[Federal Register Volume 77, Number 80 (Wednesday, April 25, 2012)]
[Rules and Regulations]
[Pages 24594-24611]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-9893]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM11-11-000; Order No. 761]


Version 4 Critical Infrastructure Protection Reliability 
Standards

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: Under section 215 of the Federal Power Act, the Federal Energy 
Regulatory Commission (Commission) approves eight modified Critical 
Infrastructure Protection (CIP) Reliability Standards, CIP-002-4 
through CIP-009-4, developed and submitted to the Commission for 
approval by the North American Electric Reliability Corporation (NERC), 
the Electric Reliability Organization certified by the Commission. The 
CIP Reliability Standards provide a cybersecurity framework for the 
identification and protection of ``Critical Cyber Assets'' to support 
the reliable operation of the Bulk-Power System. Reliability Standard 
CIP-002-4 requires the identification and documentation of Critical 
Cyber Assets associated with ``Critical Assets'' that support the 
reliable operation of the Bulk-Power System and introduces ``bright 
line'' criteria for the identification of Critical Assets. The 
Commission approves the related Violation Risk Factors, Violation 
Severity Levels with modifications, implementation plan, and effective 
date proposed by NERC.

DATES: This rule will become effective June 25, 2012.

FOR FURTHER INFORMATION CONTACT: 

Jan Bargen (Technical Information), Office of Electric Reliability, 
Division of Logistics and Security, Federal Energy Regulatory 
Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6333, 
Jan.Bargen@ferc.gov.
Edward Franks (Technical Information), Office of Electric Reliability, 
Division of Logistics and Security, Federal Energy Regulatory 
Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6311, 
Edward.Franks@ferc.gov.
Kevin Ryan (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE., Washington, DC 
20426, (202) 502-6840, Kevin.Ryan@ferc.gov.
Matthew Vlissides (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, (202) 502-8408, Matthew.Vlissides@ferc.gov.

SUPPLEMENTARY INFORMATION:
139 FERC ¶ 61,058
Before Commissioners: Jon Wellinghoff, Chairman; Philip D. Moeller, 
John R. Norris, and Cheryl A. LaFleur.


Issued April 19, 2012.
    1. Under section 215 of the Federal Power Act (FPA),\1\ the 
Commission approves modified Critical Infrastructure Protection (CIP) 
Reliability Standards, CIP-002-4 through CIP-009-4. The ``Version 4'' 
CIP Reliability Standards were developed and submitted for approval to 
the Commission by the North American Electric Reliability Corporation 
(NERC), which the Commission certified as the Electric Reliability 
Organization (ERO) responsible for developing and enforcing mandatory 
Reliability Standards. The CIP Reliability Standards provide a 
cybersecurity framework for the identification and protection of 
``Critical Cyber Assets'' that are associated with ``Critical Assets'' 
to support the reliable operation of the Bulk-Power System.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o (2006).
---------------------------------------------------------------------------

    2. The Version 4 CIP Reliability Standards include ``bright line'' 
criteria for the identification of Critical Assets, which replace the 
risk-based assessment methodology developed and applied by applicable 
entities under the Version 3 CIP Reliability Standards. Version 4 
includes other conforming modifications to the remaining CIP 
Reliability Standards, CIP-003-4 through CIP-009-4.
    3. The Commission approves NERC's filing, as amended by its errata 
filing, with regard to the related Violation Risk Factors (VRFs), the 
Violation Severity Levels (VSLs) with modifications, the implementation 
plan, and effective date proposed by NERC. The Commission also approves 
the concurrent retirement of the currently effective Version 3 CIP 
Reliability Standards, CIP-002-3 to CIP-009-3.
    4. In addition, the Commission determines that it is appropriate to 
impose a deadline by which time the ERO will submit for approval CIP 
Reliability Standards that are fully compliant with Order No. 706.\2\ 
NERC indicated that it anticipates filing the ``Version 5'' CIP 
Reliability Standards by the third quarter of 2012.\3\ Accordingly, we 
establish a deadline of 6 months from the end of the third quarter of 
2012 (i.e., March 31, 2013). NERC must also submit reports at the 
beginning of each quarter in which the ERO is to explain whether it is 
on track to meet the deadline and describe the status of its CIP 
standard development efforts.
---------------------------------------------------------------------------

    \2\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ¶ 61,040, denying reh'g and 
granting clarification, Order No. 706-A, 123 FERC ¶ 61,174 (2008), 
order on clarification, Order No. 706-B, 126 FERC ¶ 61,229 (2009), 
order denying clarification, Order No. 706-C, 127 FERC ¶ 61,273 
(2009).
    \3\ NERC Reply Comments at 4.
---------------------------------------------------------------------------

I. Background

A. Mandatory Reliability Standards

    5. Section 215 of the FPA requires a Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, which are 
subject to Commission review and approval. Once approved, the 
Reliability Standards may be enforced by the ERO, subject to Commission 
oversight, or by the Commission independently.\4\
---------------------------------------------------------------------------

    \4\ 16 U.S.C. 824o(e).
---------------------------------------------------------------------------

    6. Pursuant to section 215 of the FPA, the Commission established a 
process to select and certify an ERO,\5\ and subsequently certified 
NERC as the ERO.\6\ On January 18, 2008, the Commission issued Order 
No. 706 approving eight CIP Reliability Standards proposed by NERC. 
Pursuant to section 215(d)(5) of the FPA,\7\ the Commission directed 
NERC to develop modifications to the CIP Reliability Standards to 
address concerns discussed in Order No. 706. Subsequently, the 
Commission approved Version 2 and Version 3 of the CIP Reliability 
Standards, each version including changes responsive to some but not 
all of the directives in Order No. 706.\8\
---------------------------------------------------------------------------

    \5\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \6\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
    \7\ 16 U.S.C. 824o(d)(5).
    \8\ North American Electric Reliability Corp., 128 FERC ¶ 61,291 
(2009), order denying reh'g and granting clarification, 129 FERC ¶ 
61,236 (2009) (approving Version 2 of the CIP Reliability 
Standards); North American Electric Reliability Corp., 130 FERC ¶ 
61,271 (2010) (approving Version 3 of the CIP Reliability 
Standards).
---------------------------------------------------------------------------

B. NERC Petition

    7. On February 10, 2011, NERC filed a petition seeking Commission 
approval of the Version 4 CIP Reliability Standards, CIP-002-4 to CIP-
009-4, and the concurrent retirement of the Version 3 CIP Reliability 
Standards, CIP-002-3 to CIP-009-3.\9\ In the petition, NERC states that 
the principal differences between Version 3 and Version 4 are found in 
CIP-002, where NERC replaced the risk-based assessment methodology for 
identifying Critical Assets with 17 uniform ``bright line'' criteria 
for identifying Critical Assets. Concerning the process of identifying 
the associated Critical Cyber Assets that are subject to the cyber 
security protections required by CIP-003 through CIP-009, NERC only 
made changes for certain generation Critical Assets. NERC submitted 
proposed VRFs and VSLs and an implementation plan governing the 
transition to Version 4. NERC proposed that the Version 4 CIP 
Reliability Standards become effective the first day of the eighth 
calendar quarter after applicable regulatory approvals have been 
received.
---------------------------------------------------------------------------

    \9\ NERC Petition at 1. The proposed Reliability Standards are 
not attached to the final rule. They are, however, available on the 
Commission's eLibrary document retrieval system in Docket No. RM11-
11-000 and are available on the ERO's Web site, www.nerc.com. 
Reliability Standards approved by the Commission are not codified in 
the Code of Federal Regulations.
---------------------------------------------------------------------------

    8. On April 12, 2011, NERC made an errata filing correcting certain 
errors in the petition and furnishing corrected exhibits and the 
standard drafting team minutes. In the errata, NERC also replaced the 
VRFs and VSLs in the February 10, 2011 petition with new proposed VRFs 
and VSLs.\10\
---------------------------------------------------------------------------

    \10\ NERC states that the Version 4 VRFs and VSLs are carried 
over in part from the VRFs and VSLs in the Version 3 CIP Reliability 
Standards. NERC Petition at 46. The Commission approved the Version 
2 and 3 VRFs and VSLs in Docket Nos. RD10-6-001 and RD09-7-003 on 
January 20, 2011 but required NERC to make modifications in a 
compliance filing due by March 21, 2011. North American Electric 
Reliability Corporation, 134 FERC ¶ 61,045 (2011). The February 10, 
2011 petition did not carry over the modified Version 3 VRFs and 
VSLs since it was filed before the March 21, 2011 compliance filing. 
NERC submitted new Version 4 VRFs and VSLs that carried over the 
modified Version 3 VRFs and VSLs in the April 12, 2012 errata. On 
June 6, 2011, NERC filed the March 21, 2011 compliance filing in the 
present docket, Docket No. RM11-11-000.
---------------------------------------------------------------------------

    9. Reliability Standard CIP-002-4 requires each responsible entity 
to use the bright line criteria as a ``checklist'' to identify Critical 
Assets, initially and in an annual review, replacing the risk-based 
assessment methodology developed and applied by each registered entity 
required under the currently-effective Version 3 CIP Reliability 
Standards. As in past versions, each responsible entity will then 
identify the Critical Cyber Assets associated with its updated list of 
Critical Assets. If application of the bright line criteria results in 
the identification of Critical Cyber Assets, such assets become subject 
to the remaining CIP Reliability Standards.
    10. In the petition, NERC states that CIP-002-4 addresses some, but 
not all, of the directives in Order No. 706. NERC explained that the 
standard drafting team limited the scope of requirements in the 
development of Version 4 ``as an interim step'' limited to the concerns 
raised by the Commission regarding
CIP-002.\11\ NERC maintains that it has taken a ``phased'' approach to 
meeting the Commission's directives from Order No. 706 and, according 
to NERC, the standard drafting team continues to address the remaining 
Commission directives. According to NERC, the team will build on the 
CIP-002-4 standard's establishment of uniform criteria for the 
identification of Critical Assets.\12\
---------------------------------------------------------------------------

    \11\ NERC Petition at 6 (citing Order No. 706, 122 FERC ¶ 61,040 
at P 236).
    \12\ NERC Petition at 6.
---------------------------------------------------------------------------

C. Notice of Proposed Rulemaking

    11. On September 15, 2011, the Commission issued a Notice of 
Proposed Rulemaking (NOPR) proposing to approve the Version 4 CIP 
Reliability Standards.\13\ The NOPR also proposed to approve the 
related VRFs, VSLs with modifications, and implementation schedule 
proposed by NERC. To underscore the need to achieve full compliance 
with the directives in Order No. 706, the NOPR proposed to set a 
deadline by which date the ERO would be required to submit to the 
Commission for approval CIP Reliability Standards that are fully 
compliant with Order No. 706. The NOPR also addressed certain 
directives in Order No. 706 that have not yet been met, which would 
need to be satisfied by the proposed deadline.\14\
---------------------------------------------------------------------------

    \13\ Version 4 Critical Infrastructure Protection Reliability 
Standards, 76 FR 58,730 (Sept. 22, 2011), FERC Stats. & Regs. ¶ 
32,679 (2011) (NOPR).
    \14\ NOPR, FERC Stats. & Regs. ¶ 32,679 at PP 40-61.
---------------------------------------------------------------------------

    12. In response to the NOPR, comments were filed by 28 interested 
entities. NERC submitted reply comments clarifying its position on one 
issue. Below, we address the issues raised by these comments. The 
Appendix to this Final Rule lists the entities that filed comments on 
the NOPR.

II. Discussion

    13. As discussed below, the Commission approves the eight modified 
Version 4 CIP Reliability Standards, finding that they are just and 
reasonable, not unduly discriminatory or preferential and in the public 
interest. In addition, the Commission approves NERC's proposed VRFs, 
VSLs with modifications, and its proposed implementation plan. The 
Commission has also determined that it is appropriate to impose a 
deadline for the ERO to achieve full compliance with Order No. 706. 
NERC commented that it anticipates filing the Version 5 CIP Reliability 
Standards by the third quarter of 2012.\15\ We therefore establish a 
deadline of 6 months from the end of the third quarter of 2012 (i.e., 
March 31, 2013), to provide the ERO with time to address any unforeseen 
contingencies. In addition, the Commission directs the ERO to submit 
quarterly reports, at the beginning of each quarter, in which it is to 
both confirm that it is on track to meet the deadline and describe the 
status of its CIP Reliability Standards development efforts.
---------------------------------------------------------------------------

    \15\ NERC Reply Comments at 4.
---------------------------------------------------------------------------

    14. Below we discuss the Commission's basis for approving Version 4 
of the CIP Reliability Standards. In addition, we discuss comments 
regarding: (1) The bright line criteria used to identify Critical 
Assets that are contained in Attachment 1 of Reliability Standard CIP-
002-4; (2) the identification of Critical Assets that fall outside the 
scope of Attachment 1 by registered entities, Regional Entities, or 
ERO; (3) the implementation plan for the Version 4 CIP Reliability 
Standards; (4) compliance with Order No. 706; (5) the deadline for 
submitting CIP Reliability Standards that fully comply with Order No. 
706; and (6) the VRFs and VSLs.

