83 FR 3433 - Supply Chain Risk Management Reliability Standards
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission Federal Register Volume 83, Issue 17 (January 25, 2018)
Federal Energy Regulatory Commission
Federal Register Volume 83, Issue 17 (January 25, 2018)
| Page Range | 3433-3442 | |
| FR Document | 2018-01247 |
[Federal Register Volume 83, Number 17 (Thursday, January 25, 2018)] [Proposed Rules] [Pages 3433-3442] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-01247] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM17-13-000] Supply Chain Risk Management Reliability Standards AGENCY: Federal Energy Regulatory Commission, Department of Energy. ACTION: Notice of proposed rulemaking. ----------------------------------------------------------------------- SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes to approve supply chain risk management Reliability Standards CIP-013-1 (Cyber Security--Supply Chain Risk Management), CIP-005-6 (Cyber Security--Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security--Configuration Change Management and Vulnerability [[Page 3434]] Assessments). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization, submitted the proposed Reliability Standards for Commission approval in response to a Commission directive. In addition, the Commission proposes that NERC develop and submit certain modifications to the supply chain risk management Reliability Standards. DATES: Comments are due March 26, 2018. ADDRESSES: Comments, identified by docket number, may be filed in the following ways:Electronic Filing through http://www.ferc.gov. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Mail/Hand Delivery: Those unable to file electronically may mail or hand-deliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426. Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Comment Procedures Section of this document. FOR FURTHER INFORMATION CONTACT: Simon Slobodnik (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707, [email protected]. Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, [email protected]. SUPPLEMENTARY INFORMATION: 1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),\1\ the Commission proposes to approve supply chain risk management Reliability Standards CIP-013-1 (Cyber Security--Supply Chain Risk Management), CIP-005-6 (Cyber Security--Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security--Configuration Change Management and Vulnerability Assessments). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted the proposed Reliability Standards for Commission approval in response to a Commission directive in Order No. 829.\2\ The proposed Reliability Standards are intended to augment the currently-effective CIP Reliability Standards to mitigate cybersecurity risks associated with the supply chain for BES Cyber Systems.\3\ --------------------------------------------------------------------------- \1\ 16 U.S.C. 824o(d)(2). \2\ Revised Critical Infrastructure Protection Reliability Standards, Order No. 829, 156 FERC ] 61,050, at P 43 (2016). \3\ BES Cyber System is defined as ``[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.'' Glossary of Terms Used in NERC Reliability Standards (NERC Glossary), http://www.nerc.com/files/glossary_of_terms.pdf. The acronym BES refers to the bulk electric system. --------------------------------------------------------------------------- 2. As the Commission previously recognized, the global supply chain provides the opportunity for significant benefits to customers, including low cost, interoperability, rapid innovation, a variety of product features and choice.\4\ However, the global supply chain also enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may result in risks to end users. Supply chain risks may include the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices. We propose to determine that the supply chain risk management Reliability Standards submitted by NERC constitute substantial progress in addressing the supply chain cyber security risks identified by the Commission. --------------------------------------------------------------------------- \4\ Revised Critical Infrastructure Protection Reliability Standards, Notice of Proposed Rulemaking, 80 FR 43354 (July, 22, 2015), 152 FERC ] 61,054, at PP 61-62 (2015). --------------------------------------------------------------------------- 3. The Commission also proposes to approve the proposed Reliability Standards' associated violation risk factors and violation severity levels. With respect to the proposed Reliability Standards' implementation plan and effective date, the Commission proposes to reduce the implementation period from the first day of the first calendar quarter that is 18 months following the effective date of a Commission order approving the proposed Reliability Standards, as proposed by NERC, to the first day of the first calendar quarter that is 12 months following the effective date of a Commission order. 4. While the Commission proposes to determine that the proposed Reliability Standards address most aspects of the Commission's directive in Order No. 829, there remains a significant cyber security risk associated with the supply chain for BES Cyber Systems because the proposed Reliability Standards exclude Electronic Access Control and Monitoring Systems (EACMS),\5\ Physical Access Control Systems (PACS),\6\ and Protected Cyber Assets (PCAs),\7\ with the exception of the modifications in proposed Reliability Standard CIP-005-6, which apply to PCAs. To address this gap, pursuant to section 215(d)(5) of the FPA,\8\ the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards.\9\ In addition, the Commission proposes to direct NERC to evaluate the cyber security supply chain risks presented by PACS and PCAs in the study of cyber security supply chain risks requested by the NERC Board of Trustees (BOT) in its resolutions of August 10, 2017.\10\ The Commission further proposes to direct NERC to file the BOT-requested study's interim and final reports with the Commission upon their completion. --------------------------------------------------------------------------- \5\ EACMS are defined as ``Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.'' NERC Glossary. Reliability Standard CIP-002- 5.1a (Cyber Security--BES Cyber System Categorization) states that examples of EACMS include ``Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems.'' Reliability Standard CIP-002-5.1a (Cyber Security--BES Cyber System Categorization) Section A.6 at 6. \6\ PACS are defined as ``Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.'' NERC Glossary. Reliability Standard CIP-002-5.1a states that examples include ``authentication servers, card systems, and badge control systems.'' Id. \7\ PCAs are defined as ``[o]ne or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same [Electronic Security Perimeter].'' NERC Glossary. Reliability Standard CIP-002-5.1a states that examples include, to the extent they are within the Electronic Security Perimeter, ``file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems.'' Id. \8\ 16 U.S.C. 824o(d)(5). \9\ Reliability Standard CIP-002-5.1a (Cyber Security System Categorization) provides a ``tiered'' approach to cybersecurity requirements, based on classifications of high, medium and low impact BES Cyber Systems. \10\ Proposed Additional Resolutions for Agenda Item 9.a: Cyber Security--Supply Chain Risk Management--CIP-005-6, CIP-010-3, and CIP-013-1 (August 10, 2017), http://www.nerc.com/gov/bot/Agenda%20highlights%20and%20Mintues%202013/Proposed%20Resolutions%20re%20Supply%20Chain%20Follow-Up%20v2.pdf. --------------------------------------------------------------------------- [[Page 3435]] I. Background A. Section 215 and Mandatory Reliability Standards 5. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.\11\ Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,\12\ and subsequently certified NERC.\13\ --------------------------------------------------------------------------- \11\ 16 U.S.C. 824o(e). \12\ Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ] 31,204, order on reh'g, Order No. 672-A, FERC Stats. & Regs. ] 31,212 (2006). \13\ North American Electric Reliability Corp., 116 FERC ] 61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). --------------------------------------------------------------------------- B. Order No. 829 6. In Order No. 829, the Commission directed NERC to develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware, software and computing and networking services associated with bulk electric system operations.\14\ Specifically, the Commission directed NERC to develop a forward-looking, objective-based Reliability Standard that would require responsible entities to develop and implement a plan with supply chain management security controls focused on four security objectives: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.\15\ --------------------------------------------------------------------------- \14\ Order No. 829, 156 FERC ] 61,050 at P 43. \15\ Id. P 45. --------------------------------------------------------------------------- 7. The Commission explained that the first objective, verification of software integrity and authenticity, is intended to reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System.\16\ --------------------------------------------------------------------------- \16\ Id. P 49. --------------------------------------------------------------------------- 8. With respect to the second objective, vendor remote access, the Commission stated that the objective is intended to address the threat that vendor credentials could be stolen and used to access a BES Cyber System without the responsible entity's knowledge, as well as the threat that a compromise at a trusted vendor could traverse over an unmonitored connection into a responsible entity's BES Cyber System.\17\ --------------------------------------------------------------------------- \17\ Id. P 52. --------------------------------------------------------------------------- 9. For the third objective, information system planning, Order No. 829 indicated that the objective is intended to address the risk that responsible entities could unintentionally plan to procure and install unsecure equipment or software within their information systems, or could unintentionally fail to anticipate security issues that may arise due to their network architecture or during technology and vendor transitions.\18\ --------------------------------------------------------------------------- \18\ Id. P 57. --------------------------------------------------------------------------- 10. Vendor risk management and procurement controls, the fourth objective, the Commission explained, are intended to address the risk that responsible entities could enter into contracts with vendors that pose significant risks to the responsible entities' information systems, as well as the risk that products procured by a responsible entity fail to meet minimum security criteria. This objective also addresses the risk that a compromised vendor would not provide adequate notice and related incident response to responsible entities with whom that vendor is connected.\19\ --------------------------------------------------------------------------- \19\ Id. P 60. --------------------------------------------------------------------------- 11. Order No. 829 stated that while responsible entities should be required to develop and implement a plan, the Commission did not require NERC to impose any specific controls or ``one-size-fits-all'' requirements.\20\ In addition, the Commission stated that NERC's response to the Order No. 829 directive should respect the Commission's jurisdiction under FPA section 215 by only addressing the obligations of responsible entities and not by directly imposing any obligations on non-jurisdictional suppliers, vendors or other entities that provide products or services to responsible entities.\21\ --------------------------------------------------------------------------- \20\ Id. P 13. \21\ Id. P 21. --------------------------------------------------------------------------- C. NERC Petition and Proposed Reliability Standards 12. On September 26, 2017, NERC submitted for Commission approval proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 and their associated violation risk factors and violation severity levels, implementation plans, and effective dates.\22\ NERC states that the purpose of the proposed Reliability Standards is to enhance the cybersecurity posture of the electric industry by requiring responsible entities to take additional actions to address cybersecurity risks associated with the supply chain for BES Cyber Systems. NERC explains that the proposed Reliability Standards are designed to augment the existing controls required in the currently-effective CIP Reliability Standards that help mitigate supply chain risks, providing increased attention on minimizing the attack surfaces of information and communications technology products and services procured to support reliable bulk electric system operations, consistent with Order No. 829. Each proposed Reliability Standard is summarized below. --------------------------------------------------------------------------- \22\ Proposed Reliability Standards CIP-013-1, CIP-005-6 and CIP-010-3 are not attached to this notice of proposed rulemaking (NOPR). The proposed Reliability Standards are available on the Commission's eLibrary document retrieval system in Docket No. RM17- 13-000 and on the NERC website, www.nerc.com. --------------------------------------------------------------------------- 13. NERC states that the proposed Reliability Standards apply only to medium and high impact BES Cyber Systems. NERC explains that the goal of the CIP Reliability Standards is to ``focus[ ] industry resources on protecting those BES Cyber Systems with heightened risks to the [bulk electric system] . . . [and] that the requirements applicable to low impact BES Cyber Systems, given their lower risk profile, should not be overly burdensome to divert resources from the protection of medium and high impact BES Cyber Systems.'' \23\ NERC further maintains that the standard drafting team chose to apply the proposed Reliability Standards only to medium and high impact BES Cyber Systems because the proposed Reliability Standards are ``consistent with the type of existing CIP cybersecurity requirements applicable to high and medium impact BES Cyber Systems as opposed to those applicable to low impact BES Cyber Systems.'' \24\ --------------------------------------------------------------------------- \23\ NERC Petition at 16-17. \24\ Id. at 18. --------------------------------------------------------------------------- 14. NERC states that the standard drafting team also excluded EACMS, PACS, and PCAs from the scope of the proposed Reliability Standards, with the exception of the modifications in proposed Reliability Standard CIP-005-6, which apply to PCAs. NERC explains that although certain requirements in the existing CIP Reliability Standards apply to EACMS, PACS, and PCAs due to their association with BES Cyber Systems (either by function or location), the standard drafting team determined that the proposed supply chain risk management Reliability Standards should focus on high and medium impact BES Cyber Systems only. NERC states that this determination was based on the conclusion that applying the [[Page 3436]] proposed Reliability