responsible entities
                                                                                                             renegotiated or abrogated to comply                      in any agreement with a vendor, as
                                                  establish organizationally-defined
                                                                                                             with the proposed Reliability Standard.                  required by proposed Reliability
                                                  processes that integrate a cybersecurity
                                                                                                             In addition, NERC indicates that,                        Standard CIP–013–1. In addition, NERC
                                                  risk management framework into the
                                                                                                             consistent with the development of a                     states that vendor performance is
                                                  system development lifecycle.’’ 30 NERC
                                                                                                             forward looking Reliability Standard, if                 outside the scope of the proposed
                                                  explains that, among other things,
                                                                                                             entities are in the middle of                            Reliability Standards and, while NERC
                                                  proposed Reliability Standard
                                                                                                             procurement activities for an applicable                 expects responsible entities to enforce
                                                  CIP–013–1 addresses the risk associated
                                                                                                             product or service at the time of the                    the provisions of their contracts, ‘‘a
                                                  with information system planning, as
                                                                                                             effective date of proposed Reliability
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  well as vendor risk management and                                                                                  Responsible Entity should not be held
                                                                                                             Standard CIP–013–1, NERC would not                       responsible under the proposed
                                                  procurement controls, the third and
                                                                                                             expect entities to begin those activities                Reliability Standard for actions (or
                                                    25 Id.
                                                                                                             anew to implement their supply chain                     inactions) of the vendor.’’ 33
                                                             at 20.
                                                    26 Id.
                                                                                                             cybersecurity risk management plan to                       22. With regard to assessing
                                                    27 Id. at 19.
                                                                                                             comply with proposed Reliability                         compliance with proposed Reliability
                                                    28 Id. at 20.                                            Standard CIP–013–1.
                                                    29 Id. at 22.                                                                                                       32 Id.   at 27.
                                                    30 Id. at 23.                                              31 Id.   at 21.                                          33 Id.   at 28.
Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules 3437

Standard CIP–013–1, NERC states that NERC and Regional Entities would focus on whether responsible entities: (1) Developed processes reasonably designed to (i) identify and assess risks associated with vendor products and services in accordance with Part 1.1 and (ii) ensure that the security items listed in Part 1.2 are an integrated part of procurement activities; and (2) implemented those processes in good faith. NERC explains that NERC and Regional Entities will evaluate the steps a responsible entity took to assess risks posed by a vendor and associated products or services and, based on that risk assessment, the steps the entity took to mitigate those risks, including the negotiation of security provisions in its agreements with the vendor.
    23. Finally, NERC explains that Requirement R3 requires a responsible entity to review and obtain the CIP Senior Manager’s approval of its supply chain risk management plan at least once every 15 calendar months in order to ensure that the plan remains up-to-date.

Proposed Modifications in Reliability Standard CIP–005–6

    24. Proposed Reliability Standard CIP–005–6 includes two new parts, Parts 2.4 and 2.5, to address vendor remote access, which is the second objective discussed in Order No. 829. NERC explains that the new parts work in tandem with proposed Reliability Standard CIP–013–1, Requirement R1.2.6, which requires responsible entities to address Interactive Remote Access and system-to-system remote access when procuring industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. NERC states that proposed Reliability Standard CIP–005–6, Requirement R2.4 requires one or more methods for determining active vendor remote access sessions, including Interactive Remote Access and system-to-system remote access. NERC explains that the security objective of Requirement R2.4 is to provide awareness of all active vendor remote access sessions, both Interactive Remote Access and system-to-system remote access, that are taking place on a responsible entity’s system.
    25. NERC maintains that proposed Reliability Standard CIP–005–6, Requirement R2.5 requires one or more methods to disable active vendor remote access, including Interactive Remote Access and system-to-system remote access. NERC explains that the security objective of Requirement R2.5 is to provide the ability to disable active remote access sessions in the event of a system breach. In addition, NERC explains that Requirement R2 was modified to only reference Interactive Remote Access where appropriate. Specifically, Requirements R2.1, R2.2, and R2.3 apply to Interactive Remote Access only, while Requirements R2.4 and R2.5 apply both to Interactive Remote Access and system-to-system remote access.