A. The Commission Adopts the NOPR Proposal To Approve the Version 4 CIP 
Reliability Standards

NERC Petition
    15. NERC states that CIP-002-4 establishes clear and uniform 
criteria for identifying Critical Assets on the Bulk-Power System.\16\ 
According to NERC, CIP-002-4 achieves a specified reliability goal by 
requiring the identification and documentation of Critical Cyber Assets 
associated with Critical Assets that support the reliable operation of 
the Bulk-Power System. NERC maintains that the Reliability Standard 
``improves reliability by establishing uniform criteria across all 
Responsible Entities for the identification of Critical Assets.'' \17\ 
Further, NERC states that CIP-002-4 contains a technically sound method 
to achieve its reliability goal by requiring the identification and 
documentation of Critical Assets through the application of the 
criteria set forth in Attachment 1 of CIP-002-4.
---------------------------------------------------------------------------

    \16\ NERC Petition at 38.
    \17\ Id. at 4.
---------------------------------------------------------------------------

NOPR
    16. In the NOPR, the Commission proposed to approve the Version 4 
CIP Reliability Standards. Giving due weight to the ERO's petition, the 
NOPR stated that the Version 4 CIP Standards will result in the 
identification of certain types of Critical Assets that may not be 
identified under Version 3; uses bright line criteria to identify 
Critical Assets, eliminating the use of existing entity-defined risk-
based assessment methodologies that, as currently applied, generally do 
not adequately identify Critical Assets; and provides a level of 
consistency and clarity regarding the identification of Critical Assets 
lacking under Version 3.\18\
---------------------------------------------------------------------------

    \18\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 21.
---------------------------------------------------------------------------

Comments
    17. Most commenters and NERC generally support the Commission's 
proposal to approve the Version 4 CIP Reliability Standards.\19\ Hydro-
Québec and NV Energy, however, oppose approval of Version 4,\20\ 
while the G&T Cooperatives support Version 4 for ``guidance purposes'' 
only pending submission of a ``Version 5'' of the CIP Reliability 
Standards.\21\
---------------------------------------------------------------------------

    \19\ See, e.g., Trade Associates Comments at 2; FirstEnergy 
Comments at 1; KCP&L Comments at 2; PG&E Comments at 1; Tallahassee 
Comments at 1; Exelon Comments at 2; Dominion Comments at 3; NERC 
Comments at 3.
    \20\ Hydro-Québec Comments at 6; NV Energy Comments at 2.
    \21\ G&T Cooperatives Comments at 3.
---------------------------------------------------------------------------

    18. Hydro-Québec opposes the bright line criteria because 
they capture assets based on factors such as voltages and amount of 
megawatts without assessing the asset's criticality to reliability. 
Hydro-Québec states that the Commission should consider allowing 
the current risk-based assessment methodology and a bright line 
approach to coexist.\22\
---------------------------------------------------------------------------

    \22\ Hydro-Québec Comments at 3-4.
---------------------------------------------------------------------------

    19. NV Energy believes that Version 4 unnecessarily expands the 
scope of the CIP Reliability Standards to facilities whose protection 
may offer only marginal value in preventing widespread cyber attacks on 
the bulk electric system.\23\ NV Energy asserts that no technical 
justification exists for the bright line criteria and, accordingly, 
NERC does not provide a sufficient basis to determine if Version 4 is 
just and reasonable or more effective than Version 3.\24\
---------------------------------------------------------------------------

    \23\ NV Energy Comments at 2.
    \24\ Id. at 3-4.
---------------------------------------------------------------------------

Commission Determination
    20. The Commission approves the Version 4 CIP Reliability Standards 
pursuant to section 215(d) of the FPA. The Commission concludes that 
the Version 4 CIP Reliability Standards are just, reasonable, not 
unduly discriminatory or preferential, and in the public interest. For 
the reasons identified in the NOPR, we approve Version 4 because it: 
Identifies Critical Assets that may not be identified under Version 3; 
will eliminate the use of
existing entity-defined risk-based assessment methodologies that, as 
applied, generally do not adequately identify Critical Assets; and 
provides a level of consistency and clarity regarding the 
identification of Critical Assets lacking under Version 3.
    21. With respect to the objections raised by Hydro-Québec 
and NV Energy, we find them unpersuasive. Although NV Energy asserts 
that Version 4 will identify Critical Assets that do not require 
protection or whose protection only offers marginal benefits, as we 
stated in the NOPR, Version 4 will offer an increase in the overall 
protection for bulk electric system components that clearly require 
protection, including control centers.\25\ Recognizing that Version 4 
is an ``interim step,'' our concern is that Version 4 does not provide 
enough protection to satisfy Order No. 706.\26\
---------------------------------------------------------------------------

    \25\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 23 (``[T]he number 
of control centers identified as Critical Assets increases from 425 
under Version 3 to 553 under Version 4, the latter figure 
representing 74 percent of all control centers.'').
    \26\ NERC Petition at 6.
---------------------------------------------------------------------------

    22. We also find unpersuasive Hydro-Québec and NV Energy's 
claim that the bright line criteria are based on arbitrary values 
(i.e., amounts of megawatts and voltages) without assessing the impact 
on reliability, or otherwise lack a technical justification. As 
discussed later in this final rule, the Commission finds that NERC 
offered an acceptable technical justification for the bright line 
criteria used to identify Critical Assets in Version 4. As indicated in 
the NOPR, we believe that Version 4 is an interim step towards full 
compliance with Order No. 706 and that implementation of Version 4 and 
concurrent retirement of Version 3, as proposed in the petition and 
reaffirmed by the ERO in its comments, is a step towards full 
compliance with Order No. 706.\27\ For the same reason, we reject the 
G&T Cooperatives' suggestion that Version 4 be approved for ``guidance 
purposes only.'' Nevertheless, we note that approval of the specific 
bright line approach to identifying Critical Assets adopted in Version 
4 does not prejudge the manner in which cyber assets are identified for 
protection in Version 5 or subsequent revisions to the CIP Reliability 
Standards.
---------------------------------------------------------------------------

    \27\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 3.
---------------------------------------------------------------------------

B. Bright Line Criteria for Identifying Critical Assets

    23. Reliability Standard CIP-002-4 establishes criteria for 
identifying Critical Assets on the Bulk-Power System. Requirement R1 of 
Reliability Standard CIP-002-4, which pertains to the identification of 
Critical Assets, provides:

    The Responsible Entity shall develop a list of its identified 
Critical Assets determined through an annual application of the 
criteria contained in CIP-002-4 Attachment 1--Critical Asset 
Criteria. The Responsible Entity shall update this list as 
necessary, and review it at least annually.

    Attachment 1 to Reliability Standard CIP-002-4 provides seventeen 
criteria to be used by all responsible entities for the identification 
of Critical Assets pursuant to Requirement R1. The thresholds apply to 
specific types of facilities such as generating units, transmission 
lines and control centers. Reliability Standard CIP-002-4, Requirement 
R2 then requires responsible entities to develop a list of Critical 
Cyber Assets associated with the Critical Assets identified pursuant to 
Requirement R1.
1. Generation/Transmission
NERC Petition
    24. Several of the proposed criteria pertain to the identification 
of critical generation assets and critical transmission assets. 
Reliability Standard CIP-002-4, criterion 1.1 designates as Critical 
Assets: ``Each group of generating units (including nuclear generation) 
at a single plant location with an aggregate highest rated net Real 
Power capability of the preceding 12 months equal to or exceeding 1500 
MW in a single Interconnection.'' Reliability Standard CIP-002-4, 
Requirement R2 qualifies criterion 1.1 by stating that: ``For each 
group of generating units (including nuclear generation) at a single 
plant location identified in Attachment 1, criterion 1.1, the only 
Cyber Assets that must be considered are those shared Cyber Assets that 
could, within 15 minutes, adversely impact the reliable operation of 
any combination of units that in aggregate equal or exceed Attachment 
1, criterion 1.1.''
    25. For transmission assets, criterion 1.6 designates as Critical 
Assets: ``Transmission Facilities operated at 500 kV or higher.'' 
Criterion 1.7 also designates as Critical Assets: ``Transmission 
Facilities operated at 300 kV or higher at stations or substations 
interconnected at 300 kV or higher with three or more other 
transmission stations or substations.''
    26. Reliability Standard CIP-002-4, criterion 1.2 provides that 
``Each reactive resource or group of resources at a single location 
(excluding generation Facilities) having aggregate net Reactive Power 
nameplate rating of 1000 MVAR or greater'' shall be designated as a 
Critical Asset. Criterion 1.3 designates as Critical Assets: ``Each 
generation Facility that the Planning Coordinator or Transmission 
Planner designates and informs the Generator Owner or Generator 
Operator as necessary to avoid BES Adverse Reliability Impacts in the 
long-term planning horizon.'' Criterion 1.8 designates as Critical 
Assets: ``Transmission Facilities at a single station or substation 
location that are identified by the Reliability Coordinator, Planning 
Authority or Transmission Planner as critical to the derivation of 
Interconnection Reliability Operating Limits (IROLs) and their 
associated contingencies.'' Criterion 1.9 designates as Critical 
Assets: ``Flexible AC Transmission Systems (FACTS), at a single station 
or substation location, that are identified by the Reliability 
Coordinator, Planning Authority or Transmission Planner as critical to 
the derivation of Interconnection Reliability Operating Limits (IROLs) 
and their associated contingencies.''
Comments
    27. Hydro-Québec states that the term ``group of generating 
units'' used in criterion 1.1 is ambiguous because it could mean a 
generating station or a group of units sharing the same transformer. 
Hydro-Québec also believes that the 15-minute period, 
established by CIP-002-4, Requirement R2, which states that ``the only 
Cyber Assets that must be considered are those shared Cyber Assets that 
could, within 15 minutes, adversely impact the reliable operation of 
any combination of units that in aggregate equal or exceed Attachment 
1, criterion 1.1,'' needs further explanation because it is unclear how 
to determine whether operation is not reliable after 15 minutes. 
Finally, Hydro-Québec contends that the term ``Flexible AC 
Transmission System (FACTS)'' in criterion 1.9 must be defined in the 
NERC Glossary of Terms.\28\
---------------------------------------------------------------------------

    \28\ Hydro-Québec Comments at 4-5.
---------------------------------------------------------------------------

    28. NV Energy comments that the bright line criteria lack technical 
justification because they are primarily based on asset size (e.g., 
megawatts and voltage levels) to determine criticality. NV Energy 
maintains that size should not be dispositive to determining whether an 
asset is critical. NV Energy cites the 500 kV or higher size threshold 
for transmission facilities in criterion 1.6 as an example of a broad 
categorization that is likely to capture elements, such as NV Energy's 
radial facilities, whose functions are not essential to the reliable 
operation of the
bulk electric system. NV Energy also identifies the 300 kV or higher 
threshold for transmission facilities interconnected at 300 kV or 
higher with three or more other transmission stations or substations in 
criterion 1.7 as another example. NV Energy asserts that other 
parameters, beyond the number of interconnections, must be evaluated to 
determine criticality. Finally, NV Energy states that the 1500 MW 
threshold in criterion 1.1 lacks technical justification.\29\
---------------------------------------------------------------------------

    \29\ NV Energy Comments at 3-4.
---------------------------------------------------------------------------

    29. ISO/RTO Council states that responsibility for identifying 
critical generation should not be shifted from generation owners under 
criterion 1.3, which it maintains allows a planning coordinator or 
transmission planner to designate critical generation facilities.\30\ 
Likewise, MISO maintains that criteria 1.3, 1.8, and 1.9 place undue 
burden on reliability coordinators, planning authorities/coordinators, 
and transmission planners by requiring them to designate facilities as 
Critical Assets.\31\ ISO/RTO Council and MISO believe that these 
authorities have insufficient guidance or data to designate facilities 
as Critical Assets in a uniform manner. MISO seeks remand of these 
criteria or, in the alternative, argues that these entities should be 
indemnified and have limited liability for decisions to designate or 
not designate facilities as Critical Assets. MISO also encourages the 
Commission to make clear that requiring these entities to make 
designations does not shift compliance obligations from the registered 
entity that owns or operates a facility identified under these 
criteria.\32\
---------------------------------------------------------------------------

    \30\ ISO/RTO Council at 6.
    \31\ MISO Comments at 5.
    \32\ Id. at 7.
---------------------------------------------------------------------------

    30. Further, MISO and ISO/RTO Council point to the lack of a 
mechanism for registered entities to challenge designations made by 
planning coordinators and transmission planners. MISO requests the 
establishment of such a mechanism.\33\ ISO/RTO Council states that the 
Commission ``needs to consider how to address the rights of Generator 
Owners or Generator Operators in the context of designation under the 
CIP Standards, or otherwise explain why the Generator Owner or 
Generator Operator has no rights to challenge the Planning Coordinator 
or Transmission Planner's determination.'' \34\
---------------------------------------------------------------------------

    \33\ Id. at 8.
    \34\ ISO/RTO Council Comments at 13.
---------------------------------------------------------------------------

Commission Determination
    31. The Commission finds that the bright line criteria for 
designating generation and transmission assets as Critical Assets are 
acceptable and supported by the information contained in NERC's 
petition.
    32. In response to Hydro-Québec's comments, the Commission 
finds the term ``group of generating units,'' as used in criterion 1.1, 
to mean all generating units at a ``single plant location,'' as that 
term is defined in the ``Rationale and Implementation Reference 
Document'' for CIP-002-4 cited in the petition.\35\ ``Single plant 
location'' refers to a ``group of generating units occupying a defined 
physical footprint, often but not always, these units are surrounded by 
a common fence, have a common entry point, share common facilities such 
as warehouses, water plants and cooling sources, follow a similar 
naming convention (plant name--unit number) and fall under a common 
management organization.'' \36\ It is our understanding that the 
transformer used by a generating unit has no bearing under criterion 
1.1 on whether a generating unit belongs to a ``group of generating 
units.''
---------------------------------------------------------------------------

    \35\ NERC Petition at 9 (citing Rationale and Implementation 
Reference Document, http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean_20101220.pdf). The Rationale 
and Implementation Reference Document, dated December 2010, was also 
submitted as part of the NERC filing. As found on the Commission's 
eLibrary system in Docket No. RM11-11-00, the Rationale and 
Implementation Reference Document is found in Exhibit E (Development 
Record of the proposed CIP Reliability Standard and the associated 
Implementation Plans) beginning at page 2141 of the PDF electronic 
file submitted by NERC. This Final Rule refers to the page numbers 
used within the Rationale and Implementation Reference Document. The 
Rationale and Implementation Reference Document states that it 
``provides guidance for Responsible Entities in the application of 
the criteria in CIP-002-4, Attachment 1. It provides clarifying 
notes on the intent and rationale of the Standards Drafting Team. It 
is not meant to augment, modify, or nullify any compliance 
requirements in the standard.'' Rationale and Implementation 
Reference Document at 1.
    \36\ Rationale and Implementation Reference Document at 8.
---------------------------------------------------------------------------