Standards to EACMS, PACS, and PCAs ``would divert resources from protecting medium and high BES Cyber Systems.'' \25\ --------------------------------------------------------------------------- \25\ Id. at 20. --------------------------------------------------------------------------- 15. NERC maintains that with respect to low impact BES Cyber Systems and EACMS, PACS, and PCAs, while not mandatory, NERC expects that these assets will likely be subject to responsible entity supply chain risk management plans required by proposed Reliability Standard CIP-013-1. Specifically, NERC asserts that ``Responsible Entities may implement a single process for procuring products and services associated with their operational environments.'' \26\ NERC contends that ``by requiring that entities implement supply chain cybersecurity risk management plans for high and medium impact BES Cyber Systems, those plans would likely also cover their low impact BES Cyber Systems.'' \27\ NERC also claims that responsible entities ``may also use the same vendors for procuring PACS, EACMS, and PCAs as they do for their high and medium impact BES Cyber Systems such that the same security considerations may be addressed for those Cyber Assets.'' \28\ --------------------------------------------------------------------------- \26\ Id. \27\ Id. at 19. \28\ Id. at 20. --------------------------------------------------------------------------- Proposed Reliability Standard CIP-013-1 16. NERC states that the focus of proposed Reliability Standard CIP-013-1 is on the steps that responsible entities take ``to consider and address cybersecurity risks from vendor products and services during BES Cyber System planning and procurement.'' \29\ NERC explains that proposed Reliability Standard CIP-013-1 does not require any specific controls or mandate ``one-size-fits-all'' requirements due to the differences in needs and characteristics of responsible entities and the diversity of bulk electric system environments, technologies, and risks. NERC states that the goal of the proposed Reliability Standard is ``to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle.'' \30\ NERC explains that, among other things, proposed Reliability Standard CIP- 013-1 addresses the risk associated with information system planning, as well as vendor risk management and procurement controls, the third and fourth objectives outlined in Order No. 829. --------------------------------------------------------------------------- \29\ Id. at 22. \30\ Id. at 23. --------------------------------------------------------------------------- 17. NERC states that, consistent with the Commission's FPA section 215 jurisdiction and Order No. 829, the proposed Reliability Standard applies only to responsible entities and does not directly impose obligations on suppliers, vendors, or other entities that provide products or services to responsible entities. NERC explains that the focus of the proposed Reliability Standard is on the steps responsible entities take to account for security issues during the planning and procurement phase of high and medium impact BES Cyber Systems. NERC also explains that any resulting obligation that a supplier, vendor, or other entity accepts in providing products or services to the responsible entity is a contractual matter between the responsible entity and third parties, which is outside the scope of the proposed Reliability Standard. 18. NERC explains that the term ``vendor'' is used broadly to refer to any person, company or other organization with whom the responsible entity, or an affiliate, contracts with to supply BES Cyber Systems and related services to the responsible entity. NERC states that the use of the term ``vendor,'' however, ``was not intended to bring registered entities that provide reliability services to other registered entities as part of their functional obligations under NERC's Reliability Standards (e.g., a Balancing Authority providing balancing services for registered entities in its Balancing Authority Area) within the scope of the proposed Reliability Standards.'' \31\ --------------------------------------------------------------------------- \31\ Id. at 21. --------------------------------------------------------------------------- 19. NERC maintains that, consistent with Order No. 829, responsible entities need not apply their supply chain risk management plans to the acquisition of vendor products or services under contracts executed prior to the effective date of Reliability Standard CIP-013-1, nor would such contracts need to be renegotiated or abrogated to comply with the proposed Reliability Standard. In addition, NERC indicates that, consistent with the development of a forward looking Reliability Standard, if entities are in the middle of procurement activities for an applicable product or service at the time of the effective date of proposed Reliability Standard CIP-013-1, NERC would not expect entities to begin those activities anew to implement their supply chain cybersecurity risk management plan to comply with proposed Reliability Standard CIP-013-1. 20. NERC explains that, under Requirement R1 of this Reliability Standard, responsible entities would be required to have one or more processes to address, as applicable, the following baseline set of security concepts in their procurement activities for high and medium impact BES Cyber Systems: (1) Vendor security event notification processes (Part 1.2.1); (2) coordinated incident response activities (Part 1.2.2); (3) vendor personnel termination notification for employees with access to remote and onsite systems (Part 1.2.3); (4) product/services vulnerability disclosures (Part 1.2.4); (5) verification of software integrity and authenticity (Part 1.2.5); and (6) coordination of vendor remote access controls (Part 1.2.6). NERC states that the intent of Part 1.2 of Requirement R1 is not to require that every contract with a vendor include provisions for each of the listed items, but to ensure that these security items are an integrated part of procurement activities, such as a request for proposal or in the contract negotiation process. 21. NERC states that Requirement R2 mandates that each responsible entity implement its supply chain cybersecurity risk management plan. NERC explains that the actual terms and conditions of a procurement contract and vendor performance under a contract are outside the scope of proposed Reliability Standard CIP-013-1. NERC states that the focus of proposed Reliability Standard CIP-013-1 is ``on the processes Responsible Entities implement to consider and address cyber security risks from vendor products or services during BES Cyber System planning and procurement, not on the outcome of those processes. . . .'' \32\ NERC maintains that responsible entities must make a business decision on whether and how to proceed with an acquisition after weighing the risks associated with a vendor or product and making a good faith effort to include security controls in any agreement with a vendor, as required by proposed Reliability Standard CIP-013-1. In addition, NERC states that vendor performance is outside the scope of the proposed Reliability Standards and, while NERC expects responsible entities to enforce the provisions of their contracts, ``a Responsible Entity should not be held responsible under the proposed Reliability Standard for actions (or inactions) of the vendor.'' \33\ --------------------------------------------------------------------------- \32\ Id. at 27. \33\ Id. at 28. --------------------------------------------------------------------------- 22. With regard to assessing compliance with proposed Reliability [[Page 3437]] Standard CIP-013-1, NERC states that NERC and Regional Entities would focus on whether responsible entities: (1) Developed processes reasonably designed to (i) identify and assess risks associated with vendor products and services in accordance with Part 1.1 and (ii) ensure that the security items listed in Part 1.2 are an integrated part of procurement activities; and (2) implemented those processes in good faith. NERC explains that NERC and Regional Entities will evaluate the steps a responsible entity took to assess risks posed by a vendor and associated products or services and, based on that risk assessment, the steps the entity took to mitigate those risks, including the negotiation of security provisions in its agreements with the vendor. 23. Finally, NERC explains that Requirement R3 requires a responsible entity to review and obtain the CIP Senior Manager's approval of its supply chain risk management plan at least once every 15 calendar months in order to ensure that the plan remains up-to-date. Proposed Modifications in Reliability Standard CIP-005-6 24. Proposed Reliability Standard CIP-005-6 includes two new parts, Parts 2.4 and 2.5, to address vendor remote access, which is the second objective discussed in Order No. 829. NERC explains that the new parts work in tandem with proposed Reliability Standard CIP-013-1, Requirement R1.2.6, which requires responsible entities to address Interactive Remote Access and system-to-system remote access when procuring industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. NERC states that proposed Reliability Standard CIP-005-6, Requirement R2.4 requires one or more methods for determining active vendor remote access sessions, including Interactive Remote Access and system[hyphen]to[hyphen]system remote access. NERC explains that the security objective of Requirement R2.4 is to provide awareness of all active vendor remote access sessions, both Interactive Remote Access and system[hyphen]to[hyphen]system remote access, that are taking place on a responsible entity's system. 25. NERC maintains that proposed Reliability Standard CIP-005-6, Requirement R2.5 requires one or more methods to disable active vendor remote access, including Interactive Remote Access and system[hyphen]to[hyphen]system remote access. NERC explains that the security objective of Requirement R2.5 is to provide the ability to disable active remote access sessions in the event of a system breach. In addition, NERC explains that Requirement R2 was modified to only reference Interactive Remote Access where appropriate. Specifically, Requirements R2.1, R2.2, and R2.3 apply to Interactive Remote access only, while Requirements R2.4 and R2.5 apply both to Interactive Remote Access and system-to-system remote access. Proposed Modifications in Reliability Standard CIP-010-3 26. Proposed Reliability Standard CIP-010-3 includes a new part, Part 1.6, to address software integrity and authenticity, the first objective addressed in Order No. 829, by requiring the identification of the publisher and confirming the integrity of all software and patches. NERC explains that proposed Reliability Standard CIP-010-3, Requirement R1.6 requires responsible entities to verify software integrity and authenticity in the operational phase, if the software source provides a method to do so. Specifically, NERC states that proposed Reliability Standard CIP-010-3, Requirement R1.6 requires that responsible entities must verify the identity of the software source and the integrity of the software obtained by the software sources prior to installing software that changes established baseline configurations, when methods are available to do so. NERC asserts that the security objective of proposed Requirement R1.6 is to ensure that the software being installed in the BES Cyber System was not modified without the awareness of the software supplier and is not counterfeit. NERC contends that these steps help reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System. BOT Resolutions 27. In the petition, NERC states that in conjunction with the adoption of the proposed Reliability Standards, on August 10, 2017 the BOT adopted resolutions regarding supply chain risk management. In particular, the BOT requested that NERC management, in collaboration with appropriate NERC technical committees, industry representatives, and appropriate experts, including representatives of industry vendors, further study the nature and complexity of cyber security supply chain risks, including risks associated with low impact assets not currently subject to the proposed supply chain risk management Reliability Standards. The BOT further requested NERC to develop recommendations for follow-up actions that will best address any issues identified. Finally, the BOT requested that NERC management provide an interim progress report no later than 12 months after the adoption of these resolutions and a final report no later than 18 months after the adoption of the resolutions. In its petition, NERC states that ``over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard.'' \34\ --------------------------------------------------------------------------- \34\ Id. at 20-21. --------------------------------------------------------------------------- Implementation Plan 28. NERC's proposed implementation plan provides that the proposed Reliability Standards become effective on the first day of the first calendar quarter that is 18 months after the effective date of a Commission order approving them. NERC states that the proposed implementation period is designed to afford responsible entities sufficient time to develop and implement their supply chain cybersecurity risk management plans required under proposed Reliability Standard CIP-013-1 and implement the new controls required in proposed Reliability Standards CIP-005-6 and CIP-010-3. II. Discussion 29. Pursuant to section 215(d)(2) of the FPA, the Commission proposes to approve supply chain risk management Reliability Standards CIP-013-1, CIP-005-6 and CIP-010-3 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. The proposed Reliability Standards will enhance existing protections for bulk electric system reliability by addressing the four objectives set forth in Order No. 829: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls. 30. The proposed Reliability Standards address the four objectives discussed in Order No. 829. Proposed Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. [[Page 3438]] The required plans must address, as applicable, a baseline set of six security concepts: Vendor security event notification; coordinated incident response; vendor personnel termination notification; product/ services vulnerability disclosures; verification of software integrity and authenticity; and coordination of vendor remote access controls. Proposed Reliability Standard CIP-005-6 addresses vendor remote access by creating two new requirements: for determining active vendor remote access sessions and for having one or more methods to disable active vendor remote access sessions. Proposed Reliability Standard CIP-010-3 addresses software authenticity and integrity by creating a new requirement that responsible entities verify the identity of the software source and the integrity of the software obtained from the software source prior to installing software that changes established baseline configurations, when methods are available to do so. Taken together, the proposed Reliability Standards constitute substantial progress in addressing the supply chain cyber security risks identified in Order No. 829. 31. While the Commission proposes to approve the proposed Reliability Standards, certain cyber security risks associated with the supply chain for BES Cyber Systems may not be adequately addressed by the NERC proposal. In particular, as discussed below, the Commission is concerned with the exclusion of EACMS, PACS, and PCAs from the scope of the proposed Reliability Standards.