Proposed Modifications in Reliability Standard CIP–010–3

    26. Proposed Reliability Standard CIP–010–3 includes a new part, Part 1.6, to address software integrity and authenticity, the first objective addressed in Order No. 829, by requiring the identification of the publisher and confirming the integrity of all software and patches. NERC explains that proposed Reliability Standard CIP–010–3, Requirement R1.6 requires responsible entities to verify software integrity and authenticity in the operational phase, if the software source provides a method to do so. Specifically, NERC states that proposed Reliability Standard CIP–010–3, Requirement R1.6 requires that responsible entities must verify the identity of the software source and the integrity of the software obtained by the software sources prior to installing software that changes established baseline configurations, when methods are available to do so. NERC asserts that the security objective of proposed Requirement R1.6 is to ensure that the software being installed in the BES Cyber System was not modified without the awareness of the software supplier and is not counterfeit. NERC contends that these steps help reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System.

BOT Resolutions

    27. In the petition, NERC states that in conjunction with the adoption of the proposed Reliability Standards, on August 10, 2017, the BOT adopted resolutions regarding supply chain risk management. In particular, the BOT requested that NERC management, in collaboration with appropriate NERC technical committees, industry representatives, and appropriate experts, including representatives of industry vendors, further study the nature and complexity of cyber security supply chain risks, including risks associated with low impact assets not currently subject to the proposed supply chain risk management Reliability Standards. The BOT further requested NERC to develop recommendations for follow-up actions that will best address any issues identified. Finally, the BOT requested that NERC management provide an interim progress report no later than 12 months after the adoption of these resolutions and a final report no later than 18 months after the adoption of the resolutions. In its petition, NERC states that “over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard.”[34]

Implementation Plan

    28. NERC’s proposed implementation plan provides that the proposed Reliability Standards become effective on the first day of the first calendar quarter that is 18 months after the effective date of a Commission order approving them. NERC states that the proposed implementation period is designed to afford responsible entities sufficient time to develop and implement their supply chain cybersecurity risk management plans required under proposed Reliability Standard CIP–013–1 and implement the new controls required in proposed Reliability Standards CIP–005–6 and CIP–010–3.

II. Discussion

    29. Pursuant to section 215(d)(2) of the FPA, the Commission proposes to approve supply chain risk management Reliability Standards CIP–013–1, CIP–005–6 and CIP–010–3 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. The proposed Reliability Standards will enhance existing protections for bulk electric system reliability by addressing the four objectives set forth in Order No. 829: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.
    30. The proposed Reliability Standards address the four objectives discussed in Order No. 829. Proposed Reliability Standard CIP–013–1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.

[34] Id. at 20–21.
[[Page 3438]]

The required plans must address, as applicable, a baseline set of six security concepts: Vendor security event notification; coordinated incident response; vendor personnel termination notification; product/services vulnerability disclosures; verification of software integrity and authenticity; and coordination of vendor remote access controls. Proposed Reliability Standard CIP–005–6 addresses vendor remote access by creating two new requirements: for determining active vendor remote access sessions and for having one or more methods to disable active vendor remote access sessions. Proposed Reliability Standard CIP–010–3 addresses software authenticity and integrity by creating a new requirement that responsible entities verify the identity of the software source and the integrity of the software obtained from the software source prior to installing software that changes established baseline configurations, when methods are available to do so. Taken together, the proposed Reliability Standards constitute substantial progress in addressing the supply chain cyber security risks identified in Order No. 829.
    31. While the Commission proposes to approve the proposed Reliability Standards, certain cyber security risks associated with the supply chain for BES Cyber Systems may not be adequately addressed by the NERC proposal. In particular, as discussed below, the Commission is concerned with the exclusion of EACMS, PACS, and PCAs from the scope of the proposed Reliability Standards.[35] To address this risk, pursuant to section 215(d)(5) of the FPA, the Commission proposes that NERC develop modifications to the CIP Reliability Standards to include EACMS within the scope of the supply chain risk

risks and filing of the study’s interim and final reports with the Commission; and (C) NERC’s proposed implementation plan.