    33. As for Hydro-Québec's comments on the 15-minute trigger 
for CIP Reliability Standard coverage, NERC explains in its petition 
that ``[i]n specifying a 15-minute qualification, Requirement R2 
includes only those Cyber Assets that would have a real-time impact on 
the reliable operation of the Bulk Electric System.'' \37\ Further, 
NERC explains that there may be generation facilities that, ``while 
essential to the reliability and operability of the generation 
facility, may not have real-time operational impact within the 
specified real-time operations impact window of 15 minutes,'' such as a 
cyber asset controlling the supply of coal fuel in a generation 
facility.\38\ We believe that NERC has provided adequate explanation 
and justification of this provision. To the extent that 
Hydro-Québec seeks specific advice on how to implement the 
Requirement, Hydro-Québec should raise the issue with the 
relevant Regional Entity or NERC.
---------------------------------------------------------------------------

    \37\ NERC Petition at 12.
    \38\ Id.
---------------------------------------------------------------------------

    34. With respect to Hydro-Québec's comment that the term 
``Flexible AC Transmission System (FACTS)'' should be defined in the 
NERC Glossary of Terms, the Commission observes that the term is 
defined in the North American Energy Standards Board (NAESB) Wholesale 
Electric Industry Glossary,\39\ which is recognized in the NERC Rules 
of Procedure as a reference.\40\ Moreover, Hydro-Québec's 
comment does not suggest a lack of understanding of what the term means 
such that Hydro-Québec could not apply criterion 1.9.
---------------------------------------------------------------------------

    \39\ Available at www.naesb.org/pdf/weq_glossary072804w3.doc.
    \40\ NERC Rules of Procedure, Appendix 3A Standards Process 
Manual, at 22 (effective date January 31, 2012).
---------------------------------------------------------------------------

    35. The Commission disagrees with NV Energy's comments that the 
bright line criteria lack a technical justification because they are 
primarily based on asset size. While it is true that the standard 
establishes thresholds based on asset size, NERC articulated a basis 
for those values. For example, for the 1500 MW threshold in criterion 
1.1, the petition states that the standard drafting team derived that 
number ``from the most significant Contingency Reserves operated in 
various Balancing Authorities in all regions * * * [u]sing this number 
and data reported by the U.S. Energy Information Administration [], the 
team determined that approximately 146 generators in the United States 
would be classified as Critical Assets using this criterion * * * 
[t]his accounts for 29 percent of the installed generator capacity in 
the United States.'' \41\ Moreover, as discussed above, the 15-minute 
trigger in CIP-002-4, Requirement R2, is a qualification to the asset 
size thresholds in criterion 1.1 and is meant to include only ``Cyber 
Assets that would have a real-time impact on the reliable operation of 
the Bulk Electric System.'' \42\ Considering the ERO's pleadings and 
affording due weight to the ERO's technical expertise, the 
Commission accepts the ERO's justification for approval of the bright 
line criteria in Attachment 1.\43\
---------------------------------------------------------------------------

    \41\ NERC Petition at 15.
    \42\ Id. at 12.
    \43\ 16 U.S.C. 824o(d)(2).
---------------------------------------------------------------------------

    36. The Commission disagrees with MISO's and ISO/RTO Council's 
comment that criteria 1.3, 1.8, and 1.9 require reliability 
coordinators, planning coordinators/authorities, and transmission 
planners to review a registered entity's Critical Asset list or 
designate assets as Critical Assets. Instead, these criteria use the 
product of planning actions taken by reliability coordinators, planning 
coordinators/authorities, and transmission planners pursuant to other 
non-CIP Reliability Standards--these planning actions are, put simply, 
not made in conjunction with the application of CIP-002-4. The 
Commission also disagrees with MISO and ISO/RTO Council's comments that 
reliability coordinators, planning coordinators, and transmission 
planners should have the same liability protection as an entity 
externally reviewing Critical Asset lists, as was discussed in Order 
No. 706-A.\44\
---------------------------------------------------------------------------

    \44\ Order No. 706-A, 123 FERC ¶ 61,174 at P 53.
---------------------------------------------------------------------------

    37. Criteria 1.3, 1.8, and 1.9 require a responsible entity to 
identify generation and transmission facilities as Critical Assets when 
they have been determined as ``necessary to avoid BES Adverse 
Reliability Impacts in the long-term planning horizon'' (criterion 1.3) 
or ``critical to the derivation of Interconnection Reliability 
Operating Limits (IROLs) and their associated contingencies'' (criteria 
1.8 and 1.9).
    38. First, this is not a discretionary action based on what a 
reliability coordinator, planning coordinator/authority, or 
transmission planner subsequently considers ``necessary'' to avoid 
adverse impacts. Rather, reliability coordinators, planning 
coordinators/authorities, and transmission planners make these 
underlying determinations as part of their compliance obligations 
associated with other (non-CIP) Reliability Standards. NERC developed a 
Rationale and Implementation Reference Document that provides guidance 
on implementation of the Attachment 1 criteria and supports our 
finding. This reference document associates criterion 1.3 with 
Reliability Standards TPL-003 and TPL-004: ``If it is determined 
through system studies that a unit must run in order to preserve the 
reliability of the BES, such as due to a category C3 contingency as 
defined in TPL-003 or a category D contingency as defined in TPL-004, 
then that unit must be classified as a Critical Asset [under criterion 
1.3].'' \45\ Similarly, the Rationale and Implementation Reference 
Document associates criteria 1.8 and 1.9 with Reliability Standard FAC-
014-2: ``Parts 1.8 and 1.9 include those Transmission Facilities that 
have been identified as critical to the derivation of IROLs and their 
associated contingencies, as specified by FAC-014-2, Establish and 
Communicate System Operating Limits, R5.1.1 and R5.1.3.'' \46\
---------------------------------------------------------------------------

    \45\ Rationale and Implementation Reference Document at 10.
    \46\ Id. at 13.
---------------------------------------------------------------------------

    39. Second, during development of the Version 4 CIP Reliability 
Standards, the standard drafting team addressed this issue in 
responding to a comment concerning criterion 1.3 that ``[n]o entity 
should be able to simply `designate' another as having critical 
assets.'' \47\ The standard drafting team responded by stating that 
``[t]he burden for identifying Critical Assets is with the Responsible 
Entity that is the asset owner * * * [t]he Planning Authority and/or 
Transmission Planner are not designating the asset as critical for CIP 
purposes; they are determining the unit to be necessary to avoid 
Adverse Reliability Impacts based on other NERC reliability 
standards.'' \48\
---------------------------------------------------------------------------

    \47\ NERC Petition, Exhibit E, at 1548 of PDF electronic file.
    \48\ Id.
---------------------------------------------------------------------------

    40. Third, transmission planners and planning authorities/
coordinators cannot have a compliance obligation to designate Critical 
Assets under Reliability Standard CIP-002-4 because they are not 
identified as Applicable Entities under the Reliability Standard.\49\
---------------------------------------------------------------------------

    \49\ Section 302 of the NERC Rules of Procedure states that 
``Applicability--Each Reliability Standard shall clearly identify 
the functional classes of entities responsible for complying with 
the Reliability Standard, with any specific additions or exceptions 
noted * * *.'' NERC Rules of Procedure at 3 (effective date January 
31, 2012).
---------------------------------------------------------------------------

    41. In sum, under CIP-002-4, the responsible entity is required, 
and thus bears the compliance obligation, to apply the bright line 
criteria in Attachment 1 of CIP-002-4 to designate Critical Assets. We 
therefore reject the contention that reliability coordinators, planning 
coordinators/authorities, and transmission planners designate Critical 
Assets under the bright line criteria. We also disagree that CIP-002-4 
imposes an undue burden on reliability coordinators, planning 
coordinators/authorities, and transmission planners because, as 
discussed above, determining whether an asset is ``necessary to avoid 
BES Adverse Reliability Impacts in the long-term planning horizon'' 
(criterion 1.3) or ``critical to the derivation of Interconnection 
Reliability Operating Limits (IROLs) and their associated 
contingencies'' is associated with existing Reliability Standards. 
However, the Commission does agree with MISO and ISO/RTO Council that 
additional clarity could be provided to ensure uniformity in 
implementation of criterion 1.3. To address the concerns of uniform 
implementation, the Commission believes that responsible entities would 
benefit from the ERO's guidance.
    42. We deny MISO and ISO/RTO Council's request that the Commission 
require an appeals process to challenge determinations made by planning 
coordinators and transmission planners pursuant to other Reliability 
Standards. An appeals process is neither necessary nor appropriate 
because the determinations by planning coordinators and transmission 
planners are made for purposes unrelated to cybersecurity. It is true 
that those determinations will be used by responsible entities when 
applying the bright line criteria in CIP-002-4. However, as discussed 
above, the responsible entities, and not planning coordinators and 
transmission planners, are ultimately responsible for compliance with 
the CIP Reliability Standards. Accordingly, we reject MISO and ISO/RTO 
Council's suggestion to direct NERC to develop an appeals process for 
determinations made by planning coordinators and transmission planners 
in the context of other Reliability Standards in this final rule 
approving the Version 4 CIP Reliability Standards.
2. Blackstart/Must Run Units
NERC Petition
    43. Reliability Standard CIP-002-4, criterion 1.3 designates as a 
Critical Asset: ``Each generation Facility that the Planning 
Coordinator or Transmission Planner designates and informs the 
Generator Owner or Generator Operator as necessary to avoid BES Adverse 
Reliability Impacts in the long-term planning horizon.'' Reliability 
Standard CIP-002-4, criterion 1.4 designates as a Critical Asset: 
``Each Blackstart Resource identified in the Transmission Operator's 
restoration plan.''
Comments
    44. ISO/RTO Council comments that criterion 1.4 pertaining to 
blackstart resources appears to conflict with the NERC Statement of 
Registry Criteria. ISO/RTO Council observes that while criterion 1.4 
identifies as a Critical Asset ``[e]ach Blackstart Resource identified 
in the Transmission Operator's restoration 
plan,'' the Registry Criteria provide for registration of ``any 
generator, regardless of size, that is a blackstart unit material to 
and designated as part of a transmission operator entity's restoration 
plan * * *'' \50\ ISO/RTO Council suggests that ``some Regional 
Entities may have determined that certain blackstart units are not 
material to the Transmission Operator's restoration plan, and are 
therefore, presumably not covered'' by the Reliability Standards.\51\ 
Thus, ISO/RTO Council seeks clarification whether criterion 1.4 is 
meant to apply to blackstart units ``covered'' by the Registry Criteria 
or all blackstart resources and, if the latter, whether a revision to 
the Registry Criteria is appropriate.
---------------------------------------------------------------------------

    \50\ NERC Statement of Compliance Registry Criteria (Revision 
5.0) at 8 (Oct. 16, 2008) (emphasis added).
    \51\ ISO/RTO Council Comments at 14.
---------------------------------------------------------------------------

    45. MISO comments that designating must run units as Critical 
Assets pursuant to criterion 1.3 may create an incentive for generation 
owners and generation operators to remove such units from service prior 
to their designation as Critical Assets.\52\
---------------------------------------------------------------------------

    \52\ MISO Comments at 9.
---------------------------------------------------------------------------

Commission Determination
    46. With regard to ISO/RTO Council's comments, we note that NERC 
developed the Registry Criteria to identify users, owners and operators 
of the bulk electric system that are candidates for compliance 
registration. NERC does not apply the Registry Criteria to register 
particular assets.\53\ Moreover, whether NERC should revise the 
Registry Criteria is beyond the scope of this proceeding.\54\ That 
being said, it is not clear to us whether any substantive distinction 
is to be made between criterion 1.4, which implicates each blackstart 
resource identified in a restoration plan, and the Registry Criteria, 
which identifies as a candidate for registration the owner or operator 
of ``a blackstart unit material to and designated as part of a * * * 
restoration plan.'' We leave it to NERC to consider whether a 
blackstart unit identified in a transmission operator's restoration 
plan could ever be considered immaterial to that plan and, if so, 
whether a clarification or revision to one or more documents is 
appropriate.
---------------------------------------------------------------------------

    \53\ Order No. 706, 122 FERC ¶ 61,040 at P 50 (``the NERC 
registry process is designed to identify and register entities for 
compliance with Reliability Standards, and not identify lists of 
assets'').
    \54\ Order No. 706, 122 FERC ¶ 61,040 at P 49.
---------------------------------------------------------------------------

    47. We disagree with MISO that designating a ``must run'' unit as a 
Critical Asset may create an incentive for generation owners and 
generation operators to remove units from service prior to their 
designation as Critical Assets. The Commission is willing to consider 
rate filings to address this concern. For example, the Commission 
conditionally accepted a proposal filed by PJM to allow generators to 
recover costs related to compliance with mandatory NERC CIP Reliability 
Standards.\55\ Specifically, the Commission conditionally approved 
PJM's proposal in order to provide additional means for blackstart 
service providers to recover incremental costs associated with 
providing blackstart service.\56\ Finally, MISO can compensate ``must 
run'' generation units under System Support Agreements to prevent 
generators deemed as ``must run'' from being removed from service.
---------------------------------------------------------------------------

    \55\ PJM Interconnection, L.L.C., 138 FERC ¶ 61,020 (2012).
    \56\ Id. P 47.
---------------------------------------------------------------------------

3. Control Centers/Control Systems
NERC Petition
    48. Reliability Standard CIP-002-4, criteria 1.14-1.17 define the 
control centers and back up control centers that are treated as 
Critical Assets. Specifically, criterion 1.14 identifies as a bright 
line for Critical Assets ``[e]ach control center or backup control 
center used to perform the functional obligations of the Reliability 
Coordinator.'' Criterion 1.15 pertains to control centers or backup 
control centers used to control generation at multiple plant locations, 
equal to or exceeding 1500 MW. Criteria 1.16 and 1.17 include as 
Critical Assets control centers or backup control centers used to 
perform the functional obligations of transmission operators and 
balancing authorities, respectively.
NOPR
    49. In the NOPR, the Commission expressed concern, based on survey 
data supplied by NERC, that the Reliability Standard CIP-002-4 criteria 
would still leave a significant number of control centers 
unprotected.\57\
---------------------------------------------------------------------------