\35\ To address this risk, pursuant to section 215(d)(5) of the FPA, the Commission proposes that NERC develop modifications to the CIP Reliability Standards to include EACMS within the scope of the supply chain risk management Reliability Standards. In addition, the Commission proposes to direct NERC to evaluate the cyber security supply chain risks presented by PACS and PCAs in the cyber security supply chain risks study requested by the BOT. The Commission further proposes to direct NERC to file the BOT- requested study's interim and final reports with the Commission upon their completion. --------------------------------------------------------------------------- \35\ As we noted previously, the only exceptions are the modifications in proposed Reliability Standard CIP-005-6, which apply to PCAs. --------------------------------------------------------------------------- 32. Below, we discuss the following issues: (A) Inclusion of EACMS in the supply chain risk management Reliability Standards; (B) inclusion of PACS and PCAs in the BOT-requested study on cyber security supply chain risks and filing of the study's interim and final reports with the Commission; and (C) NERC's proposed implementation plan. A. Inclusion of EACMS in CIP Reliability Standards 33. The proposed Reliability Standards only apply to medium and high impact BES Cyber Systems; they do not apply to low impact BES Cyber Systems or Cyber Assets associated with medium and high impact BES Cyber Systems (i.e., EACMS, PACS, and PCAs). The BOT-requested study on cyber security supply chain risks will examine the risks posed by low impact BES Cyber Systems and, as discussed in the following section, we believe it is appropriate to await the outcome of that study's final report before considering whether low impact BES Cyber Systems should be addressed in the supply chain risk management Reliability Standards. 34. With respect to Cyber Assets associated with medium and high impact BES Cyber Systems, and EACMS in particular, we propose further action than what is requested in the BOT resolutions.\36\ As explained in current Reliability Standard CIP-002-5.1a, BES Cyber Systems have associated Cyber Assets, which, if compromised, pose a threat to the BES Cyber System by virtue of: (1) Their location within the Electronic Security Perimeter (i.e., PCAs), or (2) the security control function they perform (i.e., EACMS and PACS).\37\ EACMS support BES Cyber Systems and are part of the network and security architecture that allow BES Cyber Systems to work as intended by performing electronic access control or electronic access monitoring of the Electronic Security Perimeter (ESP) or BES Cyber Systems. --------------------------------------------------------------------------- \36\ We address PACS and PCAs in the following section. \37\ Reliability Standard CIP-002-5.1a (Cyber Security--BES Cyber System Categorization), Background at 6. --------------------------------------------------------------------------- 35. Since EACMS support and enable BES Cyber System operation, misoperation and unavailability of EACMS that support a given BES Cyber System could also contribute to misoperation of a BES Cyber System or render it unavailable, which could adversely affect bulk electric system reliability. EACMS control electronic access, including interactive remote access, into the ESP that protects high and medium impact BES Cyber Systems. One function of electronic access control is to prevent malware or malicious actors from gaining access to the BES Cyber Systems and PCAs within the ESP. Once an EACMS is compromised, the attacker may gain control of the BES Cyber System or PCA. An attacker does not need physical access to the facility housing a BES Cyber System in order to gain access to a BES Cyber System or PCA via an EACMS compromise. By contrast, compromise of PACS, which could potentially grant an attacker physical access to a BES Cyber System, requires physical access. Further, PCAs typically become vulnerable to remote compromise once EACMS have been compromised. Therefore, EACMS represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP. 36. Currently-effective Reliability Standard CIP-010-2 applies to EACMS and the modifications proposed in Reliability Standard CIP-010-3 maintain the current coverage of EACMS, except for new Part 1.6 of Requirement R1, which addresses software integrity and authenticity. Moreover, NERC's petition acknowledges that requirements in the existing CIP Reliability Standards ``require Responsible Entities to apply certain protections to PACS, EACMS, and PCAs, given their association with BES Cyber Systems either by function or location.'' \38\ This statement suggests a recognition by NERC that EACMS, PACS, and PCAs warrant certain protections. We agree with NERC's statement, but we believe that the most important focus is on EACMS for the reasons described above. --------------------------------------------------------------------------- \38\ NERC Petition at 19. --------------------------------------------------------------------------- 37. In addition, while EACMS is a term unique to NERC-developed Reliability Standards, it is widely recognized that the types of access and monitoring functions that are included within NERC's definition of EACMS, such as firewalls, are integral to protecting industrial control systems. For example, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identifies firewalls as ``the first line of defense within an ICS network environment'' that ``keep the intruder out while allowing the authorized passage of data necessary to run the organization.'' \39\ ICS-CERT further explains that firewalls ``act as [[Page 3439]] sentinels, or gatekeepers, between zones . . . [and] [w]hen properly configured, they will only let essential traffic cross security boundaries[,] . . . [i]f they are not properly configured, they could easily pass unauthorized or malicious users or content.'' Accordingly, if EACMS are compromised, that could adversely affect the reliable operation of associated BES Cyber Systems. --------------------------------------------------------------------------- \39\ ICS-CERT, Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies, at 23 (September 2016), https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf. See also NIST, Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82, Revision 2, at Section 5 (ICS Security Architecture) (May 2015) (discussing importance of technologies and strategies, including firewalls, to secure industrial control systems), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf. --------------------------------------------------------------------------- 38. NERC explains that the standard drafting team chose to limit the scope of the proposed Reliability Standards to medium and high impact BES Cyber Systems, but not their associated Cyber Assets (e.g., EACMS), in order not to ``divert resources from protecting medium and high BES Cyber Systems.'' \40\ As noted above, EACMS include ``authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems'' that are integral to the security of the medium and high impact BES Cyber Systems to which they are associated.\41\ While NERC states that it will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS, and PCAs necessitate further consideration for inclusion in a mandatory Reliability Standard, in view of the discussion above, we propose to determine that a sufficient basis currently exists to include EACMS associated with medium and high impact BES Cyber Systems in the supply chain risk management Reliability Standards. --------------------------------------------------------------------------- \40\ Id. at 20. \41\ Reliability Standard CIP-002-5.1a (Cyber Security--BES Cyber System Categorization), Section A.6 at 6. --------------------------------------------------------------------------- 39. Accordingly, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. The Commission seeks comment on this proposal. B. BOT-Requested Cyber Security Supply Chain Risks Study 40. As discussed above, we believe it is appropriate to await the findings from the BOT-requested study on cyber security supply chain risks before considering whether low impact BES Cyber Systems should be addressed in the supply chain risk management Reliability Standards. 41. We note that while the BOT resolutions explicitly stated that the BOT-requested study should examine the risks posed by low impact BES Cyber Systems, the BOT resolutions did not identify PACS and PCAs as subjects of the study. However, NERC's petition suggests that NERC will be evaluating PACS and PCAs as part of the BOT-requested study.\42\ --------------------------------------------------------------------------- \42\ NERC Petition at 21 (``over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS, and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard''). --------------------------------------------------------------------------- 42. While many of the concerns expressed in the previous section with respect to the risks posed by EACMS also apply to varying degrees to PACS and PCAs, we propose to direct NERC, consistent with the representation made in NERC's petition, to include PACS and PCAs in the BOT-requested study and to await the findings of the study's final report before considering further action. We distinguish among EACMS and the other Cyber Assets because, for example, a compromise of a PACS, which would potentially grant an attacker physical access to a BES Cyber System or PCA, is less likely since physical access is also required. Therefore, while we believe that EACMS require immediate action, because they represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP, possible action on other Cyber Assets can await completion of the BOT-requested study's final report. 43. In addition to proposing to direct NERC to include PACS and PCAs in the BOT-requested study, we propose to direct that NERC file the study's interim and final reports with the Commission upon their completion. The Commission seeks comment on these proposals. C. Implementation Plan 44. The 18-month implementation period proposed by NERC does not appear to be justified based on the anticipated effort required to develop and implement a supply chain risk management plan.\43\ While NERC maintains that the proposed implementation period is ``designed to afford responsible entities sufficient time to develop and implement their supply chain cybersecurity risk management plans required under proposed Reliability Standard CIP-013-1 and implement the new controls required in proposed Reliability Standards CIP-005-6 and CIP-010-3,'' \44\ the security objectives of the proposed Reliability Standards are process-based and do not prescribe technology that might justify an extended implementation period. Instead, we propose that the proposed Reliability Standards become effective the first day of the first calendar quarter that is 12 months following the effective date of a Commission order approving the Reliability Standards. Our proposed implementation period is reasonable, given the nature of the requirements in the proposed Reliability Standards, and provides enhanced security for the bulk electric system in a timelier manner. We seek comment on this proposal. --------------------------------------------------------------------------- \43\ The 18-month implementation plan proposed by NERC may be longer given NERC's request that the effective date of the proposed Reliability Standards falls on the first day of the first calendar quarter that is 18 months after the effective date of a Commission order approving the proposed Reliability Standards. \44\ NERC Petition at 35. --------------------------------------------------------------------------- III. Information Collection Statement 45. The FERC-725B information collection requirements contained in this notice of proposed rulemaking are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.\45\ OMB's regulations require approval of certain information collection requirements imposed by agency rules.\46\ Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission's need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents' burden, including the use of automated information techniques. --------------------------------------------------------------------------- \45\ 44 U.S.C. 3507(d). \46\ 5 CFR 1320.11. --------------------------------------------------------------------------- 46. The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by the newly proposed CIP Reliability Standard CIP-013-1 and the proposed revisions to CIP Reliability Standard CIP-005-6 and CIP-010-3 as compared to the current Commission-approved Reliability Standards CIP-005-5 and CIP-010-2, respectively. As discussed above, the notice of proposed rulemaking addresses several areas of the CIP Reliability Standards through proposed Reliability Standard CIP-013-1, Requirements R1, R2, and R3. Under Requirement R1, responsible entities [[Page 3440]] would be required to have one or more processes to address the following baseline set of security concepts, as applicable, in their procurement activities for high and medium impact BES Cyber Systems: (1) Vendor security event notification processes (Part 1.2.1); (2) coordinated incident response activities (Part 1.2.2); (3) vendor personnel termination notification for employees with access to remote and onsite systems (Part 1.2.3); (4) product/services vulnerability disclosures (Part 1.2.4); (5) verification of software integrity and authenticity (Part 1.2.5); and (6) coordination of vendor remote access controls (Part 1.2.6). Requirement R2 mandates that each responsible entity implement its supply chain cybersecurity risk management plan. Requirement R3 requires a responsible entity to review and obtain the CIP Senior Manager's approval of its supply chain risk management plan at least once every 15 calendar months in order to ensure that the plan remains up-to-date. 47. Separately, proposed Reliability Standard CIP-005-6, Requirement R2.4 requires one or more methods for determining active vendor remote access sessions, including Interactive Remote Access and system[hyphen]to[hyphen]system remote access. Proposed Reliability Standard CIP-005-6, Requirement R2.5 requires one or more methods to disable active vendor remote access, including Interactive Remote Access and system[hyphen]to[hyphen]system remote access. Proposed Reliability Standard CIP-010-3, Requirement R1.6 requires responsible entities to verify software integrity and authenticity in the operational phase, if the software source provides a method to do so. 48. The NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 288 entities will face an increased paperwork burden under proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3. Based on these assumptions, we estimate the following reporting burden: RM17-13-000 NOPR [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards] -------------------------------------------------------------------------------------------------------------------------------------------------------- Annual number Total annual burden Cost per Number of of responses Total number Average burden and cost hours and total annual respondent respondents per respondent of responses per response 47 cost ($) (1) (2) (1) * (2) = (4)..................... (3) * (4) = (5)........ (5) / (1) (3) -------------------------------------------------------------------------------------------------------------------------------------------------------- Create supply chain risk management 288 1 288 546 hrs.; $44,772....... 157,248 hrs.; 44,772 plan (one-time) 48 (CIP-013-1 R1). $12,894,336. Updates and reviews of supply chain 288 1 288 30 hrs.; $2,460......... 8,640 hrs.; $708,480... 2,460 risk management plan (ongoing) 49 (CIP-013-1 R2). Develop Procedures to update remote 288 1 288 50 hrs.; $4,100......... 14,400 hrs.; $1,180,800 4,100 access requirements (one time) (CIP- 005-6 R1-R4). Develop procedures for software 288 1 288 50 hrs.; $4,100......... 14,400 hrs.; $1,180,800 4,100 integrity and authenticity requirements (one time) (CIP-010-3 R1-R4). ------------------------------------------------------------------------------------------------------------------ Total (one-time)................. .............. .............. 864 ........................ 186,048 hrs.; .............. $15,255,936. Total (ongoing).................. .............. .............. 288 ........................ 8,640 hrs.; $708,340... .............. -------------------------------------------------------------------------------------------------------------------------------------------------------- The one-time burden of 186,048 hours will be averaged over three years (186,048 hours / 3 = 62,016 hours/year over three years). --------------------------------------------------------------------------- \47\ The loaded hourly wage figure (includes benefits) is based on the average of the occupational categories for 2016 found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm): Legal (Occupation Code: 23-0000): $143.68. Information Security Analysts (Occupation Code 15-1122): $66.34. Computer and Information Systems Managers (Occupation Code: 11- 3021): $100.68. Management (Occupation Code: 11-0000): $81.52. Electrical Engineer (Occupation Code: 17-2071): $68.12. Management Analyst( Code: 43-0000): $63.49. These various occupational categories are weighted as follows: [($81.52)(.10) + $66.34(.315) + $68.12(.02) + $143.68(.15) + $100.68(.10) + $63.49(.315)] = $82.03. The figure is rounded to $82.00 for use in calculating wage figures in this NOPR. \48\ One-time burdens apply in Year One only. \49\ Ongoing burdens apply in Year 2 and beyond. --------------------------------------------------------------------------- The ongoing burden of 8,640 hours applies to only Years 2 and beyond. The number of responses is also average over three years (864 responses (one-time) + (288 responses (Year 2) + 288 responses (Year 3)) / 3 = 480 responses. The responses and burden for Years 1-3 will total respectively as follows: Year 1: 480 responses; 62,016 hours Year 2: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours Year 3: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours 49. The following shows the annual cost burden for each year, based on the burden hours in the table above: Year 1: $15,255,936 Years 2 and beyond: $708,480 The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to: (1) Developing the supply chain risk management plan; (2) updating the procedures related to remote access requirements (3) developing the procedures related to software integrity and authenticity. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to plan and procedure development, while costs in years 2 and 3 will reflect the burden associated with maintaining the SCRM plan and modifying it as necessary on a 15 month basis. [[Page 3441]] 50. Title: Mandatory Reliability Standards, Revised Critical Infrastructure Protection Reliability Standards. Action: Proposed Collection FERC-725B. OMB Control No.: 1902-0248. Respondents: Businesses or other for-profit institutions; not-for- profit institutions. Frequency of Responses: On Occasion. Necessity of the Information: This notice of proposed rulemaking proposes to approve the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission proposes to approve NERC's proposed CIP Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 pursuant to section 215(d)(2) of the FPA because they improve upon the currently- effective suite of cyber security CIP Reliability Standards. Internal Review: The Commission has reviewed the proposed Reliability Standards and made a determination that its action is necessary to implement section 215 of the FPA. 51. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, e-mail: [email protected], phone: (202) 502-8663, fax: (202) 273-0873]. 52. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395-4638, fax: (202) 395-7285]. For security reasons, comments to OMB should be submitted by e-mail to: [email protected]. Comments submitted to OMB should include Docket Number RM17-13-000. IV. Environmental Analysis 53. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.\50\ The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.\51\ The actions proposed herein fall within this categorical exclusion in the Commission's regulations. --------------------------------------------------------------------------- \50\ Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ] 30,783 (1987). \51\ 18 CFR 380.4(a)(2)(ii). --------------------------------------------------------------------------- V. Regulatory Flexibility Act Analysis 54. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of proposed rules that will have significant economic impact on a substantial number of small entities.\52\ The Small Business Administration's (SBA) Office of Size Standards develops the numerical definition of a small business.\53\ The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).\54\ --------------------------------------------------------------------------- \52\ 5 U.S.C. 601-12. \53\ 13 CFR 121.101. \54\ 13 CFR 121.201, Subsection 221. --------------------------------------------------------------------------- 55. Proposed Reliability Standards CIP-013-1, CIP-005-6, CIP-010-3 are expected to impose an additional burden on 288 entities \55\ (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, and transmission owners). --------------------------------------------------------------------------- \55\ Public utilities may fall under one of several different categories, each with a size threshold based on the company's number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this NOPR, we are using a 500 employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAISC Code: 221121). --------------------------------------------------------------------------- 56. Of the 288 affected entities discussed above, we estimate that approximately 248 or 86.2 percent of the affected entities are small entities. We estimate that each of the 248 small entities to whom the proposed modifications to Reliability Standards CIP-013-1, CIP-005-6, CIP-010-3 apply will incur one-time costs of approximately $52,972 per entity to implement the proposed Reliability Standards, as well as the ongoing paperwork burden reflected in the Information Collection Statement (approximately $2,460 per year per entity). We do not consider the estimated costs for these 248 small entities to be a significant economic impact. Accordingly, we certify that proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 will not have a significant economic impact on a substantial number of small entities. VI. Comment Procedures 57. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due March 26, 2018. Comments must refer to Docket No. RM17-13-000, and must include the commenter's name, the organization they represent, if applicable, and address. 58. The Commission encourages comments to be filed electronically via the eFiling link on the Commission's web site at http://www.ferc.gov. The Commission accepts most standard word processing formats. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing. 59. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426. 60. All comments will be placed in the Commission's public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters. VII. Document Availability 61. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426. 62. From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field. 63. User assistance is available for eLibrary and the Commission's website during normal business hours from the [[Page 3442]] Commission's Online Support at (202) 502-6652 (toll free at 1-866-208- 3676) or e-mail at [email protected], or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. E-mail the Public Reference Room at [email protected]. By direction of the Commission. Commissioner LaFleur is concurring with a separate statement attached. Issued: January 18, 2018. Nathaniel J. Davis, Sr., Deputy Secretary. Attachment LaFLEUR, Commissioner concurring: In today's order, the Commission proposes to approve the supply chain risk management standards filed by the North American Electric Reliability Corporation (NERC), and direct certain modifications to those standards. I write separately to explain my vote in support of today's order, given my dissent on the Commission order that directed the development of these standards.\1\ --------------------------------------------------------------------------- \1\ Revised Critical Infrastructure Protection Reliability Standards, Order No. 829, 156 FERC ] 61,050 (2016) (LaFleur, Comm'r, dissenting). --------------------------------------------------------------------------- As I stated in my dissent, I shared the Commission's concern about supply chain threats and supported continued Commission attention to those threats. Indeed, I remain concerned that the supply chain is a significant cyber vulnerability for the bulk power system. However, I believed that the Commission was proceeding too quickly to require a supply chain standard, without having sufficiently worked with NERC, industry, and other stakeholders on how to design an effective, auditable, and enforceable standard. In my view, the directive that resulted was insufficiently developed and created a risk that needed protections against supply threats would be delayed, due in large part to the nature of the NERC standards process. Given the limited guidance and timeline provided by the Commission in Order No. 829, the proposed standards are, unsurprisingly, quite general, focusing primarily ``on the processes Responsible Entities implement to consider and address cyber security risks from vendor products or services during BES Cyber System planning and procurement, not on the outcome of those processes . . .'' \2\ The proposed standards would provide significant flexibility to registered entities to determine how best to comply with their requirements. In my view, that flexibility presents both potential risks and benefits. It could allow effective, adaptable approaches to flourish, or allow compliance plans that meet the letter of the standards but do not effectively address supply chain threats. I hope that we will see more of the former, but I believe the Commission, NERC, and the Regional Entities should closely monitor implementation if the standards are ultimately approved. --------------------------------------------------------------------------- \2\ NERC Petition at 27. --------------------------------------------------------------------------- In voting for today's order, I recognize that the choice before the Commission today is not the same as it was in July 2016. I acknowledge that a significant amount of time and effort have been committed to the development of these standards in response to a duly voted Commission order. Most importantly, I agree that they are an improvement over the status quo. I do not believe that remanding these standards or the larger supply chain issue to the NERC standards process would be a prudent step at this point. Rather, I believe the better course of action at this time is to move forward with these standards and, assuming the Commission ultimately proceeds to Final Rule, improve them over time as needed. In that regard, I believe the Commission is appropriately proposing to direct a modification to the proposed standards to address an identified reliability gap regarding Electronic Access Control and Monitoring Systems. I also support the proposal to require NERC to include Physical Access Controls and Protected Cyber Assets within its ongoing assessment of the supply chain risks posed by low-impact Bulk Electric System Cyber Systems, which will help the Commission and NERC determine whether further revisions to the standards are needed. More so than with most standards, I believe that whether these standards are effective will only reveal itself over time as we gain additional experience with them. I am therefore particularly interested in feedback from commenters on how the Commission, NERC, and industry should assess these standards, including any reporting obligations that might be appropriate.\3\ In addition, given the very general process-oriented nature of the standard, I also support the proposal to shorten the implementation date for the new standards. If ultimately adopted, the revised deadline will allow industry, NERC, and the Commission to put the standards in place sooner while continuing to evaluate how best to protect the bulk power system against supply chain threats. --------------------------------------------------------------------------- \3\ I note that NERC has also developed draft implementation guidance that provides additional detail regarding possible compliance approaches. As NERC and the Regional Entities gain additional experience with assessing compliance under these standards, updating this implementation guidance could be an effective approach for quickly disseminating best practices and lessons learned. --------------------------------------------------------------------------- For these reasons, I respectfully concur. Cheryl A. LaFleur, Commissioner. [FR Doc. 2018-01247 Filed 1-24-18; 8:45 am] BILLING CODE 6717-01-P
![Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules 3433
SCHEDULE OF MATERIALS ANNUAL FEES AND FEES FOR GOVERNMENT AGENCIES LICENSED BY NRC—Continued
[See footnotes at end of table]
Annual
Category of materials licenses fees 1 2 3
B. Uranium Mill Tailings Radiation Control Act (UMTRCA) activities .......................................................................................... 188,000
1 Annual fees will be assessed based on whether a licensee held a valid license with the NRC authorizing possession and use of radioactive
material during the current FY. The annual fee is waived for those materials licenses and holders of certificates, registrations, and approvals who
either filed for termination of their licenses or approvals or filed for possession only/storage licenses before October 1 of the current FY, and per-
manently ceased licensed activities entirely before this date. Annual fees for licensees who filed for termination of a license, downgrade of a li-
cense, or for a possession-only license during the FY and for new licenses issued during the FY will be prorated in accordance with the provi-
sions of § 171.17. If a person holds more than one license, certificate, registration, or approval, the annual fee(s) will be assessed for each li-
cense, certificate, registration, or approval held by that person. For licenses that authorize more than one activity on a single license (e.g.,
human use and irradiator activities), annual fees will be assessed for each category applicable to the license.
