
[Federal Register Volume 76, Number 104 (Tuesday, May 31, 2011)]
[Notices]
[Pages 31320-31322]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-13475]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC11-725B-001]


Commission Information Collection Activities (FERC-725B); Comment 
Request; Submitted for OMB Review

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of section 3507 of the 
Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy 
Regulatory Commission (Commission or FERC) has submitted the 
information collection described below to the Office of Management and 
Budget (OMB) for review of the information collection requirements. Any 
interested person may file comments directly with OMB and should 
address a copy of those comments to the Commission as explained below. 
The Commission published a Notice in the Federal Register (75 FR 65618, 
10/26/2010) requesting public comments. In addition, FERC published a 
notice in the Federal Register (76 FR 19333, 4/7/2011) indicating 
submission to OMB of the information collection described below and 
that it had not received any comments regarding the collection of 
information thus far. Subsequently, FERC staff became aware of a 
comment from the Transmission Agency of Northern California (TANC) that 
had been submitted in a timely manner but internally was indexed 
incorrectly. On May 3, 2011 the Commission issued a notice extending 
the comment period \1\ (on the notice published April 7, 2011) to June 
23, 2011. The Commission is revising its submission to OMB to reflect 
receipt of the comment.
---------------------------------------------------------------------------

    \1\ The previous comment period ending on June 23rd will be 
extended to the date 30 days after publication of this revised 
notice in the Federal Register as stated in the DATES section of 
this notice.

---------------------------------------------------------------------------

DATES: Comments on the collection of information are due by June 30, 
2011.

ADDRESSES: Address comments on the collection of information to the 
Office of Management and Budget, Office of Information and Regulatory 
Affairs, Attention: Federal Energy Regulatory Commission Desk Officer. 
Comments to OMB should be filed electronically, c/o oira_submission@omb.eop.gov, and include OMB Control Number 1902-0248 for 
reference. The Desk Officer may be reached by telephone at 202-395-4638.
    A copy of the comments should also be sent to: Federal Energy 
Regulatory Commission, Secretary of the Commission, 888 First Street, 
NE., Washington, DC 20426. Comments may be filed either on paper or on 
CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be 
prepared in an acceptable filing format and in compliance with 
Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are not available for 
Docket No. IC11-725B-001, due to a system issue.
    All comments may be viewed, printed or downloaded remotely via the 
Internet through FERC's homepage using the ``eLibrary'' link. For user 
assistance, contact ferconlinesupport@ferc.gov or toll-free at (866) 
208-3676, or for TTY, contact (202) 502-8659.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail 
at DataClearance@FERC.gov, by telephone at (202) 502-8663, and by fax 
at (202) 273-0873.

SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B, 
Reliability Standards for Critical Infrastructure Protection (OMB 
Control No. 1902-0248), is required to implement the statutory 
provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 
824o). On January 18, 2008, the Commission issued Order No. 706, 
approving eight Critical Infrastructure Protection Reliability 
Standards (CIP Standards) submitted by the North American Electric 
Reliability Corporation (NERC) for Commission approval.\2\
---------------------------------------------------------------------------

    \2\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, 
CIP-007-1, CIP-008-1, and CIP-009-1.
---------------------------------------------------------------------------

    The CIP Standards require certain users, owners, and operators of 
the Bulk-Power System to comply with specific requirements to safeguard 
critical cyber assets.\3\ These standards help protect the nation's 
Bulk-Power System against potential disruptions from cyber attacks.\4\ 
The CIP Standards include one actual reporting requirement and several 
recordkeeping requirements. Specifically, CIP-008-1 requires 
responsible entities to report cyber security incidents to the 
Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). 
In addition, the eight CIP Standards 
require responsible entities to develop various policies, plans, 
programs, and procedures.\5\
---------------------------------------------------------------------------

    \3\ In addition, in accordance with section 215(d)(5) of the 
FPA, the Commission proposed to direct NERC to develop modifications 
to the CIP Reliability Standards to address specific concerns 
identified by the Commission.
    \4\ For a description of the CIP Standards, see the Critical 
Infrastructure Protection Section on NERC's Web site at 
http://www.nerc.com/page.php?cid=2\20.
    \5\ The October notice issued in this docket contains more 
information on the reporting requirements and can be found at http://elibrary.ferc.gov/idmws/File_list.asp?document_id=13857625. The 
full text of the standards can be found on NERC's Web site at 
http://www.nerc.com/page.php?cid=2\20.
---------------------------------------------------------------------------

