
[Federal Register Volume 74, Number 120 (Wednesday, June 24, 2009)]
[Notices]
[Pages 30067-30068]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-14795]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. RM06-22-006; Order No. 706-C]


Mandatory Reliability Standards for Critical Infrastructure 
Protection

Issued June 18, 2009.
AGENCY: Federal Energy Regulatory Commission.

ACTION: Order denying request for clarification.

-----------------------------------------------------------------------

SUMMARY: On March 19, 2009, the Commission issued Order No. 706-B which 
clarified the scope of Critical Infrastructure Protection Reliability 
Standards which were approved in Commission Order No. 706. The 
Commission is denying a request for clarification of Order No. 706-B 
filed by the Edison Electric Institute.

DATES: Effective Date: This rule will become effective June 24, 2009.

FOR FURTHER INFORMATION CONTACT:

Jonathan First (Legal Information), Office of General Counsel, 888 
First Street, NE., Washington, DC 20426, (202) 502-8529.
Regis Binder (Technical Information), Office of Electric Reliability, 
888 First Street, NE., Washington, DC 20426, (301) 665-1601.

SUPPLEMENTARY INFORMATION: 
Before Commissioners: Jon Wellinghoff, Chairman; Suedeen G. Kelly, 
Marc Spitzer, and Philip D. Moeller.

Order Denying Request for Clarification

Issued June 18, 2009.
    1. In this order, the Commission denies the Edison Electric 
Institute's

[[Page 30068]]

(EEI's) request for clarification of Order No. 706-B.\1\ Specifically, 
the Commission denies EEI's request that the Commission clarify its 
views with regard to the need and the time frame for the Commission's 
developing a memorandum of understanding or other means of coordinating 
cyber-security related activities with the U.S. Nuclear Regulatory 
Commission (NRC). Likewise, the Commission denies EEI's request that 
the Commission clarify that the North American Electric Reliability 
Corporation (NERC) must seek stakeholder input in developing and 
implementing an ``exception process'' as discussed in Order No. 706-B.
---------------------------------------------------------------------------

    \1\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ] 61,040 (2008) (Order No. 706); 
order on reh'g, Order No. 706-A, 123 FERC ] 61,174 (2008) (Order No. 
706-A); order on clarification, Order No. 706-B, 126 FERC ] 61,229 
(2009) (Order No. 706-B).
---------------------------------------------------------------------------

I. Background

    2. In Order No. 706, the Commission approved the Critical 
Infrastructure Protection (CIP) Reliability Standards that require 
certain users, owners and operators of the Bulk-Power System, including 
generator owners and operators, to comply with specific requirements to 
safeguard critical cyber assets. In addition, pursuant to section 
215(d)(5) of the Federal Power Act (FPA),\2\ the Commission directed 
the ERO to develop modifications to the CIP Reliability Standards to 
address specific concerns identified by the Commission.
---------------------------------------------------------------------------

    \2\ 16 U.S.C. 824o(d)(5)(2006).
---------------------------------------------------------------------------

    3. In Order No. 706-B, the Commission clarified the scope of the 
CIP Reliability Standards approved in Order No. 706 to assure that no 
``gap'' occurs in the applicability of these Standards. In particular, 
each of the CIP Reliability Standards provides that facilities 
regulated by the NRC are exempt from the Standard. The Commission 
explained that NRC staff had raised a concern at a joint public meeting 
of the NRC and the Commission that NRC regulations do not extend to all 
equipment within a nuclear power plant. Thus, to assure that there is 
no ``gap'' in the regulatory process, the Commission clarified that the 
``balance of plant'' equipment within a nuclear power plant in the 
United States that is not subject to NRC cyber security regulations,\3\ 
is subject to compliance with the CIP Reliability Standards approved in 
Order No. 706. The Commission explained that:
---------------------------------------------------------------------------

    \3\ U.S. Nuclear Regulatory Commission, Power Reactor Security 
Requirements; Final Rule, 74 FR 13926 (Mar. 27, 2009).