2 Payment of the prescribed annual fee does not automatically renew the license, certificate, registration, or approval for which the fee is paid.
Renewal applications must be filed in accordance with the requirements of parts 30, 40, 70, 71, 72, or 76 of this chapter.
3 Each FY, fees for these materials licenses will be calculated and assessed in accordance with § 171.13 and will be published in the Federal
Register for notice and comment.
4 Other facilities include licenses for extraction of metals, heavy metals, and rare earths.
5 There are no existing NRC licenses in these fee categories. If NRC issues a license for these categories, the Commission will consider es-
tablishing an annual fee for this type of license.
6 Standardized spent fuel facilities, 10 CFR parts 71 and 72 Certificates of Compliance and related Quality Assurance program approvals, and
special reviews, such as topical reports, are not assessed an annual fee because the generic costs of regulating these activities are primarily at-
tributable to users of the designs, certificates, and topical reports.
7 Licensees in this category are not assessed an annual fee because they are charged an annual fee in other categories while they are li-
censed to operate.
8 No annual fee is charged because it is not practical to administer due to the relatively short life or temporary nature of the license.
9 Separate annual fees will not be assessed for pacemaker licenses issued to medical institutions that also hold nuclear medicine licenses
under fee categories 7.A, 7.B. or 7.C.
10 This includes Certificates of Compliance issued to the U.S. Department of Energy that are not funded from the Nuclear Waste Fund.
11 See § 171.15(c).
12 See § 171.15(c).
13 No annual fee is charged for this category because the cost of the general license registration program applicable to licenses in this cat-
egory will be recovered through 10 CFR part 170 fees.
14 Persons who possess radium sources that are used for operational purposes in another fee category are not also subject to the fees in this
category. (This exception does not apply if the radium sources are possessed for storage only.)
15 Licensees subject to fees under categories 1.A., 1.B., 1.E., 2.A., and licensees paying fees under fee category 17 must pay the largest ap-
plicable fee and are not subject to additional fees listed in this table.
16 Licensees paying fees under 3.C. are not subject to fees under 2.B. for possession and shielding authorized on the same license.
17 Licensees paying fees under 7.C. are not subject to fees under 2.B. for possession and shielding authorized on the same license.
18 Licensees paying fees under 3.N. are not subject to paying fees under 3.P. for calibration or leak testing services authorized on the same li-
cense.
19 Licensees paying fees under 7.B. are not subject to paying fees under 7.C. for broad scope license licenses issued under parts 30, 35, 40,
and 70 of this chapter for human use of byproduct material, source material, and/or special nuclear material, except licenses for byproduct mate-
rial, source material, or special nuclear material in sealed sources contained in teletherapy devices authorized on the same license.
20 Licensees are exempt from paying annual fees under this fee category when they are licensed under multiple fee categories.
21 No annual fee is charged for a materials license (or part of a materials license) that has transitioned to this fee category because the de-
commissioning costs will be recovered through 10 CFR part 170 fees, but annual fees may be charged for other activities authorized under the li-
cense that are not in decommissioning status.
(e) The fee-relief adjustment allocated § 171.17 Proration. DEPARTMENT OF ENERGY
to annual fees includes the budgeted * * * * *
resources for the activities listed in Federal Energy Regulatory
(a) Reactors, 10 CFR part 72 licensees Commission
paragraph (e)(1) of this section, plus the who do not hold 10 CFR part 50
total budgeted resources for the licenses, and materials licenses with
activities included in paragraphs (e)(2) 18 CFR Part 40
annual fees of $100,000 or greater for a
and (3) of this section, as reduced by the single fee category. The NRC will base [Docket No. RM17–13–000]
appropriations the NRC receives for the proration of annual fees for
these types of activities. If the NRC’s Supply Chain Risk Management
terminated and downgraded licensees Reliability Standards
appropriations for these types of on the fee rule in effect at the time the
activities are greater than the budgeted action is official. The NRC will base the AGENCY: Federal Energy Regulatory
resources for the activities included in determinations on the proration Commission, Department of Energy.
paragraphs (e)(2) and (3) of this section requirements under paragraphs (a)(2) ACTION: Notice of proposed rulemaking.
for a given fiscal year, a negative fee- and (3) of this section.
relief adjustment (or annual fee SUMMARY: The Federal Energy
reduction) will be allocated to annual * * * * * Regulatory Commission (Commission)
sradovich on DSK3GMQ082PROD with PROPOSALS
fees. The activities comprising the FY Dated at Rockville, Maryland, this 10th day proposes to approve supply chain risk
2018 fee-relief adjustment are as of January 2018. management Reliability Standards CIP–
follows: For the Nuclear Regulatory Commission. 013–1 (Cyber Security—Supply Chain
* * * * * Maureen E. Wylie, Risk Management), CIP–005–6 (Cyber
Security—Electronic Security
■ 12. In § 171.17, revise paragraph (a) Chief Financial Officer.
Perimeter(s)) and CIP–010–3 (Cyber
introductory text to read as follows: [FR Doc. 2018–01065 Filed 1–24–18; 8:45 am]
Security—Configuration Change
BILLING CODE 7590–01–P Management and Vulnerability
VerDate Sep<11>2014 16:54 Jan 24, 2018 Jkt 244001 PO 00000 Frm 00027 Fmt 4702 Sfmt 4702 E:\FR\FM\25JAP1.SGM 25JAP1](https://thefederalregister.org/doc/83_FR_3450/page/1.svg)
![3434 Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules
Assessments). The North American Order No. 829.2 The proposed Monitoring Systems (EACMS),5 Physical
Electric Reliability Corporation (NERC), Reliability Standards are intended to Access Control Systems (PACS),6 and
the Commission-certified Electric augment the currently-effective CIP Protected Cyber Assets (PCAs),7 with
Reliability Organization, submitted the Reliability Standards to mitigate the exception of the modifications in
proposed Reliability Standards for cybersecurity risks associated with the proposed Reliability Standard CIP–005–
Commission approval in response to a supply chain for BES Cyber Systems.3 6, which apply to PCAs. To address this
Commission directive. In addition, the 2. As the Commission previously gap, pursuant to section 215(d)(5) of the
Commission proposes that NERC recognized, the global supply chain FPA,8 the Commission proposes to
develop and submit certain provides the opportunity for significant direct NERC to develop modifications to
modifications to the supply chain risk benefits to customers, including low the CIP Reliability Standards to include
management Reliability Standards. cost, interoperability, rapid innovation, EACMS associated with medium and
DATES: Comments are due March 26, a variety of product features and high impact BES Cyber Systems within
2018. choice.4 However, the global supply the scope of the supply chain risk
ADDRESSES: Comments, identified by chain also enables opportunities for management Reliability Standards.9 In
docket number, may be filed in the adversaries to directly or indirectly addition, the Commission proposes to
following ways: affect the management or operations of direct NERC to evaluate the cyber
• Electronic Filing through http:// companies that may result in risks to security supply chain risks presented by
www.ferc.gov. Documents created end users. Supply chain risks may PACS and PCAs in the study of cyber
electronically using word processing include the insertion of counterfeits, security supply chain risks requested by
software should be filed in native unauthorized production, tampering, the NERC Board of Trustees (BOT) in its
applications or print-to-PDF format and theft, or insertion of malicious software, resolutions of August 10, 2017.10 The
not in a scanned format. as well as poor manufacturing and Commission further proposes to direct
• Mail/Hand Delivery: Those unable development practices. We propose to NERC to file the BOT-requested study’s
to file electronically may mail or hand- determine that the supply chain risk interim and final reports with the
deliver comments to: Federal Energy management Reliability Standards Commission upon their completion.
Regulatory Commission, Secretary of the submitted by NERC constitute
Commission, 888 First Street NE, substantial progress in addressing the 5 EACMS are defined as ‘‘Cyber Assets that
Washington, DC 20426. supply chain cyber security risks perform electronic access control or electronic
Instructions: For detailed instructions identified by the Commission. access monitoring of the Electronic Security
Perimeter(s) or BES Cyber Systems. This includes
on submitting comments and additional 3. The Commission also proposes to Intermediate Systems.’’ NERC Glossary. Reliability
information on the rulemaking process, approve the proposed Reliability Standard CIP–002–5.1a (Cyber Security—BES Cyber
see the Comment Procedures Section of Standards’ associated violation risk System Categorization) states that examples of
this document. factors and violation severity levels. EACMS include ‘‘Electronic Access Points,
Intermediate Systems, authentication servers (e.g.,
FOR FURTHER INFORMATION CONTACT: With respect to the proposed Reliability RADIUS servers, Active Directory servers,
Simon Slobodnik (Technical Standards’ implementation plan and Certificate Authorities), security event monitoring
Information), Office of Electric effective date, the Commission proposes systems, and intrusion detection systems.’’
to reduce the implementation period Reliability Standard CIP–002–5.1a (Cyber
Reliability, Federal Energy Regulatory Security—BES Cyber System Categorization)
Commission, 888 First Street NE, from the first day of the first calendar Section A.6 at 6.
Washington, DC 20426, (202) 502– quarter that is 18 months following the 6 PACS are defined as ‘‘Cyber Assets that control,
6707, simon.slobodnik@ferc.gov. effective date of a Commission order alert, or log access to the Physical Security
Kevin Ryan (Legal Information), Office approving the proposed Reliability Perimeter(s), exclusive of locally mounted hardware
Standards, as proposed by NERC, to the or devices at the Physical Security Perimeter such
of the General Counsel, Federal as motion sensors, electronic lock control
Energy Regulatory Commission, 888 first day of the first calendar quarter that mechanisms, and badge readers.’’ NERC Glossary.
First Street NE, Washington, DC is 12 months following the effective date Reliability Standard CIP–002–5.1a states that
20426, (202) 502–6840, kevin.ryan@ of a Commission order. examples include ‘‘authentication servers, card
systems, and badge control systems.’’ Id.
ferc.gov. 4. While the Commission proposes to 7 PCAs are defined as ‘‘[o]ne or more Cyber Assets
determine that the proposed Reliability connected using a routable protocol within or on an
SUPPLEMENTARY INFORMATION:
Standards address most aspects of the Electronic Security Perimeter that is not part of the
1. Pursuant to section 215(d)(2) of the highest impact BES Cyber System within the same
Commission’s directive in Order No.