    \57\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 56.
---------------------------------------------------------------------------

Comments
    50. Commenters hold diverging views on whether the Version 4 CIP 
Reliability Standards adequately protect control centers and control 
systems (i.e., control systems not housed in control centers). G&T 
Cooperatives believe that Version 4 goes too far, while SPP RE and, to 
a lesser extent, MISO believe that it does not go far enough.\58\ NERC, 
PG&E, and the Trade Associations acknowledge the NOPR's concern that 
CIP Version 4 does not protect some control centers/common control 
systems, but they anticipate that a future Version 5 CIP Reliability 
Standards will protect more Critical Assets.\59\
---------------------------------------------------------------------------

    \58\ G&T Cooperatives Comments at 11-12; SPP RE Comments at 5-6; 
MISO Comments at 11.
    \59\ NERC Comments at 14-15; PG&E Comments at 14; Trade 
Associations Comments at 7-8.
---------------------------------------------------------------------------

    51. G&T Cooperatives believe that the Version 4 bright line 
criteria need additional work, which is why they support allowing a 
future Version 5 to supersede Version 4 before it becomes effective. 
Specifically, G&T Cooperatives state that criteria 1.14, 1.16, and 1.17 
``sweep in control centers and backup control centers, without regard 
to their size or potential impact on the [bulk electric system].'' \60\ 
G&T Cooperatives maintain that the bright line criteria should be 
revisited to ensure that they capture only those assets that should be 
covered in order to protect bulk electric system reliability.\61\
---------------------------------------------------------------------------

    \60\ G&T Cooperatives Comments at 11.
    \61\ G&T Cooperatives Comments at 10-13.
---------------------------------------------------------------------------

    52. SPP RE states that criteria 1.14-1.17 are insufficient because 
they do not consider interconnectivity of control centers or address 
the possibility that a small network-connected control center not 
deemed a Critical Asset could be used to compromise larger control 
centers. SPP RE believes that, at a minimum, all balancing authority 
and transmission operator control centers should be declared Critical 
Assets. SPP RE also encourages the Commission to consider requiring 
NERC to modify the bright line criteria to classify a control center as 
a Critical Asset if it is network-connected to other control 
centers.\62\
---------------------------------------------------------------------------

    \62\ SPP RE Comments at 5-6.
---------------------------------------------------------------------------

    53. With respect to common control systems, SPP RE believes that 
individual resources that do not qualify as Critical Assets under the 
bright line criteria can still pose a reliability risk if they have a 
common control system. SPP RE notes that under Version 4, a registered 
entity must designate its control center or generation facility as a 
Critical Asset in order to bring an associated common control system 
into scope. SPP RE believes that the bright line criteria may not 
ensure that all common control systems are identified, however. 
Criterion 1.1 designates as Critical Assets groups of generating units 
at a single plant location with an aggregate highest rated net Real 
Power capability equal to or exceeding 1500 MW. Criterion 1.15 
designates as Critical Assets: ``Each control center or backup control 
center used to control generation at multiple plant locations, for any 
generation Facility or group of 
generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each 
control center or backup control center used to control generation 
equal to or exceeding 1500 MW in a single Interconnection.'' SPP RE 
states that criterion 1.1 adequately protects the common control 
systems of generating units at a single plant location with aggregate 
real power equal to or exceeding 1500 MW. However, SPP RE believes that 
criterion 1.15 does not clearly apply to control centers and common 
control systems that control generation that equals or exceeds 1,500 MW 
in the aggregate regardless of the individual plant size requirements 
set forth in criterion 1.1.\63\
---------------------------------------------------------------------------

    \63\ Id. at 6-7.
---------------------------------------------------------------------------

    54. MISO expresses concern with Version 4's treatment of control 
centers. MISO asks for clarification whether Version 4 intentionally 
omitted ``data centers'' associated with control centers from the 
bright line criteria and whether registered entities have the 
discretion to designate them as Critical Assets. Because control 
centers often work in tandem with an associated data center, MISO 
recommends allowing registered entities to designate data centers as 
Critical Assets.\64\
---------------------------------------------------------------------------

    \64\ MISO Comments at 10-11.
---------------------------------------------------------------------------

    55. NERC and PG&E acknowledge the NOPR's concern that Version 4 
does not fully address the Order No. 706 directives pertaining to 
control centers. NERC and PG&E temper this concern, however, by 
pointing to the lack of an accepted definition of ``control centers'' 
and the fact that some control centers in the generation context only 
communicate with generators that fall below the NERC Registration 
Criteria for generators. NERC and PG&E suggest that cyber assets at 
these generator locations are unlikely to have a greater impact on 
reliability than much larger single-unit generators merely because the 
smaller units have a control center. In any case, NERC and PG&E explain 
that under a future Version 5 every control center will be protected 
and will receive a ``medium'' or ``high'' level of security under a new 
three-tiered structure. Further, NERC and PG&E state that several 
Version 5 requirements will apply to control centers regardless of 
whether they are classified as medium or high.\65\ NERC also states 
that ``cyber misuse'' will be a consideration under the classification 
process in CIP Version 5 and that the CIP Version 5 drafting team has 
proposed a definition of ``control center.'' \66\
---------------------------------------------------------------------------

    \65\ NERC Comments at 14-15; PG&E Comments at 13-14.
    \66\ NERC Comments at 15.
---------------------------------------------------------------------------

    56. The Trade Associations likewise recognize the NOPR's concern 
regarding control centers but state that control centers and control 
systems are being considered in the Version 5 project. The Trade 
Associations also state that appropriate prioritization and tailored 
application of mandatory requirements will be needed in addressing 
control centers and control systems given the widely varying 
circumstances and configurations in which these facilities are 
used.\67\
---------------------------------------------------------------------------

    \67\ Trade Associations Comments at 7-8.
---------------------------------------------------------------------------

Commission Determination
    57. The Commission recognizes the diverging views among commenters 
regarding the protection of control centers and control systems 
afforded under the Version 4 CIP Reliability Standards. In Order No. 
706, we stated that ``it is difficult to envision a scenario in which a 
reliability coordinator, transmission operator or transmission owner 
control center or backup control center would not properly be 
identified as a critical asset.'' \68\ The Commission maintains this 
view. However, as we observed in the NOPR, the percentage of control 
centers to be identified as Critical Assets under Version 4 is 74 
percent, which is an improvement over the number currently identified 
under Version 3.\69\ Therefore, it is reasonable to approve Version 4 
because it will ensure that more control centers are identified as 
Critical Assets than are identified under Version 3. However, we 
continue to expect comprehensive protection of all control centers and 
control systems as NERC works to comply with the requirements of Order 
No. 706.
---------------------------------------------------------------------------

    \68\ Order No. 706, 122 FERC ¶ 61,040 at P 280.
    \69\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 23.
---------------------------------------------------------------------------

    58. We agree with SPP RE that the CIP Reliability Standards should 
consider interconnectivity of control centers and the strategy of 
classifying a control center as a Critical Asset if it is network-
connected to other control centers. The Commission also finds merit in 
MISO's comment that responsible entities should be allowed to designate 
data centers as Critical Assets because of their inherent connectivity 
to the control centers or control systems they support. Therefore, we 
expect NERC to address these approaches as it works to comply with the 
requirements of Order No. 706.\70\
---------------------------------------------------------------------------

    \70\ See, e.g., Order No. 706, 122 FERC ¶ 61,040 at PP 280-281.
---------------------------------------------------------------------------

C. NOPR Questions on Critical Asset Identification

1. Flexibility To Identify Critical Assets That Fall Outside of the CIP 
Version 4 Bright Line Criteria
NOPR
    59. In the NOPR, the Commission stated that under the currently-
effective Reliability Standard CIP-002-3, a responsible entity that 
applies its risk-based assessment methodology considers specific types 
of assets identified in Requirement R1, as well as ``any additional 
assets that support the operation of the Bulk Electric System that the 
Responsible Entity deems appropriate to include its assessment.'' \71\ 
The Commission invited comment on whether a registered entity retains 
the same flexibility under Version 4 to identify assets that, although 
outside of the bright line criteria for identifying Critical Assets, 
are essential to Bulk-Power System reliability.
---------------------------------------------------------------------------

    \71\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 31.
---------------------------------------------------------------------------

Comments
    60. NERC states that, in developing Version 4, the drafting team 
considered adding criteria that would allow entities to identify 
additional facilities falling outside of the bright line criteria, but 
determined not to include the provision. However, NERC adds that 
``registered entities are permitted to apply any or all of the 
requirements in the CIP standards to assets that do not meet the 
bright-line thresholds.'' \72\
---------------------------------------------------------------------------

    \72\ NERC Comments at 4.
---------------------------------------------------------------------------

    61. The Trade Associations and FirstEnergy believe that registered 
entities do not have the flexibility to identify Critical Assets that 
fall outside the bright line criteria such that they would be subject 
to mandatory and enforceable compliance obligations and should not have 
such flexibility because it would detract from the consistency afforded 
by the bright line criteria.\73\ The Trade Associations, however, state 
that registered entities have the discretion to identify facilities as 
Critical Assets provided those facilities are not subject to compliance 
obligations.\74\
---------------------------------------------------------------------------

    \73\ Trade Associations Comments at 4-5; FirstEnergy Comments at 
2.
    \74\ Trade Associations Comments at 5.
---------------------------------------------------------------------------

    62. PG&E comments that appropriate flexibility exists under Version 
4 to allow the identification of Critical Assets essential to the bulk 
electric system. In particular, PG&E cites to criterion 1.3, which 
would require a planning coordinator or transmission planner to 
identify a generation facility 
as ``critical'' if ``necessary to avoid BES Adverse Reliability Impacts 
in the long-term planning horizon.'' \75\ Likewise, PG&E indicates that 
criterion 1.8 provides that a reliability coordinator, planning 
authority, and transmission planner has authority to designate certain 
transmission facilities critical to the derivation of IROLs as 
critical. PG&E also believes that industry should be encouraged to 
apply any or all of the CIP Reliability Standards to assets that do not 
meet the bright line criteria, ``even beyond a compliance and audit 
program.'' \76\
---------------------------------------------------------------------------

    \75\ PG&E Comments at 5.
    \76\ Id.
---------------------------------------------------------------------------

    63. SPP RE encourages the Commission to require NERC to restore the 
``other'' criterion to the bright line criteria.\77\ MISO likewise 
believes that registered entities should have the flexibility to 
identify more Critical Assets because the bright line criteria create a 
minimum regulatory floor on which to build.\78\
---------------------------------------------------------------------------

    \77\ SPP RE Comments at 5.
    \78\ MISO Comments at 11.
---------------------------------------------------------------------------

2. NERC or Regional Entities' Ability To Identify Critical Assets That 
Fall Outside of the CIP Version 4 Bright-Line Criteria
NOPR
    64. In the NOPR, the Commission invited comment on whether NERC 
and/or Regional Entities would have the ability, either in an event-
driven investigation or compliance audit, to identify specific assets 
that fall outside the bright-line criteria yet are still essential to 
Bulk-Power System reliability and should be subject prospectively to 
compliance with the CIP Reliability Standards, and if so, on what basis 
should that decision be made.\79\
---------------------------------------------------------------------------

    \79\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 31.
---------------------------------------------------------------------------

Comments
    65. NERC states that the Version 4 CIP Reliability Standards are an 
interim step and that the future Version 5 CIP Reliability Standards 
will refine the bright line criteria, with the intent of categorizing 
assets (to be termed ``BES Cyber Systems'') as low, medium or high 
impact to Bulk-Power System reliability. NERC states that, in the 
interim, it has the authority under Section 810 of the NERC Rules of 
Procedure to issue an Alert to recommend specific actions. According to 
NERC, it can use the Alerts ``as a tool to address assets that NERC and 
Regional Entities later determine should be treated as critical but do 
not fall into the CIP Version 4 criteria.'' \80\
---------------------------------------------------------------------------

    \80\ NERC Comments at 4-7.
---------------------------------------------------------------------------

    66. The Trade Associations, Dominion, FirstEnergy and other 
commenters oppose identification of Critical Assets outside of the 
bright line process by NERC or Regional Entities as detracting from the 
clarity afforded by the bright line criteria. The Trade Associations 
and Tallahassee opine that the Commission should not undermine the 
bright line criteria by granting Regional Entities discretion to 
designate Critical Assets that are otherwise excluded by application of 
the bright line criteria.\81\ SPP RE states that it is not appropriate 
to apply arbitrarily criteria not found in the CIP Reliability 
Standards to require additional cyber systems to be subject to the CIP 
Reliability Standards.\82\ Dominion states that if such a mechanism is 
necessary, it should not be done in the compliance audit context.\83\
---------------------------------------------------------------------------

    \81\ Trade Associations Comments at 5-6; Tallahassee Comments at 
4-5.
    \82\ SPP RE Comments at 4.
    \83\ Dominion Comments at 4-5.
---------------------------------------------------------------------------

    67. MISO supports review of Critical Asset designations by NERC and 
Regional Entities given its belief that criteria 1.3, 1.8, and 1.9 
require reliability coordinators, planning authorities/authorities and 
transmission planners to identify certain Critical Assets. MISO 
maintains that the lack of guidance for applying these criteria leaves 
room for substantial discretion, which may undermine the consistent 
identification of Critical Assets absent Regional Entity or NERC 
review.\84\
---------------------------------------------------------------------------

    \84\ MISO Comments at 4.
---------------------------------------------------------------------------

