
[Federal Register Volume 78, Number 232 (Tuesday, December 3, 2013)]
[Rules and Regulations]
[Pages 72755-72787]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-28628]



[[Page 72755]]

Vol. 78

Tuesday,

No. 232

December 3, 2013

Part II





 Department of Energy





-----------------------------------------------------------------------





 Federal Energy Regulatory Commission





-----------------------------------------------------------------------





18 CFR Part 40





 Version 5 Critical Infrastructure Protection Reliability Standards; 
Final Rule

  Federal Register / Vol. 78 , No. 232 / Tuesday, December 3, 2013 / 
Rules and Regulations  

[[Page 72756]]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM13-5-000]


Version 5 Critical Infrastructure Protection Reliability 
Standards

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: Pursuant to section 215 of the Federal Power Act, the 
Commission approves the Version 5 Critical Infrastructure Protection 
Reliability Standards, CIP-002-5 through CIP-011-1, submitted by the 
North American Electric Reliability Corporation (NERC), the Commission-
certified Electric Reliability Organization. The CIP version 5 
Standards address the cyber security of the bulk electric system and 
are an improvement over the current Commission-approved CIP Reliability 
Standards. The CIP version 5 Standards adopt new cyber security 
controls and extend the scope of the systems that are protected by the 
CIP Reliability Standards. The Commission also approves nineteen new or 
revised definitions associated with the CIP version 5 Standards for 
inclusion in the Glossary of Terms Used in NERC Reliability Standards. 
In addition, the Commission directs NERC to develop modifications to 
the CIP version 5 Standards and submit informational filings.

DATES: This rule will become effective February 3, 2014.

FOR FURTHER INFORMATION CONTACT: Austin Rappeport (Technical 
Information), Office of Electric Reliability, Division of Reliability 
Standards and Security, Federal Energy Regulatory Commission, 1800 Dual 
Highway, Suite 201, Hagerstown, MD 21740, Telephone: (301) 665-1393; 
Daniel Phillips (Technical Information), Office of Electric 
Reliability, Division of Reliability Standards and Security, Federal 
Energy Regulatory Commission, 888 First Street NE., Washington, DC 
20426, Telephone: (202) 502-6387; Kevin Ryan (Legal Information), 
Office of the General Counsel, Federal Energy Regulatory Commission, 
888 First Street NE., Washington, DC 20426, Telephone: (202) 502-6840; 
Matthew Vlissides (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, Telephone: (202) 502-8408.

SUPPLEMENTARY INFORMATION:

145 FERC ] 61,160

United States of America

Federal Energy Regulatory Commission

Before Commissioners: Jon Wellinghoff, Chairman; Philip D. Moeller, 
John R. Norris, Cheryl A. LaFleur, and Tony Clark.

Version 5 Critical Infrastructure Protection Reliability Standards

Docket No. RM13-5-000

Order No. 791

Final Rule

(Issued November 22, 2013)

    1. Pursuant to section 215 of the Federal Power Act (FPA),\1\ the 
Commission approves the Version 5 Critical Infrastructure Protection 
(CIP) Reliability Standards, CIP-002-5 through CIP-011-1, submitted by 
the North American Electric Reliability Corporation (NERC), the 
Commission-certified Electric Reliability Organization (ERO). The CIP 
version 5 Standards address the cyber security of the bulk electric 
system and are an improvement over the current Commission-approved CIP 
Reliability Standards. The CIP version 5 Standards adopt new cyber 
security controls and extend the scope of the systems that are 
protected by the CIP Reliability Standards. The Commission also 
approves nineteen new or revised definitions associated with the CIP 
version 5 Standards for inclusion in the Glossary of Terms Used in NERC 
Reliability Standards (NERC Glossary).
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o (2012).
---------------------------------------------------------------------------

    2. The CIP version 5 Standards identify and categorize BES Cyber 
Systems using a new methodology based on whether a BES Cyber System has 
a Low, Medium, or High Impact on the reliable operation of the bulk 
electric system. At a minimum, a BES Cyber System must be categorized 
as a Low Impact asset. Once a BES Cyber System is categorized, a 
responsible entity must comply with the associated requirements of the 
CIP version 5 Standards that apply to the impact category. The CIP 
version 5 Standards also include 12 requirements with new cyber 
security controls, which address Electronic Security Perimeters (CIP-
005-5), Systems Security Management (CIP-007-5), Incident Reporting and 
Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems 
(CIP-009-5), and Configuration Change Management and Vulnerability 
Assessments (CIP-010-1).
    The CIP version 5 Standards are an improvement over the currently-
approved CIP Reliability Standards. The Commission determines that 
categorizing BES Cyber Systems based on their Low, Medium, or High 
Impact on the reliable operation of the bulk electric system, with all 
BES Cyber Systems being categorized as at least Low Impact, offers more 
comprehensive protection of the bulk electric system. The Commission 
also finds that the new cyber security controls improve the security 
posture of responsible entities. Accordingly, the Commission approves 
the CIP version 5 Standards.
    3. In addition to approving the CIP version 5 Standards, pursuant 
to section 215(d)(5) of the FPA, we direct NERC to develop 
modifications to the CIP version 5 Standards. As discussed below, we 
also direct NERC to submit informational filings regarding certain 
issues during and following implementation of the CIP version 5 
Standards.\2\
---------------------------------------------------------------------------

    \2\ We note that the informational filings directed in this 
Final Rule are for informational purposes only and will not be 
noticed, nor require Commission action.
---------------------------------------------------------------------------

    4. First, pursuant to section 215(d)(5) of the FPA, the Commission 
directs NERC to remove language found in 17 requirements in the CIP 
version 5 Standards that requires responsible entities to implement the 
requirements in a manner to ``identify, assess, and correct'' 
deficiencies.\3\ We support NERC's move away from a ``zero tolerance'' 
approach to compliance, the development of strong internal controls by 
responsible entities, and NERC's development of standards that focus on 
the activities that have the greatest impact on Bulk-Power System 
reliability. However, the Commission is concerned that the proposed 
language is overly-vague, lacking basic definition and guidance that is 
needed, for example, to distinguish a successful internal control 
program from one that is inadequate. Alternatively, NERC may propose 
modifications that address the Commission concerns, discussed below, 
regarding the ambiguity and enforceability of the ``identify, assess, 
and correct'' language. The Commission directs NERC to submit a 
proposal for Commission approval within one year from the effective 
date of this Final Rule.\4\
---------------------------------------------------------------------------

    \3\ See NERC Petition at 33.
    \4\ The proposed one year deadline would pertain only to 
addressing the ``identify, assess and correct'' language and the 
directive concerning communication networks, not to the other 
proposed modifications discussed below.
---------------------------------------------------------------------------

    5. Second, pursuant to section 215(d)(5) of the FPA, the Commission

[[Page 72757]]

directs NERC to develop modifications that address security controls 
for Low Impact assets. As discussed below, the adoption of the Low 
Impact BES Cyber Asset category will expand the protections offered by 
the CIP version 5 Standards to additional assets that could cause cyber 
security risks to the bulk electric system. Specifically, categorizing 
BES Cyber Systems based on their Low, Medium, or High Impact on the 
reliable operation of the bulk electric system, with all BES Cyber 
Systems being categorized as at least Low Impact, offers more 
comprehensive protection of the bulk electric system. However, the CIP 
version 5 Standards do not require specific controls for Low Impact 
assets nor do they contain objective criteria from which to judge the 
sufficiency of the controls ultimately adopted by responsible entities 
for Low Impact assets. As discussed below, we direct that NERC develop 
modifications to the CIP version 5 Standards to address this concern. 
While NERC may address this concern by developing specific controls for 
Low Impact facilities, it has the flexibility to address it through 
other means, including those discussed below.
    6. Third, we approve the definition of BES Cyber Asset. In 
addition, we direct NERC, pursuant to section 215(d)(5) of the FPA, to 
develop requirements that protect transient electronic devices (e.g., 
thumb drives and laptop computers) that fall outside of the BES Cyber 
Asset definition.\5\ While we are persuaded by NERC and others that it 
would be burdensome to include transient devices as BES Cyber Assets, 
we also believe that further protections are needed in light of the 
potential vulnerabilities associated with transient devices. Further, 
as discussed below, to better understand the scope and reach of the 
term BES Cyber Asset, we direct NERC to conduct a survey of responsible 
entities during the CIP version 5 Standards implementation periods to 
determine the number of assets, by type, that fall outside the 
definition of BES Cyber Asset because the assets do not satisfy the 
``15-minute'' parameter.\6\ The Commission directs NERC to submit an 
informational filing one year from the effective date of this Final 
Rule that assesses, based on the survey results, whether the BES Cyber 
Asset definition will, with the 15-minute parameter, cover the assets 
that are necessary to ensure the reliable operation of the Bulk-Power 
System.
---------------------------------------------------------------------------

    \5\ As discussed below, NERC's definition of BES Cyber Asset 
provides that a ``Cyber Asset is not a BES Cyber Asset if, for 30 
consecutive calendar days or less, it is directly connected to a 
network within an [Electronic Security Perimeter], a Cyber Asset 
within an [Electronic Security Perimeter], or to a BES Cyber Asset, 
and it is used for data transfer, vulnerability assessment, 
maintenance, or troubleshooting purposes.''
    \6\ NERC's BES Cyber Asset definition only includes Cyber Assets 
that ``if rendered unavailable, degraded, or misused would, within 
15 minutes of its required operation, misoperation, or non-
operation, adversely impact one or more Facilities, systems, or 
equipment. . . .''
---------------------------------------------------------------------------

    7. Fourth, the Commission approves the definition of Cyber Asset. 
In addition, pursuant to section 215(d)(5) of the FPA, the Commission 
directs NERC to create a definition of communication networks and to 
develop new or modified Reliability Standards that address the 
protection of communication networks. The Commission also directs its 
staff to include the issue of protecting the nonprogrammable components 
of communications networks in the staff-led technical conference 
discussed herein.
    8. The Commission approves 30 of the 32 Violation Risk Factors 
(VRF) proposed by NERC. However, the Commission directs NERC to modify 
the VRF assignment for Reliability Standard CIP-006-5, Requirement R3 
from Lower to Medium and to modify the VRF assigned to Reliability 
Standard CIP-004-5, Requirement R4 from Lower to Medium. In addition, 
we direct NERC to modify eight of the Violation Severity Levels (VSLs) 
for the CIP version 5 Standards.
    9. The Commission approves NERC's proposal to allow responsible 
entities to transition from compliance with the currently-effective CIP 
version 3 Standards to compliance with the CIP version 5 Standards. 
Thus, CIP-002-4 through CIP-009-4 will not become effective, and CIP-
002-3 through CIP-009-3 will remain in effect until the effective date 
of the CIP version 5 Standards.\7\ The Commission also approves the 
implementation plan and effective dates proposed by NERC.
---------------------------------------------------------------------------

    \7\ On August 12, 2013, the Commission granted an extension of 
time to implement the CIP version 4 Standards from April 1, 2014 to 
October 1, 2014. N. Am. Elec. Reliability Corp., 144 FERC ] 61,123 
(2013).
---------------------------------------------------------------------------

I. Background

A. Section 215 of the FPA

    10. Section 215 of the FPA requires the Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Once approved, the Reliability 
Standards may be enforced in the United States by the ERO, subject to 
Commission oversight, or by the Commission independently.\8\ Pursuant 
to the requirements of FPA section 215, the Commission established a 
process to select and certify an ERO.\9\ The Commission subsequently 
certified NERC as the ERO.\10\
---------------------------------------------------------------------------

    \8\ 16 U.S.C. 824o(e)(3) (2012).
    \9\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ] 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ] 31,212 (2006).
    \10\ N. Am. Elec. Reliability Corp., 116 FERC ] 61,062, order on 
reh'g and compliance, 117 FERC ] 61,126 (2006), aff'd sub nom. Alcoa 
Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Order Nos. 706 and 761

1. Order No. 706
    11. On January 18, 2008, the Commission issued Order No. 706, which 
approved the CIP version 1 Standards to address cyber security of the 
Bulk-Power System.\11\ In Order No. 706, the Commission approved eight 
CIP Reliability Standards (CIP-002-1 through CIP-009-1). While 
approving the CIP version 1 Standards, the Commission also directed 
NERC to develop modifications to them to enhance the protection 
provided by the CIP Reliability Standards. Subsequently, NERC filed the 
CIP version 2 and CIP version 3 Standards in partial compliance with 
Order No. 706. The Commission approved these Reliability Standards in 
September 2009 \12\ and March 2010,\13\ respectively.
---------------------------------------------------------------------------

    \11\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ] 61,040, order on reh'g, Order 
No. 706-A, 123 FERC ] 61,174 (2008), order on clarification, Order 
No. 706-B, 126 FERC ] 61,229 (2009), order on clarification, Order 
No. 706-C, 127 FERC ] 61,273 (2009).
    \12\ N. Am. Elec. Reliability Corp., 128 FERC ] 61,291, order 
denying reh'g and granting clarification, 129 FERC ] 61,236 (2009).
    \13\ N. Am. Elec. Reliability Corp., 130 FERC ] 61,271 (2010).
---------------------------------------------------------------------------

2. Order No. 761
    12. On April 19, 2012, the Commission issued Order No. 761, which 
approved the CIP version 4 Standards (CIP-002-4 through CIP-009-4).\14\ 
Reliability Standard CIP-002-4 (Critical Cyber Asset Identification) 
sets forth 17 uniform ``bright line'' criteria for identifying Critical 
Assets. The Commission also accepted NERC's proposed implementation 
schedule for the CIP version 4 Standards, which are currently scheduled 
to be fully implemented and enforceable beginning October 2014.\15\
---------------------------------------------------------------------------

    \14\ Version 4 Critical Infrastructure Protection Reliability 
Standards, Order No. 761, 77 Fed. Reg. 24,594 (Apr. 25, 2012), 139 
FERC ] 61,058 (2012), order denying reh'g, 140 FERC ] 61,109 (2012).
    \15\ As noted above, the Commission extended the compliance 
deadline for the CIP version 4 Standards in Order No. 761 from April 
2014 to October 2014.

