
Commission Information Collection Activities (FERC-725B); Comment Request; Extension

---
identifier: "/us/fr/2010-26988"
source: "fr"
legal_status: "authoritative_unofficial"
title: "Commission Information Collection Activities (FERC-725B); Comment Request; Extension"
title_number: 0
title_name: "Federal Register"
section_number: "2010-26988"
section_name: "Commission Information Collection Activities (FERC-725B); Comment Request; Extension"
positive_law: false
currency: "2010-10-26"
last_updated: "2010-10-26"
format_version: "1.1.0"
generator: "[email protected]"
agency: "Energy Department"
document_number: "2010-26988"
document_type: "notice"
publication_date: "2010-10-26"
agencies:
  - "Energy Department"
  - "Federal Energy Regulatory Commission"
fr_citation: "75 FR 65618"
fr_volume: 75
docket_ids:
  - "Docket No. IC11-725B-000"
comments_close_date: "2010-12-27"
fr_action: "Notice of proposed information collection and request for comments."
---

#  Commission Information Collection Activities (FERC-725B); Comment Request; Extension

**AGENCY:**

Federal Energy Regulatory Commission, Energy.

**ACTION:**

Notice of proposed information collection and request for comments.

**SUMMARY:**

In compliance with the requirements of section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A) (2006), (Pub. L. 104-13), the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the proposed information collection described below.

**DATES:**

Comments in consideration of the collection of information are due December 27, 2010.

**ADDRESSES:**

Commenters must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Comments may be filed either on paper or on CD/DVD, and should refer to Docket No. IC11-725B-000. Documents must be prepared in an acceptable filing format and in compliance with Commission submission guidelines at *http://www.ferc.gov/help/submission-guide.asp.* eFiling and eSubscription are not available for Docket No. IC11-725B-000, due to a system issue.

All comments and FERC issuances may be viewed, printed or downloaded remotely through FERC's eLibrary at *http://www.ferc.gov/docs-filing/elibrary.asp*, by searching on Docket No. IC11-725B. For user assistance, contact FERC Online Support by e-mail at *[email protected],* or by phone at: (866) 208-3676 (toll-free), or (202) 502-8659 for TTY.

**FOR FURTHER INFORMATION CONTACT:**

Ellen Brown may be reached by e-mail at *[email protected]*, telephone at (202) 502-8663, and fax at (202) 273-0873.

**SUPPLEMENTARY INFORMATION:**

The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection (OMB Control No. 1902-0248), is required to implement the statutory provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o). On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII, Subtitle A, of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law. [^1] EPAct 2005 added a new section 215 to the FPA, requiring a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced in the United States by the ERO subject to Commission oversight, or the Commission can independently enforce Reliability Standards. [^2]

[^1] Energy Policy Act of 2005, Public Law No. 109-58, Title XII, Subtitle A, 119 Stat. 594, 941 (2005), 16 U.S.C. 824o.

[^2] 16 U.S.C. 824o(e)(3).

On February 3, 2006, the Commission issued Order No. 672, implementing section 215 of the FPA. Pursuant to Order No. 672, the Commission certified one organization, North American Electric Reliability Corporation (NERC), as the ERO. The Reliability Standards developed by the ERO and approved by the Commission apply to users, owners and operators of the Bulk-Power System, as set forth in each Reliability Standard.

On January 18, 2008, the Commission issued Order No. 706, approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by NERC for Commission approval. [^3] The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. [^4] These standards help protect the nation's Bulk-Power System against potential disruptions from cyber attacks. [^5]

[^3] CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-007-1, CIP-008-1, and CIP-009-1.

[^4] In addition, in accordance with section 215(d)(5) of the FPA, the Commission proposed to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

[^5] For a description of the CIP Reliability Standards, see the Critical Infrastructure Protection Section at NERC's Web site at *http://www.nerc.com/page.php?cid=2/20.*

The eight CIP Reliability Standards address the following topics:

• Critical Cyber Asset Identification.

• Security Management Controls.

• Personnel and Training.

• Electronic Security Perimeters.

• Physical Security of Critical Cyber Assets.

• Systems Security Management.

• Incident Reporting and Response Planning.

• Recovery Plans for Critical Cyber Assets.

The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures. For example, each responsible entity must develop and document a risk-based assessment methodology to identify critical assets, which is then used to develop a list of critical cyber assets (CIP-002-1). A responsible entity that identifies any critical cyber assets must also document: A cyber security policy (CIP-003-1); a security awareness program (CIP-004-1, Requirement R1); a personnel risk assessment program (CIP-004-1, Requirement R3); an electronic security perimeter and processes for control of electronic access to all electronic access points to the perimeter (CIP-005-1, Requirements R1 and R2); a physical security plan (CIP-006-1); procedures for securing certain cyber assets (CIP-007-1); and recovery plans for critical cyber assets (CIP-008-1). To demonstrate compliance with the CIP Reliability Standards, responsible entities are required to maintain various lists and access logs. All responsible entities are required to be auditably compliant with the CIP Reliability Standards by the end of 2010, including all required documentation.

The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. However, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards.

*Action:* The Commission is requesting a three-year extension of the FERC-725B reporting requirements, with no changes.

*Burden Statement:* The extent of the reporting burden is influenced by the number of identified critical assets and related critical cyber assets pursuant to CIP-002. An entity identifying one or more critical cyber assets, including assets located at remote locations, will likely require more resources to demonstrate compliance with the CIP Reliability Standards compared to an entity that identifies no critical assets. The Commission has developed estimates using data from NERC's compliance registry as well as a 2009 survey that was conducted by NERC to assess the number of entities reporting Critical Cyber Assets.

| Data collection | No. of | Average No. | Average No. | Total |
| --- | --- | --- | --- | --- |
|  | (1) | (2) | (3) | (1) × (2) × (3) |
| FERC-725B |  |  |  |  |
| Estimate of U.S. Entities that have identified Critical Cyber Assets | 345 | 1 | 320 | 110,400 |
| Estimate of U.S. Entities that have not identified Critical Cyber Assets | 1,156 | 1 | 8 | 9,248 |
| Totals | 1,501 |  |  | 119,648 |

The total estimated annual cost burden to respondents is:

• Entities that have identified Critical Assets = 110,400 hours @ $96 = $10,598,400.

• Entities that have not identified Critical Assets = 9,248 hours @ $96 = $887,808.

The hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report. [^8]

[^8] Bureau of Labor Statistics figures were obtained from *http://www.bls.gov/oes/current/naics2_22.htm,* and 2009 Billing Rates figures were obtained from *http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html.* Legal services were based on the national average billing rate (contracting out) from the above report and BLS hourly earnings (in-house personnel). It is assumed that 25% of respondents have in-house legal personnel.

The reporting burden includes the total time, effort, or financial resources expended to generate, maintain, retain, disclose, or provide the information including: (1) Reviewing instructions; (2) developing, acquiring, installing, and utilizing technology and systems for the purposes of collecting, validating, verifying, processing, maintaining, disclosing and providing information; (3) adjusting the existing ways to comply with any previously applicable instructions and requirements; (4) training personnel to respond to a collection of information; (5) searching data sources; (6) completing and reviewing the collection of information; and (7) transmitting or otherwise disclosing the information.

The estimate of cost for respondents is based upon salaries for professional and clerical support, as well as direct and indirect overhead costs. Direct costs include all costs directly attributable to providing this information, such as administrative costs and the cost for information technology. Indirect or overhead costs are costs incurred by an organization in support of its mission. These costs apply to activities which benefit the whole organization rather than any one particular function or activity.

Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses.

Kimberly D. Bose,

Secretary.