Federal Power Act (FPA),1 the Electronic Security Perimeter. The impact rating of
829, there remains a significant cyber
Commission proposes to approve Protected Cyber Assets is equal to the highest rated
security risk associated with the supply BES Cyber System in the same [Electronic Security
supply chain risk management
chain for BES Cyber Systems because Perimeter].’’ NERC Glossary. Reliability Standard
Reliability Standards CIP–013–1 (Cyber CIP–002–5.1a states that examples include, to the
the proposed Reliability Standards
Security—Supply Chain Risk extent they are within the Electronic Security
exclude Electronic Access Control and
Management), CIP–005–6 (Cyber Perimeter, ‘‘file servers, ftp servers, time servers,
Security—Electronic Security LAN switches, networked printers, digital fault
2 Revised Critical Infrastructure Protection recorders, and emission monitoring systems.’’ Id.
Perimeter(s)) and CIP–010–3 (Cyber Reliability Standards, Order No. 829, 156 FERC ¶ 8 16 U.S.C. 824o(d)(5).
Security—Configuration Change 61,050, at P 43 (2016). 9 Reliability Standard CIP–002–5.1a (Cyber
Management and Vulnerability 3 BES Cyber System is defined as ‘‘[o]ne or more Security System Categorization) provides a ‘‘tiered’’
Assessments). The North American BES Cyber Assets logically grouped by a approach to cybersecurity requirements, based on
sradovich on DSK3GMQ082PROD with PROPOSALS
Electric Reliability Corporation (NERC), responsible entity to perform one or more reliability classifications of high, medium and low impact BES
tasks for a functional entity.’’ Glossary of Terms Cyber Systems.
the Commission-certified Electric Used in NERC Reliability Standards (NERC 10 Proposed Additional Resolutions for Agenda
Reliability Organization (ERO), Glossary), http://www.nerc.com/files/glossary_of_ Item 9.a: Cyber Security—Supply Chain Risk
submitted the proposed Reliability terms.pdf. The acronym BES refers to the bulk Management—CIP–005–6, CIP–010–3, and CIP–
Standards for Commission approval in electric system. 013–1 (August 10, 2017), http://www.nerc.com/gov/
4 Revised Critical Infrastructure Protection bot/Agenda%20highlights%20and
response to a Commission directive in Reliability Standards, Notice of Proposed %20Mintues%202013/Proposed%20
Rulemaking, 80 FR 43354 (July, 22, 2015), 152 Resolutions%20re%20Supply%20Chain
1 16 U.S.C. 824o(d)(2). FERC ¶ 61,054, at PP 61–62 (2015). %20Follow-Up%20v2.pdf.
VerDate Sep<11>2014 16:54 Jan 24, 2018 Jkt 244001 PO 00000 Frm 00028 Fmt 4702 Sfmt 4702 E:\FR\FM\25JAP1.SGM 25JAP1](https://thefederalregister.org/doc/83_FR_3450/page/2.svg)
![Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules 3435
I. Background traverse over an unmonitored the proposed Reliability Standards is to
connection into a responsible entity’s enhance the cybersecurity posture of the
A. Section 215 and Mandatory
BES Cyber System.17 electric industry by requiring
Reliability Standards 9. For the third objective, information responsible entities to take additional
5. Section 215 of the FPA requires a system planning, Order No. 829 actions to address cybersecurity risks
Commission-certified ERO to develop indicated that the objective is intended associated with the supply chain for
mandatory and enforceable Reliability to address the risk that responsible BES Cyber Systems. NERC explains that
Standards, subject to Commission entities could unintentionally plan to the proposed Reliability Standards are
review and approval. Reliability procure and install unsecure equipment designed to augment the existing
Standards may be enforced by the ERO, or software within their information controls required in the currently-
subject to Commission oversight, or by systems, or could unintentionally fail to effective CIP Reliability Standards that
the Commission independently.11 anticipate security issues that may arise help mitigate supply chain risks,
Pursuant to section 215 of the FPA, the due to their network architecture or providing increased attention on
Commission established a process to during technology and vendor minimizing the attack surfaces of
select and certify an ERO,12 and transitions.18 information and communications
subsequently certified NERC.13 10. Vendor risk management and technology products and services
procurement controls, the fourth procured to support reliable bulk
B. Order No. 829
objective, the Commission explained, electric system operations, consistent
6. In Order No. 829, the Commission are intended to address the risk that with Order No. 829. Each proposed
directed NERC to develop a new or responsible entities could enter into Reliability Standard is summarized
modified Reliability Standard that contracts with vendors that pose below.
addresses supply chain risk significant risks to the responsible 13. NERC states that the proposed
management for industrial control entities’ information systems, as well as Reliability Standards apply only to
system hardware, software and the risk that products procured by a medium and high impact BES Cyber
computing and networking services responsible entity fail to meet minimum Systems. NERC explains that the goal of
associated with bulk electric system security criteria. This objective also the CIP Reliability Standards is to
operations.14 Specifically, the addresses the risk that a compromised ‘‘focus[ ] industry resources on
Commission directed NERC to develop vendor would not provide adequate protecting those BES Cyber Systems
a forward-looking, objective-based notice and related incident response to with heightened risks to the [bulk
Reliability Standard that would require responsible entities with whom that electric system] . . . [and] that the
responsible entities to develop and vendor is connected.19 requirements applicable to low impact
implement a plan with supply chain 11. Order No. 829 stated that while BES Cyber Systems, given their lower
management security controls focused responsible entities should be required risk profile, should not be overly
on four security objectives: (1) Software to develop and implement a plan, the burdensome to divert resources from the
integrity and authenticity; (2) vendor Commission did not require NERC to protection of medium and high impact
remote access; (3) information system impose any specific controls or ‘‘one- BES Cyber Systems.’’ 23 NERC further
planning; and (4) vendor risk size-fits-all’’ requirements.20 In maintains that the standard drafting
management and procurement addition, the Commission stated that team chose to apply the proposed
controls.15 NERC’s response to the Order No. 829 Reliability Standards only to medium
7. The Commission explained that the directive should respect the and high impact BES Cyber Systems
first objective, verification of software Commission’s jurisdiction under FPA because the proposed Reliability
integrity and authenticity, is intended to section 215 by only addressing the Standards are ‘‘consistent with the type
reduce the likelihood that an attacker obligations of responsible entities and of existing CIP cybersecurity
could exploit legitimate vendor patch not by directly imposing any obligations requirements applicable to high and
management processes to deliver on non-jurisdictional suppliers, vendors medium impact BES Cyber Systems as
compromised software updates or or other entities that provide products opposed to those applicable to low
patches to a BES Cyber System.16 or services to responsible entities.21 impact BES Cyber Systems.’’ 24
8. With respect to the second 14. NERC states that the standard
C. NERC Petition and Proposed
objective, vendor remote access, the Reliability Standards drafting team also excluded EACMS,
Commission stated that the objective is PACS, and PCAs from the scope of the
intended to address the threat that 12. On September 26, 2017, NERC proposed Reliability Standards, with the
vendor credentials could be stolen and submitted for Commission approval exception of the modifications in
used to access a BES Cyber System proposed Reliability Standards CIP– proposed Reliability Standard CIP–005–
without the responsible entity’s 013–1, CIP–005–6, and CIP–010–3 and 6, which apply to PCAs. NERC explains
knowledge, as well as the threat that a their associated violation risk factors that although certain requirements in
compromise at a trusted vendor could and violation severity levels, the existing CIP Reliability Standards
implementation plans, and effective apply to EACMS, PACS, and PCAs due
11 16 U.S.C. 824o(e). dates.22 NERC states that the purpose of to their association with BES Cyber
12 Rules Concerning Certification of the Electric Systems (either by function or location),
Reliability Organization; and Procedures for the 17 Id. P 52.
Establishment, Approval, and Enforcement of 18 Id.
the standard drafting team determined
P 57.
that the proposed supply chain risk
sradovich on DSK3GMQ082PROD with PROPOSALS
Electric Reliability Standards, Order No. 672, FERC 19 Id. P 60.
Stats. & Regs. ¶ 31,204, order on reh’g, Order No. 20 Id. P 13. management Reliability Standards
672–A, FERC Stats. & Regs. ¶ 31,212 (2006). 21 Id. P 21. should focus on high and medium
13 North American Electric Reliability Corp., 116
22 Proposed Reliability Standards CIP–013–1, impact BES Cyber Systems only. NERC
FERC ¶ 61,062, order on reh’g and compliance, 117
FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc.
CIP–005–6 and CIP–010–3 are not attached to this states that this determination was based
notice of proposed rulemaking (NOPR). The on the conclusion that applying the
v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). proposed Reliability Standards are available on the
14 Order No. 829, 156 FERC ¶ 61,050 at P 43.
Commission’s eLibrary document retrieval system
15 Id. P 45. 23 NERC Petition at 16–17.
in Docket No. RM17–13–000 and on the NERC
16 Id. P 49. website, www.nerc.com. 24 Id. at 18.
VerDate Sep<11>2014 16:54 Jan 24, 2018 Jkt 244001 PO 00000 Frm 00029 Fmt 4702 Sfmt 4702 E:\FR\FM\25JAP1.SGM 25JAP1](https://thefederalregister.org/doc/83_FR_3450/page/3.svg)
![Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules 3439
sentinels, or gatekeepers, between zones the risks posed by low impact BES 3,’’ 44 the security objectives of the
. . . [and] [w]hen properly configured, Cyber Systems, the BOT resolutions did proposed Reliability Standards are
they will only let essential traffic cross not identify PACS and PCAs as subjects process-based and do not prescribe
security boundaries[,] . . . [i]f they are of the study. However, NERC’s petition technology that might justify an
not properly configured, they could suggests that NERC will be evaluating extended implementation period.
easily pass unauthorized or malicious PACS and PCAs as part of the BOT- Instead, we propose that the proposed
users or content.’’ Accordingly, if requested study.42 Reliability Standards become effective
EACMS are compromised, that could 42. While many of the concerns the first day of the first calendar quarter
adversely affect the reliable operation of expressed in the previous section with that is 12 months following the effective
associated BES Cyber Systems. respect to the risks posed by EACMS date of a Commission order approving
38. NERC explains that the standard also apply to varying degrees to PACS the Reliability Standards. Our proposed
drafting team chose to limit the scope of and PCAs, we propose to direct NERC, implementation period is reasonable,
the proposed Reliability Standards to consistent with the representation made given the nature of the requirements in
medium and high impact BES Cyber in NERC’s petition, to include PACS the proposed Reliability Standards, and
Systems, but not their associated Cyber and PCAs in the BOT-requested study provides enhanced security for the bulk
Assets (e.g., EACMS), in order not to and to await the findings of the study’s electric system in a timelier manner. We
‘‘divert resources from protecting final report before considering further seek comment on this proposal.
medium and high BES Cyber action. We distinguish among EACMS
III. Information Collection Statement
Systems.’’ 40 As noted above, EACMS and the other Cyber Assets because, for
include ‘‘authentication servers (e.g., example, a compromise of a PACS, 45. The FERC–725B information
RADIUS servers, Active Directory which would potentially grant an collection requirements contained in
servers, Certificate Authorities), security attacker physical access to a BES Cyber this notice of proposed rulemaking are
event monitoring systems, and intrusion System or PCA, is less likely since subject to review by the Office of
detection systems’’ that are integral to physical access is also required. Management and Budget (OMB) under
the security of the medium and high Therefore, while we believe that section 3507(d) of the Paperwork
impact BES Cyber Systems to which EACMS require immediate action, Reduction Act of 1995.45 OMB’s
they are associated.41 While NERC because they represent the most likely regulations require approval of certain
states that it will continue to assess route an attacker would take to access information collection requirements
whether supply chain risks related to a BES Cyber System or PCA within an imposed by agency rules.46 Upon
low impact BES Cyber Systems, PACS, ESP, possible action on other Cyber approval of a collection of information,
EACMS, and PCAs necessitate further Assets can await completion of the OMB will assign an OMB control
consideration for inclusion in a BOT-requested study’s final report. number and expiration date.