---------------------------------------------------------------------------

[[Page 72758]]

C. NERC Petition and CIP Version 5 Standards

1. NERC Petition and Errata
    13. In its January 31, 2013 petition, NERC seeks Commission 
approval of the CIP version 5 Standards, nineteen new or revised NERC 
Glossary terms, VRF and VSL assignments, and an implementation 
plan.\16\ NERC maintains that the CIP version 5 Standards are just and 
reasonable, as they meet or exceed each of the guidelines that the 
Commission identified in Order No. 672 for evaluating a proposed 
Reliability Standard.\17\ NERC asserts that the CIP version 5 Standards 
``serve the important reliability goal of providing a cybersecurity 
framework for the identification and protection of BES Cyber Systems . 
. . to support the reliable operation of the Bulk Power System.'' \18\ 
In addition, NERC states that the CIP version 5 Standards are 
``designed to be clear and unambiguous'' and the Commission should 
approve the CIP version 5 Standards as ``clearly enforceable.'' \19\
---------------------------------------------------------------------------

    \16\ Reliability Standards CIP-002-5 through CIP-011-1 are not 
attached to this Final Rule. The complete text of CIP version 5 
Standards is available on the Commission's eLibrary document 
retrieval system in Docket No. RM13-5-000 and is posted on the ERO's 
Web site, available at http://www.nerc.com.
    \17\ See NERC Petition at 8 (citing Order No. 672, FERC Stats. & 
Regs. ] 31,204 at PP 320-337). See also NERC Petition, Exh. G (Order 
No. 672 Criteria for Approving Proposed Reliability Standards).
    \18\ Id. at 10.
    \19\ Id. at 27.
---------------------------------------------------------------------------

    14. Further, NERC maintains that the CIP version 5 Standards 
represent a significant improvement to the currently-approved CIP 
Reliability Standards, as the CIP version 5 Standards require 
responsible entities to use a new approach to categorize all cyber 
systems impacting the bulk electric system as having a Low, Medium, or 
High Impact.\20\ NERC states that the new approach to classifying cyber 
systems ``moves away from the CIP version 4 `bright-line' approach of 
only identifying Critical Assets (and applying CIP requirements only to 
their associated Critical Cyber Assets), to requiring a minimum 
classification of `Low Impact' for all BES Cyber Systems.'' \21\ NERC 
states that the adoption of the Low-Medium-High Impact categorization 
``resulted from a review of the National Institute of Standards and 
Technology (NIST) Risk Management Framework for categorizing and 
applying security controls, a review that was directed by the 
Commission in Order No. 706.'' \22\
---------------------------------------------------------------------------

    \20\ See id. at 15.
    \21\ Id.
    \22\ Id.
---------------------------------------------------------------------------

    15. NERC also notes the adoption of new language within several of 
the CIP version 5 Standards in which the standard drafting team 
incorporated ``a requirement that Responsible Entities implement cyber 
policies in a manner to 'identify, assess, and correct' deficiencies.'' 
\23\ NERC states that the ``identify, assess, and correct'' language is 
``[c]onsistent with the NIST Risk Management Framework and the 
Commission's guidance in prior orders,'' asserting that the 
``implementation of certain CIP version 5 requirements in a manner to 
`identify, assess, and correct' deficiencies emulates the FERC Policy 
Statement on Penalty Guidelines.'' \24\ NERC further states that the 
``identify, assess, and correct'' language ``is included as a 
performance expectation in the requirements, not as an enforcement 
component.'' \25\
---------------------------------------------------------------------------

    \23\ Id. at 33.
    \24\ Id.
    \25\ Id.
---------------------------------------------------------------------------

    16. NERC asserts that the CIP version 5 Standards address ``all 
applicable directives in Order No. 706'' while ``eliminating 
unnecessary documentation requirements to allow entities to focus on 
the reliability and security of the Bulk Power System.'' \26\ 
Accordingly, NERC requests that the Commission approve the CIP version 
5 Standards, the new and revised definitions, the associated VRF and 
VSL assignments, and the implementation plan. NERC requests that the 
CIP version 5 Standards become effective on ``the first day of the 
eighth calendar quarter after a Final Rule is issued in this docket.'' 
\27\
---------------------------------------------------------------------------

    \26\ Id. at 5.
    \27\ Id. at 2.
---------------------------------------------------------------------------

    17. NERC requests prompt Commission action approving the CIP 
version 5 Standards and associated implementation plan.\28\ With regard 
to the implementation plan, NERC states that the proposed language 
``would allow entities to transition from CIP Version 3 to CIP Version 
5, thereby bypassing implementation of CIP Version 4 completely upon 
Commission approval.'' \29\ NERC asserts that prompt approval of the 
CIP version 5 Standards and implementation plan ``would reduce 
uncertainty among Responsible Entities regarding implementation of the 
CIP standards.'' \30\
---------------------------------------------------------------------------

    \28\ Id. at 5.
    \29\ Id. at 4.
    \30\ Id. at 5.
---------------------------------------------------------------------------

    18. On September 30, 2013, NERC filed an errata with corrections to 
the VSLs for the CIP version 5 Standards and revisions to the 
definitions of Electronic Access Control or Monitoring Systems and 
Interactive Remote Access in which the term ``Intermediate Devices'' is 
replaced with the term ``Intermediate Systems.'' On October 1, 2013, 
NERC filed a supplemental errata to correct a formatting error in the 
September 30 errata.
2. CIP Version 5 Standards and NERC Explanation of Provisions
    19. The CIP version 5 Standards include ten new or modified 
Reliability Standards.
    20. CIP-002-5--Cyber Security--BES Cyber System Categorization: 
CIP-002-5 is the first step in identifying BES Cyber Systems, which are 
assets which must be protected by the cyber security standards. If a 
responsible entity does not identify any BES Cyber Systems, it does not 
have compliance responsibility under the rest of the proposed CIP 
Standards. However, a responsible entity that identifies BES Cyber 
Systems must comply with CIP-003-5 to CIP-011-1, according to specific 
criteria that characterize the impact of the identified BES Cyber 
Systems.
    21. In particular, CIP-002-5 adds two new terms to the NERC 
Glossary that define the assets subject to CIP protections. First, NERC 
defines a BES Cyber Asset as ``[a] Cyber Asset that if rendered 
unavailable, degraded, or misused would, within 15 minutes of its 
required operation, misoperation, or non-operation, adversely impact 
one or more Facilities, systems, or equipment, which, if destroyed, 
degraded, or otherwise rendered unavailable when needed, would affect 
the reliable operation of the Bulk Electric System.'' \31\ Second, NERC 
defines a BES Cyber System as ``[o]ne or more BES Cyber Assets 
logically grouped by a responsible entity to perform one or more 
reliability tasks for a functional entity.'' \32\
---------------------------------------------------------------------------

    \31\ Id. at 14.
    \32\ Id.
---------------------------------------------------------------------------

    22. NERC states that Reliability Standard CIP-002-5 will require 
the identification and categorization of BES Cyber Systems according to 
specific criteria that characterize their impact for the application of 
cyber security requirements commensurate with the adverse impact that 
loss, compromise, or misuse of those BES Cyber Systems could have on 
the reliable operation of the bulk electric system.\33\
---------------------------------------------------------------------------

    \33\ Id. at 11.
---------------------------------------------------------------------------

    23. NERC states that CIP-002-5 ``Attachment 1--Impact Rating 
Criteria'' identifies three categories of BES Cyber Systems. The High 
Impact category

[[Page 72759]]

covers large control centers, similar to those control centers 
identified as Critical Assets in CIP-002-4. The Medium Impact category 
covers generation and transmission facilities, similar to those 
identified as Critical Assets in CIP-002-4, along with other control 
centers not identified as Critical Assets in CIP-002-4. The Low Impact 
category covers all other BES Cyber Systems. NERC states that the Low 
Impact category provides protections for systems not included in the 
CIP version 4 Standards.\34\
---------------------------------------------------------------------------

    \34\ Id.
---------------------------------------------------------------------------

    24. Once a responsible entity identifies a BES Cyber System under 
CIP-002-5, the entity must comply with the controls included in 
Reliability Standards CIP-003-5 to CIP-011-1 corresponding to its 
impact category.\35\
---------------------------------------------------------------------------

    \35\ Id.
---------------------------------------------------------------------------

    25. CIP-003-5--Cyber Security--Security Management Controls: NERC 
states that Reliability Standard CIP-003-5 will require approval by a 
CIP Senior Manager of the documented cyber security policies related to 
CIP-004-5 through CIP-009-5, CIP-010-1, and CIP-011-1. Reliability 
Standard CIP-003-5, Requirement R2, will require implementation of 
policies related to cyber security awareness, physical security 
controls, electronic access controls, and incident response to a Cyber 
Security Incident for those assets that have Low Impact BES Cyber 
Systems under CIP-002-5's categorization process. According to NERC, a 
requirement that a Cyber Security Policy be ``readily available'' was 
deleted because of general confusion around that term and because 
training requirements in CIP-004-5 provide for knowledge of reliability 
policies. NERC states that it moved several provisions of requirements 
related to information protection in previous CIP versions to CIP-011-1 
and, therefore, deleted the requirements from CIP-003-5.\36\
---------------------------------------------------------------------------

    \36\ Id. at 11-12.
---------------------------------------------------------------------------

    26. CIP-004-5--Cyber Security--Personnel and Training: NERC states 
that Reliability Standard CIP-004-5 will require documented processes 
or programs for security awareness, cyber security training, personnel 
risk assessment, and access management. Requirement R2 of CIP-004-5 
adds specific training roles for visitor control programs, electronic 
interconnectivity supporting the operation and control of BES Cyber 
Systems, and storage media as part of the treatment of BES Cyber System 
Information. NERC states that the drafting team modified the 
requirements pertaining to personnel risk assessments and access 
management in response to lessons learned from implementing previous 
versions. Reliability Standard CIP-004-5, Requirement R3, now specifies 
that the seven year criminal history check covers all locations where 
the individual has resided for six consecutive months or more without 
specifying school, work, etc., and regardless of official residence. 
Reliability Standard CIP-004-5, Requirement R4 now combines the access 
management requirements from CIP-003-4, CIP-004-4, CIP-006-4, and CIP-
007-4 into a single requirement. These requirements from the CIP 
version 4 Standards, as incorporated in Requirement R4, remain largely 
unchanged except to clarify certain terminology. NERC states that 
combining these requirements improves consistency in the authorization 
and review process. Reliability Standard CIP-004-5 modifies Requirement 
R4 by removing the obligation to maintain a list of authorized 
personnel. NERC explains that the removal is appropriate because the 
list represents only one form of evidence to demonstrate compliance 
that only authorized persons have access. Requirement R5 requires a 
registered entity to revoke a terminated employee's access concurrent 
with his or her termination, to be completed within 24 hours.\37\
---------------------------------------------------------------------------