    a nuclear power plant licensee may seek an exception from the 
ERO to the extent that the licensee believes that specific equipment 
within the balance of plant is subject to NRC cyber security 
regulations. If the ERO grants the exception, that equipment within 
the balance of plant would not be subject to compliance with the CIP 
Reliability Standards. We would expect that the ERO would make such 
determinations with the consultation of NRC and oversight of 
Commission staff. Thus, to further the development of this ERO 
process, the ERO should consider the appropriateness of developing a 
memorandum of understanding with the NRC, or revising existing 
agreements, to address such matters as NRC staff consultation in the 
exception application process and sharing of Safeguard[s] 
Information.\4\
---------------------------------------------------------------------------

    \4\ Id. P 50. Safeguards information is a special category of 
sensitive unclassified information to be protected pursuant to 
Section 147 of the Atomic Energy Act, 42 U.S.C. 2167 (2006). 
Safeguards information concerns the physical protection of operating 
power reactors, spent fuel shipments, strategic special nuclear 
material, or other radioactive material. See 10 CFR 73.21 (2009) 
(setting forth requirements for the protection of safeguards 
information, including access to such information).

    4. In response to comments suggesting that the NRC and the 
Commission develop a memorandum of understanding, the Commission agreed 
that it is advisable for the two commissions to coordinate their 
respective cyber security-related activities with regard to nuclear 
power plants.\5\ However, the Commission declined to resolve for 
purposes of the proceeding the need for a new memorandum of 
understanding between the two commissions.
---------------------------------------------------------------------------

    \5\ Id. P 55.
---------------------------------------------------------------------------

II. EEI Request for Clarification

    5. EEI requests that the Commission clarify its views with respect 
to the need and the time frame for the Commission's developing a 
memorandum of understanding or other means of coordinating cyber 
security-related activities with the NRC. EEI suggests that, given the 
volume of work on cyber security matters and recent regulatory changes 
such as the NRC's issuance of its cyber security regulations, it is 
vital that the Commission and the NRC commit to develop a memorandum of 
understanding on an expeditious schedule. EEI expresses concern that 
the Commission's deferral of a decision on the need for a memorandum of 
understanding may lead to confusion and regulatory uncertainty.
    6. EEI also requests that the Commission clarify that NERC should 
seek stakeholder input in developing and implementing both the 
``exception process'' and any process for sharing Safeguards 
Information. EEI posits that stakeholder input and industry technical 
expertise will be critical to implementing both processes.

III. Discussion

    7. The Commission denies EEI's request for clarification. The 
Commission and the NRC entered into a memorandum of agreement in 
September 2004.\6\ The Commission views the decision of whether to 
develop a new or revised memorandum of agreement with the NRC, and the 
timing of that decision, as an intra-governmental matter between the 
two commissions. Accordingly, the Commission will not make commitments 
to EEI or others in this proceeding regarding the scope or timing of 
any coordinated activities between the Commission and the NRC.
---------------------------------------------------------------------------

    \6\ The memorandum of agreement is available on the Commission's 
Web site, at http://www.ferc.gov/legal/maj-ord-reg/mou.asp.
---------------------------------------------------------------------------

    8. As for EEI's request that the Commission clarify that NERC 
should seek stakeholder input in developing and implementing an 
exception process and process for sharing Safeguard Information, we 
note that NERC sought stakeholder input in a ``Town Hall Meeting'' on 
``Auditing of U.S. Nuclear Plants for CIP Standards Compliance'' held 
on June 11, 2009. We expect that NERC will allow for further 
stakeholder input regarding these processes. Thus, we see no need to 
address EEI's request.

The Commission orders:

    Edison Electric Institute's request for clarification is hereby 
denied, as discussed in the body of this order.

    By the Commission.
Kimberly D. Bose,
Secretary.
[FR Doc. E9-14795 Filed 6-23-09; 8:45 am]
BILLING CODE 6717-01-P