mandatory Reliability Standard, in view 43. In addition to proposing to direct Respondents subject to the filing
of the discussion above, we propose to NERC to include PACS and PCAs in the requirements of this rule will not be
determine that a sufficient basis BOT-requested study, we propose to penalized for failing to respond to these
currently exists to include EACMS direct that NERC file the study’s interim collections of information unless the
associated with medium and high and final reports with the Commission collections of information display a
impact BES Cyber Systems in the upon their completion. The Commission valid OMB control number. The
supply chain risk management seeks comment on these proposals. Commission solicits comments on the
Reliability Standards. Commission’s need for this information,
C. Implementation Plan whether the information will have
39. Accordingly, pursuant to section
215(d)(5) of the FPA, the Commission 44. The 18-month implementation practical utility, the accuracy of the
proposes to direct NERC to develop period proposed by NERC does not burden estimates, ways to enhance the
modifications to the CIP Reliability appear to be justified based on the quality, utility, and clarity of the
Standards to include EACMS associated anticipated effort required to develop information to be collected or retained,
with medium and high impact BES and implement a supply chain risk and any suggested methods for
Cyber Systems within the scope of the management plan.43 While NERC minimizing respondents’ burden,
supply chain risk management maintains that the proposed including the use of automated
Reliability Standards. The Commission implementation period is ‘‘designed to information techniques.
afford responsible entities sufficient 46. The Commission bases its
seeks comment on this proposal.
time to develop and implement their paperwork burden estimates on the
B. BOT-Requested Cyber Security supply chain cybersecurity risk changes in paperwork burden presented
Supply Chain Risks Study management plans required under by the newly proposed CIP Reliability
40. As discussed above, we believe it proposed Reliability Standard CIP–013– Standard CIP–013–1 and the proposed
is appropriate to await the findings from 1 and implement the new controls revisions to CIP Reliability Standard
the BOT-requested study on cyber required in proposed Reliability CIP–005–6 and CIP–010–3 as compared
security supply chain risks before Standards CIP–005–6 and CIP–010– to the current Commission-approved
considering whether low impact BES Reliability Standards CIP–005–5 and
Cyber Systems should be addressed in
42 NERC Petition at 21 (‘‘over the next 18 months, CIP–010–2, respectively. As discussed
NERC, working with various stakeholders, will above, the notice of proposed
the supply chain risk management continue to assess whether supply chain risks
sradovich on DSK3GMQ082PROD with PROPOSALS
Reliability Standards. related to low impact BES Cyber Systems, PACS,
rulemaking addresses several areas of
41. We note that while the BOT EACMS, and PCA necessitate further consideration the CIP Reliability Standards through
resolutions explicitly stated that the for inclusion in a mandatory Reliability Standard’’). proposed Reliability Standard CIP–013–
BOT-requested study should examine
43 The 18-month implementation plan proposed
1, Requirements R1, R2, and R3. Under
by NERC may be longer given NERC’s request that Requirement R1, responsible entities
the effective date of the proposed Reliability
40 Id. at 20. Standards falls on the first day of the first calendar
41 Reliability 44 NERC Petition at 35.
Standard CIP–002–5.1a (Cyber quarter that is 18 months after the effective date of
45 44 U.S.C. 3507(d).
Security—BES Cyber System Categorization), a Commission order approving the proposed
Section A.6 at 6. Reliability Standards. 46 5 CFR 1320.11.
VerDate Sep<11>2014 16:54 Jan 24, 2018 Jkt 244001 PO 00000 Frm 00033 Fmt 4702 Sfmt 4702 E:\FR\FM\25JAP1.SGM 25JAP1](https://thefederalregister.org/doc/83_FR_3450/page/7.svg)
![3440 Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules
would be required to have one or more cybersecurity risk management plan. system-to-system remote access.
processes to address the following Requirement R3 requires a responsible Proposed Reliability Standard CIP–010–
baseline set of security concepts, as entity to review and obtain the CIP 3, Requirement R1.6 requires
applicable, in their procurement Senior Manager’s approval of its supply responsible entities to verify software
activities for high and medium impact chain risk management plan at least integrity and authenticity in the
BES Cyber Systems: (1) Vendor security once every 15 calendar months in order operational phase, if the software source
event notification processes (Part 1.2.1); to ensure that the plan remains up-to- provides a method to do so.
(2) coordinated incident response date. 48. The NERC Compliance Registry,
activities (Part 1.2.2); (3) vendor 47. Separately, proposed Reliability as of December 2017, identifies
personnel termination notification for Standard CIP–005–6, Requirement R2.4 approximately 1,250 unique U.S.
employees with access to remote and requires one or more methods for entities that are subject to mandatory
onsite systems (Part 1.2.3); (4) product/ determining active vendor remote compliance with Reliability Standards.
services vulnerability disclosures (Part access sessions, including Interactive Of this total, we estimate that 288
1.2.4); (5) verification of software Remote Access and system-to-system entities will face an increased
integrity and authenticity (Part 1.2.5); remote access. Proposed Reliability paperwork burden under proposed
and (6) coordination of vendor remote Standard CIP–005–6, Requirement R2.5 Reliability Standards CIP–013–1, CIP–
access controls (Part 1.2.6). Requirement requires one or more methods to disable 005–6, and CIP–010–3. Based on these
R2 mandates that each responsible active vendor remote access, including assumptions, we estimate the following
entity implement its supply chain Interactive Remote Access and reporting burden:
RM17–13–000 NOPR
[Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]
Annual Total annual
Average burden Cost per
Number of number of Total number burden hours
and cost per respondent
respondents responses per of responses and total
response 47 ($)
respondent annual cost
(1) (2) (1) * (2) = (3) (4) (3) * (4) = (5) (5) ÷ (1)
Create supply chain risk manage- 288 1 288 546 hrs.; $44,772 157,248 hrs.; 44,772
ment plan (one-time) 48 (CIP– $12,894,336.
013–1 R1).
Updates and reviews of supply 288 1 288 30 hrs.; $2,460 .. 8,640 hrs.; 2,460
chain risk management plan (on- $708,480.
going) 49 (CIP–013–1 R2).
Develop Procedures to update re- 288 1 288 50 hrs.; $4,100 .. 14,400 hrs.; 4,100
mote access requirements (one $1,180,800.
time) (CIP–005–6 R1–R4).
Develop procedures for software in- 288 1 288 50 hrs.; $4,100 .. 14,400 hrs.; 4,100
tegrity and authenticity require- $1,180,800.
ments (one time) (CIP–010–3
R1–R4).
Total (one-time) ........................ ........................ ........................ 864 ............................ 186,048 hrs.; ........................
$15,255,936.
Total (ongoing) ......................... ........................ ........................ 288 ............................ 8,640 hrs.; ........................
$708,340.
The one-time burden of 186,048 hours The ongoing burden of 8,640 hours • Year 1: $15,255,936
will be averaged over three years applies to only Years 2 and beyond. • Years 2 and beyond: $708,480
(186,048 hours ÷ 3 = 62,016 hours/year The number of responses is also
over three years). average over three years (864 responses • The paperwork burden estimate
(one-time) + (288 responses (Year 2) + includes costs associated with the
47 The loaded hourly wage figure (includes 288 responses (Year 3)) ÷ 3 = 480 initial development of a policy to
benefits) is based on the average of the occupational responses. address requirements relating to: (1)
categories for 2016 found on the Bureau of Labor The responses and burden for Years Developing the supply chain risk
Statistics website (http://www.bls.gov/oes/current/
naics2_22.htm): 1–3 will total respectively as follows: management plan; (2) updating the
Legal (Occupation Code: 23–0000): $143.68. Year 1: 480 responses; 62,016 hours procedures related to remote access
Information Security Analysts (Occupation Code Year 2: 480 responses; 62,016 hours + requirements (3) developing the
15–1122): $66.34. 8,640 hours = 70,656 hours procedures related to software
Computer and Information Systems Managers Year 3: 480 responses; 62,016 hours + integrity and authenticity. Further,
sradovich on DSK3GMQ082PROD with PROPOSALS
(Occupation Code: 11–3021): $100.68. 8,640 hours = 70,656 hours the estimate reflects the assumption
Management (Occupation Code: 11–0000): 49. The following shows the annual
$81.52. that costs incurred in year 1 will
cost burden for each year, based on the pertain to plan and procedure
Electrical Engineer (Occupation Code: 17–2071):
burden hours in the table above:
$68.12. development, while costs in years 2
Management Analyst( Code: 43–0000): $63.49. and 3 will reflect the burden
These various occupational categories are $82.00 for use in calculating wage figures in this
weighted as follows: [($81.52)(.10) + $66.34(.315) + NOPR. associated with maintaining the
$68.12(.02) + $143.68(.15) + $100.68(.10) + 48 One-time burdens apply in Year One only. SCRM plan and modifying it as
$63.49(.315)] = $82.03. The figure is rounded to 49 Ongoing burdens apply in Year 2 and beyond. necessary on a 15 month basis.
VerDate Sep<11>2014 16:54 Jan 24, 2018 Jkt 244001 PO 00000 Frm 00034 Fmt 4702 Sfmt 4702 E:\FR\FM\25JAP1.SGM 25JAP1](https://thefederalregister.org/doc/83_FR_3450/page/8.svg)
![Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules 3441
50. Title: Mandatory Reliability significant effect on the human on a substantial number of small
Standards, Revised Critical environment. Included in the exclusion entities.
Infrastructure Protection Reliability are rules that are clarifying, corrective,
VI. Comment Procedures
Standards. or procedural or that do not
Action: Proposed Collection FERC– substantially change the effect of the 57. The Commission invites interested
725B. regulations being amended.51 The persons to submit comments on the
OMB Control No.: 1902–0248. actions proposed herein fall within this matters and issues proposed in this
Respondents: Businesses or other for- categorical exclusion in the notice to be adopted, including any
profit institutions; not-for-profit Commission’s regulations. related matters or alternative proposals
institutions. that commenters may wish to discuss.
V. Regulatory Flexibility Act Analysis Comments are due March 26, 2018.
Frequency of Responses: On
Occasion. 54. The Regulatory Flexibility Act of Comments must refer to Docket No.