A. Inclusion of EACMS in CIP Reliability Standards

    33. The proposed Reliability Standards only apply to medium and high impact BES Cyber Systems; they do not apply to low impact BES Cyber Systems or Cyber Assets associated with medium and high impact BES Cyber Systems (i.e., EACMS, PACS, and PCAs). The BOT-requested study on cyber security supply chain risks will examine the risks posed by low impact BES Cyber Systems and, as discussed in the following section, we believe it is appropriate to await the outcome of that study’s final report before considering whether low impact BES Cyber Systems should be addressed in the supply chain risk management Reliability Standards.
    34. With respect to Cyber Assets associated with medium and high impact BES Cyber Systems, and EACMS in particular, we propose further action than what is requested in the BOT resolutions.[36] As explained in current Reliability Standard CIP–002–5.1a, BES Cyber Systems have associated Cyber Assets, which, if compromised, pose a threat to the BES Cyber System by virtue of: (1) Their location within the Electronic Security Perimeter (i.e., PCAs), or (2) the security control function they perform (i.e., EACMS and PACS).[37] EACMS support BES Cyber Systems and are part of the network and security architecture that allow BES Cyber Systems to work as intended by performing electronic access control or electronic access monitoring of the Electronic Security Perimeter (ESP) or BES Cyber Systems.
    35. Since EACMS support and enable BES Cyber System operation, misoperation and unavailability of

control of the BES Cyber System or PCA. An attacker does not need physical access to the facility housing a BES Cyber System in order to gain access to a BES Cyber System or PCA via an EACMS compromise. By contrast, compromise of PACS, which could potentially grant an attacker physical access to a BES Cyber System, requires physical access. Further, PCAs typically become vulnerable to remote compromise once EACMS have been compromised. Therefore, EACMS represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP.
    36. Currently-effective Reliability Standard CIP–010–2 applies to EACMS and the modifications proposed in Reliability Standard CIP–010–3 maintain the current coverage of EACMS, except for new Part 1.6 of Requirement R1, which addresses software integrity and authenticity. Moreover, NERC’s petition acknowledges that requirements in the existing CIP Reliability Standards “require Responsible Entities to apply certain protections to PACS, EACMS, and PCAs, given their association with BES Cyber Systems either by function or location.”[38] This statement suggests a recognition by NERC that EACMS, PACS, and PCAs warrant certain protections. We agree with NERC’s statement, but we believe that the most important focus is on EACMS for the reasons described above.
    37. In addition, while EACMS is a term unique to NERC-developed Reliability Standards, it is widely recognized that the types of access and monitoring functions that are included within NERC’s definition of EACMS, such as firewalls, are integral to protecting industrial control systems. For example, the Department of Homeland Security’s Industrial Control
                                                  management Reliability Standards. In                                                                           Systems Cyber Emergency Response
                                                                                                          EACMS that support a given BES Cyber
                                                  addition, the Commission proposes to                                                                           Team (ICS–CERT) identifies firewalls as
                                                                                                          System could also contribute to
                                                  direct NERC to evaluate the cyber                                                                              ‘‘the first line of defense within an ICS
                                                                                                          misoperation of a BES Cyber System or
                                                  security supply chain risks presented by                render it unavailable, which could                     network environment’’ that ‘‘keep the
                                                  PACS and PCAs in the cyber security                     adversely affect bulk electric system                  intruder out while allowing the
                                                  supply chain risks study requested by                   reliability. EACMS control electronic                  authorized passage of data necessary to
                                                  the BOT. The Commission further                         access, including interactive remote                   run the organization.’’ 39 ICS–CERT
                                                  proposes to direct NERC to file the BOT-                access, into the ESP that protects high                further explains that firewalls ‘‘act as
                                                  requested study’s interim and final                     and medium impact BES Cyber
                                                  reports with the Commission upon their                  Systems. One function of electronic
                                                                                                                                                                   38 NERC    Petition at 19.
                                                  completion.                                             access control is to prevent malware or
                                                                                                                                                                   39 ICS–CERT,     Recommended Practice: Improving
                                                     32. Below, we discuss the following                                                                         Industrial Control System Cybersecurity with
                                                                                                          malicious actors from gaining access to                Defense-in-Depth Strategies, at 23 (September
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  issues: (A) Inclusion of EACMS in the                   the BES Cyber Systems and PCAs                         2016), https://ics-cert.us-cert.gov/sites/default/files/
                                                  supply chain risk management                            within the ESP. Once an EACMS is                       recommended_practices/NCCIC_ICS-CERT_
                                                  Reliability Standards; (B) inclusion of                 compromised, the attacker may gain
                                                                                                                                                                 Defense_in_Depth_2016_S508C.pdf. See also NIST,
                                                  PACS and PCAs in the BOT-requested                                                                             Guide to Industrial Control Systems (ICS) Security,
                                                                                                                                                                 NIST Special Publication 800–82, Revision 2, at
                                                  study on cyber security supply chain                      36 We address PACS and PCAs in the following         Section 5 (ICS Security Architecture) (May 2015)
                                                                                                          section.                                               (discussing importance of technologies and
                                                    35 As we noted previously, the only exceptions          37 Reliability Standard CIP–002–5.1a (Cyber          strategies, including firewalls, to secure industrial
                                                  are the modifications in proposed Reliability           Security—BES Cyber System Categorization),             control systems), http://nvlpubs.nist.gov/nistpubs/
                                                  Standard CIP–005–6, which apply to PCAs.                Background at 6.                                       SpecialPublications/NIST.SP.800-82r2.pdf.