    The CIP Standards do not require a responsible entity to report to 
the Commission, ERO or Regional Entities, the various policies, plans, 
programs and procedures. However, a showing of the documented policies, 
plans, programs and procedures is required to demonstrate compliance 
with the CIP Standards.
    Public Comment and FERC Response: TANC stated that they believed 
that the Commission did not adequately address or articulate the burden 
that falls on companies in complying with the CIP Standards and in 
particular, the hourly and cost burdens to comply with the 
documentation required by the CIP Standards. In looking at the 
commenter's submittal, FERC has decided to examine more carefully the 
burden calculations. Relying on OMB guidance in interpreting the 
requirements of the Paperwork Reduction Act of 1995, FERC has 
determined that its initial estimate of cost burden was indeed lower 
than is reasonable for the average respondent.
    FERC maintains that the universe of respondents breaks down into 
three main categories: (1) Entities that have identified Critical Cyber 
Assets and have undergone a previous audit; (2) Entities that have not 
identified Critical Cyber Assets but must show compliance with CIP-003 
R1 and CIP-002 R1 through R3; and (3) New entities that have come into 
compliance with the CIP Standards and are undergoing their first 
compliance audit. FERC's revised burden analysis is based on the average 
amount of time expended annually to obtain or maintain the information 
necessary in the event of a compliance audit. The fact that the average 
company may experience a spike in the burden hours immediately preceding 
and during a compliance audit is accounted for in the revised estimate.
    The difference between the first and third categories of 
respondents is that, as an entity goes through multiple compliance 
audits, their processes become streamlined and more automated, which 
then becomes reflected in a lessening of their burden. Other areas that 
cause the burden numbers to fluctuate deal with the size of the 
company, the number of overall electric assets they have, the number of 
critical assets and critical cyber assets that they identify, etc. 
Therefore, the total numbers currently used by FERC to calculate cost 
burden are considered the case for an average-sized company with an 
average number of Critical Assets and Critical Cyber Assets. It is 
expected that the actual burden experienced by respondents may be 
higher or lower than the Commission estimate, based on factors listed 
above.
    Based on observations over several audit cycles, FERC now thinks 
that the preparation of the audit paperwork for an entity undergoing 
their first compliance audit (respondent category 3) is approximately 
3,840 hours. This represents 20 technical personnel working 50% of 
their time over 8 weeks gathering and compiling all of the required 
paperwork to show compliance. In addition, a secondary period that is 
20% of the primary effort is estimated to be needed to respond and 
gather information generated from questions arising from the initial 
submission.
    Based on observations over several audit cycles, FERC now thinks 
that the burden associated with ongoing compliance and preparation for 
future audits (respondent category 1) is less than entities coming into 
compliance for the first time (respondent category 3) as they are 
familiar with the audit compliance process and presumably will have 
streamlined their processes to handle the data collection effort. FERC 
estimates this should result in a reduction of 50% of their effort. 
This would result in a burden of approximately 1,920 hours.
    Finally, for those entities that have not identified Critical Cyber 
Assets but must still show compliance with CIP-003 R1 and CIP-002 R1 
through R3 (respondent category 2), FERC agrees with TANC and now 
estimates that these entities must expend approximately 120 hours or 
the equivalent of 3 employees working 50% of their time for 2 weeks. 
FERC believes this is a reasonable estimate as the majority of these 
entities are small and therefore have fewer electrical assets to 
examine in order to determine if they have any Critical Assets, which 
is the first stage of the CIP-002 process.
    FERC has also reconsidered dividing the burden hours by three to 
reflect the NERC audit schedule of 3-5 years and is instead not 
dividing the burden hours at all. This is due to the fact that a 
company will have to be obtaining and maintaining the information 
necessary for an audit on a consistent basis, and not only during an 
audit that occurs every 3-5 years. Therefore, the revised burden hours 
presented here represent the average annual burden hours per 
respondent, including the spikes that may result during an audit.
    Action: The Commission is requesting a three-year extension of the 
existing collection with no changes to the requirements.
    Burden Statement: The revised estimated annual burden is shown 
below in accordance with the discussion above. The Commission has 
developed estimates using data from NERC's compliance registry as well 
as a 2009 survey that was conducted by NERC to assess the number of 
entities reporting Critical Cyber Assets.