Necessity of the Information: This 1980 (RFA) generally requires a RM17–13–000, and must include the
notice of proposed rulemaking proposes description and analysis of proposed commenter’s name, the organization
to approve the requested modifications rules that will have significant they represent, if applicable, and
to Reliability Standards pertaining to economic impact on a substantial address.
critical infrastructure protection. As number of small entities.52 The Small 58. The Commission encourages
discussed above, the Commission Business Administration’s (SBA) Office comments to be filed electronically via
proposes to approve NERC’s proposed of Size Standards develops the the eFiling link on the Commission’s
CIP Reliability Standards CIP–013–1, numerical definition of a small web site at http://www.ferc.gov. The
CIP–005–6, and CIP–010–3 pursuant to business.53 The SBA revised its size Commission accepts most standard
section 215(d)(2) of the FPA because standard for electric utilities (effective word processing formats. Documents
they improve upon the currently- January 22, 2014) to a standard based on created electronically using word
effective suite of cyber security CIP the number of employees, including processing software should be filed in
Reliability Standards. affiliates (from the prior standard based native applications or print-to-PDF
Internal Review: The Commission has on megawatt hour sales).54 format and not in a scanned format.
reviewed the proposed Reliability 55. Proposed Reliability Standards Commenters filing electronically do not
Standards and made a determination CIP–013–1, CIP–005–6, CIP–010–3 are need to make a paper filing.
that its action is necessary to implement expected to impose an additional 59. Commenters that are not able to
section 215 of the FPA. burden on 288 entities 55 (reliability file comments electronically must send
51. Interested persons may obtain coordinators, generator operators, an original of their comments to:
information on the reporting generator owners, interchange Federal Energy Regulatory Commission,
requirements by contacting the coordinators or authorities, transmission Secretary of the Commission, 888 First
following: Federal Energy Regulatory operators, balancing authorities, and Street NE, Washington, DC 20426.
Commission, 888 First Street NE, transmission owners). 60. All comments will be placed in
Washington, DC 20426 [Attention: Ellen 56. Of the 288 affected entities the Commission’s public files and may
discussed above, we estimate that be viewed, printed, or downloaded
Brown, Office of the Executive Director,
approximately 248 or 86.2 percent of the remotely as described in the Document
e-mail: DataClearance@ferc.gov, phone:
affected entities are small entities. We Availability section below. Commenters
(202) 502–8663, fax: (202) 273–0873].
estimate that each of the 248 small on this proposal are not required to
52. For submitting comments
entities to whom the proposed serve copies of their comments on other
concerning the collection(s) of
modifications to Reliability Standards commenters.
information and the associated burden
CIP–013–1, CIP–005–6, CIP–010–3
estimate(s), please send your comments VII. Document Availability
apply will incur one-time costs of
to the Commission, and to the Office of
approximately $52,972 per entity to 61. In addition to publishing the full
Management and Budget, Office of
implement the proposed Reliability text of this document in the Federal
Information and Regulatory Affairs,
Standards, as well as the ongoing Register, the Commission provides all
Washington, DC 20503 [Attention: Desk
paperwork burden reflected in the interested persons an opportunity to
Officer for the Federal Energy
Information Collection Statement view and/or print the contents of this
Regulatory Commission, phone: (202)
(approximately $2,460 per year per document via the internet through the
395–4638, fax: (202) 395–7285]. For
entity). We do not consider the Commission’s Home Page (http://
security reasons, comments to OMB
estimated costs for these 248 small www.ferc.gov) and in the Commission’s
should be submitted by e-mail to: oira_
entities to be a significant economic Public Reference Room during normal
submission@omb.eop.gov. Comments
impact. Accordingly, we certify that business hours (8:30 a.m. to 5:00 p.m.
submitted to OMB should include
proposed Reliability Standards CIP– Eastern time) at 888 First Street NE,
Docket Number RM17–13–000.
013–1, CIP–005–6, and CIP–010–3 will Room 2A, Washington, DC 20426.
IV. Environmental Analysis not have a significant economic impact 62. From the Commission’s Home
53. The Commission is required to Page on the internet, this information is
prepare an Environmental Assessment
51 18 CFR 380.4(a)(2)(ii). available on eLibrary. The full text of
52 5 U.S.C. 601–12.
or an Environmental Impact Statement this document is available on eLibrary
53 13 CFR 121.101.
in PDF and Microsoft Word format for
sradovich on DSK3GMQ082PROD with PROPOSALS
for any action that may have a 54 13 CFR 121.201, Subsection 221.
significant adverse effect on the human 55 Public utilities may fall under one of several
viewing, printing, and/or downloading.
environment.50 The Commission has different categories, each with a size threshold To access this document in eLibrary,
categorically excluded certain actions based on the company’s number of employees, type the docket number of this
from this requirement as not having a
including affiliates, the parent company, and document, excluding the last three
subsidiaries. For the analysis in this NOPR, we are digits, in the docket number field.
using a 500 employee threshold due to each
50 Regulations Implementing the National affected entity falling within the role of Electric
63. User assistance is available for
Environmental Policy Act of 1969, Order No. 486, Bulk Power Transmission and Control (NAISC eLibrary and the Commission’s website
FERC Stats. & Regs. ¶ 30,783 (1987). Code: 221121). during normal business hours from the
VerDate Sep<11>2014 16:54 Jan 24, 2018 Jkt 244001 PO 00000 Frm 00035 Fmt 4702 Sfmt 4702 E:\FR\FM\25JAP1.SGM 25JAP1](https://thefederalregister.org/doc/83_FR_3450/page/9.svg)
![3442 Federal Register / Vol. 83, No. 17 / Thursday, January 25, 2018 / Proposed Rules
Commission’s Online Support at (202) not the same as it was in July 2016. I DEPARTMENT OF HEALTH AND
502–6652 (toll free at 1–866–208–3676) acknowledge that a significant amount of HUMAN SERVICES
or e-mail at ferconlinesupport@ferc.gov, time and effort have been committed to the
or the Public Reference Room at (202) development of these standards in response Food and Drug Administration
502–8371, TTY (202) 502–8659. E-mail to a duly voted Commission order. Most
the Public Reference Room at importantly, I agree that they are an 21 CFR Part 1
public.referenceroom@ferc.gov. improvement over the status quo. I do not
[Docket No. FDA–2011–N–0143]
believe that remanding these standards or the
By direction of the Commission.
Commissioner LaFleur is concurring with a larger supply chain issue to the NERC Foreign Supplier Verification Programs
separate statement attached. standards process would be a prudent step at for Importers of Food for Humans and
Issued: January 18, 2018. this point. Rather, I believe the better course Animals: What You Need To Know
of action at this time is to move forward with About the Food and Drug
Nathaniel J. Davis, Sr.,
these standards and, assuming the Administration Regulation; Small
Deputy Secretary.
Commission ultimately proceeds to Final
Entity Compliance Guide; Availability
Attachment Rule, improve them over time as needed.
In that regard, I believe the Commission is AGENCY: Food and Drug Administration,
LaFLEUR, Commissioner concurring:
appropriately proposing to direct a HHS.
In today’s order, the Commission proposes modification to the proposed standards to ACTION: Notification of availability.
to approve the supply chain risk management address an identified reliability gap regarding
standards filed by the North American SUMMARY: The Food and Drug
Electric Reliability Corporation (NERC), and Electronic Access Control and Monitoring
Systems. I also support the proposal to Administration (FDA, the Agency, or
direct certain modifications to those
standards. I write separately to explain my require NERC to include Physical Access we) is announcing the availability of a
vote in support of today’s order, given my Controls and Protected Cyber Assets within guidance for industry entitled ‘‘Foreign
dissent on the Commission order that its ongoing assessment of the supply chain Supplier Verification Programs for
directed the development of these risks posed by low-impact Bulk Electric Importers of Food for Humans and
standards.1 System Cyber Systems, which will help the Animals: What You Need to Know
As I stated in my dissent, I shared the Commission and NERC determine whether About the FDA Regulation; Small Entity
Commission’s concern about supply chain Compliance Guide.’’ The small entity
further revisions to the standards are needed.
threats and supported continued Commission
attention to those threats. Indeed, I remain More so than with most standards, I compliance guide (SECG) is intended to
concerned that the supply chain is a believe that whether these standards are help small entities comply with the
significant cyber vulnerability for the bulk effective will only reveal itself over time as final rule entitled ‘‘Foreign Supplier
power system. However, I believed that the we gain additional experience with them. I Verification Programs for Importers of
Commission was proceeding too quickly to am therefore particularly interested in Food for Humans and Animals.’’
require a supply chain standard, without feedback from commenters on how the DATES: The announcement of the
having sufficiently worked with NERC, Commission, NERC, and industry should
industry, and other stakeholders on how to
guidance is published in the Federal
assess these standards, including any Register on January 25, 2018.
design an effective, auditable, and
reporting obligations that might be ADDRESSES: You may submit either
enforceable standard. In my view, the
directive that resulted was insufficiently appropriate.3 In addition, given the very electronic or written comments on
developed and created a risk that needed general process-oriented nature of the
Agency guidances at any time as
protections against supply threats would be standard, I also support the proposal to
follows:
delayed, due in large part to the nature of the shorten the implementation date for the new
NERC standards process. standards. If ultimately adopted, the revised Electronic Submissions
Given the limited guidance and timeline deadline will allow industry, NERC, and the
provided by the Commission in Order No.
Submit electronic comments in the
Commission to put the standards in place following way:
829, the proposed standards are,
unsurprisingly, quite general, focusing
sooner while continuing to evaluate how best • Federal eRulemaking Portal:
to protect the bulk power system against https://www.regulations.gov. Follow the
primarily ‘‘on the processes Responsible
Entities implement to consider and address supply chain threats. instructions for submitting comments.
cyber security risks from vendor products or For these reasons, I respectfully concur. Comments submitted electronically,
services during BES Cyber System planning Cheryl A. LaFleur, including attachments, to https://
and procurement, not on the outcome of Commissioner. www.regulations.gov will be posted to
those processes . . .’’ 2 The proposed
standards would provide significant [FR Doc. 2018–01247 Filed 1–24–18; 8:45 am] the docket unchanged. Because your
flexibility to registered entities to determine BILLING CODE 6717–01–P
comment will be made public, you are
how best to comply with their requirements. solely responsible for ensuring that your
In my view, that flexibility presents both comment does not include any
potential risks and benefits. It could allow confidential information that you or a
effective, adaptable approaches to flourish, or third party may not wish to be posted,
allow compliance plans that meet the letter such as medical information, your or
of the standards but do not effectively
anyone else’s Social Security number, or
address supply chain threats. I hope that we
will see more of the former, but I believe the confidential business information, such
Commission, NERC, and the Regional as a manufacturing process. Please note
that if you include your name, contact
sradovich on DSK3GMQ082PROD with PROPOSALS
Entities should closely monitor
implementation if the standards are information, or other information that
3 I note that NERC has also developed draft
ultimately approved. identifies you in the body of your
In voting for today’s order, I recognize that implementation guidance that provides additional
comments, that information will be
the choice before the Commission today is detail regarding possible compliance approaches.
As NERC and the Regional Entities gain additional
posted on https://www.regulations.gov.
1 Revised Critical Infrastructure Protection experience with assessing compliance under these
• If you want to submit a comment
Reliability Standards, Order No. 829, 156 FERC ¶ standards, updating this implementation guidance with confidential information that you
61,050 (2016) (LaFleur, Comm’r, dissenting). could be an effective approach for quickly do not wish to be made available to the
2 NERC Petition at 27. disseminating best practices and lessons learned. public, submit the comment as a
VerDate Sep<11>2014 16:54 Jan 24, 2018 Jkt 244001 PO 00000 Frm 00036 Fmt 4702 Sfmt 4702 E:\FR\FM\25JAP1.SGM 25JAP1](https://thefederalregister.org/doc/83_FR_3450/page/10.svg)
Document Created: 2018-01-25 08:50:32
Document Modified: 2018-01-25 08:50:32
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Proposed Rules | |
| Action | Notice of proposed rulemaking. | |
| Dates | Comments are due March 26, 2018. | |
| Contact | Simon Slobodnik (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707, [email protected] Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, [email protected] | |
| FR Citation | 83 FR 3433 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR