[Federal Register Volume 76, Number 104 (Tuesday, May 31, 2011)]
[Notices]
[Pages 31320-31322]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-13475]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. IC11-725B-001]
Commission Information Collection Activities (FERC-725B); Comment
Request; Submitted for OMB Review
AGENCY: Federal Energy Regulatory Commission, DOE.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: In compliance with the requirements of section 3507 of the
Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy
Regulatory Commission (Commission or FERC) has submitted the
information collection described below to the Office of Management and
Budget (OMB) for review of the information collection requirements. Any
interested person may file comments directly with OMB and should
address a copy of those comments to the Commission as explained below.
The Commission published a Notice in the Federal Register (75 FR 65618,
10/26/2010) requesting public comments. In addition, FERC published a
notice in the Federal Register (76 FR 19333, 4/7/2011) indicating
submission to OMB of the information collection described below and
that it had not received any comments regarding the collection of
information thus far. Subsequently, FERC staff became aware of a
comment from the Transmission Agency of Northern California (TANC) that
had been submitted in a timely manner but internally was indexed
incorrectly. On May 3, 2011 the Commission issued a notice extending
the comment period \1\ (on the notice published April 7, 2011) to June
23, 2011. The Commission is revising its submission to OMB to reflect
receipt of the comment.
---------------------------------------------------------------------------
\1\ The previous comment period ending on June 23rd will be
extended to the date 30 days after publication of this revised
notice in the Federal Register as stated in the DATES section of
this notice.
---------------------------------------------------------------------------
DATES: Comments on the collection of information are due by June 30,
2011.
ADDRESSES: Address comments on the collection of information to the
Office of Management and Budget, Office of Information and Regulatory
Affairs, Attention: Federal Energy Regulatory Commission Desk Officer.
Comments to OMB should be filed electronically, c/o [email protected] and include OMB Control Number 1902-0248 for
reference. The Desk Officer may be reached by telephone at 202-395-4638.
A copy of the comments should also be sent to: Federal Energy
Regulatory Commission, Secretary of the Commission, 888 First Street,
NE., Washington, DC 20426. Comments may be filed either on paper or on
CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be
prepared in an acceptable filing format and in compliance with
Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are not available for
Docket No. IC11-725B-001, due to a system issue.
All comments may be viewed, printed or downloaded remotely via the
Internet through FERC's homepage using the ``eLibrary'' link. For user
assistance, contact [email protected] or toll-free at (866)
208-3676, or for TTY, contact (202) 502-8659.
FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail
at [email protected], by telephone at (202) 502-8663, and by fax
at (202) 273-0873.
SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B,
Reliability Standards for Critical Infrastructure Protection (OMB
Control No. 1902-0248), is required to implement the statutory
provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C.
824o). On January 18, 2008, the Commission issued Order No. 706,
approving eight Critical Infrastructure Protection Reliability
Standards (CIP Standards) submitted by the North American Electric
Reliability Corporation (NERC) for Commission approval.\2\
---------------------------------------------------------------------------
\2\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-
007-1, CIP-008-1, and CIP-009-1.
---------------------------------------------------------------------------
The CIP Standards require certain users, owners, and operators of
the Bulk-Power System to comply with specific requirements to safeguard
critical cyber assets.\3\ These standards help protect the nation's
Bulk-Power System against potential disruptions from cyber attacks.\4\
The CIP Standards include one actual reporting requirement and several
recordkeeping requirements. Specifically, CIP-008-1 requires
responsible entities to report cyber security incidents to the
Electricity Sector-Information Sharing and Analysis Center (ES-ISAC).
In addition, the eight CIP Standards
require responsible entities to develop various policies, plans,
programs, and procedures.\5\
---------------------------------------------------------------------------
\3\ In addition, in accordance with section 215(d)(5) of the
FPA, the Commission proposed to direct NERC to develop modifications
to the CIP Reliability Standards to address specific concerns
identified by the Commission.
\4\ For a description of the CIP Standards, see the Critical
Infrastructure Protection Section on NERC's Web site at
http://www.nerc.com/page.php?cid=2\20.
\5\ The October notice issued in this docket contains more
information on the reporting requirements and can be found at
http://elibrary.ferc.gov/idmws/File_list.asp?document_id=13857625. The
full text of the standards can be found on NERC's Web site at
http://www.nerc.com/page.php?cid=2\20.
---------------------------------------------------------------------------
The CIP Standards do not require a responsible entity to report to
the Commission, ERO or Regional Entities, the various policies, plans,
programs and procedures. However, a showing of the documented policies,
plans, programs and procedures is required to demonstrate compliance
with the CIP Standards.