----------------------------------------------------------------------------------------------------------------
Data collection                    Number of          Average number    Average number of      Total annual hours
                                   respondents \6\    of responses      burden hours per       (1) x (2) x (3)
                                   (1)                per respondent    response \7\
                                                      (2)               (3)
----------------------------------------------------------------------------------------------------------------
FERC-725B:
  Category 1--Estimate of U.S.     345                1                 1,920                  662,400
    Entities that have identified
    Critical Cyber Assets.
  Category 2--Estimate of U.S.     1,156              1                 120                    138,720
    Entities that have not
    identified Critical Cyber
    Assets.
  Category 3--New U.S. Entities    6                  1                 3,840                  23,040
    that have to come into
    compliance with the CIP
    Standards \8\.
  Entities no longer required to   Category 1: -2     1                 Category 1 (2          -3,840
    comply with CIP Standards                                           respondents): 1,920.
    (Two category 1 respondents
    and four category 2
    respondents).                  Category 2: -4                       Category 2 (4          -480
                                                                        respondents): 120.
----------------------------------------------------------------------------------------------------------------
  Totals                           1,501                                                       819,840
----------------------------------------------------------------------------------------------------------------

    The total estimated annual cost burden to respondents is:
---------------------------------------------------------------------------

    \6\ The NERC Compliance Registry as of 9/28/2010 indicated that 
2079 entities were registered for NERC's compliance program. Of 
these, 2057 were identified as being U.S. entities. Staff concluded 
that of the 2057 U.S. entities, only 1501 were registered for at 
least one CIP-related function. According to an April 7, 2009, memo 
to industry, NERC's VP and Chief Security Officer noted that only 
31% of entities responded to an earlier survey and reported that 
they had at least one Critical Asset, and only 23% reported having a 
Critical Cyber Asset. Staff applied the 23% reporting to the 1501 
figure to obtain an estimate. The 6 new entities listed here are 
assumed to match a similar set of 6 entities that would drop out in 
an existing year. Thus, the net estimate of respondents remains at 
1501 per year.
    \7\ Calculations:
    Respondent category 3:
    20 employees x (working 50%) x (40 hrs/week) x (8 weeks) = 3200 
hours
    20 employees x (working 20%) x (3200 hrs) = 640 hours
    Total = 3840
    Respondent category 2:
    3 employees x (working 50%) x (40 hrs/week) x (2 weeks) = 120 
hours
    Respondent category 1:
    50% of 3840 hours = 1920
    \8\ These respondents and those in the subsequent column of the 
table (with the corresponding burden and cost figures) were not 
included in the 60-day public notice due to an oversight by 
Commission staff.
---------------------------------------------------------------------------

     Category 1, Entities that have identified Critical Assets 
= 658,560 (662,400-3,840) hours @ $96 = $63,221,760
     Category 2, Entities that have not identified Critical 
Assets = 138,240 (138,720-480) hours @ $96 = $13,271,040
     Category 3, New U.S. Entities that have to comply with CIP 
Standards = 23,040 hours @ $96 = $2,211,840
     Storage Costs for Entities that have identified Critical 
Assets \9\ = 345 Entities @ $15.25 = $5,261
---------------------------------------------------------------------------

    \9\ This cost category was not included in the 60-day public 
notice due to an oversight by Commission staff.
---------------------------------------------------------------------------

     Total Cost for the FERC-725B = $78,709,901

The hourly rate of $96 is the average cost of legal services ($230 per 
hour), technical employees ($40 per hour) and administrative support 
($18 per hour), based on hourly rates from the Bureau of Labor 
Statistics (BLS) and the 2009 Billing Rates and Practices Survey 
Report.\10\ The $15.25 rate for storage costs for each entity is an 
estimate based on the average costs to service and store 1 GB of data 
to demonstrate compliance with the CIP Standards.\11\
---------------------------------------------------------------------------

    \10\ Bureau of Labor Statistics figures were obtained from 
http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing 
Rates figures were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were 
based on the national average billing rate (contracting out) from 
the above report and BLS hourly earnings (in-house personnel). It is 
assumed that 25% of respondents have in-house legal personnel.
    \11\ Based on the aggregate cost of an IBM advanced data 
protection server.
---------------------------------------------------------------------------

    The reporting burden includes the total time, effort, or financial 
resources expended to generate, maintain, retain, disclose, or provide 
the information including: (1) Reviewing instructions; (2) developing, 
acquiring, installing, and utilizing technology and systems for the 
purposes of collecting, validating, verifying, processing, maintaining, 
disclosing and providing information; (3) adjusting the existing ways 
to comply with any previously applicable instructions and requirements; 
(4) training personnel to respond to a collection of information; (5) 
searching data sources; (6) completing and reviewing the collection of 
information; and (7) transmitting, or otherwise disclosing the 
information.
    Comments are invited on: (1) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimates of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility and clarity of the information to be collected; and (4) ways to 
minimize the burden of the collections of information on those who are 
to respond, including the use of appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology, e.g. permitting electronic submission of 
responses.

    Dated: May 25, 2011.
Kimberly D. Bose,
Secretary.
[FR Doc. 2011-13475 Filed 5-27-11; 8:45 am]