sentinels, or gatekeepers, between zones . . . [and] [w]hen properly configured, they will only let essential traffic cross security boundaries[,] . . . [i]f they are not properly configured, they could easily pass unauthorized or malicious users or content.” Accordingly, if EACMS are compromised, that could adversely affect the reliable operation of associated BES Cyber Systems.
    38. NERC explains that the standard drafting team chose to limit the scope of the proposed Reliability Standards to medium and high impact BES Cyber Systems, but not their associated Cyber Assets (e.g., EACMS), in order not to “divert resources from protecting medium and high BES Cyber Systems.” \40\ As noted above, EACMS include “authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems” that are integral to the security of the medium and high impact BES Cyber Systems to which they are associated.\41\ While NERC states that it will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS, and PCAs necessitate further consideration for inclusion in a mandatory Reliability Standard, in view of the discussion above, we propose to determine that a sufficient basis currently exists to include EACMS associated with medium and high impact BES Cyber Systems in the supply chain risk management Reliability Standards.
    39. Accordingly, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. The Commission seeks comment on this proposal.

B. BOT-Requested Cyber Security Supply Chain Risks Study

    40. As discussed above, we believe it is appropriate to await the findings from the BOT-requested study on cyber security supply chain risks before considering whether low impact BES Cyber Systems should be addressed in the supply chain risk management Reliability Standards.
    41. We note that while the BOT resolutions explicitly stated that the BOT-requested study should examine the risks posed by low impact BES Cyber Systems, the BOT resolutions did not identify PACS and PCAs as subjects of the study. However, NERC's petition suggests that NERC will be evaluating PACS and PCAs as part of the BOT-requested study.\42\
    42. While many of the concerns expressed in the previous section with respect to the risks posed by EACMS also apply to varying degrees to PACS and PCAs, we propose to direct NERC, consistent with the representation made in NERC's petition, to include PACS and PCAs in the BOT-requested study and to await the findings of the study's final report before considering further action. We distinguish among EACMS and the other Cyber Assets because, for example, a compromise of a PACS, which would potentially grant an attacker physical access to a BES Cyber System or PCA, is less likely since physical access is also required. Therefore, while we believe that EACMS require immediate action, because they represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP, possible action on other Cyber Assets can await completion of the BOT-requested study's final report.
    43. In addition to proposing to direct NERC to include PACS and PCAs in the BOT-requested study, we propose to direct that NERC file the study's interim and final reports with the Commission upon their completion. The Commission seeks comment on these proposals.

C. Implementation Plan

    44. The 18-month implementation period proposed by NERC does not appear to be justified based on the anticipated effort required to develop and implement a supply chain risk management plan.\43\ While NERC maintains that the proposed implementation period is “designed to afford responsible entities sufficient time to develop and implement their supply chain cybersecurity risk management plans required under proposed Reliability Standard CIP–013–1 and implement the new controls required in proposed Reliability Standards CIP–005–6 and CIP–010–3,” \44\ the security objectives of the proposed Reliability Standards are process-based and do not prescribe technology that might justify an extended implementation period. Instead, we propose that the proposed Reliability Standards become effective the first day of the first calendar quarter that is 12 months following the effective date of a Commission order approving the Reliability Standards. Our proposed implementation period is reasonable, given the nature of the requirements in the proposed Reliability Standards, and provides enhanced security for the bulk electric system in a timelier manner. We seek comment on this proposal.