Commission Determination
    68. We agree with NERC and others that registered entities can 
voluntarily apply any or all of the requirements in the CIP Reliability 
Standards to assets that fall outside the bright line criteria.\85\ As 
MISO described it, Version 4's bright line criteria establish a 
``regulatory floor'' for cybersecurity, which must be followed by all 
registered entities.\86\ Nothing in Version 4 prevents registered 
entities from applying the protections required by the CIP Reliability 
Standards to additional assets that they deem critical. At the same 
time, we agree that assets not identified by the bright line criteria 
are not subject to a compliance obligation or to addition by the 
Commission, NERC, or a Regional Entity. We are persuaded that the 
clarity and addition of Critical Assets effected by the bright line 
criteria render Version 4 an improvement over Version 3.
---------------------------------------------------------------------------

    \85\ NERC Comments at 4.
    \86\ MISO Comments at 11.
---------------------------------------------------------------------------

    69. We expect NERC to continue to work towards a version of the CIP 
Reliability Standards that will largely eliminate the risk of gaps in 
the identification of Critical Assets.\87\ In Section E of this Final 
Rule, we discuss the directive in Order No. 706 regarding external 
review in an effort to provide the ERO with guidance in developing 
future versions of the CIP Reliability Standards.
---------------------------------------------------------------------------

    \87\ NERC Petition at 4.
---------------------------------------------------------------------------

D. Implementation Plan

NERC Petition
    70. NERC proposed an implementation plan for existing Critical 
Assets and an implementation plan for newly identified Critical Assets 
and newly registered entities. For existing Critical Assets, NERC 
proposed an effective date for full compliance with the Version 4 CIP 
Standards of the first day of the eighth calendar quarter after 
applicable regulatory approvals have been received. The implementation 
plan for newly identified Critical Assets and newly registered entities 
specifies how responsible entities are to handle newly identified 
Critical Cyber Assets, as well as how newly registered entities are to 
implement the CIP Reliability Standards after the effective date for 
Version 4.
NOPR
    71. In the NOPR, the Commission proposed to approve both the 
effective date and the implementation plan for CIP-002-4 based upon a 
belief that the proposed implementation plan establishes reasonable 
deadlines for industry compliance.\88\
---------------------------------------------------------------------------

    \88\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 39.
---------------------------------------------------------------------------

Comments
    72. Comments varied regarding NERC's proposed implementation plan. 
NERC, PG&E and Exelon support the CIP Version 4 implementation plan. 
PG&E comments that the two-year time frame, commencing from Commission 
approval, is reasonable. The Trade Associations support the 
implementation plan. However, they also urge the Commission to avoid a 
``one size fits all'' approach, explaining that there are 
``complexities'' of implementing ``[CIP Versions] 3 to 4 to 5.'' \89\ 
According to the Trade Associations, some entities may face significant 
challenges as the result of approval of Version 4 potentially followed 
so closely in time by the approval of Version 5. The Trade

[[Page 24603]]

Associations ask for coordination among NERC, the regions and 
registered entities to achieve compliance in an efficient and orderly 
manner. NERC and Exelon acknowledge that there could be concerns with 
implementing CIP Version 5 soon after Version 4 becomes effective, but 
note that CIP Version 5-related implementation issues could be 
revisited after CIP Version 5 is filed.\90\
---------------------------------------------------------------------------

    \89\ Trade Associations Comments at 13.
    \90\ NERC Comments at 10; Exelon Comments at 3.
---------------------------------------------------------------------------

    73. G&T Cooperatives, ISO/RTO Council, SPP RE, ITC, Dominion, and 
FirstEnergy oppose and/or recommend modifying the CIP Version 4 
implementation plan in anticipation of a future CIP Version 5 filing. 
G&T Cooperatives state that CIP Version 4 should be approved for 
``guidance purposes'' only, thus delaying implementation, so that it 
may be superseded by CIP Version 5.\91\ G&T Cooperatives believe that 
CIP Version 5 should become effective on the date that CIP Version 4 
would otherwise become effective. Therefore, G&T Cooperatives believe 
that NERC no longer intends that CIP Version 4 should go into effect in 
advance of CIP Version 5.
---------------------------------------------------------------------------

    \91\ G&T Cooperatives Comments at 10.
---------------------------------------------------------------------------

    74. ISO/RTO Council asks that the Commission provide guidance to 
NERC on how to exercise discretion on enforcement and implementation 
issues given the potential overlap and possible conflict with CIP 
Version 5.\92\ SPP RE suggests that the Commission allow entities to 
``early adopt'' CIP Version 5.\93\ ITC recommends keeping CIP Version 4 
in effect for at least three years so registered entities can collect a 
full three-year audit cycle's worth of data, which would avoid 
``frequent and abrupt changes'' and could help later when implementing 
CIP Version 5.\94\ Dominion recommends allowing registered entities to 
discontinue implementation of CIP Version 4, while remaining compliant 
with CIP Version 3, if CIP Version 5 is approved by the Commission 
before the CIP Version 4 mandatory compliance date.\95\
---------------------------------------------------------------------------

    \92\ ISO/RTO Council Comments at 15.
    \93\ SPP RE Comments at 7.
    \94\ ITC Comments at 4.
    \95\ Dominion Comments at 3.
---------------------------------------------------------------------------

    75. In its reply comments, NERC reiterates that it supports 
implementation of CIP Version 4 as filed. NERC rejects the G&T 
Cooperatives' suggestion that NERC no longer intends that CIP Version 4 
should go into effect in advance of CIP Version 5. NERC states that it 
recognizes the concerns raised by industry regarding the interplay 
between CIP Version 4 and CIP Version 5. However, NERC states that 
``until CIP Version 5 and an appropriate implementation plan is fully 
vetted and approved by the industry, the NERC Board of Trustees, and 
FERC, there is no basis to determine at this juncture that the CIP 
Version 4 standards should not be implemented.'' \96\
---------------------------------------------------------------------------

    \96\ NERC Reply Comments at 3.
---------------------------------------------------------------------------

Commission Determination
    76. The Commission adopts the NOPR proposal and approves both the 
effective date and the implementation plan for CIP-002-4 as just, 
reasonable, not unduly discriminatory or preferential, and in the 
public interest. The comments opposing NERC's proposed implementation 
plan for CIP-002-4 are all based upon concerns that the approval of CIP 
Version 4 may be followed very closely in time by a future Version 5 of 
the CIP Reliability Standards. We understand the commenters' interest 
in careful coordination, so that the industry can achieve compliance in 
an efficient and orderly manner as the industry moves from Version 3 to 
Version 5, via the interim Version 4. These concerns, however, do not 
provide a basis on which to reject the NOPR proposal.
    77. While G&T Cooperatives, ISO/RTO Council, SPP RE, ITC, Dominion, 
and FirstEnergy outline various proposed solutions to a potential 
overlap between CIP Version 4 and a future Version 5 of the CIP 
Reliability Standards, the commenters ignore one critical fact--the 
only version of the CIP Reliability Standards at issue in this 
proceeding is Version 4. There is no proposed Version 5 of the CIP 
Reliability Standards before the Commission at this time, so any 
concerns raised about implementation of Version 5 are beyond the scope 
of this proceeding. To the extent that the development of Version 5 
raises actual implementation concerns, such concerns should be raised 
when NERC submits Version 5 for approval. This proceeding is not the 
appropriate forum to determine how to coordinate the implementation of 
the CIP Version 4 Reliability Standards with possible future versions 
of the CIP Reliability Standards that have not yet been developed or 
submitted for approval to the Commission.

E. Compliance With Order No. 706

    78. In the petition, NERC stated that the standard drafting team 
``limited the scope of requirements in the development of CIP-002-4 
through CIP-009-4 as an interim step to address the more immediate 
concerns raised in FERC Order No. 706, paragraph 236.'' \97\ NERC 
further stated that the standard drafting team is continuing its effort 
to address the remaining outstanding Order No. 706 directives. NERC 
explained that its phased approach to meeting the Order No. 706 
directives has ``consistently built upon prior versions of the CIP-002 
through CIP-009 standards to enhance the reliability of the Bulk 
Electric System.'' \98\ In that light, the Commission discussed certain 
outstanding Order No. 706 directives in the NOPR and proposed giving 
guidance to aid in the development of the next version of the CIP 
Reliability Standards.
---------------------------------------------------------------------------

    \97\ NERC Petition at 6.
    \98\ Id.
---------------------------------------------------------------------------

    79. In their comments, the Trade Associations seek clarification as 
to whether the issues discussed in Section B of the NOPR (i.e., 
connectivity, control centers, and NERC and Regional Entity review of 
Critical Asset lists) should be viewed merely as encouragement to 
address those issues in CIP Version 5 or as new directives beyond what 
was required in Order No. 706.\99\ The Trade Associations explain that 
it is their expectation that the final rule will not include any 
further directives. Instead, the Trade Associations encourage the 
Commission to allow development of CIP Version 5 to move forward 
without introducing any new uncertainties in a final rule on CIP 
Version 4. Based on the comments in response to the NOPR, we determine 
not to issue new directives at this time beyond what is required to 
comply with Order No. 706. Consistent with the NOPR proposal, we 
provide guidance for future versions of the CIP Reliability Standards 
regarding the issues of connectivity, application of the National 
Institute of Standards and Technology (NIST) Framework, and provision 
of a regional perspective.
---------------------------------------------------------------------------

    \99\ Trade Associations Comments at 10.
---------------------------------------------------------------------------

1. Connectivity
NOPR
    80. In the NOPR, the Commission stated that:

    In light of recent cybersecurity vulnerabilities, threats and 
attacks that have exploited the interconnectivity of cyber systems, 
the Commission seeks comments regarding the method of identification 
of Critical Cyber Assets to ensure sufficiency and accuracy. The 
Commission recognizes that control systems that support Bulk-Power 
System reliability are ``only as secure as their weakest links,'' 
and that a single vulnerability opens the computer network and all 
other networks with which it is interconnected to potential 
malicious activity. Accordingly, the Commission believes that any 
criteria adopted for the

[[Page 24604]]

purposes of identifying a Critical Cyber Asset under CIP-002 should 
be based upon a Cyber Asset's connectivity and its potential to 
compromise the reliable operation of the Bulk-Power System, rather 
than focusing on the operation of any specific Critical Asset(s). 
[Footnotes omitted.] \100\
---------------------------------------------------------------------------

    \100\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 43.
---------------------------------------------------------------------------

The Commission invited comment on this approach.
Comments
    81. NERC comments that, while it does not believe that the 
connectivity issue was raised in Order No. 706, the CIP Version 5 
standards drafting team recognizes the importance of the matter and is 
considering it in the development of Version 5.\101\ However, NERC does 
not believe that connectivity can be addressed in CIP Version 5 by the 
time it is submitted to the NERC Board of Trustees for approval.\102\ 
NERC notes that CIP Version 5 will eliminate the blanket exemption for 
non-routably connected cyber systems, ``and instead move[s] the 
connectivity attribute to specific requirements.'' \103\ NERC adds that 
the CIP Version 5 drafting team has proposed to apply electronic 
security perimeter protections ``of some form'' to include all bulk 
electric system Cyber Systems.\104\
---------------------------------------------------------------------------

    \101\ NERC Comments at 11.
    \102\ Id.
    \103\ Id.
    \104\ Id.
---------------------------------------------------------------------------

    82. SPP RE states that neither CIP Version 4 nor CIP Version 5 
considers all possible communication paths between a given cyber asset 
and any assets that support a reliability function. According to SPP 
RE, the Version 4 standards define bright line criteria based on size 
of the asset, and the draft Version 5 standards would rate cyber 
systems based on their span of control, but fail to consider 
interconnectivity and the potential for a small system to be used as a 
vector of attack against other systems.\105\ SPP RE explains that 
control center cyber systems routinely exchange data with reliability 
coordinators, over wide area networks.\106\
---------------------------------------------------------------------------

    \105\ SPP RE Comments at 3-5.
    \106\ Id. at 3-4.
---------------------------------------------------------------------------

    83. ISO/RTO Council states that the Commission's concerns with 
connectivity could be addressed by requiring certain asset owners and 
operators to take a ``mutual distrust'' posture.\107\ MISO supports 
considering the connectivity issue but also encourages the Commission 
to evaluate the costs and benefits of this approach.
---------------------------------------------------------------------------

    \107\ ISO/RTO Council Comments at 17.
---------------------------------------------------------------------------

    84. PG&E states that issues pertaining to connectivity are being 
addressed in CIP Version 5.\108\ The Trade Associations state that they 
understand the Commission's concerns regarding connectivity. But taken 
together with the NOPR's ``weakest link'' statements, the Trade 
Associations are concerned these views could imply that everything 
needs to be protected.\109\ The Trade Associations believe that the 
``weakest link'' concept articulated in the NOPR needs to be fleshed 
out in more detail and that Commission staff should work with the CIP 
Version 5 standard drafting team to discuss these issues. The Trade 
Associations also maintain that the CIP Version 5 standard drafting 
team is currently working on addressing the Commission's directives in 
Order No. 706 and that no further directives regarding connectivity, or 
otherwise, should be made in the final rule approving CIP Version 4. 
According to the Trade Associations, any directives in the final rule 
would serve to prejudge CIP Version 5.
---------------------------------------------------------------------------

    \108\ PG&E Comments at 9.
    \109\ Trade Associations Comments at 18.
---------------------------------------------------------------------------

Commission Determination
    85. The Commission appreciates the comments on whether cyber 
connectivity should be a basis for the identification of Critical Cyber 
Assets, or their equivalent, in future versions of the CIP Reliability 
Standards. We have raised concerns relating to the use of cyber 
connectivity as a basis for applying the CIP Reliability Standards 
during and since the approval of Version 1. For example, in Order No. 
706, we stated that ``NERC's compliance [with the CIP Reliability 
Standards] is necessary in light of its interconnectivity with other 
entities that own and operate critical assets.'' \110\ Similarly, in 
finding that an ``N minus 1'' criterion is not an appropriate risk-
based assessment methodology for identifying Critical Assets, we noted 
that a cyber attack can strike multiple assets simultaneously.\111\ The 
cyber connectivity of Bulk-Power System assets increases the risk of a 
multiple asset cyber attack. The CIP Reliability Standards should 
reflect this risk.
---------------------------------------------------------------------------