Public Comment and FERC Response: TANC stated that they believed
that the Commission did not adequately address or articulate the burden
that falls on companies in complying with the CIP Standards and in
particular, the hourly and cost burdens to comply with the
documentation required by the CIP Standards. In looking at the
commenter's submittal, FERC has decided to examine more carefully the
burden calculations. Relying on OMB guidance in interpreting the
requirements of the Paperwork Reduction Act of 1995, FERC has
determined that its initial estimate of cost burden was indeed lower
than is reasonable for the average respondent.
FERC maintains that the universe of respondents breaks down into
three main categories: (1) Entities that have identified Critical Cyber
Assets and have undergone a previous audit; (2) Entities that have not
identified Critical Cyber Assets but must show compliance with CIP-003
R1 and CIP-002 R1 through R3; and (3) New entities that have come into
compliance with the CIP Standards and are undergoing their first compliance
audit. FERC's revised burden analysis is based on the average amount of
time expended annually to obtain or maintain the information necessary
in the event of a compliance audit. The fact that the average company
may experience a spike in the burden hours immediately preceding and
during a compliance audit is accounted for in the revised estimate.
The difference between the first and third categories of
respondents is that, as an entity goes through multiple compliance
audits, their processes become streamlined and more automated, which
then becomes reflected in a lessening of their burden. Other areas that
cause the burden numbers to fluctuate deal with the size of the
company, the number of overall electric assets they have, the number of
critical assets and critical cyber assets that they identify, etc.
Therefore, the total numbers currently used by FERC to calculate cost
burden are considered the case for an average-sized company with an
average number of Critical Assets and Critical Cyber Assets. It is
expected that the actual burden experienced by respondents may be
higher or lower than the Commission estimate, based on factors listed
above.
Based on observations over several audit cycles, FERC now thinks
that the preparation of the audit paperwork for an entity undergoing
their first compliance audit (respondent category 3) is approximately
3,840 hours. This represents 20 technical personnel working 50% of
their time over 8 weeks gathering and compiling all of the required
paperwork to show compliance. In addition, a secondary period that is
20% of the primary effort is estimated to be needed to respond and
gather information generated from questions arising from the initial
submission.
Based on observations over several audit cycles, FERC now thinks
that the burden associated with ongoing compliance and preparation for
future audits (respondent category 1) is less than entities coming into
compliance for the first time (respondent category 3) as they are
familiar with the audit compliance process and presumably will have
streamlined their processes to handle the data collection effort. FERC
estimates this should result in a reduction of 50% of their effort.
This would result in a burden of approximately 1,920 hours.
Finally, for those entities that have not identified Critical Cyber
Assets but must still show compliance with CIP-003 R1 and CIP-002 R1
through R3 (respondent category 2), FERC agrees with TANC and now
estimates that these entities must expend approximately 120 hours or
the equivalent of 3 employees working 50% of their time for 2 weeks.
FERC believes this is a reasonable estimate as the majority of these
entities are small and therefore have fewer electrical assets to
examine in order to determine if they have any Critical Assets, which
is the first stage of the CIP-002 process.
FERC has also reconsidered dividing the burden hours by three to
reflect the NERC audit schedule of 3-5 years and is instead not
dividing the burden hours at all. This is due to the fact that a
company will have to be obtaining and maintaining the information
necessary for an audit on a consistent basis, and not only during an
audit that occurs every 3-5 years. Therefore, the revised burden hours
presented here represent the average annual burden hours per
respondent, including the spikes that may result during an audit.
Action: The Commission is requesting a three-year extension of the
existing collection with no changes to the requirements.
Burden Statement: The revised estimated annual burden is shown
below in accordance with the discussion above. The Commission has
developed estimates using data from NERC's compliance registry as well
as a 2009 survey that was conducted by NERC to assess the number of
entities reporting Critical Cyber Assets.
----------------------------------------------------------------------------------------------------------------------
                                    Number of         Average number      Average number of            Total annual
Data collection                     respondents \6\   of responses per    burden hours per             hours
                                                      respondent          response \7\
                                    (1)               (2)                 (3)                          (1) x (2) x (3)
----------------------------------------------------------------------------------------------------------------------
FERC-725B:
  Category 1--Estimate of U.S.      345               1                   1,920                        662,400
   Entities that have
   identified Critical Cyber
   Assets.
  Category 2--Estimate of U.S.      1,156             1                   120                          138,720
   Entities that have not
   identified Critical Cyber
   Assets.