III. Information Collection Statement

    45. The FERC–725B information collection requirements contained in this notice of proposed rulemaking are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.\45\ OMB's regulations require approval of certain information collection requirements imposed by agency rules.\46\ Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission's need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents' burden, including the use of automated information techniques.
    46. The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by the newly proposed CIP Reliability Standard CIP–013–1 and the proposed revisions to CIP Reliability Standard CIP–005–6 and CIP–010–3 as compared to the current Commission-approved Reliability Standards CIP–005–5 and CIP–010–2, respectively. As discussed above, the notice of proposed rulemaking addresses several areas of the CIP Reliability Standards through proposed Reliability Standard CIP–013–1, Requirements R1, R2, and R3. Under Requirement R1, responsible entities
---------------------------------------------------------------------------

    \40\ Id. at 20.
    \41\ Reliability Standard CIP–002–5.1a (Cyber Security—BES Cyber System Categorization), Section A.6 at 6.
    \42\ NERC Petition at 21 (“over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS, and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard”).
    \43\ The 18-month implementation plan proposed by NERC may be longer given NERC's request that the effective date of the proposed Reliability Standards falls on the first day of the first calendar quarter that is 18 months after the effective date of a Commission order approving the proposed Reliability Standards.
    \44\ NERC Petition at 35.
    \45\ 44 U.S.C. 3507(d).
    \46\ 5 CFR 1320.11.
---------------------------------------------------------------------------





would be required to have one or more processes to address the following baseline set of security concepts, as applicable, in their procurement activities for high and medium impact BES Cyber Systems: (1) Vendor security event notification processes (Part 1.2.1); (2) coordinated incident response activities (Part 1.2.2); (3) vendor personnel termination notification for employees with access to remote and onsite systems (Part 1.2.3); (4) product/services vulnerability disclosures (Part 1.2.4); (5) verification of software integrity and authenticity (Part 1.2.5); and (6) coordination of vendor remote access controls (Part 1.2.6). Requirement R2 mandates that each responsible entity implement its supply chain cybersecurity risk management plan. Requirement R3 requires a responsible entity to review and obtain the CIP Senior Manager's approval of its supply chain risk management plan at least once every 15 calendar months in order to ensure that the plan remains up-to-date.
    47. Separately, proposed Reliability Standard CIP–005–6, Requirement R2.4 requires one or more methods for determining active vendor remote access sessions, including Interactive Remote Access and system-to-system remote access. Proposed Reliability Standard CIP–005–6, Requirement R2.5 requires one or more methods to disable active vendor remote access, including Interactive Remote Access and system-to-system remote access. Proposed Reliability Standard CIP–010–3, Requirement R1.6 requires responsible entities to verify software integrity and authenticity in the operational phase, if the software source provides a method to do so.
    48. The NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 288 entities will face an increased paperwork burden under proposed Reliability Standards CIP–013–1, CIP–005–6, and CIP–010–3. Based on these assumptions, we estimate the following reporting burden:

                                                        RM17–13–000 NOPR
          [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]
------------------------------------------------------------------------------------------------------------------------------------------
                                                            Annual                                           Total annual
                                               Number of    number of   Total number   Average burden and    burden hours and        Cost per
                                             respondents    responses   of responses   cost per response     total annual cost   respondent ($)
                                                            per                        \47\
                                                            respondent
                                                     (1)          (2)   (1)*(2)=(3)                   (4)        (3)*(4)=(5)          (5) ÷ (1)
------------------------------------------------------------------------------------------------------------------------------------------
Create supply chain risk management plan         288            1            288   546 hrs.; $44,772    157,248 hrs.;                  44,772
  (one-time) \48\ (CIP–013–1 R1).                                                                       $12,894,336.
Updates and reviews of supply chain risk         288            1            288   30 hrs.; $2,460      8,640 hrs.;                     2,460
  management plan (ongoing) \49\ (CIP–013–1                                                             $708,480.
  R2).
Develop procedures to update remote access       288            1            288   50 hrs.; $4,100      14,400 hrs.;                    4,100
  requirements (one time) (CIP–005–6 R1–R4).                                                            $1,180,800.
Develop procedures for software integrity        288            1            288   50 hrs.; $4,100      14,400 hrs.;                    4,100
  and authenticity requirements (one time)                                                              $1,180,800.
  (CIP–010–3 R1–R4).
------------------------------------------------------------------------------------------------------------------------------------------
    Total (one-time) ..................      ..........   ..........          864   ..................   186,048 hrs.;            ..........
                                                                                                        $15,255,936.
    Total (ongoing) ...................      ..........   ..........          288   ..................   8,640 hrs.;              ..........
                                                                                                        $708,340.
------------------------------------------------------------------------------------------------------------------------------------------



   The one-time burden of 186,048 hours will be averaged over three years (186,048 hours ÷ 3 = 62,016 hours/year over three years). The ongoing burden of 8,640 hours applies to only Years 2 and beyond. The number of responses is also averaged over three years ((864 responses (one-time) + 288 responses (Year 2) + 288 responses (Year 3)) ÷ 3 = 480 responses). The responses and burden for Years 1–3 will total respectively as follows:
   Year 1: 480 responses; 62,016 hours
   Year 2: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours
   Year 3: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours
   49. The following shows the annual cost burden for each year, based on the burden hours in the table above:
   • Year 1: $15,255,936
   • Years 2 and beyond: $708,480
   • The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to: (1) developing the supply chain risk management plan; (2) updating the procedures related to remote access requirements; (3) developing the procedures related to software integrity and authenticity. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to plan and procedure development, while costs in years 2 and 3 will reflect the burden associated with maintaining the SCRM plan and modifying it as necessary on a 15 month basis.

   47 The loaded hourly wage figure (includes benefits) is based on the average of the occupational categories for 2016 found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
   Legal (Occupation Code: 23–0000): $143.68.
   Information Security Analysts (Occupation Code: 15–1122): $66.34.
   Computer and Information Systems Managers (Occupation Code: 11–3021): $100.68.
   Management (Occupation Code: 11–0000): $81.52.
   Electrical Engineer (Occupation Code: 17–2071): $68.12.
   Management Analyst (Occupation Code: 43–0000): $63.49.
   These various occupational categories are weighted as follows: [($81.52)(.10) + $66.34(.315) + $68.12(.02) + $143.68(.15) + $100.68(.10) + $63.49(.315)] = $82.03. The figure is rounded to $82.00 for use in calculating wage figures in this NOPR.
   48 One-time burdens apply in Year One only.
   49 Ongoing burdens apply in Year 2 and beyond.



   50. Title: Mandatory Reliability Standards, Revised Critical Infrastructure Protection Reliability Standards.
   Action: Proposed Collection FERC–725B.
   OMB Control No.: 1902–0248.
   Respondents: Businesses or other for-profit institutions; not-for-profit institutions.
   Frequency of Responses: On Occasion.
   Necessity of the Information: This notice of proposed rulemaking proposes to approve the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission proposes to approve NERC’s proposed CIP Reliability Standards CIP–013–1, CIP–005–6, and CIP–010–3 pursuant to section 215(d)(2) of the FPA because they improve upon the currently-effective suite of cyber security CIP Reliability Standards.
   Internal Review: The Commission has reviewed the proposed Reliability Standards and made a determination that its action is necessary to implement section 215 of the FPA.
   51. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, e-mail: DataClearance@ferc.gov, phone: (202) 502–8663, fax: (202) 273–0873].
   52. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395–4638, fax: (202) 395–7285]. For security reasons, comments to OMB should be submitted by e-mail to: oira_submission@omb.eop.gov. Comments submitted to OMB should include Docket Number RM17–13–000.

IV. Environmental Analysis

   53. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.50 The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.51 The actions proposed herein fall within this categorical exclusion in the Commission’s regulations.

V. Regulatory Flexibility Act Analysis

   54. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of proposed rules that will have significant economic impact on a substantial number of small entities.52 The Small Business Administration’s (SBA) Office of Size Standards develops the numerical definition of a small business.53 The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).54
   55. Proposed Reliability Standards CIP–013–1, CIP–005–6, CIP–010–3 are expected to impose an additional burden on 288 entities55 (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, and transmission owners).
   56. Of the 288 affected entities discussed above, we estimate that approximately 248 or 86.2 percent of the affected entities are small entities. We estimate that each of the 248 small entities to whom the proposed modifications to Reliability Standards CIP–013–1, CIP–005–6, CIP–010–3 apply will incur one-time costs of approximately $52,972 per entity to implement the proposed Reliability Standards, as well as the ongoing paperwork burden reflected in the Information Collection Statement (approximately $2,460 per year per entity). We do not consider the estimated costs for these 248 small entities to be a significant economic impact. Accordingly, we certify that proposed Reliability Standards CIP–013–1, CIP–005–6, and CIP–010–3 will not have a significant economic impact on a substantial number of small entities.

VI. Comment Procedures

   57. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due March 26, 2018. Comments must refer to Docket No. RM17–13–000, and must include the commenter’s name, the organization they represent, if applicable, and address.
   58. The Commission encourages comments to be filed electronically via the eFiling link on the Commission’s web site at http://www.ferc.gov. The Commission accepts most standard word processing formats. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing.
   59. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.
   60. All comments will be placed in the Commission’s public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters.

VII. Document Availability

   61. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission’s Home Page (http://www.ferc.gov) and in the Commission’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426.
   62. From the Commission’s Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field.
   63. User assistance is available for eLibrary and the Commission’s website during normal business hours from the

   50 Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
   51 18 CFR 380.4(a)(2)(ii).
   52 5 U.S.C. 601–12.
   53 13 CFR 121.101.
   54 13 CFR 121.201, Subsection 221.
   55 Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this NOPR, we are using a 500 employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).



Commission’s Online Support at (202) 502–6652 (toll free at 1–866–208–3676) or e-mail at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. E-mail the Public Reference Room at public.referenceroom@ferc.gov.

   By direction of the Commission. Commissioner LaFleur is concurring with a separate statement attached.
   Issued: January 18, 2018.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

Attachment

LaFLEUR, Commissioner concurring:

   In today’s order, the Commission proposes to approve the supply chain risk management standards filed by the North American Electric Reliability Corporation (NERC), and direct certain modifications to those standards. I write separately to explain my vote in support of today’s order, given my dissent on the Commission order that directed the development of these standards.1
   As I stated in my dissent, I shared the Commission’s concern about supply chain threats and supported continued Commission attention to those threats. Indeed, I remain concerned that the supply chain is a significant cyber vulnerability for the bulk power system. However, I believed that the Commission was proceeding too quickly to require a supply chain standard, without having sufficiently worked with NERC, industry, and other stakeholders on how to design an effective, auditable, and enforceable standard. In my view, the directive that resulted was insufficiently developed and created a risk that needed protections against supply threats would be delayed, due in large part to the nature of the NERC standards process.
   Given the limited guidance and timeline provided by the Commission in Order No. 829, the proposed standards are, unsurprisingly, quite general, focusing

   not the same as it was in July 2016. I acknowledge that a significant amount of time and effort have been committed to the development of these standards in response to a duly voted Commission order. Most importantly, I agree that they are an improvement over the status quo. I do not believe that remanding these standards or the larger supply chain issue to the NERC standards process would be a prudent step at this point. Rather, I believe the better course of action at this time is to move forward with these standards and, assuming the Commission ultimately proceeds to Final Rule, improve them over time as needed.
   In that regard, I believe the Commission is appropriately proposing to direct a modification to the proposed standards to address an identified reliability gap regarding Electronic Access Control and Monitoring Systems. I also support the proposal to require NERC to include Physical Access Controls and Protected Cyber Assets within its ongoing assessment of the supply chain risks posed by low-impact Bulk Electric System Cyber Systems, which will help the Commission and NERC determine whether further revisions to the standards are needed.
   More so than with most standards, I believe that whether these standards are effective will only reveal itself over time as we gain additional experience with them. I am therefore particularly interested in feedback from commenters on how the Commission, NERC, and industry should assess these standards, including any reporting obligations that might be appropriate.3 In addition, given the very general process-oriented nature of the standard, I also support the proposal to shorten the implementation date for the new standards. If ultimately adopted, the revised deadline will allow industry, NERC, and the Commission to put the standards in place sooner while continuing to evaluate how best to protect the bulk power system against


DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

21 CFR Part 1

[Docket No. FDA–2011–N–0143]

Foreign Supplier Verification Programs for Importers of Food for Humans and Animals: What You Need To Know About the Food and Drug Administration Regulation; Small Entity Compliance Guide; Availability

AGENCY: Food and Drug Administration, HHS.

ACTION: Notification of availability.

SUMMARY: The Food and Drug Administration (FDA, the Agency, or we) is announcing the availability of a guidance for industry entitled “Foreign Supplier Verification Programs for Importers of Food for Humans and Animals: What You Need to Know About the FDA Regulation; Small Entity Compliance Guide.” The small entity compliance guide (SECG) is intended to help small entities comply with the final rule entitled “Foreign Supplier Verification Programs for Importers of Food for Humans and Animals.”

DATES: The announcement of the guidance is published in the Federal Register on January 25, 2018.

ADDRESSES: You may submit either electronic or written comments on Agency guidances at any time as follows:

Electronic Submissions

   Submit electronic comments in the following way:
   • Federal eRulemaking Portal: https://www.regulations.gov. Follow the
                                                  primarily ‘‘on the processes Responsible
                                                  Entities implement to consider and address              supply chain threats.                                  instructions for submitting comments.
                                                  cyber security risks from vendor products or               For these reasons, I respectfully concur.           Comments submitted electronically,
                                                  services during BES Cyber System planning               Cheryl A. LaFleur,                                     including attachments, to https://
                                                  and procurement, not on the outcome of                  Commissioner.                                          www.regulations.gov will be posted to
                                                  those processes . . .’’ 2 The proposed
                                                  standards would provide significant                     [FR Doc. 2018–01247 Filed 1–24–18; 8:45 am]            the docket unchanged. Because your
                                                  flexibility to registered entities to determine         BILLING CODE 6717–01–P
                                                                                                                                                                 comment will be made public, you are
                                                  how best to comply with their requirements.                                                                    solely responsible for ensuring that your
                                                  In my view, that flexibility presents both                                                                     comment does not include any
                                                  potential risks and benefits. It could allow                                                                   confidential information that you or a
                                                  effective, adaptable approaches to flourish, or                                                                third party may not wish to be posted,
                                                  allow compliance plans that meet the letter                                                                    such as medical information, your or
                                                  of the standards but do not effectively
                                                                                                                                                                 anyone else’s Social Security number, or
                                                  address supply chain threats. I hope that we
                                                  will see more of the former, but I believe the                                                                 confidential business information, such
                                                  Commission, NERC, and the Regional                                                                             as a manufacturing process. Please note
                                                                                                                                                                 that if you include your name, contact
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  Entities should closely monitor
                                                  implementation if the standards are                                                                            information, or other information that
                                                                                                            3 I note that NERC has also developed draft
                                                  ultimately approved.                                                                                           identifies you in the body of your
                                                     In voting for today’s order, I recognize that        implementation guidance that provides additional
                                                                                                                                                                 comments, that information will be
                                                  the choice before the Commission today is               detail regarding possible compliance approaches.
                                                                                                          As NERC and the Regional Entities gain additional
                                                                                                                                                                 posted on https://www.regulations.gov.
                                                    1 Revised Critical Infrastructure Protection          experience with assessing compliance under these
                                                                                                                                                                   • If you want to submit a comment
                                                  Reliability Standards, Order No. 829, 156 FERC ¶        standards, updating this implementation guidance       with confidential information that you
                                                  61,050 (2016) (LaFleur, Comm’r, dissenting).            could be an effective approach for quickly             do not wish to be made available to the
                                                    2 NERC Petition at 27.                                disseminating best practices and lessons learned.      public, submit the comment as a





Document Created: 2018-01-25 08:50:32
Document Modified: 2018-01-25 08:50:32
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Proposed Rules
Action: Notice of proposed rulemaking.
Dates: Comments are due March 26, 2018.
Contact: Simon Slobodnik (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707, [email protected]; Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, [email protected]
FR Citation: 83 FR 3433