    \110\ Order No. 706, 122 FERC ¶ 61,040 at P 47.
    \111\ Id. P 256.
---------------------------------------------------------------------------

    86. In that light, we support the elimination of the blanket 
exemption for non-routable connected cyber systems as highlighted in 
NERC's comments.\112\ A continued blanket exemption in Version 5 would 
not adequately address risk.
---------------------------------------------------------------------------

    \112\ NERC Comments at 11.
---------------------------------------------------------------------------

    87. In addition, we support the concept of applying electronic 
security perimeter protections ``of some form'' to all bulk electric 
system cyber systems.\113\ Because electronic communications between 
functional entities and their associated systems are essential to the 
operation of the Bulk-Power System, it is important for each distinct 
system to be protected at its boundary by an electronic security 
perimeter. The use of electronic security perimeters, as required under 
the CIP Reliability Standards, is commonly referred to as zoned 
security in the information security industry.\114\ Security zones are 
established to ensure that a compromise in one security zone does not 
lead to a compromise in another security zone across a security 
perimeter.\115\ The Commission is encouraged by NERC's comments that 
its standard drafting team is considering ways to address connectivity 
issues and electronic perimeter protections surrounding all BES Cyber 
Systems.
---------------------------------------------------------------------------

    \113\ Id.
    \114\ A ``security zone'' is defined by the ISA99 Committee on 
Industrial Automation and Control Systems Security as a ``grouping 
of logical or physical assets that share common security 
requirements.'' Security for Industrial Automation and Control 
Systems Part 1: Terminology, Concepts, and Models, ISA-99.00.01-
2007.
    \115\ A ``security perimeter'' is defined by the ISA99 Committee 
on Industrial Automation and Control Systems Security as a 
``boundary (logical or physical) of the domain in which a security 
policy or security architecture applies, i.e. the boundary of the 
space in which security services protect system resources.'' 
Security for Industrial Automation and Control Systems Part 1: 
Terminology, Concepts, and Models, ISA-99.00.01-2007.
---------------------------------------------------------------------------

    88. We also agree with SPP RE that the CIP Reliability Standards 
should consider communication paths between a given cyber asset and 
other assets that support a reliability function.\116\ As noted by SPP 
RE, cyber security standards that categorize cyber systems based upon 
the size or scope of the assets that they control ``fail to consider 
the interconnectivity of the BES Cyber Systems and the potential for a 
small control center system to be used as a vector of attack against a 
larger control center system.'' \117\ As noted by SPP RE, ``[c]ontrol 
center BES Cyber Systems routinely exchange operational data with each 
other as required by NERC Reliability Standard TOP-005-2a.'' \118\ As 
further noted by SPP RE, connectivity is important to address because 
of the required communications from control centers to and between 
reliability coordinators under the Interconnection Reliability 
Operations and Coordination Standards.\119\ The Commission agrees that 
cyber connectivity is important to address

[[Page 24605]]

when developing future versions of the CIP Reliability Standards. That 
being said, we acknowledge the concern of Trade Associations that the 
``connectivity'' and ``weakest link'' concepts could possess different 
meanings to various stakeholders.\120\ Thus, addressing connectivity 
should include reaching a common understanding of the term. Further, we 
understand and agree with the Trade Associations' concern that 
protection should be applied in a reasonable manner.\121\
---------------------------------------------------------------------------

    \116\ SPP RE Comments at 3-4.
    \117\ Id.
    \118\ Id.
    \119\ Id.
    \120\ Trade Associations Comments at 18.
    \121\ Id.
---------------------------------------------------------------------------

    89. Recognizing the importance of addressing cyber connectivity in 
future versions of the CIP Reliability Standards, we encourage NERC to 
consider the benefits of a ``mutual distrust'' posture, or similar 
strategies, put forth by the ISO/RTO Council \122\ and as directed by 
the Commission in Order No. 706.\123\ In Order No. 706, the Commission 
used the term ``mutual distrust'' to denote how ``outside world'' 
systems are treated by those inside the control system.\124\ 
Specifically, a mutual distrust posture requires each responsible 
entity that has identified critical cyber assets to protect itself and 
not trust any communication crossing an electronic security perimeter, 
regardless of where that communication originates.\125\
---------------------------------------------------------------------------

    \122\ ISO/RTO Council Comments at 17.
    \123\ Order No. 706, 122 FERC ¶ 61,040 at P 412 (``The 
Commission therefore directs the ERO to provide guidance, regarding 
the issues and concerns that a mutual distrust posture must address 
in order to protect a responsible entity's control system from the 
outside world.'').
    \124\ Id. P 33.
    \125\ Id. n.24.
---------------------------------------------------------------------------

    90. Applying electronic security perimeter protections ``of some 
form'' to bulk electric system cyber systems covered by the CIP 
Reliability Standards will support the adoption of a ``mutual 
distrust'' posture. This posture will encourage asset owners and 
operators to employ sound network architectural design, thus segmenting 
their systems into distinct security zones protected by managed 
interfaces that will allow only trusted access. The managed interfaces, 
or electronic security perimeter access points, are intended to 
restrict or prohibit network access and information flow to bulk 
electric system cyber systems covered by the CIP Reliability Standards 
from unidentified, unauthenticated, and unauthorized connectivity to 
ensure security. Multiple electronic security perimeters can be 
established to protect cyber assets and adopted as part of a defense in 
depth strategy to limit the propagation of a threat.\126\
---------------------------------------------------------------------------

    \126\ ``Defense in depth'' is defined by the ISA99 Committee on 
Industrial Automation and Control Systems Security as the 
``provision of multiple security provisions, especially in layers, 
with the intent to delay if not prevent an attack. NOTE: Defense in 
depth implies layers of security and detection, even on single 
systems, and provides the following features: attackers are faced 
with breaking through or bypassing each layer without being 
detected; a flaw in one layer can be mitigated by capabilities in 
other layers; system security becomes a set of layers within the 
overall network security.'' Security for Industrial Automation and 
Control Systems Part 1: Terminology, Concepts, and Models, ISA-
99.00.01-2007.
---------------------------------------------------------------------------

    91. Having considered the feedback to our question on cyber 
connectivity, we continue to believe that criteria adopted for the 
purpose of identifying Critical Cyber Assets under CIP-002 should 
include a cyber asset's ``connectivity'' and its potential to 
compromise the reliable operation of the Bulk-Power System. Therefore, 
we expect Version 5 to address these issues.

2. Application of NIST Framework
NOPR
    92. In the NOPR, the Commission elaborated on the Order No. 706 
guidance regarding the consideration of the NIST Framework when 
developing CIP Reliability Standards.\127\ The NOPR explained that the 
NIST Framework recognizes that all connected assets require a baseline 
level of protection to prevent attackers from gaining a foothold to 
launch further, even more devastating attacks on other critical 
systems.\128\ The Commission invited comment on this approach.
---------------------------------------------------------------------------

    \127\ NOPR, FERC Stats. & Regs. ¶ 32,679 at PP 46-52.
    \128\ Id. P 51.
---------------------------------------------------------------------------

Comments
    93. NERC, PG&E, SPP RE, and MISO support applying aspects of the 
NIST Framework to the CIP Reliability Standards, which could lead to 
more bulk electric system components being protected, though at 
different levels depending on their criticality. NERC and PG&E state 
that the CIP Version 5 standard drafting team has incorporated four key 
features of the NIST Framework into the draft CIP Version 5.\129\ NERC 
states, however, that the NIST standards/guidelines should not be 
adopted in total because elements of the NIST standards/guidelines, 
which are meant to help federal agencies to manage risks to their 
information systems in support of their unique missions, are 
inapplicable to the power sector.\130\ NERC and MISO point out that the 
NIST Framework allows for applicable NIST concepts to be tailored and 
incorporated into the CIP Reliability Standards, which has been the 
approach of the standard drafting team in developing CIP Version 5.
---------------------------------------------------------------------------

    \129\ NERC Comments at 13; PG&E Comments at 11-12.
    \130\ NERC Comments at 12-13.
---------------------------------------------------------------------------

Commission Determination
    94. The Commission finds the feedback provided on the potential 
application of the NIST Framework to the CIP Reliability Standards to 
be useful. We agree with the commenters that support applying 
applicable features of the NIST Framework to Version 5 of the CIP 
Reliability Standards. As stated in the NOPR, we believe that the NIST 
Framework could provide beneficial input into the CIP Reliability 
Standards.\131\ In its comments, NERC states that a standards drafting 
team is incorporating four key features of the NIST Framework into the 
Version 5 CIP Reliability Standards: (1) Ensuring that all BES Cyber 
Systems associated with the Bulk-Power System, based on their function 
and impact, receive some level of protection; (2) customizing 
protection to the mission of the cyber systems subject to protection; 
(3) applying a tiered approach to security controls that specifies the 
level of protection appropriate for systems based upon their importance 
to the reliable operation of the Bulk-Power System; and (4) using the 
concept of the BES Cyber System.\132\ We view the approach of 
incorporating these applicable features of the NIST Framework into the 
CIP Reliability Standards as a positive step in improving cyber 
security for the Bulk-Power System.
---------------------------------------------------------------------------

    \131\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 46.
    \132\ NERC Comments at 13-14. NERC comments that the next 
version of the CIP Reliability Standards replaces the identification 
of ``Critical Assets'' with the categorization of ``BES Cyber 
Systems.'' Specifically, NERC states that ``BES Cyber Systems will 
be characterized as `High Impact,' `Medium Impact,' or `Low Impact' 
based on the impact of the cyber system to the reliable operation of 
the bulk power system * * * [t]his characterization makes use of a 
bright-line concept similar to Version 4, but requires responsible 
entities to determine the impact of loss, compromise or misuse of a 
given BES Cyber System using a bright-line impact filter.'' NERC 
Comments at 7.
---------------------------------------------------------------------------

    95. NIST standards are used by industry generally as a reference 
and can be applied by the ERO to the Bulk-Power System.\133\ Therefore, 
we continue to encourage NERC and industry to include aspects of the NIST 
Framework and standards into subsequent versions of the CIP Reliability 
Standards to better protect the Bulk-Power System. Similar to our 
approach in Order No. 706, we continue to urge NERC to look to relevant 
NIST standards for guidance in developing effective cybersecurity 
standards for the electric industry.\134\
---------------------------------------------------------------------------

    \133\ For example, NIST SP800-82 provides a detailed Guide to 
Industrial Control Systems Security that is relevant to the electric 
power industry. Specifically, NIST SP800-82 includes recommendations 
to assist in the protection of Supervisory Control and Data 
Acquisition systems, Distributed Control Systems, and other control 
system configurations such as Programmable Logic Controllers. See 
National Institute of Standards and Technology, Guide to Industrial 
Control Systems (ICS) Security (NIST SP800-82) (2011), http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf.
    \134\ Order No. 706, 122 FERC ¶ 61,040 at P 233 (directing the 
ERO ``to consult with federal entities that are required to comply 
with both CIP Reliability Standards and NIST standards on the 
effectiveness of the NIST standards and on implementation issues and 
[to] report these findings to the Commission'').
---------------------------------------------------------------------------

3. Regional Perspective
NOPR
    96. In the NOPR, the Commission highlighted the Order No. 706 
directive for NERC to ``develop a process of external review and 
approval of critical asset lists based on a regional perspective.'' 
\135\ The NOPR explained the Commission's concern that a lack of a 
regional review of a registered entity's identification of cyber assets 
might result in a reliability gap. In addition, the Commission 
discussed concerns regarding cyber systems spanning multiple regions:
---------------------------------------------------------------------------

    \135\ NOPR, FERC Stats. & Regs. ¶ 32,679 at PP 59-61 (citing 
Order No. 706, 122 FERC ¶ 61,040 at P 329).
---------------------------------------------------------------------------

    This problem may be exacerbated by any future revisions to the 
CIP Reliability Standards that opt to reserve a high level of 
independent authority to the registered entity to categorize and 
prioritize its cyber assets. Looking forward, it will be essential 
for NERC and the Regional Entities to actively review the 
designation of cyber assets that are subject to the CIP Reliability 
Standards, including those which span regions, in order to determine 
whether additional cyber assets should be protected.\136\
---------------------------------------------------------------------------

    \136\ Id. P 61.
---------------------------------------------------------------------------

Comments
    97. NERC states that the bright line criteria adopted under Version 
4 of the CIP Reliability Standards provide certainty and clarity as to 
the assets that should be identified as critical. NERC explains that 
the CIP Reliability Standard drafting team is further refining the 
bright line criteria and anticipates that the next version of the CIP 
Reliability Standards will characterize ``BES Cyber Systems'' (in lieu 
of cyber assets) with ``high,'' ``medium,'' or ``low'' impact on Bulk-
Power System reliability. According to NERC, ``[t]his characterization 
makes use of a bright line concept similar to Version 4, but requires 
responsible entities to determine the impact of loss, compromise or 
misuse of a given BES Cyber System using a bright line impact filter.'' 
\137\
---------------------------------------------------------------------------

    \137\ NERC Comments at 7. NERC states in its comments that the 
CIP standard drafting team is considering the adoption of the term 
``BES Cyber Systems'' in the next version of the CIP Reliability 
Standards. Our discussion below uses the term ``cyber assets'' to 
include any cyber asset or systems that the ERO eventually 
designates as needing cyber security protections under the CIP 
Reliability Standards.
---------------------------------------------------------------------------

    98. The Trade Associations state that they cannot support the NOPR 
proposal on redesignation of assets based on a ``regional view'' 
without specific information about the mechanics of the proposal or the 
nature of the perceived reliability gap. According to the Trade 
Associations, registered entities are in the best position to determine 
which of their cyber assets are critical to the operation of Critical 
Assets and therefore subject to CIP compliance. The Trade Associations 
contend that NERC and the Regional Entities have the opportunity to 
review a registered entity's approach to developing its list of 
Critical Cyber Assets in the context of a compliance audit or other 
compliance monitoring process.
    99. FirstEnergy states that the bright line criteria should be the 
sole methodology for identifying Critical Assets and that allowing the 
ERO or Regional Entities the ability to add assets that fall outside 
the bright line criteria undermines the purpose of the bright line 
criteria.\138\ Tallahassee states that the Commission should not 
undermine the value of the bright line criteria by granting the 
Regional Entities the discretion to designate assets as critical if the 
assets are not otherwise identified by the bright line criteria.
---------------------------------------------------------------------------