  Category 3--New U.S. Entities     6                 1                   3,840                        23,040
   that have to come into
   compliance with the CIP
   Standards \8\.
  Entities no longer required       Category 1: -2    1                   Category 1 (2                -3,840
   to comply with CIP Standards                                           respondents): 1,920.
   (Two category 1 respondents
   and four category 2
   respondents).
                                    Category 2: -4                        Category 2 (4                -480
                                                                          respondents): 120.
----------------------------------------------------------------------------------------------------------------------
  Totals                            1,501                                                              819,840
----------------------------------------------------------------------------------------------------------------------
The total estimated annual cost burden to respondents is:
---------------------------------------------------------------------------
\6\ The NERC Compliance Registry as of 9/28/2010 indicated that
2079 entities were registered for NERC's compliance program. Of
these, 2057 were identified as being U.S. entities. Staff concluded
that of the 2057 U.S. entities, only 1501 were registered for at
least one CIP-related function. According to an April 7, 2009, memo
to industry, NERC's VP and Chief Security Officer noted that only
31% of entities responded to an earlier survey and reported that
they had at least one Critical Asset, and only 23% reported having a
Critical Cyber Asset. Staff applied the 23% reporting to the 1501
figure to obtain an estimate. The 6 new entities listed here are
assumed to match a similar set of 6 entities that would drop out in
an existing year. Thus, the net estimate of respondents remains at
1501 per year.
\7\ Calculations:
Respondent category 3:
20 employees x (working 50%) x (40 hrs/week) x (8 weeks) = 3200
hours
20 employees x (working 20%) x (3200 hrs) = 640 hours
Total = 3840
Respondent category 2:
3 employees x (working 50%) x (40 hrs/week) x (2 weeks) = 120
hours
Respondent category 1:
50% of 3840 hours = 1920
\8\ These respondents and those in the subsequent column of the
table (with the corresponding burden and cost figures) were not
included in the 60-day public notice due to an oversight by
Commission staff.
---------------------------------------------------------------------------
Category 1, Entities that have identified Critical Assets
= 658,560 (662,400-3,840) hours @ $96 = $63,221,760
Category 2, Entities that have not identified Critical
Assets = 138,240 (138,720-480) hours @ $96 = $13,271,040
Category 3, New U.S. Entities that have to comply with CIP
Standards = 23,040 hours @ $96 = $2,211,840
Storage Costs for Entities that have identified Critical
Assets \9\ = 345 Entities @ $15.25 = $5,261
---------------------------------------------------------------------------
\9\ This cost category was not included in the 60-day public
notice due to an oversight by Commission staff.
---------------------------------------------------------------------------
Total Cost for the FERC-725B = $78,709,901
The hourly rate of $96 is the average cost of legal services ($230 per
hour), technical employees ($40 per hour) and administrative support
($18 per hour), based on hourly rates from the Bureau of Labor
Statistics (BLS) and the 2009 Billing Rates and Practices Survey
Report.\10\ The $15.25 rate for storage costs for each entity is an
estimate based on the average costs to service and store 1 GB of data
to demonstrate compliance with the CIP Standards.\11\
---------------------------------------------------------------------------
\10\ Bureau of Labor Statistics figures were obtained from
http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing
Rates figures were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were
based on the national average billing rate (contracting out) from
the above report and BLS hourly earnings (in-house personnel). It is
assumed that 25% of respondents have in-house legal personnel.
\11\ Based on the aggregate cost of an IBM advanced data
protection server.
---------------------------------------------------------------------------
The reporting burden includes the total time, effort, or financial
resources expended to generate, maintain, retain, disclose, or provide
the information including: (1) Reviewing instructions; (2) developing,
acquiring, installing, and utilizing technology and systems for the
purposes of collecting, validating, verifying, processing, maintaining,
disclosing and providing information; (3) adjusting the existing ways
to comply with any previously applicable instructions and requirements;
(4) training personnel to respond to a collection of information; (5)
searching data sources; (6) completing and reviewing the collection of
information; and (7) transmitting, or otherwise disclosing the
information.
Comments are invited on: (1) Whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information will have practical
utility; (2) the accuracy of the agency's estimates of the burden of
the proposed collection of information, including the validity of the
methodology and assumptions used; (3) ways to enhance the quality,
utility and clarity of the information to be collected; and (4) ways to
minimize the burden of the collections of information on those who are
to respond, including the use of appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology, e.g. permitting electronic submission of
responses.
Dated: May 25, 2011.
Kimberly D. Bose,
Secretary.
[FR Doc. 2011-13475 Filed 5-27-11; 8:45 am]