83 FR 53992 - Supply Chain Risk Management Reliability Standards

DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission

Federal Register Volume 83, Issue 208 (October 26, 2018)

Page Range: 53992-54005
FR Document: 2018-23201

[Federal Register Volume 83, Number 208 (Friday, October 26, 2018)]
[Rules and Regulations]
[Pages 53992-54005]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-23201]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM17-13-000; Order No. 850]


Supply Chain Risk Management Reliability Standards

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves 
supply chain risk management Reliability Standards CIP-013-1 (Cyber 
Security--Supply Chain Risk Management), CIP-005-6 (Cyber Security--
Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security--
Configuration Change Management and Vulnerability Assessments) 
submitted by the North American Electric Reliability Corporation 
(NERC). In addition, the Commission directs NERC to develop and submit 
modifications to the supply chain risk management Reliability Standards 
so that the scope of the Reliability Standards include Electronic 
Access Control and Monitoring Systems.

DATES: This rule is effective December 26, 2018.

FOR FURTHER INFORMATION CONTACT: 
    Simon Slobodnik (Technical Information) Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426, (202) 502-6707, [email protected].
    Patricia Eke (Technical Information) Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426, (202) 502-8388, [email protected].
    Kevin Ryan (Legal Information) Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6840, [email protected].

SUPPLEMENTARY INFORMATION: 

    Before Commissioners: Cheryl A. LaFleur, Neil Chatterjee, and 
Richard Glick.

    1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA), 
the Commission approves supply chain risk management Reliability 
Standards CIP-013-1 (Cyber Security--Supply Chain Risk Management), 
CIP-005-6 (Cyber Security--Electronic Security Perimeter(s)) and CIP-
010-3 (Cyber Security--Configuration Change Management and 
Vulnerability Assessments).\1\ The North American Electric Reliability 
Corporation (NERC), the Commission-certified Electric Reliability 
Organization (ERO), submitted the supply chain risk management 
Reliability Standards for approval in response to a Commission 
directive in Order No. 829.\2\ As discussed below, we approve the 
supply chain risk management Reliability Standards as they are 
responsive to Order No. 829 and improve the electric industry's 
cybersecurity posture by requiring that entities mitigate certain 
cybersecurity risks associated with the supply chain for BES Cyber 
Systems.\3\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(2).
    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 829, 156 FERC ¶ 61,050, at P 43 (2016).
    \3\ BES Cyber System is defined as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' Glossary of Terms 
Used in NERC Reliability Standards (NERC Glossary), http://www.nerc.com/files/glossary_of_terms.pdf. The acronym BES refers to 
the bulk electric system.

---------------------------------------------------------------------------

[[Page 53993]]

    2. The Commission has previously explained that the global supply 
chain affords significant benefits to customers, including low cost, 
interoperability, rapid innovation, and a variety of product features 
and choice.\4\ Despite these benefits, the global supply chain creates 
opportunities for adversaries to directly or indirectly affect the 
management or operations of companies with potential risks to end 
users. Supply chain risks include insertion of counterfeits or 
malicious software, unauthorized production, tampering, or theft, as 
well as poor manufacturing and development practices. Based on the 
record in this proceeding, we conclude that the supply chain risk 
management Reliability Standards largely address these supply chain 
cybersecurity risks as set out within the scope of Order No. 829. Among 
other things, the supply chain risk management Reliability Standards 
are forward-looking and objective-based and require each affected 
entity to develop and implement a plan that includes security controls 
for supply chain management for industrial control system hardware, 
software, and services associated with bulk electric system 
operations.\5\ Consistent with Order No. 829, the Reliability Standards 
focus on the following four security objectives: (1) Software integrity 
and authenticity; (2) vendor remote access protections; (3) information 
system planning; and (4) vendor risk management and procurement 
controls.
---------------------------------------------------------------------------

    \4\ Revised Critical Infrastructure Protection Reliability 
Standards, Notice of Proposed Rulemaking, 152 FERC ¶ 61,054, at PP 
61-62 (2015).
    \5\ Order No. 829, 156 FERC ¶ 61,050 at P 2.
---------------------------------------------------------------------------

    3. The Commission also approves the supply chain risk management 
Reliability Standards' associated violation risk factors and violation 
severity levels. Regarding the Reliability Standards' implementation 
plan and effective date, we approve NERC's proposed implementation 
period of 18 months following the effective date of a Commission order. 
The NOPR proposed to reduce the implementation period to 12 months.\6\ 
However, as discussed below, the NOPR comments provide sufficient 
justification for adopting the 18-month implementation period proposed 
by NERC. Specifically, the comments clarify that technical upgrades are 
likely necessary to meet the Reliability Standards' security 
objectives, which could involve longer time-horizon capital budgets and 
planning cycles.
---------------------------------------------------------------------------

    \6\ Supply Chain Risk Management Reliability Standards, Notice 
of Proposed Rulemaking, 83 FR 3433 (January 25, 2018), 162 FERC ¶ 
61,044 (2018) (NOPR).
---------------------------------------------------------------------------

    4. While the supply chain risk management Reliability Standards 
address the Commission's directive in Order No. 829, we determine that 
there remains a significant cybersecurity risk associated with the 
supply chain for BES Cyber Systems because the approved Reliability 
Standards do not address Electronic Access Control and Monitoring 
Systems (EACMS).\7\ As we observed in the NOPR, it is widely recognized 
that the types of access and monitoring functions that are included 
within NERC's definition of EACMS, such as firewalls, are integral to 
protecting industrial control systems.\8\ Moreover, as stated in Order 
No. 848, EACMS, which include, for example, firewalls, authentication 
servers, security event monitoring systems, intrusion detection systems 
and alerting systems, control electronic access into Electronic 
Security Perimeters (ESP), play a significant role in the protection of 
high and medium impact BES Cyber Systems.\9\ Once an EACMS is 
compromised, an attacker could more easily enter the ESP and 
effectively control the BES Cyber System or Protected Cyber Asset.\10\ 
For example, the Department of Homeland Security's Industrial Control 
Systems Cyber Emergency Response Team (ICS-CERT) identifies firewalls 
as ``the first line of defense within an ICS network environment'' that 
``keep the intruder out while allowing the authorized passage of data 
necessary to run the organization.'' \11\ ICS-CERT further explains 
that firewalls ``act as sentinels, or gatekeepers, between zones . . . 
[and] [w]hen properly configured, they will only let essential traffic 
cross security boundaries[,] . . . [i]f they are not properly 
configured, they could easily pass unauthorized or malicious users or 
content.'' \12\ Accordingly, if EACMS are compromised, that could 
adversely affect the reliable operation of associated BES Cyber 
Systems.\13\ Given the significant role that EACMS play in the 
protection scheme for medium and high impact BES Cyber Systems, we 
determine that EACMS should be within the scope of the supply chain 
risk management Reliability Standards to provide minimum protection 
against supply chain attack vectors.
---------------------------------------------------------------------------

    \7\ EACMS are defined as ``Cyber Assets that perform electronic 
access control or electronic access monitoring of the Electronic 
Security Perimeter(s) or BES Cyber Systems. This includes 
Intermediate Systems.'' NERC Glossary. Reliability Standard CIP-002-
5.1a (Cyber Security -- BES Cyber System Categorization) states that 
examples of EACMS include ``Electronic Access Points, Intermediate 
Systems, authentication servers (e.g., RADIUS servers, Active 
Directory servers, Certificate Authorities), security event 
monitoring systems, and intrusion detection systems.'' Reliability 
Standard CIP-002-5.1a (Cyber Security -- BES Cyber System 
Categorization) Section A.6 at 6.
    \8\ NOPR, 162 FERC ¶ 61,044 at P 37.
    \9\ Cyber Security Incident Reporting Reliability Standards, 
Order No. 848, 164 FERC ¶ 61,033, at P 10 (2018). ESP is defined as 
``[t]he logical border surrounding a network to which BES Cyber 
Systems are connected using a routable protocol.'' NERC Glossary.
    \10\ Order No. 848, 164 FERC ¶ 61,033 at P 10.
    \11\ ICS-CERT, Recommended Practice: Improving Industrial 
Control System Cybersecurity with Defense-in-Depth Strategies at 23, 
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf.
    \12\ Id.
    \13\ NOPR, 162 FERC ¶ 61,044 at P 37.
---------------------------------------------------------------------------

    5. To address this gap, pursuant to section 215(d)(5) of the 
FPA,\14\ the Commission directs NERC to develop modifications to 
include EACMS associated with medium and high impact BES Cyber Systems 
within the scope of the supply chain risk management Reliability 
Standards.\15\ We direct NERC to submit the directed modifications 
within 24 months of the effective date of this final rule.
---------------------------------------------------------------------------

    \14\ 16 U.S.C. 824o(d)(5).
    \15\ Reliability Standard CIP-002-5.1a (Cyber Security System 
Categorization) provides a ``tiered'' approach to cybersecurity 
requirements, based on classifications of high, medium and low 
impact BES Cyber Systems.
---------------------------------------------------------------------------

    6. Further, the NERC proposal does not address Physical Access 
Control Systems (PACS) \16\ and Protected Cyber Assets (PCA),\17\ with 
the exception of the modifications in Reliability Standard CIP-005-6, 
which apply to PCAs. We remain concerned that the exclusion of these 
components may leave a gap in the supply chain risk management 
Reliability Standards. Nevertheless, in contrast to EACMS, we believe 
that more study is necessary to determine the impact of PACS and PCAs 
in the context of the supply chain risk management Reliability 
Standards.

[[Page 53994]]

We distinguish between EACMS and the other Cyber Assets because 
compromise of PACS and PCAs is less likely. For example, a compromise 
of a PACS, which would potentially grant an attacker physical access to 
a BES Cyber System or PCA, is less likely since physical access is also 
required. In addition, PCAs typically become vulnerable to remote 
compromise only once EACMS have been compromised. Thus, we accept 
NERC's commitment to evaluate the cybersecurity supply chain risks 
presented by PACS and PCAs in the study of cybersecurity supply chain 
risks directed by the NERC Board of Trustees (BOT) in its resolutions 
of August 10, 2017.\18\ The Commission further directs NERC to file the 
BOT-directed final report with the Commission upon its completion.\19\
---------------------------------------------------------------------------

    \16\ PACS are defined as ``Cyber Assets that control, alert, or 
log access to the Physical Security Perimeter(s), exclusive of 
locally mounted hardware or devices at the Physical Security 
Perimeter such as motion sensors, electronic lock control 
mechanisms, and badge readers.'' NERC Glossary. Reliability Standard 
CIP-002-5.1a states that examples include ``authentication servers, 
card systems, and badge control systems.'' Id.
    \17\ PCAs are defined as ``[o]ne or more Cyber Assets connected 
using a routable protocol within or on an Electronic Security 
Perimeter that is not part of the highest impact BES Cyber System 
within the same Electronic Security Perimeter. The impact rating of 
Protected Cyber Assets is equal to the highest rated BES Cyber 
System in the same [Electronic Security Perimeter].'' NERC Glossary. 
Reliability Standard CIP-002-5.1a states that examples include, to 
the extent they are within the Electronic Security Perimeter, ``file 
servers, ftp servers, time servers, LAN switches, networked 
printers, digital fault recorders, and emission monitoring 
systems.'' Id.
    \18\ NERC Board of Trustees, Proposed Additional Resolutions for 
Agenda Item 9.a: Cyber Security--Supply Chain Risk Management--CIP-
005-6, CIP-010-3, and CIP-013-1 (August 10, 2017).
    \19\ As discussed later in this final rule, the NOPR proposed to 
direct NERC to file the BOT-directed interim report, due 12 months 
from the date of the BOT resolutions, as well as the final report, 
which is due 18 months from the date of the BOT resolutions. On 
September 7, 2018, NERC filed the BOT-directed interim report in 
this docket.
---------------------------------------------------------------------------

I. Background

A. Section 215 and Mandatory Reliability Standards

    7. Section 215 of the FPA requires a Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Reliability Standards may be enforced 
by the ERO, subject to Commission oversight, or by the Commission 
independently.\20\ Pursuant to section 215 of the FPA, the Commission 
established a process to select and certify an ERO,\21\ and 
subsequently certified NERC.\22\
---------------------------------------------------------------------------

    \20\ 16 U.S.C. 824o(e).
    \21\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \22\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Order No. 829

    8. In Order No. 829, the Commission directed NERC to develop a new 
or modified Reliability Standard that addresses supply chain risk 
management for industrial control system hardware, software and 
computing and networking services associated with bulk electric system 
operations.\23\ Specifically, the Commission directed NERC to develop a 
forward-looking, objective-based Reliability Standard that would 
require responsible entities to develop and implement a plan with 
supply chain management security controls focused on four security 
objectives: (1) Software integrity and authenticity; (2) vendor remote 
access; (3) information system planning; and (4) vendor risk management 
and procurement controls.\24\
---------------------------------------------------------------------------

    \23\ Order No. 829, 156 FERC ¶ 61,050 at P 43.
    \24\ Id. P 45.
---------------------------------------------------------------------------

    9. The Commission explained that verification of software integrity 
and authenticity is intended to reduce the likelihood that an attacker 
could exploit legitimate vendor patch management processes to deliver 
compromised software updates or patches to a BES Cyber System.\25\ For 
vendor remote access, the Commission stated that the objective is 
intended to address the threat that vendor credentials could be stolen 
and used to access a BES Cyber System without the responsible entity's 
knowledge, as well as the threat that a compromise at a trusted vendor 
could traverse over an unmonitored connection into a responsible 
entity's BES Cyber System.\26\ As to information system planning, Order 
No. 829 indicated that the objective is intended to address the risk 
that responsible entities could unintentionally plan to procure and 
install unsecure equipment or software within their information 
systems, or could unintentionally fail to anticipate security issues 
that may arise due to their network architecture or during technology 
and vendor transitions.\27\ For vendor risk management and procurement 
controls, the Commission explained that this objective is intended to 
address the risk that responsible entities could enter into contracts 
with vendors that pose significant risks to the responsible entities' 
information systems, as well as the risk that products procured by a 
responsible entity fail to meet minimum security criteria. This 
objective also addresses the risk that a compromised vendor would not 
provide adequate notice and related incident response to responsible 
entities with whom that vendor is connected.\28\
---------------------------------------------------------------------------

    \25\ Id. P 49.
    \26\ Id. P 52.
    \27\ Id. P 57.
    \28\ Id. P 60.
---------------------------------------------------------------------------

    10. Order No. 829 stated that while responsible entities should be 
required to develop and implement a plan, NERC need not impose any 
specific controls or ``one-size-fits-all'' requirements.\29\ In 
addition, the Commission stated that NERC's response to the Order No. 
829 directive should respect the Commission's jurisdiction under FPA 
section 215 by only addressing the obligations of responsible entities 
and not by directly imposing any obligations on non-jurisdictional 
suppliers, vendors or other entities that provide products or services 
to responsible entities.\30\
---------------------------------------------------------------------------

    \29\ Id. P 13.
    \30\ Id. P 21.
---------------------------------------------------------------------------

C. NERC Petition and Proposed Reliability Standards

    11. On September 26, 2017, NERC submitted for Commission approval 
proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 and 
their associated violation risk factors and violation severity levels, 
implementation plan, and effective date.\31\ NERC states that the 
purpose of the Reliability Standards is to enhance the cybersecurity 
posture of the electric industry by requiring responsible entities to 
take additional actions to address cybersecurity risks associated with 
the supply chain for BES Cyber Systems. NERC explains that the 
Reliability Standards are designed to augment the existing controls 
required in the currently-effective CIP Reliability Standards that help 
mitigate supply chain risks, providing increased attention on 
minimizing the attack surfaces of information and communications 
technology products and services procured to support reliable bulk 
electric system operations, consistent with Order No. 829.
---------------------------------------------------------------------------

    \31\ Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 
are not attached to this final rule. The Reliability Standards are 
available on the Commission's eLibrary document retrieval system in 
Docket No. RM17-13-000 and on the NERC website, www.nerc.com.
---------------------------------------------------------------------------

    12. NERC states that the supply chain risk management Reliability 
Standards apply only to medium and high impact BES Cyber Systems. NERC 
explains that the goal of the CIP Reliability Standards is to ``focus[] 
industry resources on protecting those BES Cyber Systems with 
heightened risks to the [bulk electric system] . . . [and] that the 
requirements applicable to low impact BES Cyber Systems, given their 
lower risk profile, should not be overly burdensome to divert resources 
from the protection of medium and high impact BES Cyber Systems.'' \32\ 
NERC further maintains that the standard drafting team chose to limit 
the applicability of the Reliability Standards to medium and high 
impact BES Cyber Systems because the supply chain risk management 
Reliability Standards are ``consistent with the type of existing CIP 
cybersecurity requirements applicable

[[Page 53995]]

to high and medium impact BES Cyber Systems as opposed to those 
applicable to low impact BES Cyber Systems.'' \33\
---------------------------------------------------------------------------

    \32\ NERC Petition at 16-17.
    \33\ Id. at 18.
---------------------------------------------------------------------------

    13. NERC states that the standard drafting team also excluded 
EACMS, PACS, and PCAs from the scope of the supply chain risk 
management Reliability Standards, with the exception of the 
modifications in Reliability Standard CIP-005-6, which apply to PCAs. 
NERC explains that although certain requirements in the existing CIP 
Reliability Standards apply to EACMS, PACS, and PCAs due to their 
association with BES Cyber Systems (either by function or location), 
the standard drafting team determined that the supply chain risk 
management Reliability Standards should focus on high and medium impact 
BES Cyber Systems only. NERC states that this determination was based 
on the conclusion that applying the proposed Reliability Standards to 
EACMS, PACS, and PCAs ``would divert resources from protecting medium 
and high BES Cyber Systems.'' \34\
---------------------------------------------------------------------------

    \34\ Id. at 20.
---------------------------------------------------------------------------

    14. NERC asserts that with respect to low impact BES Cyber Systems 
and EACMS, PACS, and PCAs, while not mandatory, NERC expects that these 
assets will likely be subject to responsible entity supply chain risk 
management plans required by Reliability Standard CIP-013-1. 
Specifically, NERC explains that ``[r]esponsible [e]ntities may 
implement a single process for procuring products and services 
associated with their operational environments.'' \35\ NERC contends 
that ``by requiring that entities implement supply chain cybersecurity 
risk management plans for high and medium impact BES Cyber Systems, 
those plans would likely also cover their low impact BES Cyber 
Systems.'' \36\ NERC also claims that responsible entities ``may also 
use the same vendors for procuring PACS, EACMS, and PCAs as they do for 
their high and medium impact BES Cyber Systems such that the same 
security considerations may be addressed for those Cyber Assets.'' \37\
---------------------------------------------------------------------------

    \35\ Id.
    \36\ Id. at 19.
    \37\ Id. at 20.
---------------------------------------------------------------------------

Proposed Reliability Standard CIP-013-1

    15. NERC states that the focus of proposed Reliability Standard 
CIP-013-1 is on the steps that responsible entities must take ``to 
consider and address cybersecurity risks from vendor products and 
services during BES Cyber System planning and procurement.'' \38\ NERC 
explains that proposed Reliability Standard CIP-013-1 does not require 
any specific controls or mandate ``one-size-fits-all'' requirements due 
to the differences in needs and characteristics of responsible entities 
and the diversity of bulk electric system environments, technologies, 
and risks. NERC states that the goal of the proposed Reliability 
Standard is ``to help ensure that responsible entities establish 
organizationally-defined processes that integrate a cybersecurity risk 
management framework into the system development lifecycle.'' \39\ NERC 
observes that, among other things, proposed Reliability Standard CIP-
013-1 addresses the risk associated with information system planning, 
as well as vendor risk management and procurement controls, the third 
and fourth objectives outlined in Order No. 829.
---------------------------------------------------------------------------

    \38\ Id. at 22.
    \39\ Id. at 23.
---------------------------------------------------------------------------

    16. NERC maintains that, consistent with Order No. 829, responsible 
entities need not apply their supply chain risk management plans to the 
acquisition of vendor products or services under contracts executed 
prior to the effective date of Reliability Standard CIP-013-1, nor 
would such contracts need to be renegotiated or abrogated to comply 
with the Reliability Standard. In addition, NERC indicates that, 
consistent with the development of a forward looking Reliability 
Standard, it would not expect entities in the middle of procurement 
activities for an applicable product or service at the time of the 
effective date of Reliability Standard CIP-013-1 to begin those 
activities anew to implement their supply chain cybersecurity risk 
management plan.
    17. With regard to assessing compliance with Reliability Standard 
CIP-013-1, NERC states that NERC and Regional Entities would focus on 
whether responsible entities: (1) Developed processes reasonably 
designed to (i) identify and assess risks associated with vendor 
products and services in accordance with Part 1.1 and (ii) ensure that 
the security items listed in Part 1.2 are an integrated part of 
procurement activities; and (2) implemented those processes in good 
faith. NERC explains that NERC and Regional Entities will evaluate the 
steps a responsible entity took to assess risks posed by a vendor and 
associated products or services and, based on that risk assessment, the 
steps the entity took to mitigate those risks, including the 
negotiation of security provisions in its agreements with the vendor.
Proposed Modifications in Reliability Standard CIP-005-6

    18. Proposed Reliability Standard CIP-005-6 includes two new parts, 
Parts 2.4 and 2.5, to address vendor remote access, which is the second 
objective discussed in Order No. 829. NERC explains that the new parts 
work in tandem with proposed Reliability Standard CIP-013-1, 
Requirement R1.2.6, which requires responsible entities to address 
Interactive Remote Access and system-to-system remote access when 
procuring industrial control system hardware, software, and computing 
and networking services associated with bulk electric system 
operations. NERC states that proposed Reliability Standard CIP-005-6, 
Requirement R2.4 requires one or more methods for determining active 
vendor remote access sessions, including Interactive Remote Access and 
system-to-system remote access. NERC explains that the security 
objective of Requirement R2.4 is to provide awareness of all active 
vendor remote access sessions, both Interactive Remote Access and 
system-to-system remote access, that are taking place on a responsible 
entity's system.
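The following is an added illustration of the kind of method Requirement R2.4 calls for: a script that derives the set of currently active vendor remote access sessions, both Interactive Remote Access and system-to-system, from access-gateway session events. It is not code from NERC or from the Reliability Standard. The log format, the gateway names, the vendor account list and every log line are constructed for this example; a responsible entity would substitute its own gateway logs and its own inventory of accounts issued to vendors.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed session events from two hypothetical access gateways (a VPN
# concentrator for Interactive Remote Access and an API gateway for
# system-to-system access). None of these lines come from a real system.
SAMPLE_LOG = """\
2018-10-26T08:00:01Z gw=vpn01 event=session_start user=acme-svc src=203.0.113.5 kind=interactive
2018-10-26T08:05:10Z gw=vpn01 event=session_start user=ops.jdoe src=10.1.1.20 kind=interactive
2018-10-26T08:10:00Z gw=api01 event=session_start user=acme-telemetry src=198.51.100.7 kind=system
2018-10-26T08:30:00Z gw=vpn01 event=session_end user=acme-svc src=203.0.113.5 kind=interactive
2018-10-26T08:31:00Z gw=vpn01 event=session_start user=northwind-fw src=192.0.2.44 kind=interactive
"""

# Assumption: the entity keeps an inventory mapping each account issued to a
# vendor to that vendor's name. Employee accounts are absent from this map.
VENDOR_ACCOUNTS: Dict[str, str] = {
    "acme-svc": "Acme Controls (constructed)",
    "acme-telemetry": "Acme Controls (constructed)",
    "northwind-fw": "Northwind Networks (constructed)",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


@dataclass(frozen=True)
class Session:
    user: str
    vendor: str
    src: str
    kind: str      # "interactive" (Interactive Remote Access) or "system" (system-to-system)
    started: str   # ISO-8601 timestamp of the session_start event


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'timestamp key=value key=value ...' into (timestamp, fields)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    return m.group("ts"), fields


def active_vendor_sessions(log_text: str, vendor_accounts: Dict[str, str]) -> List[Session]:
    """Replay session events and return vendor sessions that have started but not ended.

    A session is keyed by (account, source address); an end event for a session
    that was never seen to start is ignored rather than treated as an error.
    """
    open_sessions: Dict[Tuple[str, str], Session] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user = f["user"]
        if user not in vendor_accounts:
            continue  # employee account: not a vendor remote access session
        key = (user, f["src"])
        if f["event"] == "session_start":
            open_sessions[key] = Session(user, vendor_accounts[user], f["src"], f["kind"], ts)
        elif f["event"] == "session_end":
            open_sessions.pop(key, None)
    return sorted(open_sessions.values(), key=lambda s: s.started)


def summarize_by_kind(sessions: List[Session]) -> Dict[str, int]:
    """Count active sessions per access kind, so both R2.4 categories are visible."""
    counts = {"interactive": 0, "system": 0}
    for s in sessions:
        counts[s.kind] = counts.get(s.kind, 0) + 1
    return counts


if __name__ == "__main__":
    active = active_vendor_sessions(SAMPLE_LOG, VENDOR_ACCOUNTS)
    for s in active:
        print(f"{s.started}  {s.vendor:<32} {s.user:<16} {s.src:<16} {s.kind}")
    print("active vendor sessions by kind:", summarize_by_kind(active))
```

In the constructed sample the acme-svc interactive session has ended and ops.jdoe is an employee, so the report lists two active vendor sessions: the acme-telemetry system-to-system session and the northwind-fw interactive session. Running this continuously against live gateway events is one way to maintain the awareness the requirement describes; the account inventory is the piece that separates vendor access from employee access.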
Proposed Modifications in Reliability Standard CIP-010-3

    19. Proposed Reliability Standard CIP-010-3 includes a new part, 
Part 1.6, to address software integrity and authenticity, the first 
objective addressed in Order No. 829, by requiring that the publisher 
is identified and the integrity of all software and patches are 
confirmed. NERC explains that proposed Reliability Standard CIP-010-3, 
Requirement R1.6 requires responsible entities to verify software 
integrity and authenticity prior to a change from the existing baseline 
configuration, if the software source provides a method to do so. 
Specifically, NERC states that proposed Reliability Standard CIP-010-3, 
Requirement R1.6 requires that responsible entities verify the identity 
of the software source and the integrity of the software obtained by 
the software sources prior to installing software that changes 
established baseline configurations, when methods are available to do 
so. NERC asserts that the security objective of proposed Requirement 
R1.6 is to ensure that the software being installed in the BES Cyber 
System was not modified without the awareness of the software supplier 
and is not counterfeit. NERC contends that these steps help reduce the

[[Page 53996]]

likelihood that an attacker could exploit legitimate vendor patch 
management processes to deliver compromised software updates or patches 
to a BES Cyber System.
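The following is an added illustration of the verification step Requirement R1.6 describes: before a change to the established baseline configuration, check the identity of the software source and the integrity of the software obtained from it, and handle the case where the source provides no verification method. It is not code from NERC or from the Reliability Standard. The package bytes, the vendor manifest, the trusted-publisher list and the hypothetical function names are constructed for this example; the identity check here is an allow-list match on the publisher named in the manifest, whereas a real deployment would verify a vendor signature over that manifest (for example a detached GPG or code-signing signature) before trusting its contents.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class VerificationResult:
    status: str   # "verified" | "rejected_identity" | "rejected_integrity" | "no_method"
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_before_baseline_change(
    package: bytes, manifest: Dict[str, str], trusted_publishers: FrozenSet[str]
) -> VerificationResult:
    """Gate a baseline change on source identity and software integrity.

    Order of checks mirrors the requirement text: identity of the source first,
    then integrity of what was obtained from it. A manifest that carries no
    digest is reported as "no_method" rather than silently passed, so the
    entity can document that no verification method was available.
    """
    publisher = manifest.get("publisher")
    if publisher not in trusted_publishers:
        return VerificationResult(
            "rejected_identity", f"publisher {publisher!r} is not an approved software source"
        )
    expected = manifest.get("sha256")
    if not expected:
        return VerificationResult(
            "no_method", "source provides no integrity method; record an exception before proceeding"
        )
    actual = sha256_hex(package)
    # Constant-time comparison; the digests are hex strings of equal length.
    if not hmac.compare_digest(actual, expected.lower()):
        return VerificationResult(
            "rejected_integrity", f"digest mismatch: manifest {expected} vs computed {actual}"
        )
    return VerificationResult("verified", "source identity and digest verified; baseline change may proceed")


# Constructed inputs. In practice the package is the downloaded update and the
# manifest is the vendor's published checksum/signature data.
GOOD_PACKAGE = b"constructed relay firmware image v2.0\n"
VENDOR_MANIFEST = {
    "publisher": "ExampleVendor (constructed)",
    "sha256": sha256_hex(GOOD_PACKAGE),
}
TRUSTED_PUBLISHERS = frozenset({"ExampleVendor (constructed)"})


def apply_baseline_change(package: bytes, manifest: Dict[str, str]) -> bool:
    """Return True only when verification passed; the caller performs the change."""
    result = verify_before_baseline_change(package, manifest, TRUSTED_PUBLISHERS)
    print(f"[{result.status}] {result.detail}")
    return result.status == "verified"


if __name__ == "__main__":
    apply_baseline_change(GOOD_PACKAGE, VENDOR_MANIFEST)
    apply_baseline_change(GOOD_PACKAGE + b"\x00", VENDOR_MANIFEST)            # tampered bytes
    apply_baseline_change(GOOD_PACKAGE, {**VENDOR_MANIFEST, "publisher": "Unknown"})
    apply_baseline_change(GOOD_PACKAGE, {"publisher": "ExampleVendor (constructed)"})
```

The four calls at the bottom exercise the four outcomes: a clean package from an approved source is verified; a package whose bytes differ from the manifest digest is rejected on integrity; a manifest naming an unapproved publisher is rejected on identity; and a manifest with no digest yields "no_method", the case the requirement carves out with "when methods are available to do so".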
BOT Resolutions

    20. In the petition, NERC states that in conjunction with the 
adoption of the supply chain risk management Reliability Standards, on 
August 10, 2017, the BOT adopted resolutions regarding supply chain 
risk management. In particular, the BOT directed NERC management, in 
collaboration with appropriate NERC technical committees, industry 
representatives, and appropriate experts, including representatives of 
industry vendors, to further study the nature and complexity of 
cybersecurity supply chain risks, including risks associated with low 
impact assets not currently subject to the supply chain risk management 
Reliability Standards. The BOT further directed NERC to develop 
recommendations for follow-up actions that will best address any issues 
identified. Finally, the BOT directed that NERC management provide an 
interim progress report no later than 12 months after the adoption of 
these resolutions (i.e., by August 10, 2018) and a final report no 
later than 18 months after the adoption of the resolutions (i.e., by 
February 10, 2019). In its petition, NERC states that ``over the next 
18 months, NERC, working with various stakeholders, will continue to 
assess whether supply chain risks related to low impact BES Cyber 
Systems, PACS, EACMS and PCA necessitate further consideration for 
inclusion in a mandatory Reliability Standard.'' \40\
---------------------------------------------------------------------------

    \40\ Id. at 20-21.
---------------------------------------------------------------------------

Implementation Plan
    21. NERC's proposed implementation plan provides that the supply 
chain risk management Reliability Standards become effective on the 
first day of the first calendar quarter that is 18 months after the 
effective date of a Commission order approving them. NERC states that 
the proposed implementation period is designed to afford responsible 
entities sufficient time to develop and implement their supply chain 
cybersecurity risk management plans required under proposed Reliability 
Standard CIP-013-1 and implement the new controls required in proposed 
Reliability Standards CIP-005-6 and CIP-010-3.

D. Notice of Proposed Rulemaking

    22. On January 18, 2018, the Commission issued a NOPR proposing to 
approve supply chain risk management Reliability Standards CIP-013-1, 
CIP-005-6, and CIP-010-3 (83 FR 3422, January 25, 2018). The NOPR 
stated that the supply chain risk management Reliability Standards 
``will enhance existing protections for bulk electric system 
reliability by addressing the four objectives set forth in Order No. 
829: (1) Software integrity and authenticity; (2) vendor remote access; 
(3) information system planning; and (4) vendor risk management and 
procurement controls.'' \41\ Accordingly, the NOPR proposed to 
determine that the supply chain risk management Reliability Standards 
constitute substantial progress in addressing the supply chain 
cybersecurity risks identified by the Commission in Order No. 829.\42\
---------------------------------------------------------------------------

    \41\ NOPR, 162 FERC ¶ 61,044 at P 29.
    \42\ Id. P 30.
---------------------------------------------------------------------------

    23. The NOPR proposed to approve the supply chain risk management 
Reliability Standards' associated violation risk factors and violation 
severity levels. However, with respect to the implementation plan and 
effective date, the NOPR proposed to reduce the implementation period 
from the first day of the first calendar quarter that is 18 months 
following the effective date of a Commission order approving the 
proposed Reliability Standards, as proposed by NERC, to the first day 
of the first calendar quarter that is 12 months following the effective 
date of a Commission order.\43\
---------------------------------------------------------------------------

    \43\ Id. P 44.
---------------------------------------------------------------------------

    24. The NOPR proposed to determine that a significant cybersecurity 
risk associated with the supply chain for BES Cyber Systems persists 
because the proposed supply chain risk management Reliability Standards 
exclude EACMS, PACS, and PCAs, with the exception of the modifications 
in Reliability Standard CIP-005-6, which apply to PCAs. To address this 
gap, pursuant to section 215(d)(5) of the FPA, the NOPR proposed to 
direct NERC to develop modifications to the CIP Reliability Standards 
to include EACMS associated with medium and high impact BES Cyber 
Systems within the scope of the supply chain risk management 
Reliability Standards. In addition, the Commission proposed to direct 
that NERC evaluate the cybersecurity supply chain risks presented by 
PACS and PCAs in the study of cybersecurity supply chain risks directed 
by the NERC BOT in its resolutions of August 10, 2017.
    25. The Commission received fifteen comments on the NOPR.

E. Interim BOT-Directed Report

    26. On September 7, 2018, NERC submitted to the Commission an 
informational filing containing the BOT-directed interim report 
prepared by the Electric Power Research Institute (EPRI).\44\ The 
interim report explains that EPRI analyzed:
---------------------------------------------------------------------------

    \44\ NERC, Informational Filing regarding Proposed Supply Chain 
Risk Management Reliability Standards, Docket No. RM17-13-000 
(September 7, 2018) (NERC Interim Report).
---------------------------------------------------------------------------

    (1) Information regarding bulk electric system products and 
manufacturers; (2) emerging vendor practices and industry standards; 
and (3) the applicability of the CIP Reliability Standards to supply 
chain risks. The interim report concludes with three categories of 
identified next steps for further analysis and investigation.
    27. First, EPRI identifies four noteworthy industry practices, not 
already required by the CIP Reliability Standards, which may 
potentially reduce future supply chain risks if implemented correctly: 
(1) Third-party accreditation processes; (2) secure hardware delivery; 
(3) threat-informed procurement language; and (4) processes related to 
unsupported or open-source technology. Second, EPRI recommends further 
study in modeling and assessing the potential impact of common-mode 
vulnerabilities, especially those targeting low-impact BES Cyber 
Systems. EPRI states that ``risks of common-mode vulnerabilities . . . 
can be mitigated if supply chain security practices are applied 
uniformly across cyber asset types.'' \45\ Finally, EPRI recommends 
various methods to obtain additional data on industry practices. These 
methods included issuing pre-audit surveys and questionnaires; 
targeting outreach to bulk electric system vendors; developing standard 
vendor data sheets related to the CIP Reliability Standards; and 
independently testing legacy assets. In its accompanying filing, NERC 
states its intention to continue to study supply chain risks over the 
coming months, develop recommendations for follow-up actions, and 
present a final report to the NERC BOT at its February 2019 meeting.
---------------------------------------------------------------------------

    \45\ Id. at 5-1.
---------------------------------------------------------------------------

II. Discussion

    28. Pursuant to section 215(d)(2) of the FPA, the Commission 
approves supply chain risk management Reliability Standards CIP-013-1, 
CIP-005-6, and CIP-010-3 as just, reasonable, not unduly discriminatory

[[Page 53997]]

or preferential, and in the public interest. We determine that the 
supply chain risk management Reliability Standards will enhance 
existing protections for bulk electric system reliability by addressing 
the four objectives identified in Order No. 829: (1) Software integrity 
and authenticity; (2) vendor remote access; (3) information system 
planning; and (4) vendor risk management and procurement controls.
    29. Reliability Standard CIP-013-1 addresses information system 
planning and vendor risk management and procurement controls by 
requiring that responsible entities develop and implement one or more 
documented supply chain cybersecurity risk management plan(s) for high 
and medium impact BES Cyber Systems. The required plans must address, 
as applicable, a baseline set of six security concepts: (1) Vendor 
security event notification; (2) coordinated incident response; (3) 
vendor personnel termination notification; (4) product/services 
vulnerability disclosures; (5) verification of software integrity and 
authenticity; and (6) coordination of vendor remote access controls. 
Reliability Standard CIP-005-6 addresses vendor remote access by 
creating two new requirements for determining active vendor remote 
access sessions and for having one or more methods to disable active 
vendor remote access sessions. Reliability Standard CIP-010-3 addresses 
software authenticity and integrity by creating a new requirement that 
responsible entities verify the identity of the software source and the 
integrity of the software obtained from the software source prior to 
installing software that changes established baseline configurations, 
when methods are available to do so.
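The CIP-010-3 check just described (and the Requirement R1.6 objective stated earlier, that software was not modified without the supplier's awareness and is not counterfeit) comes down to two questions asked before a package changes a baseline: did this come from the vendor, and is it byte-for-byte what the vendor released? The following Python is an added illustration written for this page; it is not NERC's, the Commission's or any vendor's code. It assumes a vendor that publishes a manifest of SHA-256 digests and authenticates that manifest with a key provisioned out of band at procurement (HMAC is used here so the example runs on the standard library; a real vendor would normally use an asymmetric signature such as PGP or Ed25519, and the control flow is the same). The vendor name, package names, key values and "firmware" bytes are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample material (not real vendor keys or firmware).
VENDOR_KEY = b"manifest-key-provisioned-at-procurement"  # assumed pre-shared, delivered out of band
ATTACKER_KEY = b"key-an-attacker-might-guess"              # used to forge a manifest below
GOOD_PACKAGE = b"RTU-firmware-2.3.1 :: constructed sample image bytes"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\x00implant"           # same file name, altered contents


@dataclass
class VerificationResult:
    ok: bool
    reason: str


def build_vendor_manifest(key: bytes, packages: Dict[str, bytes]) -> Tuple[bytes, str]:
    """Simulated vendor side: publish per-package SHA-256 digests and
    authenticate the manifest so the entity can tie it to the vendor."""
    manifest = {
        "vendor": "ExampleVendor",  # assumed name
        "packages": {name: {"sha256": hashlib.sha256(data).hexdigest()}
                     for name, data in packages.items()},
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return manifest_bytes, tag


def verify_before_install(package_name: str, package_bytes: bytes,
                          manifest_bytes: bytes, manifest_tag: str,
                          vendor_key: bytes) -> VerificationResult:
    """Entity side: the pre-install gate. Order matters: confirm the
    manifest came from the vendor before trusting any digest it lists."""
    # (1) Identity of the software source: authenticate the manifest.
    expected_tag = hmac.new(vendor_key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest_tag):
        return VerificationResult(False, "source identity not verified: manifest tag mismatch")

    # (2) Is a verification method available for this package at all?
    #     The requirement applies "when methods are available"; absence is
    #     recorded as an exception for the change record, never treated as a pass.
    entry = json.loads(manifest_bytes).get("packages", {}).get(package_name)
    if not entry or "sha256" not in entry:
        return VerificationResult(False, "no integrity method available: vendor published no digest")

    # (3) Integrity of the obtained software: constant-time digest compare.
    actual = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(actual, entry["sha256"]):
        return VerificationResult(False, "integrity check failed: package digest mismatch")

    return VerificationResult(True, "source identity and integrity verified; install may proceed")


def run_scenarios() -> Dict[str, VerificationResult]:
    """Exercise the gate against a legitimate update and three supply-chain
    failure modes; returns the results keyed by scenario name."""
    manifest, tag = build_vendor_manifest(VENDOR_KEY, {"rtu-firmware-2.3.1.bin": GOOD_PACKAGE})
    # An attacker who swapped the package also ships a matching manifest,
    # but cannot produce the vendor's tag over it.
    forged_manifest, forged_tag = build_vendor_manifest(
        ATTACKER_KEY, {"rtu-firmware-2.3.1.bin": TAMPERED_PACKAGE})
    name = "rtu-firmware-2.3.1.bin"
    return {
        "legitimate": verify_before_install(name, GOOD_PACKAGE, manifest, tag, VENDOR_KEY),
        "tampered_package": verify_before_install(name, TAMPERED_PACKAGE, manifest, tag, VENDOR_KEY),
        "forged_manifest": verify_before_install(name, TAMPERED_PACKAGE, forged_manifest, forged_tag, VENDOR_KEY),
        "no_method": verify_before_install("hmi-client-9.0.exe", b"unlisted", manifest, tag, VENDOR_KEY),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:18} ok={result.ok}  {result.reason}")
```

The ordering is the practical point: a digest is only as trustworthy as the channel it arrived over, so the manifest is authenticated before any digest in it is consulted, and a package for which the vendor publishes no digest is returned as a failed check with a distinct reason rather than silently passed, so that the "no method available" case shows up in the change record instead of disappearing.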
    30. While we determine that the approved supply chain risk 
management Reliability Standards constitute substantial progress in 
addressing the supply chain cybersecurity risks identified in Order No. 
829, as discussed below, we find that the exclusion of EACMS from the 
scope of the Reliability Standards presents risks to the cybersecurity 
of the bulk electric system. As explained in Order No. 848, EACMS are 
defined in the NERC Glossary as ``Cyber Assets that perform electronic 
access control or electronic access monitoring of the Electronic 
Security Perimeter(s) or BES Cyber Systems. This includes Intermediate 
Systems.'' Among other things, EACMS include firewalls, authentication 
servers, security event monitoring systems, intrusion detection systems 
and alerting systems. The purpose of an ESP, in turn, is to manage 
electronic access to BES Cyber Systems to support the protection of the 
BES Cyber Systems against compromise that could lead to misoperation or 
instability in the bulk electric system.\46\ The record indicates that 
the vulnerabilities associated with EACMS are well understood and 
appropriate for mitigation. Thus, pursuant to section 215(d)(5) of the 
FPA, we direct NERC to develop modifications to the CIP Reliability 
Standards to include EACMS within the scope of the supply chain risk 
management Reliability Standards. We direct NERC to submit the directed 
modifications within 24 months of the effective date of this final 
rule.
---------------------------------------------------------------------------

    \46\ Order No. 848, 164 FERC ¶ 61,033 at PP 39-40.
---------------------------------------------------------------------------

    31. In addition, while PACS and PCAs also present concerns, we 
agree with NERC and others that further study is warranted with regard 
to the impacts and benefits of directing that the ERO address the risks 
associated with PACS and PCAs in the supply chain risk management 
Reliability Standards. Accordingly, we accept NERC's commitment to 
evaluate the cybersecurity supply chain risks presented by PACS and 
PCAs in the cybersecurity supply chain risks study directed by the BOT. 
The Commission further directs NERC to file the BOT-directed final 
report with the Commission upon its completion.
    32. In the sections below, we discuss the following issues: (A) 
Inclusion of EACMS in the supply chain risk management Reliability 
Standards; (B) inclusion of PACS and PCAs in the BOT-directed study on 
cybersecurity supply chain risks and filing of the BOT-directed final 
report with the Commission; (C) supply chain risk management 
Reliability Standards' implementation plan and effective date; and (D) 
other issues raised in the NOPR comments.

A. Inclusion of EACMS in CIP Reliability Standards

1. NOPR
    33. The NOPR observed that the supply chain risk management 
Reliability Standards do not apply to low impact BES Cyber Systems or 
Cyber Assets associated with medium and high impact BES Cyber Systems 
(i.e., EACMS, PACS, and PCAs). The NOPR, however, recognized that the 
BOT-directed study on cybersecurity supply chain risks will examine the 
risks posed by low impact BES Cyber Systems.\47\ While acknowledging 
NERC's commitment to study these issues, as evinced by the BOT-directed 
study, the NOPR proposed to direct NERC to modify the supply chain risk 
management Reliability Standards to include within their scope EACMS 
associated with medium and high impact BES Cyber Systems.\48\
---------------------------------------------------------------------------

    \47\ NOPR, 162 FERC ¶ 61,044 at P 33.
    \48\ Id. P 39.
---------------------------------------------------------------------------

    34. Specifically, the NOPR explained that BES Cyber Systems have 
associated Cyber Assets, which, if compromised, pose a threat to the 
BES Cyber System by virtue of, inter alia, the security control 
function they perform.\49\ In particular, EACMS support BES Cyber 
Systems and are part of the network and security architecture that 
allows BES Cyber Systems to work as intended by performing electronic 
access control or electronic access monitoring of the ESP or BES Cyber 
Systems.
---------------------------------------------------------------------------

    \49\ Reliability Standard CIP-002-5.1a (Cyber Security--BES 
Cyber System Categorization), Background at 6.
---------------------------------------------------------------------------

    35. The NOPR indicated that since EACMS support and enable BES 
Cyber System operation, misoperation and unavailability of EACMS that 
support a given BES Cyber System could also contribute to misoperation 
of a BES Cyber System or render it unavailable, which could adversely 
affect bulk electric system reliability. The NOPR also explained that 
EACMS control electronic access, including interactive remote access, 
into the ESP that protects high and medium impact BES Cyber Systems. As 
the NOPR further noted, an attacker does not need physical access to 
the facility housing a BES Cyber System in order to gain access to a 
BES Cyber System or PCA via an EACMS compromise. The NOPR concluded 
that EACMS represent the most likely route an attacker would take to 
access a BES Cyber System or PCA within an ESP.\50\
---------------------------------------------------------------------------

    \50\ NOPR, 162 FERC ¶ 61,044 at P 35.
---------------------------------------------------------------------------

2. Comments
    36. NERC does not support the proposed directive to include EACMS 
within the scope of the supply chain risk management Reliability 
Standards at this time. NERC indicates that it is currently analyzing 
supply chain risks associated with EACMS, among other things, as part 
of the BOT-directed study of supply chain risks related to low impact 
BES Cyber Systems. NERC explains that the ``study will help identify 
and differentiate the risks presented by various types of EACMS'' to 
help in any directed standards development process.\51\ NERC requests 
that the Commission refrain from issuing a directive on EACMS until the 
results of the BOT-directed study to

[[Page 53998]]

assess supply chain risks associated with EACMS are received.\52\
---------------------------------------------------------------------------

    \51\ NERC Comments at 6.
    \52\ Id. at 4-6.
---------------------------------------------------------------------------

    37. Most commenters agree with NERC that the Commission should 
approve the supply chain risk management Reliability Standards as filed 
and not direct the inclusion of EACMS at this time. Instead, Trade 
Associations, EEI, ITC, IRC, and MISO TOs support evaluating in the 
BOT-directed study the possibility of including EACMS in the supply 
chain risk management Reliability Standards.\53\
---------------------------------------------------------------------------

    \53\ Trade Associations Comments at 10, EEI Comments at 10, ITC 
Comments at 5, IRC Comments at 3.
---------------------------------------------------------------------------

    38. Trade Associations contend that first allowing completion of 
the BOT-directed study would allow NERC to assess the diversity of 
EACMS that perform control or monitoring functions with varying risk 
levels and ``is likely to provide more specific information and 
analysis concerning whether any category of EACMS might be 
appropriately included within the scope of the supply chain Reliability 
Standards.'' \54\ Trade Associations also maintain that first having 
the BOT-directed study results will facilitate a more efficient and 
effective standards development process.
---------------------------------------------------------------------------

    \54\ Trade Associations Comments at 10.
---------------------------------------------------------------------------

    39. While also supportive of awaiting the results of the BOT-
directed study, EEI asserts that EACMS are protected under existing CIP 
Reliability Standards. EEI cites Reliability Standards CIP-005-5, 
Requirements R1, Part 1.3 and R2, Parts 2.1-2.3, CIP-007-6, 
Requirements R1, Part 1.1, R2, R3, R4, and R5, and CIP-010-2, 
Requirement 2, Part 2.1 as protecting EACMS against compromise.\55\ 
Moreover, EEI states that the likelihood of compromise of an EACMS from 
potential supply chain-derived threats was not addressed in the NOPR 
and ``should be evaluated before directing a CIP Standard scope 
expansion.'' \56\ Even so, EEI supports further evaluating the 
feasibility, as well as the benefits, of adding EACMS to the supply 
chain risk management Reliability Standards. EEI contends that waiting 
for the BOT-directed study will allow industry time to gain experience 
implementing the supply chain risk management Reliability Standard 
requirements as well as help identify potential follow-up actions.\57\
---------------------------------------------------------------------------

    \55\ EEI Comments at 8.
    \56\ Id.
    \57\ Id. at 10.
---------------------------------------------------------------------------

    40. MISO TOs likewise aver that EACMS, while important, are ``not 
unprotected'' under currently-effective CIP Reliability Standards. MISO 
TOs, like EEI, reference Reliability Standard CIP-007-6 (Cyber Security 
-- System Security Management), which requires responsible entities to 
manage system security by specifying select technical, operational, and 
procedural requirements in support of protecting BES Cyber Systems. 
MISO TOs state that this Reliability Standard applies to EACMS. AECC 
also contends that the existing CIP Reliability Standards already 
sufficiently cover any risks associated with EACMS.\58\ In particular, 
AECC states that ``CIP-005-6 already addresses vendor-initiated remote 
access . . . [and] developing technology services for BES Cyber Systems 
under CIP-010-3 inherently already requires coverage for EACMS, PACS, 
and PCAs due to the nature of the technology.'' \59\
---------------------------------------------------------------------------

    \58\ AECC Comments at 2-3.
    \59\ Id. at 3.
---------------------------------------------------------------------------

    41. ITC, IRC, and MISO TOs assert that including EACMS within the 
supply chain risk management Reliability Standards would constitute a 
substantial expansion of the Reliability Standards and would require 
significant additional resources for compliance, without a commensurate 
improvement in bulk electric system reliability. According to ITC, the 
record does not contradict NERC's technical assessment that inclusion 
of EACMS within the supply chain risk management Reliability Standards 
is not justified. ITC claims that the NOPR, while ``descriptively 
accurate,'' misunderstands the purpose and function of EACMS, which, 
ITC states, are intended to protect the ESP and the BES Cyber Assets 
contained therein and are not intended to provide a reliability 
function. ITC concludes that misoperation of an EACMS, while serious, 
does not rise to the level of a direct threat to the reliability of the 
bulk electric system.
    42. IRC similarly believes that including EACMS within the scope of 
the supply chain risk management Reliability Standards would require 
``significant resources and effort'' and because EACMS vendors supply 
such systems to a larger market than just the power sector there would 
need to be coordination with other industries before implementing a 
supply chain risk management Reliability Standard for EACMS.\60\ MISO 
TOs also contend that including EACMS would affect numerous pieces of 
equipment and assets, with associated costs, system changes, and other 
burdens, without showing commensurate benefits.\61\
---------------------------------------------------------------------------

    \60\ IRC Comments at 2-3.
    \61\ MISO TO Comments at 16.
---------------------------------------------------------------------------

    43. Idaho Power, for its part, does not believe that EACMS should 
be included in the scope of the supply chain risk management 
Reliability Standards based on its view that EACMS are used in other 
industries and are not specific to critical infrastructure. Instead, 
Idaho Power states that the focus should be on correctly configuring 
EACMS devices as opposed to addressing procurement practices.\62\
---------------------------------------------------------------------------

    \62\ Idaho Power Comments at 2.
---------------------------------------------------------------------------

    44. Appelbaum, Reclamation, Resilient Societies, Isologic, Mabee, 
and MPUC support the NOPR directive regarding EACMS associated with 
medium and high impact BES Cyber Systems. In addition, the commenters 
urge the Commission to extend the scope of the supply chain risk 
management Reliability Standards to low impact BES Cyber Systems.\63\ 
MPUC states, for example, that the supply chain risk management 
Reliability Standards should apply to all BES Cyber System assets, 
unless the specific asset can be shown to be completely isolated from 
the bulk electric system.\64\ Resilient Societies states that the 
supply chain risk management Reliability Standards should apply to low 
impact BES Cyber Systems since the compromise of a low impact BES Cyber 
System could lead to the compromise of medium or high impact BES Cyber 
Systems.\65\
---------------------------------------------------------------------------

    \63\ Appelbaum Comments at 6, Reclamation Comments at 7, 
Resilient Societies Comments at 3-4, Isologic Comments at 3, Mabee 
Comments at 4, MPUC Comments at 6.
    \64\ MPUC Comments at 6.
    \65\ Resilient Societies Comments at 3.
---------------------------------------------------------------------------

    45. APS states that it supports the NOPR proposal to direct NERC to 
modify the supply chain risk management Reliability Standards to 
include EACMS associated with medium and high impact BES Cyber Systems. 
However, APS contends that the Commission should delay their inclusion 
until NERC and industry complete their analysis of the potential need 
to separate the functions reflected in the current EACMS definition 
(e.g., electronic access control versus electronic access monitoring). 
APS states that, including EACMS that perform electronic access control 
functions within the scope of the supply chain risk management 
Reliability Standards ``represents good cybersecurity posture . . . 
[h]owever, at this time, the definition of EACMS is not sufficiently 
mature to make the necessary distinction discussed above.'' \66\
---------------------------------------------------------------------------

    \66\ APS Comments at 5.

---------------------------------------------------------------------------

[[Page 53999]]

3. Commission Determination
    46. Pursuant to section 215(d)(5) of the FPA, we adopt the NOPR 
proposal and direct NERC to develop modifications to include EACMS 
associated with medium and high impact BES Cyber Systems within the 
scope of the supply chain risk management Reliability Standards. While 
we are sensitive to the position taken by NERC and other commenters 
that the Commission should not issue a directive until after completion 
of the BOT-directed final report, we conclude that the record before us 
supports directing NERC to include at least some subset of EACMS 
associated with medium and high impact BES Cyber Systems at this time. 
We are not persuaded by comments advocating delay in view of the 
forthcoming BOT-directed final report because the standard drafting 
team will have the benefit of the BOT-directed final report, which is 
due in February 2019, when developing the directed Reliability Standard 
modifications.\67\
---------------------------------------------------------------------------

    \67\ As we have imposed a 24-month deadline for NERC to file the 
modified supply chain risk management Reliability Standards, the 
standard drafting team will have ample time to review and 
incorporate the findings in the BOT-directed final report.
---------------------------------------------------------------------------

    47. We continue to believe that EACMS represent the most likely 
route an attacker would take to access a BES Cyber System or PCA within 
an ESP based on the functions they perform.\68\ EACMS support BES Cyber 
Systems and are part of the network and security architecture that 
allows BES Cyber Systems to work as intended because they perform 
electronic access control or electronic access monitoring of the ESP or 
BES Cyber Systems. In particular, EACMS control electronic access, 
including interactive remote access, into the ESP that protects high 
and medium impact BES Cyber Systems. One specific function of 
electronic access control is to prevent malware or malicious actors 
from gaining access to the BES Cyber Systems and PCAs within the 
ESP.\69\ Given the significant role that EACMS play in the protection 
scheme for medium and high impact BES Cyber Systems, we determine that 
EACMS should be within the scope of the supply chain risk management 
Reliability Standards to provide minimum protection against supply 
chain attack vectors.
---------------------------------------------------------------------------

    \68\ See NOPR, 162 FERC ¶ 61,044 at P 35.
    \69\ Id.
---------------------------------------------------------------------------

    48. No commenter disagreed with the NOPR that misoperation or 
unavailability of EACMS that support a given BES Cyber System could 
contribute to the misoperation of the BES Cyber System or render it 
unavailable, which could pose a significant risk to reliable operation. 
Instead, commenters generally agree that EACMS perform important 
security-related functions.\70\ For example, NERC states that a 
compromised firewall ``may allow unfettered access to the ESP.'' \71\ 
EEI also agrees that the compromise of certain EACMS that control 
access could adversely affect the reliable operation of an associated 
BES Cyber System, although EEI asserts that other CIP Reliability 
Standards adequately protect those EACMS.\72\ Although some commenters, 
as discussed below, maintain that the reliability benefit of including 
EACMS in the supply chain risk management Reliability Standards is 
outweighed by the perceived costs, these commenters do not challenge 
the proposition that misoperation or unavailability of EACMS has 
negative reliability ramifications. For example, ITC, while opposing 
the NOPR directive, recognizes that misoperation of an EACMS is 
``serious'' and ``[w]ere CIP resources infinite, it would no doubt 
increase BES reliability by some degree to include EACMS within this 
Standard.'' \73\
---------------------------------------------------------------------------

    \70\ See NERC Comments at 5-6, Appelbaum Comments at 5-6, APS 
Comments at 5, EEI Comments at 7-8, IRC Comments at 3, Idaho Power 
Comments at 2, MPUC Comments at 6.
    \71\ NERC Comments at 5.
    \72\ EEI Comments at 7-8.
    \73\ ITC Comments at 5.
---------------------------------------------------------------------------

    49. We disagree with the comments asserting that existing CIP 
Reliability Standards adequately protect EACMS against supply chain-
based threats. While existing CIP Reliability Standards include 
requirements that address aspects of supply chain risk management, 
existing Reliability Standards do not adequately protect EACMS based on 
the four security objectives in Order No. 829.\74\ The CIP Reliability 
Standards cited by EEI, MISO TOs and AECC address aspects of electronic 
access control, systems security management, and configuration 
monitoring, but they do not address protection from supply chain 
threats such as insertion of counterfeits or malicious software, 
unauthorized production, tampering, or theft, as well as poor 
manufacturing and development practices. By contrast, the supply chain 
risk management Reliability Standards approved in this final rule 
specifically address the above listed supply chain threats, and, we 
determine, should be extended to at least some subset of EACMS.
---------------------------------------------------------------------------

    \74\ Order No. 829, 156 FERC ¶ 61,050 at P 71.
---------------------------------------------------------------------------

    50. Specifically, the goal of the supply chain risk management 
Reliability Standards is ``to help ensure that responsible entities 
establish organizationally-defined processes that integrate a 
cybersecurity risk management framework into the system development 
life cycle.'' \75\ The current CIP Reliability Standards identified in 
the comments, however, do not adequately address supply chain risks. 
For example, while Reliability Standard CIP-005-5 provides a level of 
electronic access protection for an ESP through controls applied to an 
Electronic Access Point associated with an EACMS, those controls would 
only apply after an asset is procured and deployed on a responsible 
entity's system. In this situation, the EACMS at issue could already 
contain built-in vulnerabilities making it susceptible to compromise 
or, in the worst-case scenario, could have been compromised before 
acquisition.
---------------------------------------------------------------------------

    \75\ NERC Comments at 23.
---------------------------------------------------------------------------

    51. Given the documented risks to the cyber posture of the bulk 
electric system associated with EACMS, we are not persuaded to await 
the completion of the BOT-directed final report before issuing a 
directive regarding EACMS.\76\ Instead, it is reasonable to initiate 
modification of the supply chain risk management Reliability Standards 
based on the conclusion that at least some categories of EACMS should 
be included. As discussed above, we are convinced that EACMS in general 
are a known risk that should be protected under the supply chain risk 
management Reliability Standards. But we leave it to the standard 
drafting team to assess the various types of EACMS and their associated 
levels of risk. We are confident that the standard drafting team will 
be able to develop modifications that include only those EACMS whose 
compromise by way of the cybersecurity supply chain can affect the 
reliable operation of high and medium impact BES Cyber Systems. While 
it will no doubt inform the standard drafting team's work, the BOT-
directed final report is not, in our view, likely to alter the 
conclusion that at least some EACMS functions should be included in the 
supply chain risk management Reliability Standards.\77\
---------------------------------------------------------------------------

    \76\ See NERC Comments at 4-6, EEI Comments at 7-10, IRC 
Comments at 3, ITC Comments at 5, Trade Associations at 8-12, MISO 
TOs Comments at 16-18.
    \77\ The BOT-directed interim report provides the example of a 
situation where a firewall used to protect BES Cyber Systems within 
an ESP was compromised due to supply chain vulnerability, noting 
that each system within the ESP could be exposed due to its logical 
proximity to the compromised firewalls. NERC Interim Report at 4-4.

---------------------------------------------------------------------------

[[Page 54000]]

    52. The record does not support delaying a directive to modify the 
CIP Reliability Standards to include EACMS. While commenters opposing 
the NOPR proposal contend that the Commission should not act until NERC 
has the results of the BOT-directed final report, we note that: (1) 
NERC will have 24 months from the effective date of this final rule to 
develop and submit the modified Reliability Standards; and (2) the BOT-
directed final report is due in the near term (i.e., February 2019). 
Nothing in our directive prevents the standard drafting team from using 
the findings in the BOT-directed final report to refine its 
understanding of which types of EACMS functions present the greatest 
risk and are worthy of inclusion in the supply chain risk management 
Reliability Standards. Indeed, as discussed below, in view of the BOT-
directed study and the Commission's guidance, the standard drafting 
team could modify the supply chain risk management Reliability 
Standards to include an appropriate subset of EACMS functions similar 
to the approach in Order No. 848.\78\
---------------------------------------------------------------------------

    \78\ Order No. 848, 164 FERC ¶ 61,033 at PP 53-54.
---------------------------------------------------------------------------

    53. As we have indicated above, including EACMS within the scope of 
the supply chain risk management Reliability Standards is consistent 
with the approach in Order No. 848 regarding cybersecurity incident 
reporting. In Order No. 848, the Commission determined that EACMS that 
perform certain functions are significant to bulk electric system 
reliability so as to justify their being within the scope of the 
cybersecurity incident reporting Reliability Standards. Specifically, 
Order No. 848 addressed the identification of EACMS that should be 
subject to mandatory reporting requirements:

    With regard to identifying EACMS for reporting purposes, NERC's 
reporting threshold should encompass the functions that various 
electronic access control and monitoring technologies provide. Those 
functions must include, at a minimum: (1) Authentication; (2) 
monitoring and logging; (3) access control; (4) interactive remote 
access; and (5) alerting.\79\

    \79\ Id. P 54.
---------------------------------------------------------------------------

    54. As with cybersecurity incident reporting, in the context of 
this proceeding, if, for example, a vulnerability in the supply chain 
for EACMS is found, we determine that responsible entities should have 
processes in place to be notified of such vulnerabilities by the 
vendor, as required by Reliability Standard CIP-013-1, Requirement 
R1.2.4. We recognize that including EACMS within the scope of the 
supply chain risk management Reliability Standards will impose a burden 
on responsible entities. Nonetheless, the burden of possible 
procurement inefficiencies or resource constraints must be weighed 
against the significant risk of a cyber incident resulting from 
unmitigated supply chain vulnerabilities.\80\
---------------------------------------------------------------------------

    \80\ EEI Comments at 9, MISO TOs Comments at 16-17, ITC Comments 
at 5.
---------------------------------------------------------------------------

    55. It is also important to consider that in Order No. 848 the 
Commission determined that the modified reporting Reliability Standard 
need not include all EACMS as currently defined and, instead, the 
standard drafting team may analyze the matter to determine an 
appropriate subset of EACMS for reporting purposes.\81\ Likewise, the 
standard drafting team that is formed in response to our present 
directive may determine, based on the work done in response to Order 
No. 848 as well as the results of the BOT-directed study, what EACMS 
functions are most important to the reliable operation of the Bulk-
Power System and therefore should be included in the supply chain risk 
management Reliability Standards.
---------------------------------------------------------------------------

    \81\ Order No. 848, 164 FERC ¶ 61,033 at P 53.
---------------------------------------------------------------------------

    56. We find the remaining objections to our directive unpersuasive. 
BES Cyber Systems rely on EACMS to enable and secure the communications 
capability that these systems depend on to control their assigned 
portion of the bulk electric system. Commenters opposing the NOPR 
directive fail to provide convincing examples of why EACMS should not 
receive the same level of protection as the BES Cyber Systems with 
which they are associated. In addition, contrary to EEI's assertion 
that the ``likelihood of compromise'' is unclear, ample evidence exists 
that supply chain vulnerabilities are an active issue for vendors, whom 
malicious parties have intentionally targeted.\82\ By contrast, 
commenters supporting the NOPR directive provided examples where 
notable vendors of EACMS functions announced vulnerabilities, 
specifically in firewall firmware.\83\ Reliability Standard CIP-013-1, 
Requirement R1, Part 1.2.1, when applied to certain EACMS functions, 
will require that responsible entities have processes to require 
notification by the vendor of the discovery of such vulnerabilities, 
representing a clear enhancement of the protections provided by the CIP 
Reliability Standards.
---------------------------------------------------------------------------

    \82\ EEI Comments at 8-9.
    \83\ Resilient Societies Comments at 3 (noting a February 2016 
Cisco ``critical'' security advisory on a vulnerability that could 
allow an unauthenticated, remote attacker to obtain full control of 
its Industrial Security Appliance line of firewalls, and a December 
2015 Juniper ``out-of-cycle security advisory'' on unauthorized code 
identified in a specific operating system that could allow an 
attacker to access some firewalls).
---------------------------------------------------------------------------

    57. Although some commenters question the importance of the EACMS 
monitoring function, we note that these systems work in concert with 
access control systems to alert of possible intrusion.\84\ Standard 
monitoring systems such as intrusion detection systems are an essential 
component designed to recognize suspicious activity and collect data 
used for incident reporting. A compromised intrusion detection system 
may provide false information and generate false alarms. Indeed, a 
compromised intrusion detection system may not only negate the value of 
the reported information, but could also potentially provide misleading 
information. Various intrusion detection system modules collect user 
logs, provide audit trails and indicate whether suspicious activity is 
malicious or normal. An attacker could change the various settings, 
removing or inserting false information. A compromised intrusion 
detection system may also allow the attacker to manipulate the system 
continuously without generating an alarm. In addition, an attacker may 
alter the compromised system such that it will deny legitimate activity 
and accept malicious activity.\85\
---------------------------------------------------------------------------

    \84\ EEI Comments at 7, APS Comments at 3-5, MISO TOs Comments 
17-18.
    \85\ International Journal of Information Sciences and 
Techniques (IJIST) Vol.6, No.1/2, March 2016, Cyber Attacks on 
Intrusion Detection Systems at P 195, http://aircconline.com/ijist/V6N2/6216ijist20.pdf.
---------------------------------------------------------------------------

    58. For the reasons discussed above, we adopt the NOPR proposal 
and, pursuant to section 215(d)(5) of the FPA, direct NERC to develop 
modifications to the CIP Reliability Standards to include EACMS 
associated with medium and high impact BES Cyber Systems within the 
scope of the supply chain risk management Reliability Standards. We 
direct NERC to submit the directed modifications within 24 months of 
the effective date of this final rule.

B. Study of PACS and PCAs in the BOT-Directed Cybersecurity Supply 
Chain Risk Study

1. NOPR
    59. The NOPR stated that it would be appropriate to await the 
findings from the BOT-directed study on cybersecurity supply chain 
risks before considering

[[Page 54001]]

whether low impact BES Cyber Systems should be addressed in the supply 
chain risk management Reliability Standards. The NOPR explained that 
the BOT resolutions stated that the BOT-directed study should examine 
the risks posed by low impact BES Cyber Systems, but the BOT 
resolutions did not identify PACS and PCAs as subjects of the study. 
The NOPR noted, however, that NERC's petition suggests that NERC will 
evaluate PACS and PCAs as part of the BOT-directed study.\86\
---------------------------------------------------------------------------

    \86\ NOPR, 162 FERC ¶ 61,044 at P 27 (citing NERC Petition at 21 
(``over the next 18 months, NERC, working with various stakeholders, 
will continue to assess whether supply chain risks related to low 
impact BES Cyber Systems, PACS, EACMS, and PCA necessitate further 
consideration for inclusion in a mandatory Reliability Standard'')).
---------------------------------------------------------------------------

    60. The NOPR proposed to direct that NERC, consistent with the 
representation made in NERC's petition, include PACS and PCAs in the 
BOT-directed study and to await the findings of the study's final 
report before considering further action. The NOPR indicated that the 
risks posed by EACMS also apply to varying degrees to PACS and PCAs. 
However, the NOPR explained the distinction between EACMS and the other 
Cyber Assets: For example, a compromise of a PACS through the supply 
chain, which would potentially grant an attacker physical access to a 
BES Cyber System or PCA, is more difficult since it would also require 
physical access. Physical access is not required to take advantage of a 
compromised EACMS. Accordingly, the NOPR proposed immediate action to 
provide for the protection of EACMS, because they represent the most 
likely route an attacker would take to access a BES Cyber System or PCA 
within an ESP, while possible action on other Cyber Assets can await 
completion of the BOT-directed study's final report.\87\
---------------------------------------------------------------------------

    \87\ NOPR, 162 FERC ¶ 61,044 at P 42.
---------------------------------------------------------------------------

    61. In addition to proposing to direct NERC to include PACS and 
PCAs in the BOT-directed study, the NOPR proposed to direct that NERC 
file the study's interim and final reports with the Commission upon 
their completion.\88\
---------------------------------------------------------------------------

    \88\ Id. P 43.
---------------------------------------------------------------------------

2. Comments
    62. NERC concurs with the NOPR proposal and states that the 
Commission should ``await the results of the Board-requested study 
before considering whether low impact BES Cyber Systems, PACS, and PCAs 
should be addressed in the proposed Reliability Standards.'' \89\ NERC 
maintains that the BOT-directed report will help determine whether the 
supply chain risk management Reliability Standards are appropriately 
scoped to mitigate the risks identified by the Commission.\90\
---------------------------------------------------------------------------

    \89\ NERC Comments at 4.
    \90\ Id. at 5.
---------------------------------------------------------------------------

    63. EEI and Trade Associations support the supply chain risk 
management Reliability Standards' exclusion of low impact BES Cyber 
Systems. EEI agrees with the NOPR proposal to wait for NERC to study 
the supply chain risks posed by low impact BES Cyber Systems as well as 
PACS and PCAs before directing further modifications.\91\ Trade 
Associations also ``strongly support'' limiting the supply chain risk 
management Reliability Standards' applicability to medium and high 
impact BES Cyber Systems.\92\
---------------------------------------------------------------------------

    \91\ EEI Comments at 3.
    \92\ Trade Associations Comments at 7.
---------------------------------------------------------------------------

    64. Other commenters contend that low impact BES Cyber Systems pose 
a significant risk and disagree with the view that excluding such 
assets will focus industry resources on protecting systems with 
heightened risk, while not being overly burdensome. For example, 
Resilient Societies maintains that cyber attackers could use low impact 
BES Cyber Systems as network entry points to attack high and medium 
impact BES Cyber Systems, with a potential coordinated cyberattack on 
multiple low impact facilities causing a cascading collapse.\93\ 
Similarly, Appelbaum asserts that ``if a large number of [low impact 
BES Cyber Systems] are compromised, then the effort to correct or 
replace the compromised assets could be significant.'' \94\ Reclamation 
also recommends including low impact BES Cyber Systems in the proposed 
Reliability Standards in order to avoid gaps that could compromise bulk 
electric system security.\95\
---------------------------------------------------------------------------

    \93\ Resilient Societies Comments at 3-4.
    \94\ Appelbaum Comments at 6.
    \95\ Reclamation Comments at 1.
---------------------------------------------------------------------------

    65. MPUC states that many of the concerns identified in the NOPR 
apply to all classifications of BES Cyber Systems and that responsible 
entities should be required to apply the supply chain risk management 
Reliability Standards to all BES Cyber System assets, unless the 
entities can show the assets in question to be completely isolated.\96\ 
Reclamation has similar concerns and states that the supply chain risk 
management Reliability Standards should apply to all BES Cyber System 
impact ratings, including low impact.\97\ Mabee cautions against giving 
industry the discretion to determine which cyber systems are ``easy'' 
to protect and which are ``burdensome'' to protect.\98\ Isologic also 
disagrees with the exclusion of low impact BES Cyber Systems and 
contends that awaiting the BOT-directed final report would unduly delay 
an examination by the Commission of risks involving the ``massive array 
of unprotected [low impact] transmission substations.'' \99\
---------------------------------------------------------------------------

    \96\ MPUC Comments at 6.
    \97\ Reclamation Comments at 1.
    \98\ Mabee Comments at 4.
    \99\ Isologic Comments at 5.
---------------------------------------------------------------------------

3. Commission Determination
    66. We accept NERC's commitment to evaluate the cybersecurity 
supply chain risks presented by low impact BES Cyber Systems, PACS, and 
PCAs in the study of cybersecurity supply chain risks directed by the 
NERC BOT. In light of that commitment, we conclude it is not necessary 
to separately direct that NERC expand the scope of the BOT-directed 
study. However, we adopt the NOPR proposal to direct NERC to file the 
BOT-directed study's final report with the Commission upon its 
completion.
    67. We continue to believe that it is appropriate to await the 
findings from the BOT-directed final report on cybersecurity risks 
before considering whether low impact BES Cyber Systems, PACS and PCAs 
should be addressed in modified supply chain risk management 
Reliability Standards.\100\ While we do not prejudge the findings from 
the forthcoming final report, at this time we find that NERC is taking 
adequate and timely steps to study whether low impact BES Cyber 
Systems, PACS and PCAs should be included in the supply chain risk 
management Reliability Standards. Given that the BOT-directed final 
report is scheduled to be completed in February 2019, we do not view 
our determination as unduly delaying consideration of this important 
issue. Once NERC submits the BOT-directed final report, the Commission 
will be in a better position to consider what further steps, if any, 
should be taken to provide for the reliability of the bulk electric 
system.
---------------------------------------------------------------------------

    \100\ NOPR, 162 FERC ¶ 61,044 at P 40.
---------------------------------------------------------------------------

C. Implementation Plan

1. NOPR
    68. The NOPR stated that the 18-month implementation period 
proposed by NERC may not be justified based on the anticipated effort 
required to develop and implement a supply chain risk management plan. 
The NOPR explained that while, according to NERC, the proposed 
implementation period is ``designed to afford responsible entities 
sufficient time to develop and implement their supply

[[Page 54002]]

chain cybersecurity risk management plans required under proposed 
Reliability Standard CIP-013-1 and implement the new controls required 
in proposed Reliability Standards CIP-005-6 and CIP-010-3,'' the 
security objectives of the proposed Reliability Standards are process-
based and do not prescribe technology that might justify an extended 
implementation period.\101\ Accordingly, the NOPR proposed to reduce 
the time for implementation such that the supply chain risk management 
Reliability Standards would become effective the first day of the first 
calendar quarter that is 12 months, as opposed to NERC's 18 months, 
following the effective date of a Commission order approving the 
Reliability Standards.
---------------------------------------------------------------------------

    \101\ NOPR, 162 FERC ¶ 61,044 at P 44 (citing NERC Petition at 
35).
---------------------------------------------------------------------------

2. Comments
    69. NERC does not support the NOPR proposal to reduce the 
implementation period for the supply chain risk management Reliability 
Standards to 12 months. NERC states that the proposed 18-month 
implementation period is intended to give responsible entities adequate 
time to develop and implement a supply chain risk management plan 
required under proposed Reliability Standard CIP-013-1, as well as to 
implement new controls required under proposed Reliability Standards 
CIP-005-6 and CIP-010-3. NERC explains that although proposed 
Reliability Standard CIP-013-1 is process-based, the development and 
implementation of the underlying Reliability Standard requirements 
``involves performing a complex risk assessment process for planning 
and procuring BES Cyber Systems.'' \102\
---------------------------------------------------------------------------

    \102\ NERC Comments at 7.
---------------------------------------------------------------------------

    70. Other commenters support NERC's proposed 18-month 
implementation period and contend that 12 months is not enough time for 
responsible entities to develop and implement the plan and controls 
required under the supply chain risk management Reliability Standards. 
EEI, Idaho Power, IRSC, MISO TOs, and Trade Associations contend that 
while the Commission is correct that the requirements in the 
Reliability Standards are process-based, certain requirements will 
require technology enhancements, as well as coordination with 
vendors.\103\ For example, Trade Associations state that Reliability 
Standard CIP-005-6 will require work with vendors to facilitate the 
ability to disable vendor remote access, while Reliability Standard 
CIP-010-3 will also require technology upgrades.\104\ APS does not 
agree with the NOPR's assessment that a 12-month implementation period 
is reasonable, noting the potential need for new technology and the 
limitations imposed by capital budget and planning cycles.\105\ ITC and 
MISO TOs argue that the Commission does not have the legal authority to 
modify the implementation period unilaterally for a proposed 
Reliability Standard.
---------------------------------------------------------------------------

    \103\ See EEI Comments at 3-4, Idaho Power Comments at 3-4, IRC 
Comments at 4, Trade Associations Comments at 12-13.
    \104\ Trade Associations Comments at 12-13 (citing NOPR, 152 
FERC ¶ 61,054 at P 44).
    \105\ APS Comments at 5-7.
---------------------------------------------------------------------------

    71. Appelbaum supports a shortened implementation period for 
proposed Reliability Standards CIP-010-3 and CIP-005-6, for the reasons 
stated in the NOPR, but contends that an 18-month implementation period 
for proposed Reliability Standard CIP-013-1 is more appropriate. 
Specifically, Appelbaum notes that the proposed Reliability Standard 
includes new risk planning and documentation requirements that will 
take time to implement. Appelbaum also contends that the risk 
assessment will likely involve multiple vendors and various different 
assets. Appelbaum states that an 18-month implementation period would 
provide the time to develop a supply chain risk management policy and 
associated processes, and then apply the processes to current and 
future procurement activities.\106\
---------------------------------------------------------------------------

    \106\ Appelbaum Comments at 4.
---------------------------------------------------------------------------

3. Commission Determination
    72. We do not adopt the NOPR proposal to reduce the implementation 
period and instead approve the implementation plan and effective date 
as proposed by NERC. The NOPR proposal was largely based on the premise 
that the security objectives of the supply chain risk management 
Reliability Standards are process-based and do not prescribe technology 
that might justify a longer implementation period. However, based on 
the comments, we are persuaded that technical upgrades are likely 
necessary to meet the security objectives of the supply chain risk 
management Reliability Standards, which could involve longer time-
horizon capital budgets and planning cycles.
    73. While the Commission could, as Appelbaum suggests, direct an 
18-month implementation period for Reliability Standard CIP-013-1 and a 
12-month period for Reliability Standards CIP-005-6 and CIP-010-3, we 
conclude that different timelines could complicate implementation and 
potentially increase the administrative burden of implementation 
without a commensurate improvement in security.
    74. Based on the discussion above, we do not adopt the NOPR 
proposal and approve NERC's proposed implementation plan whereby the 
supply chain risk management Reliability Standards will be effective on 
the first day of the first calendar quarter that is 18 months following 
the effective date of this final rule.

D. Other Issues

1. Comments
    75. Certain commenters raised additional issues not addressed in 
the NOPR. MISO TOs, APS, and Trade Associations request clarification 
regarding the term ``vendor.'' Specifically, APS seeks clarification of 
the definition of ``vendor'' and on the applicability of Reliability 
Standard CIP-013-1 to those vendors that would only provide services 
associated with a BES Cyber System that is already procured and in 
service.\107\ APS also seeks clarification on whether responsible 
entities are required to perform individualized vendor assessments for 
every in-scope procurement activity.\108\
---------------------------------------------------------------------------

    \107\ APS Comments at 9-11.
    \108\ Id.
---------------------------------------------------------------------------

    76. MISO TOs contend that the Commission should clarify that the 
supply chain risk management Reliability Standards do not apply to 
vendors and that responsible entities will not be responsible for 
vendor noncompliance. MISO TOs also request that the Commission clarify 
that responsible entities do not have any obligation to work only with 
compliant vendors.\109\
---------------------------------------------------------------------------

    \109\ MISO TOs Comments at 7-9.
---------------------------------------------------------------------------

    77. APS also seeks clarification regarding the scope of access 
intended within the term ``system-to-system access.'' \110\ As an 
example, APS asserts that, although there is a connection, User 
Datagram Protocol would not qualify as ``system-to-system access'' and 
seeks clarification regarding the scope of connections that would 
qualify as ``system-to-system access.'' \111\
---------------------------------------------------------------------------

    \110\ APS Comments at 9-11.
    \111\ Id.
---------------------------------------------------------------------------

2. Commission Determination
    78. The Supplemental Materials for Reliability Standard CIP-013-1 
explain the meaning of the term ``vendor.'' Specifically, the 
Supplemental Materials state that a vendor ``is limited to those 
persons, companies, or other organizations with whom the

[[Page 54003]]

[r]esponsible [e]ntity, or its affiliates, contracts with to supply BES 
Cyber Systems and related services.'' \112\ The Supplemental Materials 
also note that a vendor, for purposes of the supply chain risk 
management Reliability Standards, may include: (i) Developers or 
manufacturers of information systems, system components, or information 
system services; (ii) product resellers; or (iii) system 
integrators.\113\
---------------------------------------------------------------------------

    \112\ Reliability Standard CIP-013-1 at 12.
    \113\ Id.
---------------------------------------------------------------------------

    79. With regard to vendor-related compliance concerns, vendors are 
not subject to the supply chain risk management Reliability Standards. 
As NERC explains, ``the proposed Reliability Standards apply only to 
registered entities and do not directly impose obligations on 
suppliers, vendors or other entities that provide products or services 
to registered entities.'' \114\ This is consistent with the 
Commission's guidance in Order No. 829 that ``any action taken by NERC 
in response to the Commission's directive to address the supply chain-
related reliability gap should respect `section 215 jurisdiction by 
only addressing the obligations of responsible entities' and `not 
directly impose obligations on suppliers, vendors or other entities 
that provide products or services to responsible entities.' '' \115\
---------------------------------------------------------------------------

    \114\ NERC Petition at 14.
    \115\ Order No. 829, 156 FERC ¶ 61,050 at P 21.
---------------------------------------------------------------------------

    80. As to the question of responsible entity liability for vendor 
noncompliance, NERC explains that ``any resulting obligation that a 
supplier, vendor or other entity accepts in providing products or 
services to the registered entity is a contractual matter between the 
registered entity and the third party outside the scope of the proposed 
Reliability Standard[.]'' \116\ The security objective of the supply 
chain risk management Reliability Standards is to ``ensure that 
[r]esponsible [e]ntities consider the security, integrity, quality, and 
resilience of the supply chain, and take appropriate mitigating action 
when procuring BES Cyber Systems to address threats and vulnerabilities 
in the supply chain.'' \117\ Therefore, while a responsible entity is 
not directly liable for vendor actions, the responsible entity is 
required to mitigate any resulting risks. Finally, the supply chain 
risk management Reliability Standards do not dictate a responsible 
entity's contracting decision.
---------------------------------------------------------------------------

    \116\ NERC Petition at 17.
    \117\ Id. at 13.
---------------------------------------------------------------------------

    81. As to the term ``system-to-system,'' NERC explains that the 
objective of Reliability Standard CIP-005-6, Requirement R2.4 is for 
entities to have visibility of active vendor remote access sessions, 
including Interactive Remote Access and system-to-system remote access, 
taking place on their system.\118\ Reliability Standard CIP-005-6 
requires entities to have a method to determine all active vendor 
remote access sessions.\119\
---------------------------------------------------------------------------

    \118\ Id. at 31.
    \119\ See Reliability Standard CIP-005-6 at 28.
---------------------------------------------------------------------------

III. Information Collection Statement

    82. The FERC-725B information collection requirements contained in 
this final rule are subject to review by the Office of Management and 
Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 
1995.\120\ OMB's regulations require approval of certain information 
collection requirements imposed by agency rules.\121\ Upon approval of 
a collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirements of this 
rule will not be penalized for failing to respond to these collections 
of information unless the collections of information display a valid 
OMB control number. In the NOPR, the Commission solicited comments on 
the Commission's need for this information, whether the information 
will have practical utility, the accuracy of the burden estimates, ways 
to enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques. The Commission did not receive any comments on the specific 
burden estimates discussed below.
---------------------------------------------------------------------------

    \120\ 44 U.S.C. 3507(d).
    \121\ 5 CFR 1320.11.
---------------------------------------------------------------------------

    83. The Commission bases its paperwork burden estimates on the 
changes in paperwork burden presented by the approved CIP Reliability 
Standard CIP-013-1 and the approved revisions to CIP Reliability 
Standard CIP-005-6 and CIP-010-3 as compared to the current Commission-
approved Reliability Standards CIP-005-5 and CIP-010-2, respectively. 
As discussed above, the final rule addresses several areas of the CIP 
Reliability Standards through Reliability Standard CIP-013-1, 
Requirements R1, R2, and R3. Under Requirement R1, responsible entities 
would be required to have one or more processes to address the 
following baseline set of security concepts, as applicable, in their 
procurement activities for high and medium impact BES Cyber Systems: 
(1) Vendor security event notification processes (Part 1.2.1); (2) 
coordinated incident response activities (Part 1.2.2); (3) vendor 
personnel termination notification for employees with access to remote 
and onsite systems (Part 1.2.3); (4) product/services vulnerability 
disclosures (Part 1.2.4); (5) verification of software integrity and 
authenticity (Part 1.2.5); and (6) coordination of vendor remote access 
controls (Part 1.2.6). Requirement R2 mandates that each responsible 
entity implement its supply chain cybersecurity risk management plan. 
Requirement R3 requires a responsible entity to review and obtain the 
CIP Senior Manager's approval of its supply chain risk management plan 
at least once every 15 calendar months in order to ensure that the plan 
remains up-to-date.
    84. Separately, Reliability Standard CIP-005-6, Requirement R2.4 
requires one or more methods for determining active vendor remote 
access sessions, including Interactive Remote Access and 
system-to-system remote access. Reliability Standard CIP-
005-6, Requirement R2.5 requires one or more methods to disable active 
vendor remote access, including Interactive Remote Access and 
system-to-system remote access. Reliability Standard CIP-
010-3, Requirement R1.6 requires responsible entities to verify 
software integrity and authenticity in the operational phase, if the 
software source provides a method to do so.
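As an added illustration of the CIP-005-6 Requirement R2.4 and R2.5 objectives described above (example code written for this page, not part of the order, NERC's standards, or any entity's compliance program), the following script determines which entries in a firewall connection table are active vendor remote access sessions, labels each as Interactive Remote Access or system-to-system, and lists a disabling action for each. The connection-table format, the vendor address inventory, the interactive-port list, and the treatment of active UDP flows as system-to-system sessions are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed vendor address inventory; assumption: the responsible entity
# maintains one entry per vendor that has been granted remote access.
VENDOR_NETWORKS = {
    "Vendor A (firewall support)": ip_network("203.0.113.0/24"),
    "Vendor B (monitoring service)": ip_network("198.51.100.0/24"),
}

# Destination ports treated as Interactive Remote Access (hypothetical policy
# list; anything else from a vendor address is classed as system-to-system).
INTERACTIVE_PORTS = {22: "ssh", 3389: "rdp", 443: "web console"}

# Connection-table states counted as "active". UDP has no handshake, so an
# entry still present in the state table is counted as active (assumption).
ACTIVE_STATES = {"ESTABLISHED", "ACTIVE"}

# Constructed line format: "<proto> <src>:<sport> -> <dst>:<dport> <state>"
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\w+)$"
)


@dataclass(frozen=True)
class VendorSession:
    vendor: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "interactive" or "system-to-system"


def vendor_for(addr: str):
    """Return the inventory name for a vendor source address, else None."""
    ip = ip_address(addr)
    for name, net in VENDOR_NETWORKS.items():
        if ip in net:
            return name
    return None


def active_vendor_sessions(table_lines):
    """R2.4 objective: every active session originating from a vendor address."""
    found = []
    for line in table_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unparseable line
        if m["state"].upper() not in ACTIVE_STATES:
            continue  # e.g. TIME_WAIT is not an active session
        vendor = vendor_for(m["src"])
        if vendor is None:
            continue  # internal or otherwise non-vendor source
        dport = int(m["dport"])
        kind = "interactive" if dport in INTERACTIVE_PORTS else "system-to-system"
        found.append(VendorSession(vendor, m["proto"], m["src"],
                                   int(m["sport"]), m["dst"], dport, kind))
    return found


def disable_actions(sessions):
    """R2.5 objective: one blocking action per active vendor session.

    The action string is a constructed format that a firewall or session
    manager wrapper would translate into its own rule syntax.
    """
    return [
        f"block {s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
        f"({s.vendor}, {s.kind})"
        for s in sessions
    ]


# Constructed sample connection table: one interactive vendor session, one
# vendor system-to-system TCP flow, one vendor UDP flow, one closed vendor
# session, and one internal session that must not be reported.
SAMPLE_TABLE = """\
proto src -> dst state
tcp 203.0.113.10:51234 -> 10.20.30.5:22 ESTABLISHED
tcp 198.51.100.7:40001 -> 10.20.30.9:502 ESTABLISHED
udp 198.51.100.7:55000 -> 10.20.30.9:161 ACTIVE
tcp 203.0.113.11:51300 -> 10.20.30.5:3389 TIME_WAIT
tcp 10.20.30.50:44000 -> 10.20.30.5:22 ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    sessions = active_vendor_sessions(SAMPLE_TABLE)
    for s in sessions:
        print(s)
    for action in disable_actions(sessions):
        print(action)
```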
    85. The NERC Compliance Registry, as of December 2017, identifies 
approximately 1,250 unique U.S. entities that are subject to mandatory 
compliance with Reliability Standards. Of this total, we estimate that 
288 entities will face an increased paperwork burden under the approved 
Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3. Based on 
these assumptions, we estimate the following reporting burden:

[[Page 54004]]



                                                   RM17-13-000 Final Rule
            [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]
------------------------------------------------------------------------------------------------------------------------------
                                    Number of   Annual number   Total number   Average burden &    Total annual burden     Cost per
                                   respondents  of responses    of responses   cost per response   hours & total annual    respondent
                                                per respondent                 \122\               cost                    ($)
                                       (1)           (2)        (1) * (2) = (3)      (4)          (3) * (4) = (5)          (5) / (1)
------------------------------------------------------------------------------------------------------------------------------
Create supply chain risk                288            1              288      546 hrs.; $44,226  157,248 hrs.;            $44,226
 management plan (one-time)                                                                       $12,737,088
 \123\ (CIP-013-1 R1).
Updates and reviews of supply           288            1              288      30 hrs.; $2,430    8,640 hrs.; $699,840     $2,430
 chain risk management plan
 (ongoing) \124\ (CIP-013-1 R2).
Develop procedures to update            288            1              288      50 hrs.; $4,050    14,400 hrs.; $1,166,400  $4,050
 remote access requirements (one
 time) (CIP-005-6 R1-R4).
Develop procedures for software         288            1              288      50 hrs.; $4,050    14,400 hrs.; $1,166,400  $4,050
 integrity and authenticity
 requirements (one time)
 (CIP-010-3 R1-R4).
    Total (one-time)...............  ..........  ..............       864      ................   186,048 hrs.;            ..........
                                                                                                  $15,069,888
    Total (ongoing)................  ..........  ..............       288      ................   8,640 hrs.; $699,840     ..........
------------------------------------------------------------------------------------------------------------------------------

    The one-time burden of 186,048 hours will be averaged over three 
years (186,048 hours / 3 = 62,016 hours/year over three years).
---------------------------------------------------------------------------

    \122\ The loaded hourly wage figure (includes benefits) is based 
on the average of the occupational categories for 2017 found on the 
Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
    Legal (Occupation Code: 23-0000): $143.68.
    Information Security Analysts (Occupation Code 15-1122): $61.55.
    Computer and Information Systems Managers (Occupation Code: 11-
3021): $96.51.
    Management (Occupation Code: 11-0000): $94.28.
    Electrical Engineer (Occupation Code: 17-2071): $66.90.
    Management Analyst (Code: 43-0000): $63.32.
    These various occupational categories are weighted as follows: 
[($94.28)(.10) + ($61.55)(.315) + ($66.90)(.02) + ($143.68)(.15) + 
($96.51)(.10) + ($63.32)(.315)] = $81.30. The figure is rounded to 
$81.00 for use in calculating wage figures in this final rule.
    \123\ One-time burdens apply in Year One only.
    \124\ Ongoing burdens apply in Year 2 and beyond.
---------------------------------------------------------------------------

    The ongoing burden of 8,640 hours applies to only Years 2 and 
beyond.
    The number of responses is also averaged over three years: (864 
responses (one-time) + 288 responses (Year 2) + 288 responses (Year 
3)) / 3 = 480 responses.
    The responses and burden for Years 1-3 will total respectively as 
follows:

 Year 1: 480 responses; 62,016 hours
 Year 2: 480 responses; 62,016 hours + 8,640 hours = 70,656 
hours
 Year 3: 480 responses; 62,016 hours + 8,640 hours = 70,656 
hours.

    86. The following shows the annual cost burden for each year, based 
on the burden hours in the table above:
     Year 1: $15,069,888
     Years 2 and beyond: $699,840
     The paperwork burden estimate includes costs associated 
with the initial development of a policy to address requirements 
relating to: (1) Developing the supply chain risk management plan; (2) 
updating the procedures related to remote access requirements; and (3) 
developing the procedures related to software integrity and 
authenticity. Further, the estimate reflects the assumption that costs 
incurred in year 1 will pertain to plan and procedure development, 
while costs in years 2 and 3 will reflect the burden associated with 
maintaining the supply chain risk management plan and modifying it as 
necessary on a 15-month basis.
    87. Title: FERC-725B (Mandatory Reliability Standards, Revised 
Critical Infrastructure Protection Reliability Standards).
    Action: Information Collection, FERC-725B (Supply Chain Risk 
Management Reliability Standards).
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This final rule approves the 
requested modifications to Reliability Standards pertaining to critical 
infrastructure protection. As discussed above, the Commission approves 
NERC's CIP Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 
pursuant to section 215(d)(2) of the FPA because they improve upon the 
currently-effective suite of cybersecurity CIP Reliability Standards.
    Internal Review: The Commission has reviewed the approved 
Reliability Standards and made a determination that its action is 
necessary to implement section 215 of the FPA.
    88. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen 
Brown, Office of the Executive Director, email: [email protected], 
phone: (202) 502-8663, fax: (202) 273-0873].
    89. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Management and Budget, 
Office of Information and Regulatory Affairs, 725 17th Street NW, 
Washington, DC 20503 [Attention: Desk Officer for the Federal Energy 
Regulatory Commission, phone: (202) 395-4638, fax: (202) 395-7285]. For 
security reasons, comments to OMB should be submitted by email to: 
[email protected]. Comments submitted to OMB should include 
Docket Number RM17-13-000 and OMB Control Number 1902-0248.

IV. Environmental Analysis

    90. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human

[[Page 54005]]

environment.\125\ The Commission has categorically excluded certain 
actions from this requirement as not having a significant effect on the 
human environment. Included in the exclusion are rules that are 
clarifying, corrective, or procedural or that do not substantially 
change the effect of the regulations being amended.\126\ The actions 
taken herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \125\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \126\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act Analysis

    91. The Regulatory Flexibility Act of 1980 (RFA) generally requires 
a description and analysis of proposed rules that will have significant 
economic impact on a substantial number of small entities.\127\ The 
Small Business Administration's (SBA) Office of Size Standards develops 
the numerical definition of a small business.\128\ The SBA revised its 
size standard for electric utilities (effective January 22, 2014) to a 
standard based on the number of employees, including affiliates (from 
the prior standard based on megawatt hour sales).\129\
---------------------------------------------------------------------------

    \127\ 5 U.S.C. 601-12.
    \128\ 13 CFR 121.101.
    \129\ 13 CFR 121.201, Subsector 221.
---------------------------------------------------------------------------

    92. Reliability Standards CIP-013-1, CIP-005-6, CIP-010-3 are 
expected to impose an additional burden on 288 entities \130\ 
(reliability coordinators, generator operators, generator owners, 
interchange coordinators or authorities, transmission operators, 
balancing authorities, and transmission owners).
---------------------------------------------------------------------------

    \130\ Public utilities may fall under one of several different 
categories, each with a size threshold based on the company's number 
of employees, including affiliates, the parent company, and 
subsidiaries. For the analysis in this NOPR, we are using a 500 
employee threshold due to each affected entity falling within the 
role of Electric Bulk Power Transmission and Control (NAICS Code: 
221121).
---------------------------------------------------------------------------

    93. Of the 288 affected entities discussed above, we estimate that 
approximately 248 or 86.2 percent of the affected entities are small 
entities. We estimate that each of the 248 small entities to whom the 
approved modifications to Reliability Standards CIP-013-1, CIP-005-6, 
and CIP-010-3 apply will incur one-time costs of approximately $52,326 
per entity to implement the approved Reliability Standards, as well as 
the ongoing paperwork burden reflected in the Information Collection 
Statement (approximately $2,430 per year per entity). We do not 
consider the estimated costs for these 248 small entities to be a 
significant economic impact. Accordingly, we certify that Reliability 
Standards CIP-013-1, CIP-005-6, and CIP-010-3 will not have a 
significant economic impact on a substantial number of small entities.

VI. Document Availability

    94. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    95. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field. User assistance is available for eLibrary and 
the Commission's website during normal business hours from the 
Commission's Online Support at (202) 502-6652 (toll free at 1-866-208-
3676) or email at [email protected], or the Public Reference 
Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference 
Room at [email protected].

VII. Effective Date and Congressional Notification

    96. The final rule is effective December 26, 2018. The Commission 
has determined that this final rule imposes no substantial effect upon 
either NERC or NERC registered entities \131\ and, with the concurrence 
of the Administrator of the Office of Information and Regulatory 
Affairs of OMB, that this rule is not a ``major rule'' as defined in 
section 351 of the Small Business Regulatory Enforcement Fairness Act 
of 1996. This final rule is being submitted to the Senate, House, and 
Government Accountability Office.
---------------------------------------------------------------------------

    \131\ 5 U.S.C. 804(3)c.
---------------------------------------------------------------------------

    By the Commission. Chairman McIntyre was not present at the 
Commission Meeting held on October 18, 2018 and did not vote on this 
item.

    Issued: October 18, 2018.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

    Note: The following appendix will not appear in the Code of 
Federal Regulations.

Appendix Commenters

------------------------------------------------------------------------
           Abbreviation                           Commenter
------------------------------------------------------------------------
AECC..............................  Arkansas Electric Cooperative
                                     Corporation.
Appelbaum.........................  Jonathan Appelbaum.
APS...............................  Arizona Public Service Company.
EEI...............................  Edison Electric Institute.
Idaho Power.......................  Idaho Power Company.
IRC...............................  ISO/RTO Council.
Isologic..........................  Isologic LLC.
ITC...............................  International Transmission Company.
Mabee.............................  Michael Mabee.
MISO TOs..........................  MISO Transmission Owners.
MPUC..............................  Maine Public Utilities Commission.
NERC..............................  North American Electric Reliability
                                     Corporation.
Reclamation.......................  U.S. Bureau of Reclamation.
Resilient Societies...............  Foundation for Resilient Societies.
Trade Associations................  American Public Power Association,
                                     Electricity Consumers Resource
                                     Council, Large Public Power
                                     Council, National Rural Electric
                                     Cooperative Association, and
                                     Transmission Access Policy Study
                                     Group.
------------------------------------------------------------------------


[FR Doc. 2018-23201 Filed 10-25-18; 8:45 am]
 BILLING CODE 6717-01-P

                                                                                                     intrusion detection systems and alerting                scope of the supply chain risk
                                             chain risk management Reliability
                                                                                                     systems, control electronic access into                 management Reliability Standards.15
                                             Standards are forward-looking and
                                                                                                     Electronic Security Perimeters (ESP),                   We direct NERC to submit the directed
                                             objective-based and require each
                                                                                                     play a significant role in the protection               modifications within 24 months of the
                                             affected entity to develop and
                                                                                                     of high and medium impact BES Cyber                     effective date of this final rule.
                                             implement a plan that includes security
                                                                                                     Systems.9 Once an EACMS is                                 6. Further, the NERC proposal does
                                             controls for supply chain management
                                                                                                     compromised, an attacker could more                     not address Physical Access Control
                                             for industrial control system hardware,
                                                                                                     easily enter the ESP and effectively                    Systems (PACS) 16 and Protected Cyber
                                             software, and services associated with
                                                                                                     control the BES Cyber System or                         Assets (PCA),17 with the exception of
                                             bulk electric system operations.5                       Protected Cyber Asset.10 For example,
                                             Consistent with Order No. 829, the                                                                              the modifications in Reliability
                                                                                                     the Department of Homeland Security’s                   Standard CIP–005–6, which apply to
                                             Reliability Standards focus on the                      Industrial Control Systems Cyber
                                             following four security objectives: (1)                                                                         PCAs. We remain concerned that the
                                                                                                     Emergency Response Team (ICS–CERT)                      exclusion of these components may
                                             Software integrity and authenticity; (2)                identifies firewalls as ‘‘the first line of
                                             vendor remote access protections; (3)                                                                           leave a gap in the supply chain risk
                                                                                                     defense within an ICS network                           management Reliability Standards.
                                             information system planning; and (4)                    environment’’ that ‘‘keep the intruder
                                             vendor risk management and                                                                                      Nevertheless, in contrast to EACMS, we
                                                                                                     out while allowing the authorized                       believe that more study is necessary to
                                             procurement controls.                                   passage of data necessary to run the                    determine the impact of PACS and
                                                3. The Commission also approves the                  organization.’’ 11 ICS–CERT further                     PCAs in the context of the supply chain
                                             supply chain risk management                            explains that firewalls ‘‘act as sentinels,             risk management Reliability Standards.
                                             Reliability Standards’ associated                       or gatekeepers, between zones . . .
                                             violation risk factors and violation                    [and] [w]hen properly configured, they                    12 Id.

                                             severity levels. Regarding the Reliability                                                                        13 NOPR,    162 FERC ¶ 61,044 at P 37.
                                             Standards’ implementation plan and                        7 EACMS    are defined as ‘‘Cyber Assets that           14 16  U.S.C. 824o(d)(5).
                                             effective date, we approve NERC’s                       perform electronic access control or electronic           15 Reliability Standard CIP–002–5.1a (Cyber
                                                                                                     access monitoring of the Electronic Security            Security System Categorization) provides a ‘‘tiered’’
                                             proposed implementation period of 18                    Perimeter(s) or BES Cyber Systems. This includes        approach to cybersecurity requirements, based on
                                             months following the effective date of a                Intermediate Systems.’’ NERC Glossary. Reliability      classifications of high, medium and low impact BES
                                             Commission order. The NOPR proposed                     Standard CIP–002–5.1a (Cyber Security — BES             Cyber Systems.
                                             to reduce the implementation period to                  Cyber System Categorization) states that examples         16 PACS are defined as ‘‘Cyber Assets that control,
                                                                                                     of EACMS include ‘‘Electronic Access Points,            alert, or log access to the Physical Security
                                             12 months.6 However, as discussed                       Intermediate Systems, authentication servers (e.g.,     Perimeter(s), exclusive of locally mounted hardware
                                             below, the NOPR comments provide                        RADIUS servers, Active Directory servers,               or devices at the Physical Security Perimeter such
                                             sufficient justification for adopting the               Certificate Authorities), security event monitoring     as motion sensors, electronic lock control
                                             18-month implementation period                          systems, and intrusion detection systems.’’             mechanisms, and badge readers.’’ NERC Glossary.
                                                                                                     Reliability Standard CIP–002–5.1a (Cyber Security       Reliability Standard CIP–002–5.1a states that
                                             proposed by NERC. Specifically, the                     — BES Cyber System Categorization) Section A.6 at       examples include ‘‘authentication servers, card
                                             comments clarify that technical                         6.                                                      systems, and badge control systems.’’Id.
                                             upgrades are likely necessary to meet                      8 NOPR, 162 FERC ¶ 61,044 at P 37.
                                                                                                                                                               17 PCAs are defined as ‘‘[o]ne or more Cyber
                                             the Reliability Standards’ security                        9 Cyber Security Incident Reporting Reliability
                                                                                                                                                             Assets connected using a routable protocol within
                                             objectives, which could involve longer                  Standards, Order No. 848, 164 FERC ¶ 61,033, at         or on an Electronic Security Perimeter that is not
                                                                                                     P 10 (2018). ESP is defined as ‘‘[t]he logical border   part of the highest impact BES Cyber System within
                                                                                                     surrounding a network to which BES Cyber Systems        the same Electronic Security Perimeter. The impact
                                               4 Revised Critical Infrastructure Protection          are connected using a routable protocol.’’ NERC
khammond on DSK30JT082PROD with RULES




                                                                                                                                                             rating of Protected Cyber Assets is equal to the
                                             Reliability Standards, Notice of Proposed               Glossary.                                               highest rated BES Cyber System in the same
                                             Rulemaking, 152 FERC ¶ 61,054, at PP 61–62                 10 Order No. 848, 164 FERC ¶ 61,033 at P 10.
                                                                                                                                                             [Electronic Security Perimeter].’’ NERC Glossary.
                                             (2015).                                                    11 ICS–CERT, Recommended Practice: Improving         Reliability Standard CIP–002–5.1a states that
                                               5 Order No. 829, 156 FERC ¶ 61,050 at P 2.
                                                                                                     Industrial Control System Cybersecurity with            examples include, to the extent they are within the
                                               6 Supply Chain Risk Management Reliability            Defense-in-Depth Strategies at 23, https://ics-         Electronic Security Perimeter, ‘‘file servers, ftp
                                             Standards, Notice of Proposed Rulemaking, 83 FR         cert.us-cert.gov/sites/default/files/recommended_       servers, time servers, LAN switches, networked
                                             3433 (January 25, 2018), 162 FERC ¶ 61,044 (2018)       practices/NCCIC_ICS-CERT_Defense_in_Depth_              printers, digital fault recorders, and emission
                                             (NOPR).                                                 2016_S508C.pdf.                                         monitoring systems.’’ Id.



                                        VerDate Sep<11>2014   18:06 Oct 25, 2018   Jkt 247001   PO 00000   Frm 00029   Fmt 4700   Sfmt 4700   E:\FR\FM\26OCR1.SGM       26OCR1


We distinguish among EACMS and the other Cyber Assets because compromise of PACS and PCAs is less likely. For example, a compromise of a PACS, which would potentially grant an attacker physical access to a BES Cyber System or PCA, is less likely since physical access is also required. In addition, PCAs typically become vulnerable to remote compromise only once EACMS have been compromised. Thus, we accept NERC's commitment to evaluate the cybersecurity supply chain risks presented by PACS and PCAs in the study of cybersecurity supply chain risks directed by the NERC Board of Trustees (BOT) in its resolutions of August 10, 2017.18 The Commission further directs NERC to file the BOT-directed final report with the Commission upon its completion.19

I. Background

A. Section 215 and Mandatory Reliability Standards

7. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.20 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,21 and subsequently certified NERC.22

B. Order No. 829

8. In Order No. 829, the Commission directed NERC to develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware, software and computing and networking services associated with bulk electric system operations.23 Specifically, the Commission directed NERC to develop a forward-looking, objective-based Reliability Standard that would require responsible entities to develop and implement a plan with supply chain management security controls focused on four security objectives: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.24

9. The Commission explained that verification of software integrity and authenticity is intended to reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System.25 For vendor remote access, the Commission stated that the objective is intended to address the threat that vendor credentials could be stolen and used to access a BES Cyber System without the responsible entity's knowledge, as well as the threat that a compromise at a trusted vendor could traverse over an unmonitored connection into a responsible entity's BES Cyber System.26 As to information system planning, Order No. 829 indicated that the objective is intended to address the risk that responsible entities could unintentionally plan to procure and install unsecure equipment or software within their information systems, or could unintentionally fail to anticipate security issues that may arise due to their network architecture or during technology and vendor transitions.27 For vendor risk management and procurement controls, the Commission explained that this objective is intended to address the risk that responsible entities could enter into contracts with vendors that pose significant risks to the responsible entities' information systems, as well as the risk that products procured by a responsible entity fail to meet minimum security criteria. This objective also addresses the risk that a compromised vendor would not provide adequate notice and related incident response to responsible entities with whom that vendor is connected.28

10. Order No. 829 stated that while responsible entities should be required to develop and implement a plan, NERC need not impose any specific controls or "one-size-fits-all" requirements.29 In addition, the Commission stated that NERC's response to the Order No. 829 directive should respect the Commission's jurisdiction under FPA section 215 by only addressing the obligations of responsible entities and not by directly imposing any obligations on non-jurisdictional suppliers, vendors or other entities that provide products or services to responsible entities.30

C. NERC Petition and Proposed Reliability Standards

11. On September 26, 2017, NERC submitted for Commission approval proposed Reliability Standards CIP–013–1, CIP–005–6, and CIP–010–3 and their associated violation risk factors and violation severity levels, implementation plan, and effective date.31 NERC states that the purpose of the Reliability Standards is to enhance the cybersecurity posture of the electric industry by requiring responsible entities to take additional actions to address cybersecurity risks associated with the supply chain for BES Cyber Systems. NERC explains that the Reliability Standards are designed to augment the existing controls required in the currently-effective CIP Reliability Standards that help mitigate supply chain risks, providing increased attention on minimizing the attack surfaces of information and communications technology products and services procured to support reliable bulk electric system operations, consistent with Order No. 829.

12. NERC states that the supply chain risk management Reliability Standards apply only to medium and high impact BES Cyber Systems. NERC explains that the goal of the CIP Reliability Standards is to "focus[] industry resources on protecting those BES Cyber Systems with heightened risks to the [bulk electric system] . . . [and] that the requirements applicable to low impact BES Cyber Systems, given their lower risk profile, should not be overly burdensome to divert resources from the protection of medium and high impact BES Cyber Systems." 32 NERC further maintains that the standard drafting team chose to limit the applicability of the Reliability Standards to medium and high impact BES Cyber Systems because the supply chain risk management Reliability Standards are "consistent with the type of existing CIP cybersecurity requirements applicable

18 NERC Board of Trustees, Proposed Additional Resolutions for Agenda Item 9.a: Cyber Security—Supply Chain Risk Management—CIP–005–6, CIP–010–3, and CIP–013–1 (August 10, 2017).

19 As discussed later in this final rule, the NOPR proposed to direct NERC to file the BOT-directed interim report, due 12 months from the date of the BOT resolutions, as well as the final report, which is due 18 months from the date of the BOT resolutions. On September 7, 2018, NERC filed the BOT-directed interim report in this docket.

20 16 U.S.C. 824o(e).

21 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672–A, FERC Stats. & Regs. ¶ 31,212 (2006).

22 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).

23 Order No. 829, 156 FERC ¶ 61,050 at P 43.

24 Id. P 45.

25 Id. P 49.

26 Id. P 52.

27 Id. P 57.

28 Id. P 60.

29 Id. P 13.

30 Id. P 21.

31 Reliability Standards CIP–013–1, CIP–005–6, and CIP–010–3 are not attached to this final rule. The Reliability Standards are available on the Commission's eLibrary document retrieval system in Docket No. RM17–13–000 and on the NERC website, www.nerc.com.

32 NERC Petition at 16–17.
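Paragraph 9 above describes the first Order No. 829 objective, verification of software integrity and authenticity, as reducing the likelihood that an attacker can exploit a legitimate vendor patch process to deliver a compromised update. The following Go program is an added illustration of what such a verification looks like in practice; it is not part of the Commission's rule, of NERC's Reliability Standards, or of any vendor's tooling. It assumes a hypothetical manifest format (patch name, SHA-256 digest of the patch, and an Ed25519 signature over both) and a vendor public key that the responsible entity has obtained out of band; the key pairs, patch bytes, and file name are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a vendor would publish alongside a patch: the patch's
// name, its SHA-256 digest, and an Ed25519 signature over both.
// This format is a hypothetical one assumed for the illustration.
type Manifest struct {
	Name      string
	SHA256    string // hex digest of the patch bytes
	Signature []byte // Ed25519 signature over manifestBytes(Name, SHA256)
}

// manifestBytes is the exact byte string the vendor signs. Binding the name
// to the digest prevents a valid manifest from being replayed for a
// different patch.
func manifestBytes(name, digest string) []byte {
	return []byte("name=" + name + "\nsha256=" + digest + "\n")
}

// NewVendorKey generates a fresh Ed25519 key pair (constructed sample key;
// a real vendor key would be distributed out of band and pinned).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPatch is the vendor-side step: hash the patch and sign the manifest.
func SignPatch(priv ed25519.PrivateKey, name string, patch []byte) Manifest {
	sum := sha256.Sum256(patch)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Name:      name,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestBytes(name, digest)),
	}
}

// VerifyPatch is the responsible-entity step. Authenticity is checked first
// (the manifest was signed by the pinned vendor key), then integrity (the
// downloaded bytes match the signed digest). Both must pass before the
// patch is staged for installation.
func VerifyPatch(trusted ed25519.PublicKey, m Manifest, name string, patch []byte) error {
	if m.Name != name {
		return errors.New("manifest is for a different patch")
	}
	if !ed25519.Verify(trusted, manifestBytes(m.Name, m.SHA256), m.Signature) {
		return errors.New("manifest signature does not verify against the trusted vendor key")
	}
	sum := sha256.Sum256(patch)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("patch digest does not match the signed manifest")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := NewVendorKey()
	patch := []byte("relay firmware v2.3.1 (constructed sample bytes)")
	m := SignPatch(vendorPriv, "relay-fw-2.3.1.bin", patch)
	fmt.Println("genuine patch:", VerifyPatch(vendorPub, m, "relay-fw-2.3.1.bin", patch))

	// Tampered in transit: the vendor's manifest is unchanged, the bytes are not.
	tampered := append([]byte{}, patch...)
	tampered[0] ^= 0x01
	fmt.Println("tampered patch:", VerifyPatch(vendorPub, m, "relay-fw-2.3.1.bin", tampered))

	// Compromised distribution point: attacker re-signs a matching manifest
	// for the tampered bytes with a key the entity has not pinned.
	_, attackerPriv := NewVendorKey()
	forged := SignPatch(attackerPriv, "relay-fw-2.3.1.bin", tampered)
	fmt.Println("forged manifest:", VerifyPatch(vendorPub, forged, "relay-fw-2.3.1.bin", tampered))
}
```

The order of the checks is the point: the signature is verified before the digest is compared, so an attacker who can alter the download, or even the manifest, but cannot sign with the pinned vendor key cannot supply a manifest that matches their tampered bytes. A digest published on the same channel as the patch gives integrity against corruption but not authenticity against a compromised distribution point, which is the threat paragraph 9 describes.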


                                                                  Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations                                           53995

to high and medium impact BES Cyber Systems as opposed to those applicable to low impact BES Cyber Systems."\33\

13. NERC states that the standard drafting team also excluded EACMS, PACS, and PCAs from the scope of the supply chain risk management Reliability Standards, with the exception of the modifications in Reliability Standard CIP-005-6, which apply to PCAs. NERC explains that although certain requirements in the existing CIP Reliability Standards apply to EACMS, PACS, and PCAs due to their association with BES Cyber Systems (either by function or location), the standard drafting team determined that the supply chain risk management Reliability Standards should focus on high and medium impact BES Cyber Systems only. NERC states that this determination was based on the conclusion that applying the proposed Reliability Standards to EACMS, PACS, and PCAs "would divert resources from protecting medium and high BES Cyber Systems."\34\

14. NERC asserts that with respect to low impact BES Cyber Systems and EACMS, PACS, and PCAs, while not mandatory, NERC expects that these assets will likely be subject to responsible entity supply chain risk management plans required by Reliability Standard CIP-013-1. Specifically, NERC explains that "[r]esponsible [e]ntities may implement a single process for procuring products and services associated with their operational environments."\35\ NERC contends that "by requiring that entities implement supply chain cybersecurity risk management plans for high and medium impact BES Cyber Systems, those plans would likely also cover their low impact BES Cyber Systems."\36\ NERC also claims that responsible entities "may also use the same vendors for procuring PACS, EACMS, and PCAs as they do for their high and medium impact BES Cyber Systems such that the same security considerations may be addressed for those Cyber Assets."\37\

Proposed Reliability Standard CIP-013-1

15. NERC states that the focus of proposed Reliability Standard CIP-013-1 is on the steps that responsible entities must take "to consider and address cybersecurity risks from vendor products and services during BES Cyber System planning and procurement."\38\ NERC explains that proposed Reliability Standard CIP-013-1 does not require any specific controls or mandate "one-size-fits-all" requirements due to the differences in needs and characteristics of responsible entities and the diversity of bulk electric system environments, technologies, and risks. NERC states that the goal of the proposed Reliability Standard is "to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle."\39\ NERC observes that, among other things, proposed Reliability Standard CIP-013-1 addresses the risk associated with information system planning, as well as vendor risk management and procurement controls, the third and fourth objectives outlined in Order No. 829.

16. NERC maintains that, consistent with Order No. 829, responsible entities need not apply their supply chain risk management plans to the acquisition of vendor products or services under contracts executed prior to the effective date of Reliability Standard CIP-013-1, nor would such contracts need to be renegotiated or abrogated to comply with the Reliability Standard. In addition, NERC indicates that, consistent with the development of a forward looking Reliability Standard, it would not expect entities in the middle of procurement activities for an applicable product or service at the time of the effective date of Reliability Standard CIP-013-1 to begin those activities anew to implement their supply chain cybersecurity risk management plan.

17. With regard to assessing compliance with Reliability Standard CIP-013-1, NERC states that NERC and Regional Entities would focus on whether responsible entities: (1) Developed processes reasonably designed to (i) identify and assess risks associated with vendor products and services in accordance with Part 1.1 and (ii) ensure that the security items listed in Part 1.2 are an integrated part of procurement activities; and (2) implemented those processes in good faith. NERC explains that NERC and Regional Entities will evaluate the steps a responsible entity took to assess risks posed by a vendor and associated products or services and, based on that risk assessment, the steps the entity took to mitigate those risks, including the negotiation of security provisions in its agreements with the vendor.

Proposed Modifications in Reliability Standard CIP-005-6

18. Proposed Reliability Standard CIP-005-6 includes two new parts, Parts 2.4 and 2.5, to address vendor remote access, which is the second objective discussed in Order No. 829. NERC explains that the new parts work in tandem with proposed Reliability Standard CIP-013-1, Requirement R1.2.6, which requires responsible entities to address Interactive Remote Access and system-to-system remote access when procuring industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. NERC states that proposed Reliability Standard CIP-005-6, Requirement R2.4 requires one or more methods for determining active vendor remote access sessions, including Interactive Remote Access and system-to-system remote access. NERC explains that the security objective of Requirement R2.4 is to provide awareness of all active vendor remote access sessions, both Interactive Remote Access and system-to-system remote access, that are taking place on a responsible entity's system.

Proposed Modifications in Reliability Standard CIP-010-3

19. Proposed Reliability Standard CIP-010-3 includes a new part, Part 1.6, to address software integrity and authenticity, the first objective addressed in Order No. 829, by requiring that the publisher is identified and the integrity of all software and patches are confirmed. NERC explains that proposed Reliability Standard CIP-010-3, Requirement R1.6 requires responsible entities to verify software integrity and authenticity prior to a change from the existing baseline configuration, if the software source provides a method to do so. Specifically, NERC states that proposed Reliability Standard CIP-010-3, Requirement R1.6 requires that responsible entities verify the identity of the software source and the integrity of the software obtained by the software sources prior to installing software that changes established baseline configurations, when methods are available to do so. NERC asserts that the security objective of proposed Requirement R1.6 is to ensure that the software being installed in the BES Cyber System was not modified without the awareness of the software supplier and is not counterfeit. NERC contends that these steps help reduce the

\33\ Id. at 18.
\34\ Id. at 20.
\35\ Id.
\36\ Id. at 19.
\37\ Id. at 20.
\38\ Id. at 22.
\39\ Id. at 23.


[[Page 53996]]

likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System.

BOT Resolutions

20. In the petition, NERC states that in conjunction with the adoption of the supply chain risk management Reliability Standards, on August 10, 2017, the BOT adopted resolutions regarding supply chain risk management. In particular, the BOT directed NERC management, in collaboration with appropriate NERC technical committees, industry representatives, and appropriate experts, including representatives of industry vendors, to further study the nature and complexity of cybersecurity supply chain risks, including risks associated with low impact assets not currently subject to the supply chain risk management Reliability Standards. The BOT further directed NERC to develop recommendations for follow-up actions that will best address any issues identified. Finally, the BOT directed that NERC management provide an interim progress report no later than 12 months after the adoption of these resolutions (i.e., by August 10, 2018) and a final report no later than 18 months after the adoption of the resolutions (i.e., by February 10, 2019). In its petition, NERC states that "over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard."\40\

Implementation Plan

21. NERC's proposed implementation plan provides that the supply chain risk management Reliability Standards become effective on the first day of the first calendar quarter that is 18 months after the effective date of a Commission order approving them. NERC states that the proposed implementation period is designed to afford responsible entities sufficient time to develop and implement their supply chain cybersecurity risk management plans required under proposed Reliability Standard CIP-013-1 and implement the new controls required in proposed Reliability Standards CIP-005-6 and CIP-010-3.

D. Notice of Proposed Rulemaking

22. On January 18, 2018, the Commission issued a NOPR proposing to approve supply chain risk management Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 (83 FR 3422, January 25, 2018). The NOPR stated that the supply chain risk management Reliability Standards "will enhance existing protections for bulk electric system reliability by addressing the four objectives set forth in Order No. 829: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls."\41\ Accordingly, the NOPR proposed to determine that the supply chain risk management Reliability Standards constitute substantial progress in addressing the supply chain cybersecurity risks identified by the Commission in Order No. 829.\42\

23. The NOPR proposed to approve the supply chain risk management Reliability Standards' associated violation risk factors and violation severity levels. However, with respect to the implementation plan and effective date, the NOPR proposed to reduce the implementation period from the first day of the first calendar quarter that is 18 months following the effective date of a Commission order approving the proposed Reliability Standards, as proposed by NERC, to the first day of the first calendar quarter that is 12 months following the effective date of a Commission order.\43\

24. The NOPR proposed to determine that a significant cybersecurity risk associated with the supply chain for BES Cyber Systems persists because the proposed supply chain risk management Reliability Standards exclude EACMS, PACS, and PCAs, with the exception of the modifications in Reliability Standard CIP-005-6, which apply to PCAs. To address this gap, pursuant to section 215(d)(5) of the FPA, the NOPR proposed to direct NERC to develop modifications to the CIP Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. In addition, the Commission proposed to direct that NERC evaluate the cybersecurity supply chain risks presented by PACS and PCAs in the study of cybersecurity supply chain risks directed by the NERC BOT in its resolutions of August 10, 2017.

25. The Commission received fifteen comments on the NOPR.

E. Interim BOT-Directed Report

26. On September 7, 2018, NERC submitted to the Commission an informational filing containing the BOT-directed interim report prepared by the Electric Power Research Institute (EPRI).\44\ The interim report explains that EPRI analyzed: (1) Information regarding bulk electric system products and manufacturers; (2) emerging vendor practices and industry standards; and (3) the applicability of the CIP Reliability Standards to supply chain risks. The interim report concludes with three categories of identified next steps for further analysis and investigation.

27. First, EPRI identifies four noteworthy industry practices, not already required by the CIP Reliability Standards, which may potentially reduce future supply chain risks if implemented correctly: (1) Third-party accreditation processes; (2) secure hardware delivery; (3) threat-informed procurement language; and (4) processes related to unsupported or open-source technology. Second, EPRI recommends further study in modeling and assessing the potential impact of common-mode vulnerabilities, especially those targeting low-impact BES Cyber Systems. EPRI states that "risks of common-mode vulnerabilities . . . can be mitigated if supply chain security practices are applied uniformly across cyber asset types."\45\ Finally, EPRI recommends various methods to obtain additional data on industry practices. These methods included issuing pre-audit surveys and questionnaires; targeting outreach to bulk electric system vendors; developing standard vendor data sheets related to the CIP Reliability Standards; and independently testing legacy assets. In its accompanying filing, NERC states its intention to continue to study supply chain risks over the coming months, develop recommendations for follow-up actions, and present a final report to the NERC BOT at its February 2019 meeting.

II. Discussion

28. Pursuant to section 215(d)(2) of the FPA, the Commission approves supply chain risk management Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 as just, reasonable, not unduly discriminatory

\40\ Id. at 20-21.
\41\ NOPR, 162 FERC ¶ 61,044 at P 29.
\42\ Id. P 30.
\43\ Id. P 44.
\44\ NERC, Informational Filing regarding Proposed Supply Chain Risk Management Reliability Standards, Docket No. RM17-13-000 (September 7, 2018) (NERC Interim Report).
\45\ Id. at 5-1.




                                        VerDate Sep<11>2014         18:06 Oct 25, 2018   Jkt 247001   PO 00000   Frm 00032   Fmt 4700   Sfmt 4700    E:\FR\FM\26OCR1.SGM   26OCR1


[[Page 53997]]

or preferential, and in the public interest. We determine that the supply chain risk management Reliability Standards will enhance existing protections for bulk electric system reliability by addressing the four objectives identified in Order No. 829: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.

29. Reliability Standard CIP–013–1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact BES Cyber Systems. The required plans must address, as applicable, a baseline set of six security concepts: (1) Vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls. Reliability Standard CIP–005–6 addresses vendor remote access by creating two new requirements for determining active vendor remote access sessions and for having one or more methods to disable active vendor remote access sessions. Reliability Standard CIP–010–3 addresses software authenticity and integrity by creating a new requirement that responsible entities verify the identity of the software source and the integrity of the software obtained from the software source prior to installing software that changes established baseline configurations, when methods are available to do so.

30. While we determine that the approved supply chain risk management Reliability Standards constitute substantial progress in addressing the supply chain cybersecurity risks identified in Order No. 829, as discussed below, we find that the exclusion of EACMS from the scope of the Reliability Standards presents risks to the cybersecurity of the bulk electric system. As explained in Order No. 848, EACMS are defined in the NERC Glossary as "Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems." Among other things, EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems. The purpose of an ESP, in turn, is to manage electronic access to BES Cyber Systems to support the protection of the BES Cyber Systems against compromise that could lead to misoperation or instability in the bulk electric system.\46\ The record indicates that the vulnerabilities associated with EACMS are well understood and appropriate for mitigation. Thus, pursuant to section 215(d)(5) of the FPA, we direct NERC to develop modifications to the CIP Reliability Standards to include EACMS within the scope of the supply chain risk management Reliability Standards. We direct NERC to submit the directed modifications within 24 months of the effective date of this final rule.

31. In addition, while PACS and PCAs also present concerns, we agree with NERC and others that further study is warranted with regard to the impacts and benefits of directing that the ERO address the risks associated with PACS and PCAs in the supply chain risk management Reliability Standards. Accordingly, we accept NERC's commitment to evaluate the cybersecurity supply chain risks presented by PACS and PCAs in the cybersecurity supply chain risks study directed by the BOT. The Commission further directs NERC to file the BOT-directed final report with the Commission upon its completion.

32. In the sections below, we discuss the following issues: (A) Inclusion of EACMS in the supply chain risk management Reliability Standards; (B) inclusion of PACS and PCAs in the BOT-directed study on cybersecurity supply chain risks and filing of the BOT-directed final report with the Commission; (C) supply chain risk management Reliability Standards' implementation plan and effective date; and (D) other issues raised in the NOPR comments.

A. Inclusion of EACMS in CIP Reliability Standards

1. NOPR

33. The NOPR observed that the supply chain risk management Reliability Standards do not apply to low impact BES Cyber Systems or Cyber Assets associated with medium and high impact BES Cyber Systems (i.e., EACMS, PACS, and PCAs). The NOPR, however, recognized that the BOT-directed study on cybersecurity supply chain risks will examine the risks posed by low impact BES Cyber Systems.\47\ While acknowledging NERC's commitment to study these issues, as evinced by the BOT-directed study, the NOPR proposed to direct NERC to modify the supply chain risk management Reliability Standards to include within their scope EACMS associated with medium and high impact BES Cyber Systems.\48\

34. Specifically, the NOPR explained that BES Cyber Systems have associated Cyber Assets, which, if compromised, pose a threat to the BES Cyber System by virtue of, inter alia, the security control function they perform.\49\ In particular, EACMS support BES Cyber Systems and are part of the network and security architecture that allows BES Cyber Systems to work as intended by performing electronic access control or electronic access monitoring of the ESP or BES Cyber Systems.

35. The NOPR indicated that since EACMS support and enable BES Cyber System operation, misoperation and unavailability of EACMS that support a given BES Cyber System could also contribute to misoperation of a BES Cyber System or render it unavailable, which could adversely affect bulk electric system reliability. The NOPR also explained that EACMS control electronic access, including interactive remote access, into the ESP that protects high and medium impact BES Cyber Systems. As the NOPR further noted, an attacker does not need physical access to the facility housing a BES Cyber System in order to gain access to a BES Cyber System or PCA via an EACMS compromise. The NOPR concluded that EACMS represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP.\50\

2. Comments

36. NERC does not support the proposed directive to include EACMS within the scope of the supply chain risk management Reliability Standards at this time. NERC indicates that it is currently analyzing supply chain risks associated with EACMS, among other things, as part of the BOT-directed study of supply chain risks related to low impact BES Cyber Systems. NERC explains that the "study will help identify and differentiate the risks presented by various types of EACMS" to help in any directed standards development process.\51\ NERC requests that the Commission refrain from issuing a directive on EACMS until the results of the BOT-directed study to

\46\ Order No. 848, 164 FERC ¶ 61,033 at PP 39–40.
\47\ NOPR, 162 FERC ¶ 61,044 at P 33.
\48\ Id. P 39.
\49\ Reliability Standard CIP–002–5.1a (Cyber Security—BES Cyber System Categorization), Background at 6.
\50\ NOPR, 162 FERC ¶ 61,044 at P 35.
\51\ NERC Comments at 6.
[[Page 53998]]

assess supply chain risks associated with EACMS are received.\52\

37. Most commenters agree with NERC that the Commission should approve the supply chain risk management Reliability Standards as filed and not direct the inclusion of EACMS at this time. Instead, Trade Associations, EEI, ITC, IRC, and MISO TOs support evaluating in the BOT-directed study the possibility of including EACMS in the supply chain risk management Reliability Standards.\53\

38. Trade Associations contend that first allowing completion of the BOT-directed study would allow NERC to assess the diversity of EACMS that perform control or monitoring functions with varying risk levels and "is likely to provide more specific information and analysis concerning whether any category of EACMS might be appropriately included within the scope of the supply chain Reliability Standards."\54\ Trade Associations also maintain that first having the BOT-directed study results will facilitate a more efficient and effective standards development process.

39. While also supportive of awaiting the results of the BOT-directed study, EEI asserts that EACMS are protected under existing CIP Reliability Standards. EEI cites Reliability Standards CIP–005–5, Requirements R1, Part 1.3 and R2, Parts 2.1–2.3, CIP–007–6, Requirements R1, Part 1.1, R2, R3, R4, and R5, and CIP–010–2, Requirement 2, Part 2.1 as protecting EACMS against compromise.\55\ Moreover, EEI states that the likelihood of compromise of an EACMS from potential supply chain-derived threats was not addressed in the NOPR and "should be evaluated before directing a CIP Standard scope expansion."\56\ Even so, EEI supports further evaluating the feasibility, as well as the benefits, of adding EACMS to the supply chain risk management Reliability Standards. EEI contends that waiting for the BOT-directed study will allow industry time to gain experience implementing the supply chain risk management Reliability Standard requirements as well as help identify potential follow-up actions.\57\

40. MISO TOs likewise aver that EACMS, while important, are "not unprotected" under currently-effective CIP Reliability Standards. MISO TOs, like EEI, reference Reliability Standard CIP–007–6 (Cyber Security—System Security Management), which requires responsible entities to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems. MISO TOs state that this Reliability Standard applies to EACMS. AECC also contends that the existing CIP Reliability Standards already sufficiently cover any risks associated with EACMS.\58\ In particular, AECC states that "CIP–005–6 already addresses vendor-initiated remote access . . . [and] developing technology services for BEC Cyber Systems under CIP–010–3 inherently already requires coverage for EACMS, PACS, and PCAs due to the nature of the technology."\59\

41. ITC, IRC, and MISO TOs assert that including EACMS within the supply chain risk management Reliability Standards would constitute a substantial expansion of the Reliability Standards and would require significant additional resources for compliance, without a commensurate improvement in bulk electric system reliability. According to ITC, the record does not contradict NERC's technical assessment that inclusion of EACMS within the supply chain risk management Reliability Standards is not justified. ITC claims that the NOPR, while "descriptively accurate," misunderstands the purpose and function of EACMS, which, ITC states, are intended to protect the ESP and the BES Cyber Assets contained therein and are not intended to provide a reliability function. ITC concludes that misoperation of an EACMS, while serious, does not rise to the level of a direct threat to the reliability of the bulk electric system.

42. IRC similarly believes that including EACMS within the scope of the supply chain risk management Reliability Standards would require "significant resources and effort" and because EACMS vendors supply such systems to a larger market than just the power sector there would need to be coordination with other industries before implementing a supply chain risk management Reliability Standard for EACMS.\60\ MISO TOs also contend that including EACMS would affect numerous pieces of equipment and assets, with associated costs, system changes, and other burdens, without showing commensurate benefits.\61\

43. Idaho Power, for its part, does not believe that EACMS should be included in the scope of the supply chain risk management Reliability Standards based on its view that EACMS are used in other industries and are not specific to critical infrastructure. Instead, Idaho Power states that the focus should be on correctly configuring EACMS devices as opposed to addressing procurement practices.\62\

44. Appelbaum, Reclamation, Resilient Societies, Isologic, Mabee, and MPUC support the NOPR directive regarding EACMS associated with medium and high impact BES Cyber Systems. In addition, the commenters urge the Commission to extend the scope of the supply chain risk management Reliability Standards to low impact BES Cyber Systems.\63\ MPUC states, for example, that the supply chain risk management Reliability Standards should apply to all BES Cyber System assets, unless the specific asset can be shown to be completely isolated from the bulk electric system.\64\ Resilient Societies states that the supply chain risk management Reliability Standards should apply to low impact BES Cyber Systems since the compromise of a low impact BES Cyber System could lead to the compromise of medium or high impact BES Cyber Systems.\65\

45. APS states that it supports the NOPR proposal to direct NERC to modify the supply chain risk management Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems. However, APS contends that the Commission should delay their inclusion until NERC and industry complete their analysis of the potential need to separate the functions reflected in the current EACMS definition (e.g., electronic access control versus electronic access monitoring). APS states that, including EACMS that perform electronic access control functions within the scope of the supply chain risk management Reliability Standards "represents good cybersecurity posture . . . [h]owever, at this time, the definition of EACMS is not sufficiently mature to make the necessary distinction discussed above."\66\

\52\ Id. at 4–6.
\53\ Trade Associations Comments at 10, EEI Comments at 10, ITC Comments at 5, IRC Comments at 3.
\54\ Trade Associations Comments at 10.
\55\ EEI Comments at 8.
\56\ Id.
\57\ Id. at 10.
\58\ AECC Comments at 2–3.
\59\ Id. at 3.
\60\ IRC Comments at 2–3.
\61\ MISO TO Comments at 16.
\62\ Idaho Power Comments at 2.
\63\ Appelbaum Comments at 6, Reclamation Comments at 7, Resilient Societies Comments at 3–4, Isologic Comments at 3, Mabee Comments at 4, MPUC Comments at 6.
\64\ MPUC Comments at 6.
\65\ Resilient Societies Comments at 3.
\66\ APS Comments at 5.
                                                                Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations                                               53999

3. Commission Determination

46. Pursuant to section 215(d)(5) of the FPA, we adopt the NOPR proposal and direct NERC to develop modifications to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. While we are sensitive to the position taken by NERC and other commenters that the Commission should not issue a directive until after completion of the BOT-directed final report, we conclude that the record before us supports directing NERC to include at least some subset of EACMS associated with medium and high impact BES Cyber Systems at this time. We are not persuaded by comments advocating delay in view of the forthcoming BOT-directed final report because the standard drafting team will have the benefit of the BOT-directed final report, which is due in February 2019, when developing the directed Reliability Standard modifications.67

47. We continue to believe that EACMS represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP based on the functions they perform.68 EACMS support BES Cyber Systems and are part of the network and security architecture that allows BES Cyber Systems to work as intended because they perform electronic access control or electronic access monitoring of the ESP or BES Cyber Systems. In particular, EACMS control electronic access, including interactive remote access, into the ESP that protects high and medium impact BES Cyber Systems. One specific function of electronic access control is to prevent malware or malicious actors from gaining access to the BES Cyber Systems and PCAs within the ESP.69 Given the significant role that EACMS play in the protection scheme for medium and high impact BES Cyber Systems, we determine that EACMS should be within the scope of the supply chain risk management Reliability Standards to provide minimum protection against supply chain attack vectors.

48. No commenter disagreed with the NOPR that misoperation or unavailability of EACMS that support a given BES Cyber System could contribute to the misoperation of the BES Cyber System or render it unavailable, which could pose a significant risk to reliable operation. Instead, commenters generally agree that EACMS perform important security-related functions.70 For example, NERC states that a compromised firewall “may allow unfettered access to the ESP.”71 EEI also agrees that the compromise of certain EACMS that control access could adversely affect the reliable operation of an associated BES Cyber System, although EEI asserts that other CIP Reliability Standards adequately protect those EACMS.72 Although some commenters, as discussed below, maintain that the reliability benefit of including EACMS in the supply chain risk management Reliability Standards is outweighed by the perceived costs, these commenters do not challenge the proposition that misoperation or unavailability of EACMS has negative reliability ramifications. For example, ITC, while opposing the NOPR directive, recognizes that misoperation of an EACMS is “serious” and “[w]ere CIP resources infinite, it would no doubt increase BES reliability by some degree to include EACMS within this Standard.”73

49. We disagree with the comments asserting that existing CIP Reliability Standards adequately protect EACMS against supply chain-based threats. While existing CIP Reliability Standards include requirements that address aspects of supply chain risk management, existing Reliability Standards do not adequately protect EACMS based on the four security objectives in Order No. 829.74 The CIP Reliability Standards cited by EEI, MISO TOs and AECC address aspects of electronic access control, systems security management, and configuration monitoring, but they do not address protection from supply chain threats such as insertion of counterfeits or malicious software, unauthorized production, tampering, or theft, as well as poor manufacturing and development practices. By contrast, the supply chain risk management Reliability Standards approved in this final rule specifically address the above listed supply chain threats, and, we determine, should be extended to at least some subset of EACMS.

50. Specifically, the goal of the supply chain risk management Reliability Standards is “to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development life cycle.”75 The current CIP Reliability Standards identified in the comments, however, do not adequately address supply chain risks. For example, while Reliability Standard CIP–005–5 provides a level of electronic access protection for an ESP through controls applied to an Electronic Access Point associated with an EACMS, those controls would only apply after an asset is procured and deployed on a responsible entity’s system. In this situation, the EACMS at issue could already contain built-in vulnerabilities making it susceptible to compromise or, in the worst-case scenario, could have been compromised before acquisition.

51. Given the documented risks to the cyber posture of the bulk electric system associated with EACMS, we are not persuaded to await the completion of the BOT-directed final report before issuing a directive regarding EACMS.76 Instead, it is reasonable to initiate modification of the supply chain risk management Reliability Standards based on the conclusion that at least some categories of EACMS should be included. As discussed above, we are convinced that EACMS in general are a known risk that should be protected under the supply chain risk management Reliability Standards. But we leave it to the standard drafting team to assess the various types of EACMS and their associated levels of risk. We are confident that the standard drafting team will be able to develop modifications that include only those EACMS whose compromise by way of the cybersecurity supply chain can affect the reliable operation of high and medium impact BES Cyber Systems. While it will no doubt inform the standard drafting team’s work, the BOT-directed final report is not, in our view, likely to alter the conclusion that at least some EACMS functions should be included in the supply chain risk management Reliability Standards.77

67 As we have imposed a 24-month deadline for NERC to file the modified supply chain risk management Reliability Standards, the standard drafting team will have ample time to review and incorporate the findings in the BOT-directed final report.
68 See NOPR, 162 FERC ¶ 61,044 at P 35.
69 Id.
70 See NERC Comments at 5–6, Appelbaum Comments at 5–6, APS Comments at 5, EEI Comments at 7–8, IRC Comments at 3, Idaho Power Comments at 2, MPUC Comments at 6.
71 NERC Comments at 5.
72 EEI Comments at 7–8.
73 ITC Comments at 5.
74 Order No. 829, 156 FERC ¶ 61,050 at P 71.
75 NERC Comments at 23.
76 See NERC Comments at 4–6, EEI Comments at 7–10, IRC Comments at 3, ITC Comments at 5, Trade Associations at 8–12, MISO TOs Comments at 16–18.
77 The BOT-directed interim report provides the example of a situation where a firewall used to protect BES Cyber Systems within an ESP was compromised due to supply chain vulnerability, noting that each system within the ESP could be exposed due to its logical proximity to the compromised firewalls. NERC Interim Report at 4–4.

[[Page 54000]]

52. The record does not support delaying a directive to modify the CIP Reliability Standards to include EACMS. While commenters opposing the NOPR proposal contend that the Commission should not act until NERC has the results of the BOT-directed final report, we note that: (1) NERC will have 24 months from the effective date of this final rule to develop and submit the modified Reliability Standards; and (2) the BOT-directed final report is due in the near term (i.e., February 2019). Nothing in our directive prevents the standard drafting team from using the findings in the BOT-directed final report to refine its understanding of which types of EACMS functions present the greatest risk and are worthy of inclusion in the supply chain risk management Reliability Standards. Indeed, as discussed below, in view of the BOT-directed study and the Commission’s guidance, the standard drafting team could modify the supply chain risk management Reliability Standards to include an appropriate subset of EACMS functions similar to the approach in Order No. 848.78

53. As we have indicated above, including EACMS within the scope of the supply chain risk management Reliability Standards is consistent with the approach in Order No. 848 regarding cybersecurity incident reporting. In Order No. 848, the Commission determined that EACMS that perform certain functions are significant to bulk electric system reliability so as to justify their being within the scope of the cybersecurity incident reporting Reliability Standards. Specifically, Order No. 848 addressed the identification of EACMS that should be subject to mandatory reporting requirements:

With regard to identifying EACMS for reporting purposes, NERC’s reporting threshold should encompass the functions that various electronic access control and monitoring technologies provide. Those functions must include, at a minimum: (1) Authentication; (2) monitoring and logging; (3) access control; (4) interactive remote access; and (5) alerting.79

54. As with cybersecurity incident reporting, in the context of this proceeding, if, for example, a vulnerability in the supply chain for EACMS is found, we determine that responsible entities should have processes in place to be notified of such vulnerabilities by the vendor, as required by Reliability Standard CIP–013–1, Requirement R1.2.4. We recognize that including EACMS within the scope of the supply chain risk management Reliability Standards will impose a burden on responsible entities. Nonetheless, the burden of possible procurement inefficiencies or resource constraints must be weighed against the significant risk of a cyber incident resulting from unmitigated supply chain vulnerabilities.80

55. It is also important to consider that in Order No. 848 the Commission determined that the modified reporting Reliability Standard need not include all EACMS as currently defined and, instead, the standard drafting team may analyze the matter to determine an appropriate subset of EACMS for reporting purposes.81 Likewise, the standard drafting team that is formed in response to our present directive may determine, based on the work done in response to Order No. 848 as well as the results of the BOT-directed study, what EACMS functions are most important to the reliable operation of the Bulk-Power System and therefore should be included in the supply chain risk management Reliability Standards.

56. We find the remaining objections to our directive unpersuasive. BES Cyber Systems rely on EACMS to enable and secure the communications capability that these systems depend on to control their assigned portion of the bulk electric system. Commenters opposing the NOPR directive fail to provide convincing examples of why EACMS should not receive the same level of protection as the BES Cyber Systems with which they are associated. In addition, contrary to EEI’s assertion that the “likelihood of compromise” is unclear, ample evidence exists that supply chain vulnerabilities are an active issue for vendors, whom malicious parties have intentionally targeted.82 By contrast, commenters supporting the NOPR directive provided examples where notable vendors of EACMS functions announced vulnerabilities, specifically in firewall firmware.83 Reliability Standard CIP–013–1, Requirement R1, Part 1.2.1, when applied to certain EACMS functions, will require that responsible entities have processes to require notification by the vendor of the discovery of such vulnerabilities, representing a clear enhancement of the protections provided by the CIP Reliability Standards.

57. Although some commenters question the importance of the EACMS monitoring function, we note that these systems work in concert with access control systems to alert of possible intrusion.84 Standard monitoring systems such as intrusion detection systems are an essential component designed to recognize suspicious activity and collect data used for incident reporting. A compromised intrusion detection system may provide false information and generate false alarms. Indeed, a compromised intrusion detection system may not only negate the value of the reported information, but could also potentially provide misleading information. Various intrusion detection system modules collect user logs, provide audit trails and indicate whether suspicious activity is malicious or normal. An attacker could change the various settings, removing or inserting false information. A compromised intrusion detection system may also allow the attacker to manipulate the system continuously without generating an alarm. In addition, an attacker may alter the compromised system such that it will deny legitimate activity and accept malicious activity.85

58. For the reasons discussed above, we adopt the NOPR proposal and, pursuant to section 215(d)(5) of the FPA, direct NERC to develop modifications to the CIP Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. We direct NERC to submit the directed modifications within 24 months of the effective date of this final rule.

B. Study of PACS and PCAs in the BOT-Directed Cybersecurity Supply Chain Risk Study

1. NOPR

59. The NOPR stated that it would be appropriate to await the findings from the BOT-directed study on cybersecurity supply chain risks before considering

78 Order No. 848, 164 FERC ¶ 61,033 at PP 53–54.
79 Id. P 54.
80 EEI Comments at 9, MISO TOs Comments at 16–17, ITC Comments at 5.
81 Order No. 848, 164 FERC ¶ 61,033 at P 53.
82 EEI Comments at 8–9.
83 Resilient Societies Comments at 3 (noting a February 2016 Cisco “critical” security advisory on a vulnerability that could allow an unauthenticated, remote attacker to obtain full control of its Industrial Security Appliance line of firewalls, and a December 2015 Juniper “out-of-cycle security advisory” on unauthorized code identified in a specific operating system that could allow an attacker to access some firewalls).
84 EEI Comments at 7, APS Comments at 3–5, MISO TOs Comments 17–18.
85 International Journal of Information Sciences and Techniques (IJIST) Vol.6, No.1/2, March 2016, Cyber Attacks on Intrusion Detection Systems at P 195, http://aircconline.com/ijist/V6N2/6216ijist20.pdf.


[[Page 54001]]

whether low impact BES Cyber Systems should be addressed in the supply chain risk management Reliability Standards. The NOPR explained that the BOT resolutions stated that the BOT-directed study should examine the risks posed by low impact BES Cyber Systems, but the BOT resolutions did not identify PACS and PCAs as subjects of the study. The NOPR noted, however, that NERC’s petition suggests that NERC will evaluate PACS and PCAs as part of the BOT-directed study.86

60. The NOPR proposed to direct that NERC, consistent with the representation made in NERC’s petition, include PACS and PCAs in the BOT-directed study and to await the findings of the study’s final report before considering further action. The NOPR indicated that the risks posed by EACMS also apply to varying degrees to PACS and PCAs. However, the NOPR explained the distinction between EACMS and the other Cyber Assets: For example, a compromise of a PACS through the supply chain, which would potentially grant an attacker physical access to a BES Cyber System or PCA, is more difficult since it would also require physical access. Physical access is not required to take advantage of a compromised EACMS. Accordingly, the NOPR proposed immediate action to provide for the protection of EACMS, because they represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP, while possible action on other Cyber Assets can await completion of the BOT-directed study’s final report.87

61. In addition to proposing to direct NERC to include PACS and PCAs in the BOT-directed study, the NOPR proposed to direct that NERC file the study’s interim and final reports with the Commission upon their completion.88

2. Comments

62. NERC concurs with the NOPR proposal and states that the Commission should “await the results of the Board-requested study before considering whether low impact BES Cyber Systems, PACS, and PCAs should be addressed in the proposed Reliability Standards.” 89 NERC maintains that the BOT-directed report will help determine whether the supply chain risk management Reliability Standards are appropriately scoped to mitigate the risks identified by the Commission.90

63. EEI and Trade Associations support the supply chain risk management Reliability Standards’ exclusion of low impact BES Cyber Systems. EEI agrees with the NOPR proposal to wait for NERC to study the supply chain risks posed by low impact BES Cyber Systems as well as PACS and PCAs before directing further modifications.91 Trade Associations also “strongly support” limiting the supply chain risk management Reliability Standards’ applicability to medium and high impact BES Cyber Systems.92

64. Other commenters contend that low impact BES Cyber Systems pose a significant risk and disagree with the view that excluding such assets will focus industry resources on protecting systems with heightened risk, while not being overly burdensome. For example, Resilient Societies maintains that cyber attackers could use low impact BES Cyber Systems as network entry points to attack high and medium impact BES Cyber Systems, with a potential coordinated cyberattack on multiple low impact facilities causing a cascading collapse.93 Similarly, Appelbaum asserts that “if a large number of [low impact BES Cyber Systems] are compromised, then the effort to correct or replace the compromised assets could be significant.” 94 Reclamation also recommends including low impact BES Cyber Systems in the proposed Reliability Standards in order to avoid gaps that could compromise bulk electric system security.95

65. MPUC states that many of the concerns identified in the NOPR apply to all classifications of BES Cyber Systems and that responsible entities should be required to apply the supply chain risk management Reliability Standards to all BES Cyber System assets, unless the entities can show the assets in question to be completely isolated.96 Reclamation has similar concerns and states that the supply chain risk management Reliability Standards should apply to all BES Cyber System impact ratings, including low impact.97 Mabee cautions against giving industry the discretion to determine which cyber systems are “easy” to protect and which are “burdensome” to protect.98 Isologic also disagrees with the exclusion of low impact BES Cyber Systems and contends that awaiting the BOT-directed final report would unduly delay an examination by the Commission of risks involving the “massive array of unprotected [low impact] transmission substations.” 99

3. Commission Determination

66. We accept NERC’s commitment to evaluate the cybersecurity supply chain risks presented by low impact BES Cyber Systems, PACS, and PCAs in the study of cybersecurity supply chain risks directed by the NERC BOT. In light of that commitment, we conclude it is not necessary to separately direct that NERC expand the scope of the BOT-directed study. However, we adopt the NOPR proposal to direct NERC to file the BOT-directed study’s final report with the Commission upon its completion.

67. We continue to believe that it is appropriate to await the findings from the BOT-directed final report on cybersecurity risks before considering whether low impact BES Cyber Systems, PACS and PCAs should be addressed in modified supply chain risk management Reliability Standards.100 While we do not prejudge the findings from the forthcoming final report, at this time we find that NERC is taking adequate and timely steps to study whether low impact BES Cyber Systems, PACS and PCAs should be included in the supply chain risk management Reliability Standards. Given that the BOT-directed final report is scheduled to be completed in February 2019, we do not view our determination as unduly delaying consideration of this important issue. Once NERC submits the BOT-directed final report, the Commission will be in a better position to consider what further steps, if any, should be taken to provide for the reliability of the bulk electric system.

C. Implementation Plan

1. NOPR

68. The NOPR stated that the 18-month implementation period proposed by NERC may not be justified based on the anticipated effort required to develop and implement a supply chain risk management plan. The NOPR explained that while, according to NERC, the proposed implementation period is “designed to afford responsible entities sufficient time to develop and implement their supply

86 NOPR, 162 FERC ¶ 61,044 at P 27 (citing NERC Petition at 21 (“over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS, and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard”)).

87 NOPR, 162 FERC ¶ 61,044 at P 42.

88 Id. P 43.

89 NERC Comments at 4.

90 Id. at 5.

91 EEI Comments at 3.

92 Trade Associations Comments at 7.

93 Resilient Societies Comments at 3–4.

94 Appelbaum Comments at 6.

95 Reclamation Comments at 1.

96 MPUC Comments at 6.

97 Reclamation Comments at 1.

98 Mabee Comments at 4.

99 Isologic Comments at 5.

100 NOPR, 162 FERC ¶ 61,044 at P 40.







chain cybersecurity risk management plans required under proposed Reliability Standard CIP–013–1 and implement the new controls required in proposed Reliability Standards CIP–005–6 and CIP–010–3,” the security objectives of the proposed Reliability Standards are process-based and do not prescribe technology that might justify an extended implementation period.101 Accordingly, the NOPR proposed to reduce the time for implementation such that the supply chain risk management Reliability Standards would become effective the first day of the first calendar quarter that is 12 months, as opposed to NERC’s 18 months, following the effective date of a Commission order approving the Reliability Standards.

2. Comments

69. NERC does not support the NOPR proposal to reduce the implementation period for the supply chain risk management Reliability Standards to 12 months. NERC states that the proposed 18-month implementation period is intended to give responsible entities adequate time to develop and implement a supply chain risk management plan required under proposed Reliability Standard CIP–013–1, as well as to implement new controls required under proposed Reliability Standards CIP–005–6 and CIP–010–3. NERC explains that although proposed Reliability Standard CIP–013–1 is process-based, the development and implementation of the underlying Reliability Standard requirements “involves performing a complex risk assessment process for planning and procuring BES Cyber Systems.” 102

70. Other commenters support NERC’s proposed 18-month implementation period and contend that 12 months is not enough time for responsible entities to develop and implement the plan and controls required under the supply chain risk management Reliability Standards. EEI, Idaho Power, IRSC, MISO TOs, and Trade Associations contend that while the Commission is correct that the requirements in the Reliability Standards are process-based, certain requirements will require technology enhancements, as well as coordination with vendors.103 For example, Trade Associations state that Reliability Standard CIP–005–6 will require work with vendors to facilitate the ability to disable vendor remote access, while Reliability Standard CIP–010–3 will also require technology upgrades.104 APS does not agree with the NOPR’s assessment that a 12-month implementation period is reasonable, noting the potential need for new technology and the limitations imposed by capital budget and planning cycles.105 ITC and MISO TOs argue that the Commission does not have the legal authority to modify the implementation period unilaterally for a proposed Reliability Standard.

71. Appelbaum supports a shortened implementation period for proposed Reliability Standards CIP–010–3 and CIP–005–6, for the reasons stated in the NOPR, but contends that an 18-month implementation period for proposed Reliability Standard CIP–013–1 is more appropriate. Specifically, Appelbaum notes that the proposed Reliability Standard includes new risk planning and documentation requirements that will take time to implement. Appelbaum also contends that the risk assessment will likely involve multiple vendors and various different assets. Appelbaum states that an 18-month implementation period would provide the time to develop a supply chain risk management policy and associated processes, and then apply the processes to current and future procurement activities.106

3. Commission Determination

72. We do not adopt the NOPR proposal to reduce the implementation period and instead approve the implementation plan and effective date as proposed by NERC. The NOPR proposal was largely based on the premise that the security objectives of the supply chain risk management Reliability Standards are process-based and do not prescribe technology that might justify a longer implementation period. However, based on the comments, we are persuaded that technical upgrades are likely necessary to meet the security objectives of the supply chain risk management Reliability Standards, which could involve longer time-horizon capital budgets and planning cycles.

73. While the Commission could, as Appelbaum suggests, direct an 18-month implementation period for Reliability Standard CIP–013–1 and a 12-month period for Reliability Standards CIP–005–6 and CIP–010–3, we conclude that different timelines could complicate implementation and potentially increase the administrative burden of implementation without a commensurate improvement in security.

74. Based on the discussion above, we do not adopt the NOPR proposal and approve NERC’s proposed implementation plan whereby the supply chain risk management Reliability Standards will be effective on the first day of the first calendar quarter that is 18 months following the effective date of this final rule.

D. Other Issues

1. Comments

75. Certain commenters raised additional issues not addressed in the NOPR. MISO TOs, APS, and Trade Associations request clarification regarding the term “vendor.” Specifically, APS seeks clarification of the definition of “vendor” and on the applicability of Reliability Standard CIP–013–1 to those vendors that would only provide services associated with a BES Cyber System that is already procured and in service.107 APS also seeks clarification on whether responsible entities are required to perform individualized vendor assessments for every in-scope procurement activity.108

76. MISO TOs contend that the Commission should clarify that the supply chain risk management Reliability Standards do not apply to vendors and that responsible entities will not be responsible for vendor noncompliance. MISO TOs also request that the Commission clarify that responsible entities do not have any obligation to work only with compliant vendors.109

77. APS also seeks clarification regarding the scope of access intended within the term “system-to-system access.” 110 As an example, APS asserts that, although there is a connection, User Datagram Protocol would not qualify as “system-to-system access” and seeks clarification regarding the scope of connections that would qualify as “system-to-system access.” 111

2. Commission Determination

78. The Supplemental Materials for Reliability Standard CIP–013–1 explain the meaning of the term “vendor.” Specifically, the Supplemental Materials state that a vendor “is limited to those persons, companies, or other organizations with whom the

101 NOPR, 162 FERC ¶ 61,044 at P 44 (citing NERC Petition at 35).

102 NERC Comments at 7.

103 See EEI Comments at 3–4, Idaho Power Comments at 3–4, IRC Comments at 4, Trade Associations Comments at 12–13.

104 Trade Associations Comments at 12–13 (citing NOPR, 152 FERC ¶ 61,054 at P 44).

105 APS Comments at 5–7.

106 Appelbaum Comments at 4.

107 APS Comments at 9–11.

108 Id.

109 MISO TOs Comments at 7–9.

110 APS Comments at 9–11.

111 Id.







[r]esponsible [e]ntity, or its affiliates, contracts with to supply BES Cyber Systems and related services.” 112 The Supplemental Materials also note that a vendor, for purposes of the supply chain risk management Reliability Standards, may include: (i) Developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.113

79. With regard to vendor-related compliance concerns, vendors are not subject to the supply chain risk management Reliability Standards. As NERC explains, “the proposed Reliability Standards apply only to registered entities and do not directly impose obligations on suppliers, vendors or other entities that provide […]

[…] risk management Reliability Standards do not dictate a responsible entity’s contracting decision.

81. As to the term “system-to-system,” NERC explains that the objective of Reliability Standard CIP–005–6, Requirement R2.4 is for entities to have visibility of active vendor remote access sessions, including Interactive Remote Access and system-to-system remote access, taking place on their system.118 Reliability Standard CIP–005–6 requires entities to have a method to determine all active vendor remote access sessions.119

III. Information Collection Statement

82. The FERC–725B information collection requirements contained in this final rule are subject to review by […]

[…] CIP–010–2, respectively. As discussed above, the final rule addresses several areas of the CIP Reliability Standards through Reliability Standard CIP–013–1, Requirements R1, R2, and R3. Under Requirement R1, responsible entities would be required to have one or more processes to address the following baseline set of security concepts, as applicable, in their procurement activities for high and medium impact BES Cyber Systems: (1) Vendor security event notification processes (Part 1.2.1); (2) coordinated incident response activities (Part 1.2.2); (3) vendor personnel termination notification for employees with access to remote and onsite systems (Part 1.2.3); (4) product/services vulnerability disclosures (Part 1.2.4); (5) verification of software […]
                                             products or services to registered                         the Office of Management and Budget                   integrity and authenticity (Part 1.2.5);
                                             entities.’’ 114 This is consistent with the                (OMB) under section 3507(d) of the                    and (6) coordination of vendor remote
                                             Commission’s guidance in Order No.                         Paperwork Reduction Act of 1995.120                   access controls (Part 1.2.6). Requirement
                                             829 that ‘‘any action taken by NERC in                     OMB’s regulations require approval of                 R2 mandates that each responsible
                                             response to the Commission’s directive                     certain information collection                        entity implement its supply chain
                                             to address the supply chain-related                        requirements imposed by agency                        cybersecurity risk management plan.
                                             reliability gap should respect ‘section                    rules.121 Upon approval of a collection               Requirement R3 requires a responsible
                                             215 jurisdiction by only addressing the                    of information, OMB will assign an                    entity to review and obtain the CIP
                                             obligations of responsible entities’ and                   OMB control number and expiration                     Senior Manager’s approval of its supply
                                             ‘not directly impose obligations on                        date. Respondents subject to the filing               chain risk management plan at least
                                             suppliers, vendors or other entities that                  requirements of this rule will not be                 once every 15 calendar months in order
                                             provide products or services to                            penalized for failing to respond to these             to ensure that the plan remains up-to-
                                             responsible entities.’ ’’ 115                              collections of information unless the                 date.
                                                80. As to the question of responsible                   collections of information display a
                                             entity liability for vendor                                                                                        84. Separately, Reliability Standard
                                                                                                        valid OMB control number. In the                      CIP–005–6, Requirement R2.4 requires
                                             noncompliance, NERC explains that                          NOPR, the Commission solicited
                                             ‘‘any resulting obligation that a supplier,                                                                      one or more methods for determining
                                                                                                        comments on the Commission’s need for                 active vendor remote access sessions,
                                             vendor or other entity accepts in                          this information, whether the
                                             providing products or services to the                                                                            including Interactive Remote Access
                                                                                                        information will have practical utility,              and system-to-system remote access.
                                             registered entity is a contractual matter                  the accuracy of the burden estimates,
                                             between the registered entity and the                                                                            Reliability Standard CIP–005–6,
                                                                                                        ways to enhance the quality, utility, and             Requirement R2.5 requires one or more
                                             third party outside the scope of the                       clarity of the information to be collected
                                             proposed Reliability Standard[.]’’ 116                                                                           methods to disable active vendor remote
                                                                                                        or retained, and any suggested methods                access, including Interactive Remote
                                             The security objective of the supply
                                                                                                        for minimizing respondents’ burden,                   Access and system-to-system remote
                                             chain risk management Reliability
                                                                                                        including the use of automated                        access. Reliability Standard CIP–010–3,
                                             Standards is to ‘‘ensure that
                                                                                                        information techniques. The                           Requirement R1.6 requires responsible
                                             [r]esponsible [e]ntities consider the
                                                                                                        Commission did not receive any                        entities to verify software integrity and
                                             security, integrity, quality, and
                                                                                                        comments on the specific burden                       authenticity in the operational phase, if
                                             resilience of the supply chain, and take
                                                                                                        estimates discussed below.                            the software source provides a method
                                             appropriate mitigating action when
                                             procuring BES Cyber Systems to address                       83. The Commission bases its                        to do so.
                                             threats and vulnerabilities in the supply                  paperwork burden estimates on the
                                                                                                        changes in paperwork burden presented                   85. The NERC Compliance Registry,
                                             chain.’’ 117 Therefore, while a                                                                                  as of December 2017, identifies
                                             responsible entity is not directly liable                  by the approved CIP Reliability
                                                                                                        Standard CIP–013–1 and the approved                   approximately 1,250 unique U.S.
                                             for vendor actions, the responsible                                                                              entities that are subject to mandatory
                                             entity is required to mitigate any                         revisions to CIP Reliability Standard
                                                                                                        CIP–005–6 and CIP–010–3 as compared                   compliance with Reliability Standards.
                                             resulting risks. Finally, the supply chain                                                                       Of this total, we estimate that 288
                                                                                                        to the current Commission-approved
                                               112 Reliability                                          Reliability Standards CIP–005–5 and                   entities will face an increased
                                                                 Standard CIP–013–1 at 12.
                                               113 Id.
                                                                                                                                                              paperwork burden under the approved
                                               114 NERC    Petition at 14.                                118 Id.at 31.                                       Reliability Standards CIP–013–1, CIP–
khammond on DSK30JT082PROD with RULES




                                               115 Order   No. 829, 156 FERC ¶ 61,050 at P 21.            119 See Reliability Standard CIP–005–6 at 28.       005–6, and CIP–010–3. Based on these
                                               116 NERC Petition at 17.                                   120 44 U.S.C. 3507(d).                              assumptions, we estimate the following
                                               117 Id. at 13.                                             121 5 CFR 1320.11.                                  reporting burden:




                                        VerDate Sep<11>2014      18:06 Oct 25, 2018   Jkt 247001   PO 00000   Frm 00039   Fmt 4700   Sfmt 4700   E:\FR\FM\26OCR1.SGM   26OCR1


                                             54004                Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations

                                                                                                            RM17–13–000 FINAL RULE
                                                                                [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]

                                                                                                                               Annual                                                                   Total annual
                                                                                                                                                                        Average burden                                        Cost per
                                                                                                Number of                     number of               Total number                                      burden hours
                                                                                                                                                                          & cost per                                         respondent
                                                                                               respondents                 responses per              of responses                                      & total annual
                                                                                                                                                                         response 122                                            ($)
                                                                                                                             respondent                                                                      cost

                                                                                                       (1)                          (2)               (1) * (2) = (3)              (4)                   (3) * (4) = (5)        (5) ÷ (1)

                                             Create supply chain risk manage-                                   288                             1                 288   546 hrs.; $44,226              157,248 hrs.;                 $44,226
                                               ment plan (one-time) 123 (CIP–                                                                                                                            $12,737,088.
                                               013–1 R1).
                                             Updates and reviews of supply                                      288                             1                 288   30 hrs.; 2,430 ....            8,640 hrs.;                        2,430
                                               chain risk management plan (on-                                                                                                                           699,840.
                                               going) 124 (CIP–013–1 R2).
                                             Develop Procedures to update re-                                   288                             1                 288   50 hrs.; 4,050 ....            14,400 hrs.;                       4,050
                                               mote access requirements (one                                                                                                                             1,166,400.
                                               time) (CIP–005–6 R1–R4).
                                             Develop procedures for software in-                               288                               1                288   50 hrs.; 4,050 ....            14,400 hrs.;                      4,050
                                               tegrity and authenticity require-                                                                                                                         1,166,400.
                                               ments (one time) (CIP–010–3
                                               R1–R4).
                                                  Total (one-time) ........................   ........................     ........................               864   ............................   186,048 hrs.;       ........................
                                                                                                                                                                                                         15,069,888.
                                                  Total (ongoing) .........................   ........................     ........................               288   ............................   8,640 hrs.;         ........................
                                                                                                                                                                                                         699,840.



                                               The one-time burden of 186,048 hours                               • Year 1: $15,069,888                                             effective suite of cybersecurity CIP
                                             will be averaged over three years                                    • Years 2 and beyond: $699,840                                    Reliability Standards.
                                             (186,048 hours ÷ 3 = 62,016 hours/year                               • The paperwork burden estimate                                      Internal Review: The Commission has
                                             over three years).                                                includes costs associated with the initial                           reviewed the approved Reliability
                                               The ongoing burden of 8,640 hours                               development of a policy to address
                                                                                                                                                                                    Standards and made a determination
                                             applies to only Years 2 and beyond.                               requirements relating to: (1) Developing
                                                                                                                                                                                    that its action is necessary to implement
                                               The number of responses is also                                 the supply chain risk management plan;
                                                                                                                                                                                    section 215 of the FPA.
                                             average over three years (864 responses                           (2) updating the procedures related to
                                             (one-time) + (288 responses (Year 2) +                            remote access requirements (3)                                          88. Interested persons may obtain
                                             288 responses (Year 3)) ÷ 3 = 480                                 developing the procedures related to                                 information on the reporting
                                             responses.                                                        software integrity and authenticity.                                 requirements by contacting the
                                               The responses and burden for Years                              Further, the estimate reflects the                                   following: Federal Energy Regulatory
                                             1–3 will total respectively as follows:                           assumption that costs incurred in year                               Commission, 888 First Street NE,
                                             • Year 1: 480 responses; 62,016 hours                             1 will pertain to plan and procedure                                 Washington, DC 20426 [Attention: Ellen
                                             • Year 2: 480 responses; 62,016 hours +                           development, while costs in years 2 and                              Brown, Office of the Executive Director,
                                               8,640 hours = 70,656 hours                                      3 will reflect the burden associated with                            email: DataClearance@ferc.gov, phone:
                                             • Year 3: 480 responses; 62,016 hours +                           maintaining the supply chain risk                                    (202) 502–8663, fax: (202) 273–0873].
                                               8,640 hours = 70,656 hours.                                     management plan and modifying it as                                     89. For submitting comments
                                               86. The following shows the annual                              necessary on a 15-month basis.                                       concerning the collection(s) of
                                             cost burden for each year, based on the                              87. Title: FERC–725B (Mandatory                                   information and the associated burden
                                             burden hours in the table above:                                  Reliability Standards, Revised Critical                              estimate(s), please send your comments
                                                                                                               Infrastructure Protection Reliability                                to the Commission, and to the Office of
                                                122 The loaded hourly wage figure (includes                    Standards).                                                          Management and Budget, Office of
                                             benefits) is based on the average of the occupational                Action: Information Collection,                                   Information and Regulatory Affairs, 725
                                             categories for 2017 found on the Bureau of Labor                  FERC–725B (Supply Chain Risk                                         17th Street NW, Washington, DC 20503
                                             Statistics website (http://www.bls.gov/oes/current/               Management Reliability Standards).
                                             naics2_22.htm):                                                                                                                        [Attention: Desk Officer for the Federal
                                                Legal (Occupation Code: 23–0000): $143.68.
                                                                                                                  OMB Control No.: 1902–0248.                                       Energy Regulatory Commission, phone:
                                                                                                                  Respondents: Businesses or other for-
                                                Information Security Analysts (Occupation Code                                                                                      (202) 395–4638, fax: (202) 395–7285].
                                             15–1122): $61.55.                                                 profit institutions; not-for-profit
                                                                                                                                                                                    For security reasons, comments to OMB
                                                Computer and Information Systems Managers                      institutions.
                                             (Occupation Code: 11–3021): $96.51.                                  Frequency of Responses: On                                        should be submitted by email to: oira_
                                                Management (Occupation Code: 11–0000):                         Occasion.                                                            submission@omb.eop.gov. Comments
                                             $94.28.                                                              Necessity of the Information: This                                submitted to OMB should include
                                                Electrical Engineer (Occupation Code: 17–2071):
                                                                                                               final rule approves the requested                                    Docket Number RM17–13–000 and
                                             $66.90.                                                                                                                                OMB Control Number 1902–0248.
                                                Management Analyst (Code: 43–0000): $63.32.                    modifications to Reliability Standards
khammond on DSK30JT082PROD with RULES




                                                These various occupational categories are                      pertaining to critical infrastructure                                IV. Environmental Analysis
                                             weighted as follows: [($94.28)(.10) + ($61.55)(.315)              protection. As discussed above, the
                                             + ($66.90)(.02) + ($143.68)(.15) + ($96.51)(.10) +                Commission approves NERC’s CIP                                         90. The Commission is required to
                                             ($63.32)(.315)] = $81.30. The figure is rounded to
                                             $81.00 for use in calculating wage figures in this
                                                                                                               Reliability Standards CIP–013–1, CIP–                                prepare an Environmental Assessment
                                             final rule.                                                       005–6, and CIP–010–3 pursuant to                                     or an Environmental Impact Statement
                                                123 One-time burdens apply in Year One only.                   section 215(d)(2) of the FPA because                                 for any action that may have a
                                                124 Ongoing burdens apply in Year 2 and beyond.                they improve upon the currently-                                     significant adverse effect on the human


                                        VerDate Sep<11>2014     18:06 Oct 25, 2018    Jkt 247001      PO 00000           Frm 00040      Fmt 4700      Sfmt 4700   E:\FR\FM\26OCR1.SGM           26OCR1


                                                                      Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations                                                      54005

                                             environment.125 The Commission has                                 estimate that each of the 248 small                    document, excluding the last three
                                             categorically excluded certain actions                             entities to whom the approved                          digits, in the docket number field. User
                                             from this requirement as not having a                              modifications to Reliability Standards                 assistance is available for eLibrary and
                                             significant effect on the human                                    CIP–013–1, CIP–005–6, and CIP–010–3                    the Commission’s website during
                                             environment. Included in the exclusion                             apply will incur one-time costs of                     normal business hours from the
                                             are rules that are clarifying, corrective,                         approximately $52,326 per entity to                    Commission’s Online Support at (202)
                                             or procedural or that do not                                       implement the approved Reliability                     502–6652 (toll free at 1–866–208–3676)
                                             substantially change the effect of the                             Standards, as well as the ongoing                      or email at ferconlinesupport@ferc.gov,
regulations being amended.126 The actions taken herein fall within this categorical exclusion in the Commission's regulations.

V. Regulatory Flexibility Act Analysis

    91. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of proposed rules that will have significant economic impact on a substantial number of small entities.127 The Small Business Administration's (SBA) Office of Size Standards develops the numerical definition of a small business.128 The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).129

    92. Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 are expected to impose an additional burden on 288 entities 130 (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, and transmission owners).

    93. Of the 288 affected entities discussed above, we estimate that approximately 248 or 86.2 percent of the affected entities are small entities. We [...] paperwork burden reflected in the Information Collection Statement (approximately $2,430 per year per entity). We do not consider the estimated costs for these 248 small entities to be a significant economic impact. Accordingly, we certify that Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 will not have a significant economic impact on a substantial number of small entities.

VI. Document Availability

    94. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426.

    95. From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this [...] or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference Room at public.referenceroom@ferc.gov.

VII. Effective Date and Congressional Notification

    96. The final rule is effective December 26, 2018. The Commission has determined that this final rule imposes no substantial effect upon either NERC or NERC registered entities 131 and, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a "major rule" as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. This final rule is being submitted to the Senate, House, and Government Accountability Office.

    By the Commission. Chairman McIntyre was not present at the Commission Meeting held on October 18, 2018 and did not vote on this item.

    Issued: October 18, 2018.

Nathaniel J. Davis, Sr.,
Deputy Secretary.

    Note: The following appendix will not appear in the Code of Federal Regulations.

Appendix: Commenters

Abbreviation            Commenter
AECC                    Arkansas Electric Cooperative Corporation.
Appelbaum               Jonathan Appelbaum.
APS                     Arizona Public Service Company.
EEI                     Edison Electric Institute.
Idaho Power             Idaho Power Company.
IRC                     ISO/RTO Council.
Isologic                Isologic LLC.
ITC                     International Transmission Company.
Mabee                   Michael Mabee.
MISO TOs                MISO Transmission Owners.
MPUC                    Maine Public Utilities Commission.
NERC                    North American Electric Reliability Corporation.
Reclamation             U.S. Bureau of Reclamation.
Resilient Societies     Foundation for Resilient Societies.
Trade Associations      American Public Power Association, Electricity Consumers Resource Council, Large Public Power Council, National Rural Electric Cooperative Association, and Transmission Access Policy Study Group.



                                             [FR Doc. 2018–23201 Filed 10–25–18; 8:45 am]




                                             BILLING CODE 6717–01–P

    125 Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    126 18 CFR 380.4(a)(2)(ii).
    127 5 U.S.C. 601-12.
    128 13 CFR 121.101.
    129 13 CFR 121.201, Subsector 221.
    130 Public utilities may fall under one of several different categories, each with a size threshold based on the company's number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this NOPR, we are using a 500 employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).
    131 5 U.S.C. 804(3)c.







Document Created: 2018-10-26 02:27:40
Document Modified: 2018-10-26 02:27:40
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: This rule is effective December 26, 2018.
Contact: Simon Slobodnik (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707, [email protected]
FR Citation: 83 FR 53992