    \138\ FirstEnergy Comments at 2.
---------------------------------------------------------------------------

    100. SPP RE, for its part, states that it is not appropriate to 
arbitrarily apply criteria not listed in the CIP Reliability Standards 
to require additional cyber assets to be subject to the CIP Reliability 
Standards. SPP RE states that the appropriate way to address any 
concern that the bright line criteria do not capture all assets that 
should be protected is to modify the bright line criteria to address 
any deficiency.
Commission Determination
    101. In Order No. 706, the Commission explained the need for 
external review of the Critical Asset lists in the context of an 
earlier version of the CIP Reliability Standards that required 
registered entities to apply individualized risk-based methodologies to 
identify Critical Assets.\139\ Further, as indicated in the NOPR in the 
immediate proceeding, the Commission's concerns are ``exacerbated by 
any future revisions to the CIP Reliability Standards that opt to 
reserve a high level of independent authority to the registered entity 
to categorize and prioritize its cyber assets.'' \140\
---------------------------------------------------------------------------

    \139\ Order No. 706, 122 FERC ¶ 61,040 at PP 298, 322.
    \140\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 61.
---------------------------------------------------------------------------

    102. We agree with commenters that the adoption of appropriate, 
bright line criteria for Critical Asset identification may obviate the 
need for an external review. We believe that there is less need for 
external review where application of bright line criteria results in an 
objective, consistently applied approach to the identification of cyber 
assets. As discussed above, NERC anticipates the development of tiered, 
bright line criteria in the next version of the CIP Reliability 
Standards. Whether this development ultimately eliminates the need for 
an external review process as directed in Order No. 706 will depend on 
the discretion allowed to individual registered entities in identifying 
and characterizing assets or systems.
    103. However, even with the adoption of clear and objective 
criteria, we believe that there remains a need for an entity with a 
regional perspective, presumably the ERO or a Regional Entity, to have 
the opportunity to identify or adjust the characterization of cyber 
assets in some circumstances. For example, an event may reveal that a 
specific cyber asset has a greater impact than previously recognized. 
In such circumstance, an objective third party should have the 
opportunity to designate a cyber asset prospectively as critical or 
recharacterize the impact of a cyber asset for compliance 
purposes.\141\ Likewise, it is possible that a technological 
development or newly discovered vulnerability could justify a case-
specific adjustment.
---------------------------------------------------------------------------

    \141\ Order No. 706, 122 FERC ¶ 61,040 at P 325.
---------------------------------------------------------------------------

    104. We agree with SPP RE that a modification of one or more of the 
bright line criteria is an appropriate response to a generic change in 
risk or impact of a category of cyber assets. Accordingly, as a 
reasonable application of the Order No. 706 directive that an entity 
with a regional approach have oversight of Critical Asset 
identification, NERC and the regions--or another designated third 
party--should have the authority in some circumstances, such as those 
discussed above, to designate a cyber asset as critical or adjust the 
``impact'' characterization. In addressing the Order No. 706 
directives, NERC should develop appropriate provisions to implement 
this limited opportunity for review.

F. Deadline for Addressing Order No. 706 Directives

NERC Petition
    105. In the petition, NERC states that the standard drafting team 
is continuing to address the outstanding Order No. 706 directives.\142\ 
NERC notes that the next version of the CIP Reliability Standards 
``will build on the CIP-002-4 standards' establishment of uniform 
criteria for the identification of Critical Assets.'' \143\
---------------------------------------------------------------------------

    \142\ NERC Petition at 6.
    \143\ Id.
---------------------------------------------------------------------------

NOPR
    106. In the NOPR, the Commission invited comment on whether a 
reasonable deadline should be established for NERC to satisfy the 
outstanding directives in Order No. 706 pertaining to the CIP 
Reliability Standards based on NERC's current development timeline for 
CIP Version 5.\144\ Based on the then current NERC timeline, the NOPR 
proposed that the CIP Version 5 filing be made by the end of the third 
quarter of 2012.
---------------------------------------------------------------------------

    \144\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 67.
---------------------------------------------------------------------------

Comments
    107. Comments varied as to the imposition of a deadline for NERC to 
file CIP Version 5. Most comments support at least a soft filing date 
coupled with periodic informational filings on the status of CIP 
Version 5. While some comments support a hard deadline, that support is 
qualified.
    108. NERC, ISO/RTO Council, PG&E, and Dominion offer qualified 
support for a deadline. NERC supports the proposed deadline, provided: 
the CIP Version 4 Final Rule does not add to or expand on the Order No. 
706 directives; NERC is able to use its standard development process; 
and CIP Version 5 only requires one successive ballot.\145\ PG&E 
likewise believes that the proposed deadline is attainable provided the 
CIP Version 4 Final Rule does not expand on the Order No. 706 
directives.\146\ ISO/RTO Council states that a deadline is reasonable 
as long as there is sufficient time for stakeholder input.\147\ 
However, ISO/RTO Council is skeptical about the current development 
timeline. Dominion also supports a hard deadline as long as CIP Version 
5 is developed through the normal NERC standard development 
process.\148\
---------------------------------------------------------------------------

    \145\ NERC Comments at 8-9.
    \146\ PG&E Comments at 8.
    \147\ ISO/RTO Comments at 16.
    \148\ Dominion Comments at 4.
---------------------------------------------------------------------------

    109. The Trade Associations, AMP, Exelon, FirstEnergy, and KCP&L do 
not support a hard deadline for filing CIP Version 5.\149\ The Trade 
Associations, supported by FirstEnergy and KCP&L, and AMP believe that 
the development schedule for CIP Version 5 is aggressive and may need 
to be revised. The Trade Associations caution that an artificial 
deadline may increase the risk that some complex technical issues may 
not be fully resolved in Version 5. The Trade Associations and Exelon 
support a ``realistic goal'' or ``target date'' for filing CIP Version 
5 coupled with periodic informational filings marking NERC's 
progress.\150\ AMP supports requiring NERC to make periodic 
informational filings as well.\151\ The Trade Associations state that 
if the Commission deems a deadline necessary, it should be set for the 
first quarter of 2013.
---------------------------------------------------------------------------

    \149\ Trade Associations Comments at 13-14; AMP Comments at 4-5; 
Exelon Comments at 3-4; FirstEnergy Comments at 3-4; KCP&L Comments 
at 2.
    \150\ Trade Associations Comments at 15.
    \151\ AMP Comments at 5.
---------------------------------------------------------------------------

Commission Determination
    110. We adopt our NOPR proposal to establish a deadline for 
compliance with the outstanding Order No. 706 CIP directives. Given the 
elapse of time since the issuance of Order No. 706, we believe that it 
is appropriate to set a reasonable deadline for completion of the next 
version of the CIP Reliability Standards, which, according to NERC, is 
expected to address the outstanding Order No. 706 directives.\152\ The 
setting of a deadline responds to the finding in the January 2011 Audit 
Report of the Department of Energy's Inspector General that ``the CIP 
standards implementation approach and schedule approved by the 
Commission were not adequate to ensure that systems-related risks to 
the Nation's power grid were mitigated or addressed in a timely 
manner.'' \153\
---------------------------------------------------------------------------

    \152\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 65 n.65.
    \153\ NOPR, FERC Stats. & Regs. ¶ 32,679 at P 65 (citing 
Department of Energy Inspector General Audit Report, Federal Energy 
Regulatory Commission's Monitoring of Power Grid Cybersecurity at 2 
(January 2011)).
---------------------------------------------------------------------------

    111. We recognize, as numerous commenters discuss, that the current 
schedule for completing CIP Version 5 is aggressive. We also understand 
that the volume of industry discussion is high and we agree that 
industry input should not be artificially rushed or curtailed. In its 
reply comments, NERC indicated that it anticipates filing the Version 5 
CIP Reliability Standards by the third quarter of 2012.\154\ 
Accordingly, to allow for sufficient time beyond what NERC estimates, 
we establish a deadline that is 6 months from the end of the third 
quarter of 2012 (i.e., March 31, 2013). NERC must also submit reports 
at the beginning of each quarter in which the ERO is to explain whether 
it is on track to meet the deadline and describe the status of its 
standard development efforts.
---------------------------------------------------------------------------

    \154\ NERC Reply Comments at 4.
---------------------------------------------------------------------------

G. Violation Severity Levels and Violation Risk Factors

NERC Petition
    112. As amended on April 12, 2011, the petition includes proposed 
VRFs and VSLs for each Requirement of the Version 4 CIP Reliability 
Standards, CIP-002-4 to CIP-009-4.
NOPR
    113. In the NOPR, the Commission stated that the VSLs for 
Requirements R1 and R2 of CIP-002-4 do not adequately address the 
failure to properly identify either Critical Assets or Critical Cyber 
Assets.\155\ Specifically, NERC proposed to assign a ``Severe VSL'' for 
a violation of Requirement R1 if a responsible entity does not develop 
a list of its identified Critical Assets ``even if such list is null.'' 
NERC did not propose to assign a VSL for a violation of Requirement R1 
when a responsible entity fails to identify a Critical Asset that falls 
within any of the Critical Asset criteria in Attachment 1, or fails to 
include an identified Critical Asset in its Critical Asset list. NERC 
further proposed to assign a ``Severe VSL'' to a responsible entity's 
violation of Requirement R2 only when it fails to include in its list 
of Critical Cyber Assets a Critical Cyber Asset it has identified. NERC 
did not propose to assign a VSL for a violation of Requirement R2 
resulting from a responsible entity's failure to identify as a Critical 
Cyber Asset a cyber asset that qualifies as a Critical Cyber Asset. The 
Commission therefore proposed to direct the ERO to modify the VSLs for 
CIP-002-4, Requirements R1 and R2, to address a failure to identify 
either Critical Assets or Critical Cyber Assets.
---------------------------------------------------------------------------

    \155\ NOPR, FERC Stats. & Regs. ¶ 32,679 at pp. 35-36.
---------------------------------------------------------------------------

Comments
    114. NERC and PG&E agree with the NOPR proposal to direct 
modifications to the VSLs for Requirements R1 and R2 of CIP-002-4 to 
ensure that lists of identified Critical Assets are 
complete.\156\ Accordingly, NERC states that the VSLs for Requirements 
R1 and R2 should be modified to include the word ``complete'' in front 
of the list in the VSL language.\157\
---------------------------------------------------------------------------

    \156\ NERC Comments at 7-8; PG&E Comments at 6-7.
    \157\ The VSL for Requirement R1, for example, would read: ``The 
Responsible Entity did not develop a complete list of its identified 
Critical Assets even if such list is null.'' (emphasis added).
---------------------------------------------------------------------------

Commission Determination
    115. The Commission approves the VRFs and VSLs proposed by NERC 
subject to the modifications discussed above. As NERC now agrees, the 
Commission directs modifications to the ``Severe VSL'' for Requirements 
R1 and R2 to include the word ``complete.'' The modified VSLs will 
address situations where a responsible entity fails to identify or 
include one or more Critical Assets that fall within the Critical Asset 
criteria in Attachment 1 in its Critical Assets list pursuant to 
Requirement R1, or where a Responsible Entity fails to identify or 
include one or more Critical Cyber Assets in its Critical Cyber Asset 
list pursuant to Requirement R2.

III. Information Collection Statement

    116. The Office of Management and Budget (OMB) regulations require 
approval of certain information collection requirements imposed by 
agency rules.\158\ Upon approval of a collection(s) of information, OMB 
will assign an OMB control number and expiration date. Respondents 
subject to the filing requirement of this rule will not be penalized 
for failing to respond to these collections of information unless the 
collections of information display a valid OMB control number. The 
Paperwork Reduction Act (PRA) \159\ requires each federal agency to 
seek and obtain OMB approval before undertaking a collection of 
information directed to ten or more persons, or continuing a collection 
for which OMB approval and validity of the control number are about to 
expire.\160\
---------------------------------------------------------------------------

    \158\ 5 CFR 1320.11.
    \159\ 44 U.S.C. 3501-3520 (2006).
    \160\ 44 U.S.C. 3502(3)(A)(i), 44 U.S.C. 3507(a)(3).
---------------------------------------------------------------------------

    117. The Commission is submitting these reporting and recordkeeping 
requirements to OMB for its review and approval under section 3507(d) 
of the PRA. The Commission solicited comments on the need for this 
information, whether the information will have practical utility, the 
accuracy of provided burden estimates, ways to enhance the quality, 
utility, and clarity of the information to be collected, and any 
suggested methods for minimizing the respondent's burden, including the 
use of automated information techniques. The Commission received two 
comments regarding burden and cost estimates.
Comments
    118. Hydro-Québec and NV Energy claim that the cost 
estimates included in the NOPR for Version 4 are inaccurate and 
incomplete.\161\ NV Energy states that the estimate does not include 
the significant burden of the additional security requirements that 
will be required by the identification of more Critical Assets and 
related Critical Cyber Assets. NV Energy comments that the cost 
estimate does not consider such matters as increased background 
checking, personnel risk assessments, cyber security training programs, 
and increased complexity of cyber security perimeters.
---------------------------------------------------------------------------

    \161\ Hydro-Québec Comments at 6; NV Energy Comments at 
6-7.
---------------------------------------------------------------------------

Commission Determination
    119. After a review of the comments on the Commission's cost 
estimate, we maintain the cost estimate provided in the NOPR. While we 
recognize that implementing the Reliability Standards is not without 
cost, the benefits to reliability must be recognized. In response to 
Hydro-Québec and NV Energy's concerns, we note that the estimate 
provided in the NOPR addresses the potential for an incremental 
increase in costs across the industry and does not address the full 
cost of implementing the CIP Reliability Standards by an entity. We 
anticipate that the savings associated with the change from the entity-
specific risk-based assessment methodology, which had to be reviewed 
and updated each year, to a bright-line approach will offset some, if 
not all, of the incremental cost increase for entities that have 
previously identified a Critical Cyber Asset. With regards to NV 
Energy's comments, we note that the proposed revisions to the Version 4 
CIP Reliability Standards address the manner for the identification of 
Critical Assets, and do not revise current requirements pertaining to 
background checking, personnel risk assessments, cyber security 
training programs, and cyber security perimeters.
    120. Burden Estimate: The principal differences in the existing 
information collection requirements and the burden imposed by the 
Reliability Standards in this Final Rule are triggered by the changes 
in Reliability Standard CIP-002-4. The previous risk-based assessment 
methodology for identifying Critical Assets is being replaced by 17 
uniform ``bright line'' criteria for identifying Critical Assets (in 
CIP-002-4, Attachment 1, ``Critical Asset Criteria''). Reliability 
Standard CIP-002-4 requires each responsible entity to use the bright 
line criteria as a ``checklist'' to identify Critical Assets, initially 
and in an annual review, instead of performing the more technical and 
individualized risk analysis involved in complying with the previously-
effective CIP Reliability Standards. As in past versions of these 
Standards, each Responsible Entity will then identify the Critical 
Cyber Assets associated with its updated list of Critical Assets. If 
application of the bright line criteria results in the identification 
of new Critical Cyber Assets, such assets become subject to the 
remaining standards (approved CIP-003-4, CIP-004-4, CIP-005-4, CIP-006-
4, CIP-007-4, CIP-008-4, and CIP-009-4), and the information collection 
requirements contained therein.
    121. We estimate that the burden associated with the annual review 
of the assets (by the estimated 1,501 applicable entities) will be 
simplified by the ``Critical Asset Criteria'' in Reliability Standard 
CIP-002-4. Rather than each entity annually reviewing and updating a 
risk-based assessment methodology that frequently required technical 
analysis and judgment decisions, the bright line criteria will provide 
a straightforward checklist for all entities to use. Thus, we estimate 
that the revised Reliability Standard will reduce the burden associated 
with the annual review, as well as provide a consistent and clear set 
of criteria for all entities to follow.
    122. The estimated changes to burden as contained in the Final Rule 
in RM11-11 follow.


--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                      Annual Burden Hrs.
   FERC-725B Data Collection (per    Number of  Respondents     Average Number of       Average Number of     Effect of Final Rule           upon
             Version 4)                       \162\           Annual Responses Per      Burden Hours Per      in RM11-11, on Total    Implementation of
                                                                   Respondent            Response \163\           Annual Hours             RM11-11
                                     (1)...................  (2)...................  (3)...................  (1) x (2) x (3).......  ...................
--------------------------------------------------------------------------------------------------------------------------------------------------------
Entities that (previously and now)   345 [no change].......  1.....................  1,880 [reduction of 40  reduction of 13,800                 648,600
 will identify at least one                                                           hours from 1,920 to     hours.
 Critical Cyber Asset [category a].                                                   1,880 hours] hours.
Entities that (previously and now)   1,144 [reduction of 12  1.....................  120 [no change].......  reduction of 1,440                  137,280
 will not identify any Critical       entities from 1,156                                                     hours [for the 12
 Cyber Assets [category b].           to 1,144].                                                              entities].
Entities that will newly identify a  increase of 12          1.....................  3,840 \165\...........  increase of 46,080....               46,080
 Critical Asset/Critical Cyber        [formerly 0].
 Asset due to the requirements in
 RM11-11 \164\ [category c].
    Net Total......................  1,501.................  ......................  ......................  +30,840...............              831,960
--------------------------------------------------------------------------------------------------------------------------------------------------------

    The revisions to the cost estimates based on requirements of this 
Final Rule are:
     - Each entity that has identified Critical Cyber Assets has 
a reduction of 40 hours (345 entities x 40 hrs. @ $96/hour = $1,324,800 
reduction).
---------------------------------------------------------------------------

    \162\ The NERC Compliance Registry as of September 28, 2010 
indicated that 2,079 entities were registered for NERC's compliance 
program. Of these, 2,057 were identified as being U.S. entities. 
Staff concluded that of the 2,057 U.S. entities, approximately 1,501 
were registered for at least one CIP related function. According to 
an April 7, 2009 memo to industry, NERC noted that only 31 percent 
of entities responding to an earlier survey reported that they had 
at least one Critical Asset, and only 23 percent reported having a 
Critical Cyber Asset. Staff applied the 23 percent (an estimate 
unchanged for Version 4 standards) to the 1,501 figure to estimate 
the number of entities that identified Critical Cyber Assets under 
Version 3 CIP Standards.
    \163\ Calculations for figures prior to applying reductions:
     - Respondent category b:
    3 employees x (working 50 percent) x (40 hrs/week) x (2 weeks) = 
120 hours.
     - Respondent category c:
    20 employees x (working 50 percent) x (40 hrs/week) x (8 weeks) 
= 3200 hours.
    (working 20 percent) x (3200 hrs) = 640 hours.
    Total = 3840.
     - Respondent category a:
    50 percent of 3840 hours (category d) = 1920.
    \164\ We estimate 12 (or 1%) of the existing entities that 
formerly had no identified Critical Cyber Assets will have them 
under the Reliability Standards. This Final Rule does not affect the 
burden for the 6 new U.S. Entities that were estimated to newly 
register or otherwise become subject to the CIP Standards each year 
in FERC-725B, and therefore are not included in this chart.
    \165\ This burden estimate applies only to the first 
three-year audit cycle. In subsequent audit cycles these entities 
will move into category a, or be removed from the burden as an 
entity that no longer is registered for a CIP related function.
---------------------------------------------------------------------------

     - 12 entities that formerly had not identified Critical 
Cyber Assets, but now will have them, have:
         - A reduction of 120 hours and an increase of 3,840 hours (for 
a net increase of 3,720 annual hours), giving 12 entities x 3,720 hrs. 
@ $96/hour = $4,285,440.
         - Storage costs = 12 entities @ $15.25/entity = $183.
    Total Net Annual Cost for the FERC-725B requirements contained in 
the Final Rule in RM11-11 = $2,960,823 ($4,285,440 + $183 - $1,324,800).
    The estimated hourly rate of $96 is the average cost of legal 
services ($230 per hour), technical employees ($40 per hour) and 
administrative support ($18 per hour), based on hourly rates from the 
Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and 
Practices Survey Report.\166\ The $15.25 per entity for storage costs 
is an estimate based on the average costs to service and store 1 GB of 
data to demonstrate compliance with the CIP Standards.\167\
---------------------------------------------------------------------------

    \166\ Bureau of Labor Statistics figures were obtained from 
http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing 
Rates figures were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were 
based on the national average billing rate (contracting out) from 
the above report and BLS hourly earnings (in-house personnel). It is 
assumed that 25 percent of respondents have in-house legal 
personnel.
    \167\ Based on the aggregate cost of an advanced data protection 
server.
---------------------------------------------------------------------------

    Title: Mandatory Reliability Standards, Version 4 Critical 
Infrastructure Protection Standards.
    Action: Revised Collection FERC-725B.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This Final Rule approves the 
requested modifications to Reliability Standards pertaining to critical 
infrastructure protection. The Reliability Standards help ensure the 
reliable operation of the Bulk-Power System by providing a 
cybersecurity framework for the identification and protection of 
Critical Assets and associated Critical Cyber Assets. As discussed 
above, the Commission approves NERC's proposed Version 4 CIP Standards 
pursuant to section 215(d)(2) of the FPA because they represent an 
improvement to the previously-effective CIP Reliability Standards.
    Internal Review: The Commission has reviewed the proposed 
Reliability Standards and made a determination that its action is 
necessary to implement section 215 of the FPA.
    123. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE., Washington, DC 20426 [Attention: 
Ellen Brown, Office of the Executive Director, email: 
DataClearance@ferc.gov, phone: (202) 502-8663, fax: (202) 273-0873].
    124. Comments concerning this information collection can be sent to 
the Office of Management and Budget, Office of Information and 
Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for 
the Federal Energy Regulatory Commission, phone: (202) 395-4718, fax: 
(202) 395-7285].

IV. Environmental Analysis

    125. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\168\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\169\ The actions taken here 
fall within this categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------

    \168\ Regulations Implementing the National Environmental Policy 
Act, 52 FR 47897 (Dec. 17, 1987), Order No. 486, FERC Stats. & 
Regs., Regulations Preambles 1986-1990 ¶ 30,783 (1987).
    \169\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act

    126. The Regulatory Flexibility Act of 1980 (RFA) \170\ generally 
requires a description and analysis of final rules that will have 
significant economic impact on a substantial number of small entities. 
The RFA mandates consideration of regulatory alternatives that 
accomplish the stated objectives of a proposed rule and that minimize 
any significant economic impact on a substantial number of small 
entities. The Small Business Administration's (SBA) Office of Size 
Standards develops the numerical definition of a small business.\171\ 
The SBA has established a size standard for electric utilities, stating 
that a firm is small if, including its affiliates, it is primarily 
engaged in the transmission, generation and/or distribution of electric 
energy for sale and its total electric output for the preceding twelve 
months did not exceed four million megawatt hours.\172\
---------------------------------------------------------------------------

    \170\ 5 U.S.C. 601-612.
    \171\ 13 CFR 121.101.
    \172\ 13 CFR 121.201, Sector 22, Utilities & n.1.
---------------------------------------------------------------------------

    127. This Final Rule may have a significant economic impact on some 
small entities. The Commission estimates that 12 of the total small 
entities applicable to this final rule will experience a total one-time 
impact of $4,285,623 (an average of $357,135 per entity). However, the 
Commission has determined that 12 small entities is not a ``substantial 
number'' in terms of the total number of regulated small entities under 
this Final Rule. The Final Rule applies to all NERC Registered 
Entities listed in the ``Applicability'' section of Reliability 
Standard CIP-002-4.\173\ This list includes reliability coordinators, 
balancing authorities, interchange authorities, transmission service 
providers, transmission owners, transmission operators, generator 
owners, generator operators, load serving entities and regional 
entities. Using the NERC registry, the Commission found that the number 
of small entities applicable to this rule is 306. The Commission does 
not consider 12 out of 306 (3.9%) to be a substantial number.
---------------------------------------------------------------------------

    \173\ See Reliability Standard CIP-002-4, http://www.nerc.com/files/CIP-002-4.pdf.
---------------------------------------------------------------------------

    128. In the September 15, 2011 NOPR, the Commission requested 
comment on the potential implementation cost and subsequent cost 
increases that could be experienced by such small entities. No comments 
were received.
    129. Based on the foregoing, the Commission certifies that the 
modified Reliability Standards will not have a significant impact on a 
substantial number of small entities. Accordingly, no regulatory 
flexibility analysis is required.

VI. Document Availability

    130. In addition to publishing the full text of this document in 
the Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through FERC's Home Page (http://www.ferc.gov) and in FERC's 
Public Reference Room during normal business hours (8:30 a.m. to 5 p.m. 
Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426.
    131. From FERC's Home Page on the Internet, this information is 
available on eLibrary. The full text of this document is available on 
eLibrary in PDF and Microsoft Word format for viewing, printing, and/or 
downloading. To access this document in eLibrary, type the docket 
number excluding the last three digits of this document in the docket 
number field.
    132. User assistance is available for eLibrary and FERC's Web 
site during normal business hours from FERC Online Support at 202-502-
6652 (toll free at 1-866-208-3676) or email at 
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
public.referenceroom@ferc.gov.

VII. Effective Date and Congressional Notification

    133. These regulations are effective June 25, 2012. The Commission 
has determined, with the concurrence of the Administrator of the Office 
of Information and Regulatory Affairs of OMB, that this rule is not a 
``major rule'' as defined in section 351 of the Small Business 
Regulatory Enforcement Fairness Act of 1996.

List of Subjects in 18 CFR Part 40

    Electric power, Electric utilities, Reporting and recordkeeping 
requirements.

    By the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

Appendix

                               Commenters
------------------------------------------------------------------------
               Abbreviation                           Commenter
------------------------------------------------------------------------
AMP.......................................  American Municipal Power,
                                             Inc.
Constellation.............................  Constellation Energy Group,
                                             Inc. (intervened w/o
                                             comment).
Dominion..................................  Dominion Resources Services,
                                             Inc.
Exelon....................................  Exelon Corporation.
FirstEnergy...............................  FirstEnergy Service Company.
G&T Cooperatives..........................  Associated Electric
                                             Cooperative, Inc.; Basin
                                             Electric Power Cooperative;
                                             and Tri-State Generation
                                             and Transmission
                                             Association, Inc.
Hydro-Québec..............................  Hydro-Québec
                                             TransÉnergie.
ISO/RTO Council...........................  The ISO/RTO Council.
ITC.......................................  International Transmission
                                             Company d/b/a
                                             ITCTransmission, Michigan
                                             Electric Company, LLC, ITC
                                             Midwest LLC and ITC Great
                                             Plains LLC.
KCP&L.....................................  Kansas City Power & Light
                                             Company and KCP&L Greater
                                             Missouri Operations
                                             Company.
MISO......................................  Midwest Independent
                                             Transmission System
                                             Operator, Inc.
NERC......................................  North American Electric
                                             Reliability Corporation.
PG&E......................................  Pacific Gas and Electric
                                             Company.
NV Energy.................................  Sierra Pacific Power Company
                                             and Nevada Power Company.
SPP RE....................................  Southwest Power Pool
                                             Regional Entity.
Tallahassee...............................  City of Tallahassee,
                                             Florida.
Trade Associations........................  American Public Power
                                             Association; Electricity
                                             Consumers Resource Council;
                                             Edison Electric Institute;
                                             Electric Power Supply
                                             Association; National Rural
                                             Electric Cooperative
                                             Association; and
                                             Transmission Access Policy
                                             Study Group.
------------------------------------------------------------------------

[FR Doc. 2012-9893 Filed 4-24-12; 8:45 am]