    \37\ Id. at 12.
---------------------------------------------------------------------------

    27. CIP-005-5--Cyber Security--Electronic Security Perimeter(s): 
NERC states that Reliability Standard CIP-005-5, Requirement R1, 
focuses on the discrete Electronic Access Points rather than the 
logical ``perimeter,'' which is the focus of currently-effective CIP-
005-3. Requirement R1.2 of the currently-effective CIP-005-3 has been 
deleted from the CIP version 5 Standards. NERC explains that 
Requirement R1.2 is definitional and was used to bring dial-up modems 
using non-routable protocols into the scope of previous versions of 
CIP-005. According to NERC, the non-routable blanket exemption included 
in the CIP version 1 through version 4 Standards was removed from CIP-
002-5.
    28. CIP-006-5--Cyber Security--Physical Security of BES Cyber 
Systems: NERC states that Reliability Standard CIP-006-5 is intended to 
manage physical access to BES Cyber Systems by specifying a physical 
security plan to protect BES Cyber Systems against compromise that 
could lead to misoperation or instability. Reliability Standard CIP-
006-5 reflects the retirement of Requirements R8.2 and R8.3 of 
Commission-approved CIP-006-4, concerning the retention of testing 
records. According to NERC, the retention period is now specified in 
the compliance section of Reliability Standard CIP-006-5.\38\
---------------------------------------------------------------------------

    \38\ Id.
---------------------------------------------------------------------------

    29. CIP-007-5--Cyber Security--Systems Security Management: NERC 
states that Reliability Standard CIP-007-5 addresses system security by 
specifying technical, operational, and procedural requirements in 
support of protecting BES Cyber Systems against compromise that could 
lead to misoperation or instability of the bulk electric system. NERC 
states that it modified CIP-007-5 to conform to the formatting approach 
of the CIP version 5 Standards, along with changes to address several 
Commission directives and to make the requirements less dependent on 
specific technology so that they will remain relevant for future, yet-
unknown developing technologies. For example, according to NERC, 
Requirement R3 is a competency-based requirement, i.e., the responsible 
entity must document how it addresses the malware risk for each BES 
Cyber System, but the requirement does not prescribe a particular 
technical method in order to account for potential technological 
advancement.\39\
---------------------------------------------------------------------------

    \39\ Id. at 12-13.
---------------------------------------------------------------------------

    30. CIP-008-5--Cyber Security--Incident Reporting and Response 
Planning: NERC states that Reliability Standard CIP-008-5 mitigates the 
risk to the reliable operation of the bulk electric system resulting 
from a Cyber Security Incident by specifying incident response 
requirements. Proposed Requirement R1 requires responsible entities to 
report Cyber Security Incidents within 1 hour of recognition. 
Requirement R2 requires testing to verify response plan effectiveness 
and consistent application in responding to a Cyber Security Incident. 
Requirement R3 provides for an after-action review for tests or actual 
incidents, and requires an update to the Cyber Security Incident 
response plan based on those lessons learned. Requirement R3 also 
establishes a single timeline for a responsible entity to determine the 
lessons learned and update recovery plans. Specifically, where previous 
CIP versions specified ``30 calendar days'' for determining the lessons 
learned, followed by additional time for updating recovery plans and 
notification, proposed Requirement R3 combines those activities into a 
single 90-day timeframe.\40\
---------------------------------------------------------------------------

    \40\ Id. at 13.
---------------------------------------------------------------------------

    31. CIP-009-5--Cyber Security--Recovery Plans for BES Cyber 
Systems:

[[Page 72760]]

NERC explains that Reliability Standard CIP-009-5 provides for the 
recovery of the reliability functions performed by BES Cyber Systems by 
specifying a recovery plan to support the continued stability, 
operability, and reliability of the bulk electric system. Requirement 
R1 includes controls to protect data that would be useful in the 
investigation of an event that results in the execution of a Cyber 
System recovery plan. NERC explains that Requirement R2 includes 
operational testing to support the recovery of BES Cyber Systems. 
Requirement R3 establishes a single timeline for a responsible entity 
to determine the lessons learned and update recovery plans, similar to 
CIP-008-5.\41\
---------------------------------------------------------------------------

    \41\ Id.
---------------------------------------------------------------------------

    32. CIP-010-1--Cyber Security--Configuration Change Management and 
Vulnerability Assessments: NERC states that Reliability Standard CIP-
010-1 is a new Reliability Standard consolidating the configuration 
change management and vulnerability assessment-related requirements 
from previous versions of CIP-003, CIP-005 and CIP-007. Requirement R1 
specifies the configuration change management requirements. Requirement 
R2 establishes the configuration monitoring requirements intended to 
detect unauthorized modifications to BES Cyber Systems. NERC explains 
that Requirement R3 establishes the vulnerability assessment 
requirements intended to ensure proper implementation of cyber security 
controls while promoting continuous improvement of a responsible 
entity's cyber security posture.\42\
---------------------------------------------------------------------------

    \42\ Id.
---------------------------------------------------------------------------

    33. CIP-011-1--Cyber Security--Information Protection: NERC states 
that Reliability Standard CIP-011-1 is a new Reliability Standard 
consolidating the information protection requirements from previous 
versions of CIP-003 and CIP-007. Requirement R1 specifies information 
protection controls to prevent unauthorized access to BES Cyber System 
Information. Requirement R2 specifies reuse and disposal provisions to 
prevent unauthorized dissemination of protected information.\43\


---------------------------------------------------------------------------

    \43\ Id. at 13-14.
---------------------------------------------------------------------------

D. Notice of Proposed Rulemaking

    34. On April 18, 2013, the Commission issued a Notice of Proposed 
Rulemaking proposing to approve the CIP version 5 Standards, CIP-002-5 
through CIP-011-1 as just, reasonable, not unduly discriminatory or 
preferential, and in the public interest.\44\ The NOPR stated that the 
CIP version 5 Standards adopt new cyber security controls that are 
intended to safeguard physical and electronic access to BES Cyber 
Systems. Further, the NOPR stated that NERC proposes a new approach to 
identifying and classifying BES Cyber Systems that will require at 
least a minimum classification of Low Impact for all BES Cyber Systems. 
The NOPR also proposed to approve the nineteen new or revised 
definitions associated with the CIP version 5 Standards for inclusion 
in the NERC Glossary.
---------------------------------------------------------------------------

    \44\ Version 5 Critical Infrastructure Protection Reliability 
Standards, 78 FR 24,107 (Apr. 24, 2013), 143 FERC ] 61,055 (2013) 
(NOPRA).
---------------------------------------------------------------------------

    35. While proposing to approve the CIP version 5 Standards, the 
Commission also identified issues with the CIP version 5 Standards. The 
Commission stated in the NOPR that NERC's proposal to include language 
that requires entities to ``identify, assess, and correct'' 
deficiencies is unclear with respect to the implementation and 
compliance obligations that language imposes and that it is too vague 
to audit and enforce compliance. The NOPR sought comment on the 
``identify, assess, and correct'' language and stated that, depending 
on the comments, the Commission may direct NERC to develop 
modifications or remove the ``identify, assess, and correct'' language. 
In addition, the NOPR proposed to direct NERC to modify Reliability 
Standard CIP-003-5, Requirement R2, to require responsible entities to 
adopt specific, technically-supported cyber security controls for Low 
Impact BES Cyber Assets. The NOPR sought comment on these proposals.
    36. The NOPR identified issues with the proposed definitions of BES 
Cyber Asset, Control Center, and Cyber Asset and use of the terms 
Reliability Tasks and Intermediate Devices in the proposed definitions. 
In addition, the NOPR identified technical issues involving 
improvements to the CIP version 5 Standards, including remote access, 
communications security, and the NIST Risk Management Framework. The 
NOPR stated that, depending on the comments received, the Commission 
may direct NERC to develop modifications to certain definitions to 
eliminate ambiguities and ensure that BES Cyber Assets are adequately 
protected. The NOPR sought comment on these proposals.
    37. In the NOPR, the Commission proposed to approve 30 of the 32 
VRFs. In addition, the Commission proposed to direct NERC to modify the 
VSLs for the CIP version 5 Standards.
    38. The Commission proposed in the NOPR to approve NERC's proposal 
to allow responsible entities to transition from compliance with the 
currently-effective CIP version 3 Standards to compliance with the CIP 
version 5 Standards, essentially retiring the CIP version 4 Standards 
prior to mandatory compliance. The NOPR also sought comment on whether 
the 24-month and 36-month implementation periods proposed by NERC for 
the CIP version 5 Standards are necessary, and what activities are 
required to effect the transition during the proposed implementation 
periods.
    39. In response to the NOPR, interested entities filed 62 comments. 
The comments have assisted us in better understanding the issues and 
developing this Final Rule. We address below the issues raised in the 
NOPR and comments. The Appendix to this Final Rule lists the entities 
that filed comments on the NOPR.

E. NERC Informational Filing

    40. On October 11, 2013, NERC submitted an informational filing 
detailing a pilot program to be conducted during the transition from 
the CIP version 3 Standards to the CIP version 5 Standards. NERC 
explains that the implementation study is part of a larger program that 
includes the development of guidance, outreach to industry, and 
training for all responsible entities throughout the implementation 
period.\45\ NERC states that the goals of the implementation study 
include: (1) Improving industry's understanding of the technical 
security challenges that need to be addressed in order to comply with 
the CIP version 5 Standards; (2) providing industry with a clear 
approach to transition from the CIP version 3 Standards to the CIP 
version 5 Standards, including compliance and enforcement expectations; 
and (3) providing industry with the knowledge to understand the 
technical and compliance-related resources needed to transition to, and 
manage compliance with, the CIP version 5 Standards.\46\ NERC explains 
further that the study participants will consist of seven 
representative responsible entities with a proven record of success in 
compliance with the CIP version 3 Standards.\47\ NERC states that based 
on participation in the implementation study, future compliance with 
the CIP version 3 Standards will be waived for

[[Page 72761]]

these seven responsible entities.\48\ Finally, NERC concludes that 
following the conclusion of the implementation study in April 2014, 
NERC and the Regional Entities will prepare and publish a report that 
identifies the lessons learned and recommendations for the transition 
to the CIP version 5 Standards resulting from the implementation 
study.\49\


---------------------------------------------------------------------------

    \45\ NERC Informational Filing at 7.
    \46\ Id. at 7-8.
    \47\ Id. at 8.
    \48\ Id. at 12-13.
    \49\ Id. at 3.
---------------------------------------------------------------------------

II. Discussion

    41. Pursuant to section 215(d) of the FPA, the Commission approves 
the CIP version 5 Standards, CIP-002-5 through CIP-011-1 as just, 
reasonable, not unduly discriminatory or preferential, and in the 
public interest. We find that the CIP version 5 Standards represent an 
improvement over the currently-approved CIP Reliability Standards. In 
particular, we find that the categorization of assets under CIP-002-5 
based on their Low, Medium, or High Impact on the reliable operation of 
the bulk electric system, with all BES Cyber Systems being categorized 
as at least Low Impact, offers more comprehensive protection of the 
bulk electric system. In addition, the CIP version 5 Standards 
incorporate several new cyber security controls that will improve the 
overall security posture of the responsible entities. Further, we 
approve nineteen new or revised definitions associated with the CIP 
version 5 Standards for inclusion in the NERC Glossary. We approve the 
implementation plan and, with modifications, VRFs and VSLs proposed by 
NERC.
    42. As discussed below, pursuant to section 215(d)(5) of the FPA, 
we direct NERC to develop modifications to the CIP version 5 Standards 
to address our concerns regarding: (1) The ``identify, assess, and 
correct'' language; (2) protections for Low Impact BES Cyber Systems; 
(3) the risks posed by transient devices; and (4) the protection of 
communication networks. Further, we direct that NERC survey responsible 
entities during the CIP version 5 Standards implementation periods to 
gain a better understanding of the BES Cyber Asset definition. In 
addition, the Commission directs staff to convene a staff-led technical 
conference, within 180 days from the date of this Final Rule, 
addressing the technical issues identified in the NOPR concerning 
communications security, remote access, and the NIST Risk Management 
Framework.
    43. Below we discuss the following matters: (A) The ``identify, 
assess, and correct'' language; (B) BES Cyber Asset categorization; (C) 
new and revised NERC Glossary definitions; (D) implementation plan; (E) 
VRF and VSL assignments; and (F) other technical issues.

A. ``Identify, Assess, and Correct'' Language

NERC Petition
    44. The CIP version 5 Standards incorporate ``a requirement that 
Responsible Entities implement cyber policies in a manner to `identify, 
assess, and correct' deficiencies'' in 17 CIP requirements.\50\ NERC 
states that the ``identify, assess, and correct'' language is 
``[c]onsistent with the NIST Risk Management Framework and the 
Commission's guidance in prior orders,'' asserting that the 
``implementation of certain CIP version 5 requirements in a manner to 
`identify, assess, and correct' deficiencies emulates the FERC Policy 
Statement on Penalty Guidelines.'' \51\
---------------------------------------------------------------------------

    \50\ NERC Petition at 33.
    \51\ Id.
---------------------------------------------------------------------------

NOPR
    45. In the NOPR, the Commission stated that NERC has not explained 
the proposed ``identify, assess, and correct'' language sufficiently. 
The NOPR expressed concern that this language is unclear as to the 
implementation and compliance obligations it places on responsible 
entities and is too vague to audit and enforce compliance. The NOPR 
sought comment on the meaning of this language and on how it will be 
implemented and enforced. The NOPR stated that, depending on the 
explanations provided in the comments, the Commission may direct NERC 
to develop modifications, including directing NERC to clarify both the 
implementation and compliance obligations created by this language and 
the criteria by which auditors will be able to determine compliance, or 
the Commission may direct NERC to remove this language if it results in 
requirements that degrade the protections afforded by the CIP version 5 
Standards and are difficult to implement and enforce.
    46. The NOPR questioned whether the ``identify, assess, and 
correct'' language imposes one obligation on a responsible entity 
(i.e., to ensure the entity has a process in place to ``identify, 
assess, and correct'' a violation or, alternatively, to ensure that the 
underlying substantive requirement is not violated) or two obligations 
(i.e., to (1) ensure the entity has a process in place to ``identify, 
assess, and correct'' a violation and (2) to ensure that the underlying 
substantive requirement is not violated). The NOPR stated that the 
proposed ``identify, assess, and correct'' language is ambiguous enough 
to support both interpretations. The NOPR expressed concern that, under 
either interpretation, the ``identify, assess, and correct'' language 
is too vague to be audited, and that NERC has not explained what is 
expected of responsible entities or the intended meaning of the 
individual terms ``identify,'' ``assess,'' ``correct,'' and 
``deficiencies'' as they are used in the CIP version 5 Standards.
    47. With respect to the term ``identify,'' the NOPR observed that 
it is not clear whether a responsible entity is expected to take steps 
to recognize past deficiencies, ongoing deficiencies, or deficiencies 
that are likely to or may occur in the future. With respect to the term 
``assess,'' the NOPR stated that NERC does not explain the scope of 
activities that are implied in the term ``assess,'' which could range 
from a cursory review of an isolated ``deficiency'' to a detailed root-
cause analysis. With respect to the term ``correct,'' the NOPR 
explained that NERC did not define what it means for a responsible 
entity to ``correct'' a deficiency. The NOPR stated that this term may 
include ending a deficiency, taking measures to address the effect of a 
deficiency, or taking steps to prevent a deficiency from recurring. 
With respect to the term ``deficiency,'' the NOPR noted that NERC does 
not explain, nor does the text of the CIP version 5 Standards define, 
the term. The Commission observed that it is not clear whether 
``deficiencies'' means ``possible violations,'' as defined in NERC's 
Compliance Monitoring and Enforcement Program, or extends to a broader 
category of matters. The NOPR sought comment on these concerns and on 
any modification that may be necessary to address them.
    48. The NOPR stated that the petition does not identify a 
reasonable timeframe for identifying, assessing and correcting 
deficiencies. Without identifying a timeframe, the NOPR explained that 
it is conceivable that, as long as the responsible entity identifies, 
assesses and corrects a deficiency before, or perhaps even when, NERC, 
the Regional Entities or the Commission discover the deficiency, there 
is no possible violation of the CIP Reliability Standards, regardless 
of the seriousness of the deficiency, the duration of the deficiency, 
or the length of time between the identification and correction of the 
deficiency. The NOPR sought comment on this concern and on

[[Page 72762]]

any modifications that may be necessary to address it.
    49. The NOPR stated that the proposed ``identify, assess, and 
correct'' language allows a responsible entity to avoid audit risk. The 
NOPR explained that, without a required timeframe for identifying, 
assessing and correcting a deficiency, a responsible entity could defer 
its required assessment of its CIP compliance program until just prior 
to a scheduled audit or self-certification. The NOPR stated that NERC 
does not explain whether a responsible entity is required to disclose 
the identified deficiencies in such cases, and it is not clear whether 
the audit team can identify a potential violation if the responsible 
entity identifies the deficiency and is in the process of assessing and 
correcting it, even if the deficiency is identified long after it came 
into existence. The NOPR observed that it is also not clear how prior 
deficiencies that are identified, assessed and corrected are treated in 
assessing a responsible entity's compliance history. The NOPR sought 
comment on these concerns and on any modifications that may be 
necessary to address them.
    50. The NOPR stated that the petition does not explain how NERC 
will treat multiple corrections of deficiencies concerning the same 
requirement, or the quality of the mitigation. The NOPR explained that 
it is unclear whether previous corrections will be reported or 
otherwise made known to NERC because they are not considered potential 
violations of the CIP Reliability Standard. The NOPR sought comment on 
this concern and on any modifications that may be necessary to address 
it.
    51. In the NOPR, the Commission questioned how performance of the 
``identify, assess, and correct'' language can be uniform or consistent 
among responsible entities absent clarification of Regional Entity and 
NERC compliance techniques.
    52. The NOPR stated that neither the CIP version 5 Standards nor 
NERC's petition explain what is expected of responsible entities under 
the proposed ``identify, assess, and correct'' language. The NOPR 
expressed concern that including the assess and monitor processes in 
the language of a requirement, as proposed by NERC, could render such 
requirements unenforceable. The NOPR sought comment on this concern and 
on any modifications that may be necessary to address them.
Comments
    53. NERC comments that the Commission should approve the 
``identify, assess, and correct'' language without modification. NERC 
explains that the ``identify, assess, and correct'' language is meant 
to address ``frequently occurring security obligations (High Frequency 
Security Obligations) that present a lesser risk to reliability that 
reduces the administrative burden of the compliance process.'' \52\ 
According to NERC, the intent of the ``identify, assess, and correct'' 
language is not to eliminate accountability for responsible entities or 
hinder Regional Entity, NERC or Commission oversight. NERC states that, 
if the ``identify, assess, and correct'' language is approved, it will 
submit a compliance filing by June 1, 2014 or six months from the date 
of the final rule in this docket, whichever is later, that ``further 
outlines the compliance and enforcement aspects of this language, 
including when entities are expected to self-report or maintain 
documentation of its self-correcting process for audit, what 
constitutes potential noncompliance, and the necessary guidance for 
auditors.'' \53\
---------------------------------------------------------------------------

    \52\ NERC Comments at 5.
    \53\ Id. at 14.
---------------------------------------------------------------------------

    54. NERC explains that the standard drafting team set out ``to 
minimize the compliance burdens associated with High Frequency Security 
Obligations.'' \54\ NERC contends that modifying or removing the 
``identify, assess, and correct'' language through the NERC standard 
development process could delay implementation of the CIP version 5 
Standards because the standard drafting team will have to consider 
alternative approaches. If the Commission directs removal or 
modifications to the ``identify, assess, and correct'' language, NERC 
states that the Commission should allow a reasonable time to develop 
changes through NERC's standard development process.
---------------------------------------------------------------------------

    \54\ Id. at 7.
---------------------------------------------------------------------------

    55. According to NERC, the ``identify, assess, and correct'' 
language is ``intended to prescribe the manner in which entities must 
implement their policies and procedures for specific areas of security 
protection.'' \55\ NERC claims that the best approach to address High 
Frequency Security Obligations is to ``focus entities on correcting 
identified deficiencies in [the] implementation of the Technical Parts 
of the proposed requirements to promote continuous awareness in an 
entity's cyber security program.'' \56\
---------------------------------------------------------------------------

    \55\ Id. at 8.
    \56\ Id.
---------------------------------------------------------------------------

    56. NERC distinguishes requirements containing the ``identify, 
assess, and correct language'' from other requirements. For 
requirements lacking the ``identify, assess, and correct'' language, 
NERC explains that responsible entities are ``obligated to: (1) Have 
the documented processes stated in the requirement, and (2) implement 
the documented processes to achieve the Technical Parts.'' \57\ NERC 
comments that ``[h]ow the entity chooses to implement the process would 
be documented for the Compliance Enforcement Authority, as required by 
the associated Measure . . . [f]or these requirements, the entity 
either has the process in place and the process achieves the Technical 
Parts or the entity does not have a process in place and/or its process 
does not achieve the Technical Parts.'' \58\
---------------------------------------------------------------------------

    \57\ Id. at 9.
    \58\ Id.
---------------------------------------------------------------------------

    57. For requirements including the ``identify, assess, and 
correct'' language, NERC states that the `` `identify, assess, and 
correct language' . . . mandates that the entity use a self-correcting 
process in its implementation of its documented policies to achieve the 
Technical Parts.'' NERC opines that the ``self-correcting language does 
not affect the underlying obligation in the requirement to achieve the 
Technical Parts.'' \59\ According to NERC, the only difference is that 
the ``identify, assess, and correct'' language ``set[s] additional 
parameters for the manner in which an entity should implement the 
process.'' \60\ NERC states, therefore, that the CIP version 5 
Standards impose two obligations upon responsible entities. According 
to NERC, the CIP version 5 Standards that require a documented process, 
regardless of whether such requirement includes the ``identify, assess 
and correct'' language, contain two obligations. The first requirement 
is to have the process mandated by the Reliability Standards and the 
second is the implementation of that process.
---------------------------------------------------------------------------

    \59\ Id.
    \60\ Id. at 9-10.
---------------------------------------------------------------------------

    58. NERC contends that specifying a uniform definition of 
`identify,' `assess,' and `correct' is impracticable given the wide 
range of systems and the number of assets that make up an entity's 
systems. NERC explains that the standard drafting team did not create 
specific definitions ``because responsible entities are in the best 
position to define their own internal compliance processes based on the

[[Page 72763]]

particular characteristics and make-up of their systems, including 
whether they will use internal controls or a different type of 
compliance management process to meet their specific system design.'' 
\61\ According to NERC, if actual experience shows that an entity's 
compliance program does not meet compliance expectations, the 
``identify, assess, and correct'' language mandates that the entity's 
processes and implementation be modified to correct any deficiencies. 
In addition, NERC states that, depending on the circumstances, ``there 
may be a potential violation if actual performance does not meet the 
Technical Parts.'' \62\
---------------------------------------------------------------------------

    \61\ Id. at 10.
    \62\ Id. at 12.
---------------------------------------------------------------------------

    59. NERC contends that the ``identify, assess, and correct'' 
language does not remove accountability for responsible entities, nor 
does it eliminate Regional Entity, NERC, and Commission oversight. NERC 
claims that, by requiring responsible entities to demonstrate how their 
``identify, assess, and correct'' process works, auditors will better 
understand a responsible entity's compliance program. NERC states that 
it is committed to developing Reliability Standard Audit Worksheets 
(RSAWs) and other guidance to support the adoption of the ``identify, 
assess, and correct'' language.
    60. According to NERC, the term ``deficiencies,'' as used in the 
sample RSAW, ``referred to potential noncompliance with the proposed 
CIP Version 5 requirement; however not all deficiencies would be 
treated as possible violations depending on the specific facts and 
circumstances surrounding a deficiency.'' \63\ NERC explains that a 
responsible entity would be expected to document the identification, 
assessment, and correction of lesser risk deficiencies for review by 
the Compliance Enforcement Authority, but that responsible entities 
would still be expected to self-report higher risk deficiencies. NERC 
comments that not requiring the individual reporting of lesser risk 
deficiencies will result in resource savings and allow entities to 
focus on security as opposed to the administrative aspects of the 
compliance process.
---------------------------------------------------------------------------

    \63\ Id.
---------------------------------------------------------------------------

    61. Regarding the timelines governing the ``identify, assess, and 
correct'' process, NERC states that ``an entity's own internal 
processes would dictate the timing aspect.'' \64\ NERC explains that a 
responsible entity would be required to explain the timing of its 
process as part of an audit, and timing would be one factor in the 
auditors review of the entity's ``identify, assess, and correct'' 
process. Comparing the ``identify, assess, and correct'' language to 
the NIST Risk Management Framework, NERC opines that ``requiring 
entities to continuously demonstrate that they are implementing 
processes in a manner that identifies, assesses, and corrects, is 
similar to the monitoring steps of the NIST Framework.'' \65\
---------------------------------------------------------------------------

    \64\ Id. at 16.
    \65\ Id. at 17.
---------------------------------------------------------------------------

    62. Numerous commenters support the ``identify, assess, and 
correct'' language and do not indicate that there is a need for 
clarification.\66\ These commenters assert that the ``identify, assess, 
and correct'' language is an improvement over the ``zero tolerance'' 
compliance approach in prior versions of the CIP Reliability Standards. 
The commenters also note that the ``identify, assess, and correct'' 
language was only added to requirements addressing lower risks to the 
reliability of the Bulk-Power System. For example, NextEra comments 
that ``identify, assess, and correct'' language is only found in 
requirements that ``involve management of high volumes of information 
or data and those that involve execution of regular, periodic tasks. 
These are areas where scale matters; where, for example, one mistake 
out of thousands of non-mistakes does not necessarily warrant the time 
and attention that must, by law, be given to `potential violations' of 
a NERC reliability standard approved under Section 215 of the FPA.'' 
\67\
---------------------------------------------------------------------------

    \66\ Alliant, AEP, APPA, Arkansas, SWP, Dominion, G&T 
Cooperatives, LADWP, MidAmerican, NARUC, OEVC, PG&E, PPL Companies, 
SCE, Tacoma, Tampa, TAPS, UI.
    \67\ NextEra Comments at 6.
---------------------------------------------------------------------------

    63. Commenters, including LADWP and Tacoma Power, claim that the 
``identify, assess, and correct'' language is clear and creates 
incentives for responsible entities to improve internal controls to 
discover, evaluate, and address deficiencies.\68\ The commenters assert 
that the ``identify, assess, and correct'' language could result in 
improved, more cost-effective reliability. The commenters generally 
disagree with the NOPR's concerns regarding the ``identify, assess, and 
correct'' language. For example, in response to the NOPR's concerns 
regarding timelines for completing ``identify, assess, and correct'' 
activities, MidAmerican states that ``[a]ny time constraint on 
entities' remediation of discovered deficiencies would introduce 
another layer of required monitoring in areas where the industry has 
determined that ministerial compliance tasks are already unduly 
burdensome and counter-productive to the need to focus entities' 
limited resources on the most critical risks.'' \69\
---------------------------------------------------------------------------

    \68\ LADWP Comments at 8-9; Tacoma Power Comments at 2.
    \69\ MidAmerican Comments at 10.
---------------------------------------------------------------------------

    64. Many commenters support retaining the ``identify, assess, and 
correct'' language in the requirements, but acknowledge the need for 
greater clarity as to how the ``identify, assess, and correct'' 
language will work in practice.\70\ EEI and other commenters support 
NERC's proposal to submit a compliance filing that provides more detail 
regarding the ``identify, assess, and correct'' language. BPA, ISO New 
England and other commenters support allowing NERC to clarify the 
``identify, assess, and correct'' language in a separate document in 
order not to delay implementation of the beneficial technical 
requirements in the CIP version 5 Standards.
---------------------------------------------------------------------------

    \70\ Ameren, BPA, EEI, EPSA, Exelon, FirstEnergy, Idaho Power, 
ITC, ISO New England, KCP&L, Luminant, MISO, NASUCA National Grid, 
NRECA, NextEra, NAGF, Northeast Utilities, NorthWestern, Portland, 
Southern Indiana, Wisconsin, Xcel.
---------------------------------------------------------------------------

    65. Some commenters support modifying or removing the ``identify, 
assess, and correct'' language.\71\ These commenters question whether 
the ``identify, assess, and correct'' language is auditable and 
enforceable due to a lack of clarity. While SPP RE comments that the 
``zero-defect'' compliance aspect of the CIP Version 3 Reliability 
Standards is problematic, SPP RE also believes that the ``identify, 
assess, and correct'' language is unclear, subject to multiple 
interpretations, and difficult to audit.\72\ TVA believes that it is 
imperative that the CIP standards, whose violations must necessarily be 
described generally at high levels, must be sufficiently clear in terms 
of what requirements are being imposed on Registered Entities and the 
``identify, assess, and correct'' language is too vague to ascertain 
how compliance will be audited.\73\ While SCE&G favors retaining the 
``identify, assess, and correct'' concept, SCE&G also contends that it 
is misplaced in NERC's proposed CIP version 5 Standards where it is 
embedded in the technical parts of the requirements.\74\
---------------------------------------------------------------------------

    \71\ Encari, GSOC, SPP Parties, SCE&G, SPP RE, and TVA.
    \72\ SPP RE Comments at 2-3.
    \73\ TVA Comments at 2-3.
    \74\ SCE&G Comments at 2.
---------------------------------------------------------------------------

    66. Commenters express differing views on the obligations imposed 
by the ``identify, assess, and correct'' language irrespective of their 
position on whether

[[Page 72764]]

that language should be retained. For example, MISO indicates that the 
``identify, assess, and correct'' language could be interpreted as 
imposing a new obligation or not imposing a new obligation on 
responsible entities.\75\ MidAmerican and Luminant assert that the 
``identify, assess, and correct'' language would not impose a new 
compliance obligation. However, according to LADWP and OEVC, the 
``identify, assess, and correct'' language would impose a new 
obligation (i.e., to have an ``identify, assess, and correct'' process 
in place). Other commenters, including GSOC and ITC, ask the Commission 
to clarify that the ``identify, assess, and correct'' language cannot 
be separately violated and that only a failure to comply with the 
underlying substantive requirement can result in a violation.
---------------------------------------------------------------------------

    \75\ MISO Comments at 4.
---------------------------------------------------------------------------

Commission Determination
    67. For the reasons discussed below, the Commission concludes that 
the ``identify, assess, and correct'' language, as currently proposed 
by NERC, is unclear with respect to the obligations it imposes on 
responsible entities, how it would be implemented by responsible 
entities, and how it would be enforced. Accordingly, we direct NERC, 
pursuant to section 215(d)(5) of the FPA, to develop modifications to 
the CIP version 5 Standards that address our concerns. Preferably, NERC 
should remove the ``identify, assess, and correct'' language from the 
17 CIP version 5 requirements, while retaining the substantive 
provisions of those requirements.\76\ Alternatively, NERC may propose 
equally efficient and effective modifications that address the 
Commission's concerns regarding the ``identify, assess, and correct'' 
language.\77\ The Commission directs NERC to submit the modifications 
to the CIP Reliability Standards within one year from the effective 
date of this Final Rule.
---------------------------------------------------------------------------

    \76\ The 17 requirements are: CIP-003-5, Requirements R2 and R4; 
CIP-004-5, Requirements R2 through R5; CIP-006-5 Requirements R1 and 
R2; CIP-007-5, Requirements R1 through R5; CIP-009-5, Requirement 
R2; CIP-010-1, Requirements R1 and R2; and CIP-011-1, Requirement 
R1.
    \77\ See Mandatory Reliability Standards for the Bulk-Power 
System, Order No. 693, FERC Stats. & Regs. ] 31,242, at P 186, order 
on reh'g, Order No. 693-A, 120 FERC ] 61,053 (2007).
---------------------------------------------------------------------------

    68. In Order No. 672, the Commission provided general guidance on 
the conditions under which a Reliability Standard would be approved 
under Section 215 of the Federal Power Act.\78\ Among other things, the 
Commission explained that proposed Reliability Standards should be 
clear and unambiguous regarding what is required for compliance and who 
is required to comply.\79\ Based on our experience with the ongoing 
development and implementation of the Reliability Standards, including 
the CIP Reliability Standards, we believe that clarity and certainty in 
the language of Reliability Standard requirements is necessary to 
ensure consistent application by responsible entities, as well as 
consistent enforcement by NERC and the Regional Entities.\80\ Language 
in a requirement that could be subject to multiple interpretations 
raises the specter of inconsistent application and enforcement, which 
could result in risks to Bulk-Power System reliability.\81\ Therefore, 
as a fundamental expectation, NERC must strive to develop clear and 
unambiguous Reliability Standards.
---------------------------------------------------------------------------

    \78\ Order No. 672, FERC Stats. & Regs. ] 31,204 at PP 320-337.
    \79\ Id. P 325.
    \80\ See id. P 327 (stating that a proposed Reliability Standard 
should include ``a clear criterion or measure of whether an entity 
is in compliance'' and should ``contain or be accompanied by an 
objective measure of compliance so that it can be enforced and so 
that enforcement can be applied in a consistent and non-preferential 
manner.'').
    \81\ See Order No. 693, FERC Stats. & Regs. ] 31,242, at P 274 
(finding that ``it is essential that the Requirements for each 
Reliability Standard . . . are sufficiently clear and not subject to 
multiple interpretations.'').
---------------------------------------------------------------------------

    69. As we indicated in the NOPR, we support NERC's move away from a 
``zero tolerance'' approach to compliance, the development of strong 
internal controls by responsible entities, and NERC's development of 
standards that focus on the activities that have the greatest impact on 
Bulk-Power System reliability.\82\ Thus, we are sympathetic to these 
underlying motives as described by NERC that resulted in the 
incorporation of the ``identify, assess, and correct'' language within 
17 provisions of the CIP version 5 Standards. Nonetheless, as explained 
below, the language proposed by NERC is ambiguous and results in an 
unacceptable amount of uncertainty with regard to consistent 
application, responsible entities understanding their obligations, and 
NERC and the regions providing consistent application in audits and 
other compliance settings.
---------------------------------------------------------------------------

    \82\ See NOPR, 143 FERC ] 61,055 at P 57.
---------------------------------------------------------------------------

    70. The Commission raised concerns in the NOPR with the ``identify, 
assess, and correct'' language and sought comment on the implementation 
and enforceability of the ``identify, assess, and correct'' language. 
The commenters, however, do not clarify how the ``identify, assess, and 
correct'' language would be implemented and enforced. Rather, the 
diversity of explanations provided by commenters reinforces our 
concerns. In its petition and comments, NERC does not clarify 
adequately the language and, instead, indicates that it is willing to 
submit a future compliance filing that ``further outlines the 
compliance and enforcement aspects of this language, including when 
entities are expected to self-report or maintain documentation of its 
self-correcting process for audit, what constitutes potential 
noncompliance, and the necessary guidance for auditors.'' \83\ NERC's 
proposal that the Commission approve this language in numerous 
requirements of the CIP version 5 Standards, while postponing a 
detailed explanation regarding the understanding, compliance 
implications and proper implementation of the proposed language to a 
future time, is an inadequate approach.
---------------------------------------------------------------------------

    \83\ NERC Comments at 14.
---------------------------------------------------------------------------

    71. Moreover, there is confusion among the commenters as to what 
the ``identify, assess, and correct'' language requires of responsible 
entities. For example, commenters differ on whether the ``identify, 
assess, and correct'' language imposes a new obligation on responsible 
entities. The Commission raised questions in the NOPR concerning, among 
other things, reasonable timeframes for identifying and correcting a 
deficiency, whether the language could be used to avoid audit risk, and 
how the implementation and performance of the language can be expected 
to be consistent across responsible entities and regions, but did not 
receive adequate responses.\84\ We received inconsistent explanations 
in response to these inquiries, which we take as another indication of 
the vagueness of the ``identify, assess, and correct'' language.
---------------------------------------------------------------------------

    \84\ See NOPR, 143 FERC ] 61,055 at PP 51, 52, and 54.
---------------------------------------------------------------------------

    72. Regarding the meaning of the terms ``identify,'' ``assess,'' 
``correct,'' and ``deficiencies,'' NERC states that it would be 
impracticable to develop uniform definitions and that responsible 
entities are in the best position to define these terms in the context 
of their internal compliance programs. While we understand NERC's 
desire to allow for flexibility as responsible entities develop their 
internal control programs, we are, nonetheless, concerned that the NERC 
proposal lacks basic definition and guidance that is needed, for 
example, to distinguish a successful internal control program from one 
that is inadequate. As a result, we conclude that the ``identify, 
assess, and correct''

[[Page 72765]]

language, as currently proposed, injects an unacceptable degree of 
ambiguity into the otherwise reasonable substantive requirements of the 
CIP version 5 Standards.
    73. As indicated earlier, we support the underlying concerns that 
prompted the ``identify, assess and correct'' language, namely 
encouraging the development of strong internal controls and focusing 
resources on activities that best promote reliability of the Bulk-Power 
System. We believe, however, that it may be more appropriate for NERC 
to achieve these goals by articulating defined goals in the compliance 
and enforcement process and identifying clear expectations that would 
justify the exercise of enforcement discretion. For example, the 
Reliability Assurance Initiative process when fully developed may 
afford a consistent, informed approach that provides incentives for 
entities to develop robust internal control programs.\85\
---------------------------------------------------------------------------

    \85\ The Reliability Assurance Initiative program is a NERC 
initiative to transform the current compliance and enforcement 
program into one that focuses on high reliability risk areas and 
reduces the administrative burden on registered entities. See http://www.nerc.com/pa/comp/Pages/Reliability-Assurance-Initiative.aspx.
---------------------------------------------------------------------------

    74. We emphasize that if NERC wishes to propose modifications other 
than, or in addition to, removing the ``identify, assess and correct'' 
language from the CIP version 5 requirements, we will be open to 
consideration of various approaches for resolving the High Frequency 
Security Obligations scenario NERC identifies. We understand the 
concern to be that while it is necessary for Bulk-Power System 
reliability to identify, control, and minimize violations of 
requirements addressing this scenario, responsible entities may not be 
able to prevent all such violations. Moreover, while it is possible 
that a single violation of such a requirement could result in 
significant harm to Bulk-Power System reliability, or that multiple or 
repeated violations by an individual responsible entity could indicate 
a reliability vulnerability or inadequate internal controls, individual 
violations of such requirements likely pose a low risk. With respect to 
these types of requirements, we are receptive to the concept that Bulk-
Power System reliability may be better served, at lower cost to 
responsible entities, for Regional Entities and NERC to provide 
incentives for them to proactively identify and mitigate potential 
noncompliance outside the enforcement context by enhancing their 
internal controls.
    75. We would prefer approaches that would not involve the placement 
of compliance language within the text of the Reliability Standards to 
address these issues. We understand that NERC has inserted the 
``identify, assess, and correct'' language into the CIP Reliability 
Standard requirements to move its compliance processes towards a more 
risk-based model. With this objective in mind, we believe that a more 
appropriate balance might be struck to address the underlying concerns 
by developing compliance and enforcement processes that would grant 
NERC and the Regional Entities the ability to decline to pursue low 
risk violations of the Reliability Standards. Striking this balance 
could be accomplished through a modification to the Compliance 
Monitoring and Enforcement Program. We believe that such an approach 
would: (1) Empower NERC and the Regional Entities to implement risk-
based compliance monitoring techniques that avoid zero defect 
enforcement when appropriate; (2) allow the Commission to retain 
oversight over the enforcement of Reliability Standards; and (3) ensure 
that all Reliability Standards are drafted to be sufficiently clear and 
enforceable.
    76. Accordingly, the Commission directs NERC, pursuant to section 
215(d)(5) of the FPA, to develop modifications to the CIP version 5 
Standards that address our concerns. Preferably, NERC should remove the 
``identify, assess, and correct'' language from the 17 CIP version 5 
requirements. The Commission directs NERC to submit these modifications 
for Commission approval within one year from the effective date of this 
Final Rule. Alternatively, NERC may develop a proposal to enhance the 
enforcement discretion afforded to itself and the Regional Entities, as 
discussed above.

B. BES Cyber Asset Categorization and Protection

1. Reliability Based Criteria
NERC Petition
    77. Reliability Standard CIP-002-5 requires responsible entities to 
categorize BES Cyber Systems as having a Low, Medium, or High Impact. 
NERC states that CIP-002-5 requires ``the identification and 
categorization of BES Cyber Systems according to specific criteria that 
characterize their impact for the application of cyber security 
requirements commensurate with the adverse impact that loss, 
compromise, or misuse of those BES Cyber Systems could have on the 
reliable operation of the [bulk electric system].'' \86\ NERC states 
that the new approach to classifying cyber systems, which requires a 
minimum classification of ``Low Impact'' for all BES Cyber Systems, 
``resulted from a review of the NIST Risk Management Framework for 
categorizing and applying security controls, a review that was directed 
by the Commission in Order No. 706.'' \87\
---------------------------------------------------------------------------

    \86\ NERC Petition at 11.
    \87\ Id. at 15.
---------------------------------------------------------------------------

NOPR
    78. In the NOPR, the Commission pointed out that NERC's proposed 
categorization process is based on facility ratings, such as generation 
capacity and voltage levels, whereas the NIST Risk Management Framework 
categorizes systems based on cyber security principles regarding the 
confidentiality, integrity, and availability of systems.\88\ The 
Commission stated in the NOPR that NERC's new approach to categorizing 
BES Cyber Systems, which requires at least a minimum classification of 
``Low Impact'' for all BES Cyber System, is a step closer to 
comprehensively protecting assets that could cause cyber security risks 
to the bulk electric system.\89\ The Commission proposed to accept 
NERC's proposal, recognizing that the Commission may revisit the 
categorization of assets under the CIP Reliability Standards at a later 
date should the need arise.\90\
---------------------------------------------------------------------------

    \88\ NOPR, 143 FERC ] 61,055 at P 61.
    \89\ Id. P 59.
    \90\ Id. P 64.
---------------------------------------------------------------------------

Comments
    79. The commenters generally support the proposed bulk electric 
system categorization process, with some commenters raisings discrete 
concerns with certain aspects of the NOPR.
    80. NERC, BPA, and CenterPoint support the proposed categorization 
process. NERC states that the proposed Low, Medium, or High Impact 
categories were derived from a review of the NIST Risk Management 
Framework conducted in response to the Commission's directive in Order 
No. 706.\91\ NERC explains that, based on the review of the NIST Risk 
Management Framework, the standard drafting team determined that a Low, 
Medium, or High Impact categorization based on facility ratings is 
appropriate ``because it (1) reflects the well understood and commonly 
used method for categorizing assets within the electricity sector; (2) 
provides a clear and measurable method for identifying assets; and (3) 
directly

[[Page 72766]]

relates to a facility's impact on the Bulk Electric System, which is 
consistent with the NIST Framework approach to categorizing assets 
based on risk.'' \92\
---------------------------------------------------------------------------

    \91\ BPA Comments at 6; CenterPoint Comments at 2-3; NERC 
Comments at 18-19.
    \92\ NERC Comments at 18-19.
---------------------------------------------------------------------------

    81. NERC, BPA and CenterPoint comment that, although the proposed 
reliability-based criteria put forth in CIP version 5 differ from the 
NIST Risk Management Framework, where the categorization process is 
based on the loss of confidentiality, integrity, and availability 
systems, the difference is reasonable. Specifically, NERC, BPA and 
CenterPoint note that the NIST standards are information protection 
standards whereas the CIP Standards are reliability standards, which 
require a slightly different approach to categorization aimed more 
broadly at the reliability of the Bulk-Power System across all entities 
rather than categorization by a single organization.\93\
---------------------------------------------------------------------------

    \93\ NERC Comments at 19; BPA Comments at 6; CenterPoint 
Comments at 2-3.
---------------------------------------------------------------------------

    82. TVA states that it ``would be in favor of transitioning to a 
NIST categorization model if the control scoping and implementation was 
conducted in accordance with NIST-800-37, revision 1.'' \94\ TVA 
asserts that the NIST Risk Management Framework, if applied correctly, 
provides near real time management of risks, and establishes 
responsibility and accountability for information system security. TVA 
concludes that the NIST Risk Management Framework ``has the potential 
to provide the utility industry with a proven and effective security 
framework that includes targeted components uniquely written for the 
control system environment.'' \95\
---------------------------------------------------------------------------

    \94\ TVA Comments at 4.
    \95\ Id.
---------------------------------------------------------------------------

    83. ITC states that blackstart resources, which are designated as 
Low Impact under proposed CIP-002-5, should be designated as Medium 
Impact assets to ensure sufficient protection of the bulk electric 
system.\96\ ITC states that blackstart resources are of similar 
importance as other assets designated as Medium Impact and, therefore, 
blackstart resources should be protected as such, including the 
appropriate VRF designation.\97\ ITC avers that blackstart resources 
``are analogous to Criteria 2.3 generation resources because they are 
necessary to avoid an Adverse Reliability Impact as defined by NERC, 
and should therefore be classified as Medium Impact.'' \98\ ITC 
contends that NERC's rationale for classifying blackstart resources as 
Low Impact assets is faulty. Specifically, ITC argues that classifying 
blackstart resources as Low Impact ``because of concerns over 
additional compliance costs leading to withdrawal of Blackstart 
resources from the market'' is not an appropriate rationale for 
approving a reliability rule.\99\
---------------------------------------------------------------------------

    \96\ ITC Comments at 8.
    \97\ Id.
    \98\ Id. at 9.
    \99\ Id.
---------------------------------------------------------------------------

    84. SPP RE asserts that the proposed categorization process fails 
to address connectivity as directed in Order No. 761. Specifically, SPP 
RE notes that the Commission directed NERC to ``address a cyber asset's 
connectivity and its potential to compromise the reliable operation of 
the Bulk-Power System with respect to the BES Cyber Asset 
categorization criteria.'' \100\ SPP RE recommends that the Commission 
direct NERC to modify the BES Cyber Asset categorization process ``to 
require control centers performing the functional obligations of 
Balancing Authority or Generation Operator to be categorized as medium 
impact at a minimum if the control center systems are network 
interconnected'' with other control center systems.\101\
---------------------------------------------------------------------------

    \100\ SPP RE Comments at 5 (citing Order No. 761, 139 FERC ] 
61,058 at P 91).
    \101\ Id at 6.
---------------------------------------------------------------------------

    85. Tampa seeks clarification concerning the CIP-002-5, Attachment 
1 impact rating criteria as they relate to certain generating units. 
Specifically, Tampa requests clarification ``whether individual units 
less that 20 MVA (gross nameplate rating) and generating plants/
facilities less than 75 MVA (gross aggregate nameplate rating) are 
excluded from consideration as Low Impact assets.'' \102\ Tampa 
questions whether there is a criterion that would qualify a generation 
facility as Low Impact besides failing to meet the two criteria that 
qualify a facility as Medium Impact, or are all remaining generation 
facilities captured by the Low Impact definition. Tampa also questions 
whether the bulk electric system definition acts as a floor for Low 
Impact facilities under which Low Impact facilities would not include 
facilities that are excluded from the definition of the bulk electric 
system. Tampa requests that the Commission clarify that only those 
generation facilities equal to or greater than 1500 MW or that are 
designated by either a planning coordinator or transmission planner 
will be considered Medium Impact, with all remaining generating 
facilities considered Low Impact, subject to any bulk electric system 
definition floor.\103\
---------------------------------------------------------------------------

    \102\ Tampa Comments at 4.
    \103\ Id.
---------------------------------------------------------------------------

    86. Wisconsin questions the applicability section of the proposed 
CIP version 5 Standards. Specifically, Wisconsin asserts that the CIP 
version 5 Standards, as written, could be read to exclude reliability 
coordinators and other entities from the CIP Standards because section 
4.2.2 in each of the CIP Standards limits applicability to a 
responsible entity's bulk electric system facilities. Wisconsin notes 
that neither reliability coordinators nor interchange authorities have 
bulk electric system facilities. Wisconsin requests that the Commission 
require NERC to remove section 4.2.2 from each of the CIP Standards to 
ensure that the standards are clear and unambiguous with regard to 
applicability.\104\
---------------------------------------------------------------------------

    \104\ Wisconsin Comments at 4.
---------------------------------------------------------------------------

Commission Determination
    87. The Commission finds reasonable the categorization of BES Cyber 
Systems set forth in Reliability Standard CIP-002-5. The new approach 
to categorizing BES Cyber Systems, which requires at least a minimum 
classification of Low Impact for BES Cyber Systems, better assures the 
protection of assets that can cause cyber security risks to the bulk 
electric system. The Commission may revisit the categorization of BES 
Cyber Assets should experience gained from implementing and enforcing 
Reliability Standard CIP-002-5 warrant such action.
    88. With regard to ITC's comments on blackstart resources, we are 
not persuaded that blackstart resources should be designated as Medium 
Impact BES Cyber Assets. While we believe that system recovery is 
important to the reliable operation of the Bulk-Power System, we accept 
the ERO's approach on this matter as adequate. Further, since 
blackstart resources are designated as Low Impact, entities may have 
discretion regarding appropriate security controls that will apply. 
Although we determine not to direct changes at this time, we may 
revisit this determination after implementation of the CIP version 5 
Standards if we determine that blackstart resources lack a sufficient 
level of protection. ITC is also encouraged to raise its concerns 
regarding blackstart resources through NERC's standards development 
process.
    89. With respect to SPP RE's concerns on the issue of connectivity, 
the Commission does not direct changes at this time. The majority of 
bulk electric system control centers are designated as High Impact BES 
Cyber Assets under Reliability Standard CIP-002-5 because of the 
interconnected nature of these

[[Page 72767]]

facilities. We share SPP RE's concern, however, that balancing 
authority and generation operator control centers are interconnected 
and some of these facilities will likely fall into the Low Impact 
category. The Commission may revisit this determination if we find that 
Low Impact control centers lack a sufficient level of protection 
following implementation of the CIP version 5 Standards.
    90. As noted above, Tampa requests clarification concerning the 
CIP-002-5 impact rating criteria as it relates to certain generating 
units. The Commission clarifies that, consistent with our 
determinations in Order No. 773, only those plants, facilities, and 
assets that are covered under the bulk electric system definition, or 
included in the definition under the exceptions process in Appendix 5C 
of the NERC rules of procedure, will be required to comply with the CIP 
Reliability Standards.\105\ Similarly, the Low Impact category will not 
include assets that are not covered under the bulk electric system 
definition or excluded from the definition under the exceptions process 
in Appendix 5C of the NERC rules of procedure. The Commission 
understands that the Low Impact category is intended to address all BES 
Cyber Systems on the bulk electric system that do not meet the criteria 
for Medium or High Impact.
---------------------------------------------------------------------------

    \105\ Revisions to Electric Reliability Organization Definition 
of Bulk Electric System and Rules of Procedure, Order No. 773, 141 
FERC ] 61,236, at P 43 (2012) (noting that ``[t]he [bulk electric 
system] definition, coupled with the exception process will ensure 
that facilities not necessary for the operation of the 
interconnected transmission network will be properly 
categorized.''), order on reh'g, Order No. 773-A, 143 FERC ] 61,053, 
order denying clarification, 144 FERC ] 61,174 (2013).
---------------------------------------------------------------------------

    91. With respect to Wisconsin's comments, we do not agree that 
section 4.2.2 excludes reliability coordinators and interchange 
authorities from the CIP Reliability Standards as the facilities 
associated with both classes of entities can be accurately described as 
BES Cyber Systems under the NERC glossary. Section 4.1 of the 
applicability section of CIP-002-5 explicitly identifies reliability 
coordinators (section 4.1.6) and interchange authorities (section 
4.1.5) as applicable entities. Section 4.2 of the Reliability Standard 
identifies the ``Facilities, systems and equipment'' owned by 
responsible entities ``to which these requirements [of CIP-002-5] are 
applicable,'' and section 4.2.2 provides that for all entities other 
than distribution providers, the applicable facilities are ``[a]ll BES 
Facilities.'' In Order No. 773, we determined that the term ``bulk 
electric system'' incorporates ``associated equipment'' that broadly 
includes facilities such as control centers and other assets.\106\ We 
are satisfied that the CIP version 5 Standards explicitly apply to 
reliability coordinators and interchange authorities and that they are 
not precluded from having applicable facilities based on the language 
of the standards.
---------------------------------------------------------------------------

    \106\ Order No. 773, 141 FERC ] 61,236 at P 53 (noting that 
``core [bulk electric system] definition also continues to capture 
equipment associated with the facilities included in the bulk 
electric system.'').
---------------------------------------------------------------------------

    92. According to NERC, development of the BES Cyber System 
categorization process included a review of the NIST Risk Management 
Framework.\107\ There is a significant distinction, however, between 
NERC's categorization process and the NIST Risk Management Framework. 
In particular, NERC's categorization process is based on facility 
ratings, such as generation capacity and voltage levels.\108\ In 
contrast, the NIST Risk Management Framework categorizes systems based 
on cyber security principles regarding the confidentiality, integrity, 
and availability of systems. Commenters such as NERC and BPA aver that 
such differences are reasonable and justified because the NIST 
standards are information protection standards whereas the CIP 
Standards are reliability standards, aimed more broadly at the 
reliability of the Bulk-Power System across all entities rather than 
categorization by a single organization. We find this explanation to be 
reasonable and, therefore, we do not direct any modifications regarding 
the BES Cyber System categorization process in Reliability Standard 
CIP-002-5 at this time. However, as discussed below, the NIST Risk 
Management Framework, as well as other issues relating to the CIP 
Reliability Standards, will be the subject of a future staff-led 
technical conference.
---------------------------------------------------------------------------

    \107\ See NERC Petition at 31.
    \108\ See NOPR at, 143 FERC ] 61,055 P 63.
---------------------------------------------------------------------------

2. Protection of Low Impact BES Cyber Assets
NERC Petition
    93. Reliability Standard CIP-003-5, Requirement R2, which pertains 
to the obligations for BES Cyber Systems identified as Low Impact, 
provides:

    R2. Each Responsible Entity for its assets identified in CIP-
002-5, Requirement R1, Part R1.3 [i.e., low impact systems], shall 
implement, in a manner that identifies, assesses, and corrects 
deficiencies, one or more documented cyber security policies that 
collectively address the following topics, and review and obtain CIP 
Senior Manager approval for those policies at least once every 15 
calendar months: . . .
    2.1 Cyber security awareness;
    2.2 Physical security controls;
    2.3 Electronic access controls for external routable protocol 
connections and Dial-up Connectivity; and
    2.4 Incident response to a Cyber Security Incident.
    An inventory, list, or discrete identification of low impact BES 
Cyber Systems or their BES Cyber Assets is not required.

    This is the only CIP version 5 requirement applicable to Low Impact 
systems.
NOPR
    94. In the NOPR, the Commission expressed concern with Requirement 
R2 of Reliability Standard CIP-003-5, which requires responsible 
entities to ``implement . . . documented cyber security policies'' that 
address: (1) Cyber security awareness, (2) physical security controls, 
(3) electronic access controls and (4) incident response to a cyber 
security incident. The NOPR explained that Requirement R2 sets forth 
the single compliance obligation for BES Cyber Systems categorized as 
Low Impact.\109\ The Commission expressed concern that NERC's proposal 
to limit the protections for Low Impact BES Cyber Systems to documented 
policies, as opposed to requiring specific cyber security protections, 
could result in ambiguities that lead to inconsistent and inefficient 
implementation of the CIP Reliability Standards with regard to Low 
Impact BES Cyber Systems and may not provide an adequate roadmap for 
responsible entities to follow to ensure the reliable operation of the 
bulk electric system.\110\
---------------------------------------------------------------------------

    \109\ NOPR, 143 FERC ] 61,055 at P 66.
    \110\ Id. P 70.
---------------------------------------------------------------------------

    95. The NOPR proposed to direct that NERC develop a modification to 
CIP-003-5, Requirement R2, to require responsible entities to adopt 
specific, technically-supported cyber security controls for Low Impact 
assets, as opposed to the proposed unspecified policies.\111\ The NOPR 
sought comment on (1) The value of adopting specific controls for Low 
Impact assets that reflect their cyber security risk level and (2) the 
lack of a requirement to have an inventory, list or discrete 
identification of Low Impact BES Cyber Systems.
---------------------------------------------------------------------------

    \111\ Id.
---------------------------------------------------------------------------

Comments
Low Impact Protections
    96. The majority of commenters oppose the Commission proposal to 
require entities to adopt specific cyber security controls for Low 
Impact assets and support CIP-003-5, Requirement

[[Page 72768]]

R2 as filed. Other commenters support NERC's proposal, but also believe 
that additional guidance regarding the protection of Low Impact assets 
would be beneficial. Several commenters do not support NERC's proposal 
on Low Impact assets, but not based on the concerns raised in the NOPR.
    97. The majority of commenters support proposed CIP-003-5, 
Requirement R2 as filed and oppose the NOPR proposal to require 
specific, technically-supported controls for Low Impact BES Cyber 
Assets.\112\ Generally, commenters state that the CIP-003-5, 
Requirement R2 requirement for responsible entities to develop and 
implement documented cyber security policies is appropriate for assets 
that will be categorized as having a limited effect on the bulk 
electric system. NERC characterizes the requirement to develop and 
implement cyber security policies for Low Impact assets as ``a 
significant step in more comprehensively protecting assets that could 
cause cyber security risks to the bulk electric system.'' \113\
---------------------------------------------------------------------------

    \112\ See, e.g., Comments of Alliant, Ameren, AEP, APPA, 
Arkansas, BPA, CenterPoint, Consumers Energy, Dominion, EEI, 
Holland, Idaho Power, ISO New England, Luminant, MidAmerican, NARUC, 
National Grid, NRECA, NextEra, NERC, NAGF, Northeast Utilities, 
NIPSCO, PG&E, Pepco, Portland, PPL Companies, Southern Indiana, SWP, 
Tacoma, Tampa, TVA, TAPS, UI, Xcel.
    \113\ NERC Comments at 21.
---------------------------------------------------------------------------

    98. EEI asserts that the proposed protections for Low Impact assets 
include basic physical and electronic perimeter-type access controls 
for every bulk electric system facility housing any BES Cyber Asset, 
including Low Impact assets.\114\ CenterPoint, Consumers Energy, and 
Holland comment that CIP-003-5, Requirement R2 establishes an auditable 
requirement that responsible entities develop and implement cyber 
security policies covering the four areas identified in Requirement R2.
---------------------------------------------------------------------------

    \114\ EEI Comments at 13-14.
---------------------------------------------------------------------------

    99. APPA, Holland and others, comment that requiring responsible 
entities to adopt specific cyber security controls for Low Impact BES 
Cyber Systems would significantly increase the cost and administrative 
burden associated with the protection of Low Impact BES Cyber Systems 
with little to no increase in bulk electric system reliability.\115\ 
NextEra, among other commenters, asserts that a requirement to adopt 
specific, technically-supported controls for Low Impact BES Cyber 
Systems would take time and resources away from the protection of 
Medium and High Impact BES Cyber Systems.\116\ ISO New England raises a 
concern that adopting a new requirement for specific controls for Low 
Impact assets could have unintended consequences, such as the 
withdrawal of blackstart resources.\117\
---------------------------------------------------------------------------

    \115\ E.g., APPA Comments at 14; SWP Comments at 5; Consumers 
Energy Comments at 3; Idaho Power Comments at 2-3; NARUC Comments at 
5-6; NRECA Comments at 8-9; PHI Comments at 4; SCE Comments at 4; 
TAPS Comments at 4.
    \116\ NextEra Comments at 5; Alliant Comments at 5; EEI Comments 
at 14; KCP&L Comments at 4; NRECA Comments at 8-9.
    \117\ ISO New England Comments at 9.
---------------------------------------------------------------------------

    100. Some comments oppose the NOPR proposal to require specific, 
technically-supported controls for Low Impact BES Cyber Assets, but 
acknowledge that additional guidance regarding the protection of Low 
Impact assets would be beneficial.\118\ Specifically, SPP Parties, 
LADWP and KCP&L posit that additional guidance would aid responsible 
entities in understanding what security measures they should adopt for 
Low Impact assets, as well as help ensure that audit requirements are 
clear. AEP suggests that, if the Commission directs NERC to require 
prescriptive controls for Low Impact assets, such requirements should 
include a caveat that the controls will only be implemented where 
technically feasible.
---------------------------------------------------------------------------

    \118\ E.g., SPP Parties Comments at 3; LADWP Comments at 11; 
KCP&L Comments at 4.
---------------------------------------------------------------------------

    101. OEVC and SPP RE do not support proposed CIP-003-5, Requirement 
R2, but for different reasons. OEVC states that the category of Low 
Impact BES Cyber Assets is flawed because it encompasses entities that 
do not have an impact on the bulk electric system and, as such, exceeds 
the authority granted in FPA section 215.\119\ SPP RE claims that only 
requiring documented policies that cover broadly-defined topics 
provides insufficient protection for Low Impact BES Cyber Assets.\120\ 
SPP RE comments that the failure to require specific controls is 
problematic for auditors in that CIP-003-5, Requirement R2 lacks 
specific control objectives with which to measure an entity's 
compliance. SPP RE recommends defining an appropriate set of control 
objectives as opposed to defining the controls themselves.\121\
---------------------------------------------------------------------------

    \119\ OEVC Comments at 10.
    \120\ SPP RE Comments at 6.
    \121\ Id. at 7-8.
---------------------------------------------------------------------------

    102. NARUC raises a concern that the breadth of the Low Impact 
category has the potential to blur the clear jurisdictional lines in 
FPA section 215. NARUC concludes that a ``lighter touch,'' such as 
NERC's proposed documented policies under CIP-003-5, Requirement R2, is 
the appropriate manner to address assets that by definition are low 
priority.\122\
---------------------------------------------------------------------------

    \122\ NARUC Comments at 6.
---------------------------------------------------------------------------

Inventory of Low Impact Assets
    103. The majority of commenters oppose adopting a requirement for 
responsible entities to develop and maintain an inventory, list or 
discrete identification of Low Impact BES Cyber Assets.\123\ NERC, EEI, 
Idaho Power, NRECA, TVA, Xcel and others argue that developing and 
maintaining an inventory or list of Low Impact assets would create an 
unnecessary administrative burden without any corresponding reliability 
benefit.\124\ Luminant comments that a requirement to develop and 
maintain an inventory or list of Low Impact assets would be an 
administrative task that would create additional intelligence source 
data that must be protected.\125\ EEI suggests that Low Impact assets 
should be identified at the site facility level and not the individual 
device level.\126\
---------------------------------------------------------------------------

    \123\ See Comments of Ameren, Arkansas, BPA, Consumers Energy, 
Dominion, EEI, Idaho Power, LADWP, Luminant, MidAmerican, NRECA, 
NERC, NAGF, NIPSCO, PG&E, PEPCO, SCE, SPP Parties, Tampa, TVA, UI, 
and Xcel.
    \124\ See also Ameren Comments at 11; BPA Comments at 8; 
Consumers Energy Comments at 4; Dominion Comments at 10; SCE 
Comments at 4; SPP Parties at 3; Luminant Comments at 4; NAGF 
Comments at 4; PG&E Comments at 7; PHI Comments at 4; SCE Comments 
at 4; Tampa Comments at 5-6; and UI Comments at 6.
    \125\ Luminant Comments at 4.
    \126\ EEI Comments at 14-15.
---------------------------------------------------------------------------

    104. According to NERC, no added reliability benefit would result 
from a separate requirement to create and continuously update a list of 
Low Impact assets. NERC notes, however, that CIP-002-5 Part 1.3 
requires responsible entities to identify each bulk electric system 
asset that contains a Low Impact BES Cyber System and, therefore, 
responsible entities should have a list of bulk electric system 
locations containing Low Impact BES Cyber Systems that could be used 
for audit purposes.\127\ In contrast, SPP RE states that the lack of a 
requirement for responsible entities to maintain an inventory of Low 
Impact BES Cyber Assets poses an audit challenge because neither the 
responsible entity nor the auditor will have a reasonable assurance 
that every BES Cyber System or BES Cyber Asset has been accounted for 
and properly categorized.\128\
---------------------------------------------------------------------------

    \127\ NERC Comments at 22-23.
    \128\ SPP RE Comments at 7-8.
---------------------------------------------------------------------------

    105. LADWP supports removing the language from CIP-003-5, 
Requirement R2, stating that an inventory or list of Low Impact BES 
Cyber Systems or BES Cyber Assets is not required. LADWP

[[Page 72769]]

agrees with the Commission that the process of identifying and 
categorizing assets into Low, Medium, and High Impact categories will 
lend itself to compiling a list or inventory of all BES Cyber Assets, 
including Low Impact assets. LADWP suggests that, since entities will 
already be maintaining a list for internal classification purposes, a 
requirement to maintain a list of Low Impact BES Cyber Assets would not 
impose additional burdens.\129\
---------------------------------------------------------------------------

    \129\ LADWP Comments at 13.
---------------------------------------------------------------------------

Commission Determination
Specific Controls for Low Impact BES Cyber Systems
    106. Based on the explanations provided by NERC and other 
commenters, we adopt the NOPR proposal with modifications. As we 
explain below, while we do not require NERC to develop specific 
controls for Low Impact facilities, we do require NERC to address the 
lack of objective criteria against which NERC and the Commission can 
evaluate the sufficiency of an entity's protections for Low Impact 
assets. While NERC may address this concern by developing specific 
controls for Low Impact facilities, it has the flexibility to address 
it through other means, including those discussed below.
    107. As highlighted by commenters, the adoption of the Low Impact 
BES Cyber Asset category will expand the protections offered by the CIP 
version 5 Standards to additional assets that could cause cyber 
security risks to the bulk electric system. As discussed above, 
categorizing BES Cyber Systems based on their Low, Medium, or High 
Impact on the reliable operation of the bulk electric system, with all 
BES Cyber Systems being categorized as at least Low Impact, offers more 
comprehensive protection of the bulk electric system. The CIP version 5 
Standards, however, do not require specific controls for Low Impact 
assets nor do they contain clear, objective criteria from which to 
judge the sufficiency of the controls ultimately adopted by responsible 
entities for Low Impact BES Cyber Systems.
    108. In addition, the absence of objective criteria to evaluate the 
controls chosen by responsible entities for Low Impact assets 
introduces an unacceptable level of ambiguity and potential 
inconsistency into the compliance process, and creates an unnecessary 
gap in reliability. This ambiguity will make it difficult for 
registered entities to develop, and NERC and the regions to objectively 
evaluate, the effectiveness of procedures developed to implement 
Reliability Standard CIP-003-5, Requirement R2. Therefore, pursuant to 
section 215(d)(5) of the FPA, we direct NERC to develop modifications 
to the CIP version 5 Standards to address this concern. We believe that 
NERC can effectively address this concern in a number of ways, 
including: (1) Requiring specific controls for Low Impact assets, 
including subdividing the assets into different categories with 
different defined controls applicable to each subcategory; (2) 
developing objective criteria against which the controls adopted by 
responsible entities can be compared and measured in order to evaluate 
their adequacy, including subdividing the assets into different 
categories with different defined control objectives applicable to each 
subcategory; (3) defining with greater specificity the processes that 
responsible entities must have for Low Impact facilities under 
Reliability Standard CIP-003-5, Requirement R2; or (4) another equally 
efficient and effective solution. We believe that this approach allows 
NERC the flexibility to develop appropriate modification(s), while also 
considering the stakeholder concerns expressed in NOPR comments 
regarding the possible rigidity of requiring a ``one-size-fits-all'' 
set of controls.
    109. We disagree with OEVC's assertion that the Low Impact category 
is flawed because it applies to responsible entities that do not have 
an impact on the bulk electric system and, as such, exceeds the 
authority granted in FPA section 215. Reliability Standard CIP-002-5 
encompasses cyber assets that meet the definition of a BES Cyber Asset 
and that are associated with facilities that are part of the bulk 
electric system.\130\ Further, only those cyber assets that meet the 
definition of a BES Cyber Asset and are a part of a BES Cyber System 
must comply with the controls in the CIP Reliability Standards. 
Accordingly, Low Impact assets fall within the scope of FPA section 
215. While SPP RE raises concerns regarding the auditability of 
Reliability Standard CIP-003-5, Requirement R2, in the absence of 
specific control objectives, other commenters such as CenterPoint and 
Consumers Energy assert that Requirement R2 establishes an auditable 
requirement that responsible entities both develop and implement cyber 
security policies addressing the four identified areas. We believe that 
our directive to NERC will address any concerns over the auditability 
of the protections adopted under CIP-003-5, Requirement R2.
---------------------------------------------------------------------------

    \130\ See Reliability Standard CIP-002-5 (Cyber Security--BES 
Cyber System Categorization) at Section 3 (the stated purpose of 
CIP-002-5 is ``[t]o identify and categorize BES Cyber Systems and 
their associated BES Cyber Assets for the application of cyber 
security requirements commensurate with the adverse impact that 
loss, compromise, or misuse of those BES Cyber Systems could have on 
the reliable operation of the [bulk electric system].'').
---------------------------------------------------------------------------

    110. As discussed above, NERC has flexibility in how it addresses 
our concern. For example, NERC could follow the recommendation of SPP 
RE and define an appropriate set of control objectives for Low Impact 
assets, rather than define the specific controls that would apply to 
Low Impact assets. Alternatively, NERC may propose specific controls 
that apply to Low Impact assets, including subdividing the assets into 
different categories with different defined controls or control 
objectives applicable to each subcategory, or it could define with 
greater specificity the processes that responsible entities must have 
for Low Impact facilities under CIP-003-5, Requirement R2. NERC may 
also propose an alternative approach that addresses our concern in an 
equally efficient and effective manner. Whatever approach NERC decides 
to take, we emphasize that the criteria NERC proposes for evaluating a 
responsible entities' protections for Low Impact facilities should be 
clear, objective, commensurate with their impact on the system, and 
technically justified.
Inventories of Low Impact BES Cyber Systems
    111. In the NOPR, the Commission sought comment on the benefit of 
requiring a list or inventory of Low Impact BES Cyber Systems.\131\ 
Based on the comments, we are persuaded that it would be unduly 
burdensome to require responsible entities to create and maintain an 
inventory of Low Impact assets for audit purposes. Creating and 
maintaining such a list could also divert resources away from the 
protection of Medium and High Impact assets. Further, we note that 
NERC's approach is consistent with its move away from embedding 
documentation obligations in the substantive requirements of 
Reliability Standards.
---------------------------------------------------------------------------

    \131\ See NOPR, 143 FERC ] 61,055 at P 71.
---------------------------------------------------------------------------

    112. We agree with NERC's comment that, while not requiring a list 
or inventory, ``NERC stresses that entities will need to be able to 
demonstrate compliance with CIP-002-5, which requires such entities to 
identify the assets that are associated with its Low

[[Page 72770]]

Impact BES Cyber Systems.'' \132\ Thus, NERC indicates that, while not 
necessarily in the form of a discrete list, an entity must have the 
ability to identify the nature and location of all Low Impact assets 
that it owns or controls for audit and compliance purposes. Likewise, 
as explained by NERC, pursuant to Reliability Standard CIP-002-5, 
Requirement R1, Part 1.3, auditors have the ability to ensure that Low 
Impact systems are accounted for by confirming that a responsible 
entity has identified ``each asset that contains a low impact BES Cyber 
System[.]'' \133\ We find this explanation to be reasonable.
---------------------------------------------------------------------------

    \132\ NERC Comments at 22.
    \133\ Reliability Standard CIP-002-5 (Cyber Security--BES Cyber 
System Categorization), at Requirement 1, Part 1.3.
---------------------------------------------------------------------------

C. Proposed Definitions

    113. In its petition, NERC proposes nineteen CIP-related 
definitions for inclusion in the NERC Glossary. This includes fifteen 
new definitions and four revised definitions, as well as the retirement 
of two definitions.\134\ The NOPR proposed to approve the definitions 
for inclusion in the NERC Glossary. The NOPR also sought comment on 
certain aspects of the proposed definitions. The Commission stated in 
the NOPR that, depending on the adequacy of the explanations provided 
in response to the NOPR questions, the Commission may direct NERC to 
develop modifications to certain proposed definitions to eliminate 
ambiguities and ensure that BES Cyber Assets are adequately protected.
---------------------------------------------------------------------------

    \134\ Newly proposed definitions include BES Cyber Asset, BES 
Cyber System, BES Cyber System Information, CIP Exceptional 
Circumstances, CIP Senior Manager, Control Center, Dial-up 
Connectivity, Electronic Access Control or Monitoring Systems 
(EACMS), Electronic Access Point (EAP), External Routable 
Connectivity, Interactive Remote Access, Intermediate System, 
Physical Access Control Systems (PACS), Protected Cyber Assets 
(PCA), and Reportable Cyber Security Incident. Revised definitions 
include Cyber Assets, Cyber Security Incident, Electronic Security 
Perimeter (ESP), and Physical Security Perimeter (PSP). Retired 
definitions include Critical Assets and Critical Cyber Assets.
---------------------------------------------------------------------------

    114. As discussed below, we approve the nineteen definitions. In 
addition, pursuant to section 215(d)(5) of the FPA, the Commission 
directs NERC to develop requirements that address issues raised by the 
definitions and to submit an informational filing.
1. Definition--BES Cyber Asset
NERC Petition
    115. NERC proposes the following definition of a BES Cyber Asset:

    A Cyber Asset that if rendered unavailable, degraded, or misused 
would, within 15 minutes of its required operation, misoperation, or 
non-operation, adversely impact one or more Facilities, systems, or 
equipment, which, if destroyed, degraded, or otherwise rendered 
unavailable when needed, would affect the reliable operation of the 
Bulk Electric System. Redundancy of affected Facilities, systems, 
and equipment shall not be considered when determining adverse 
impact. Each BES Cyber Asset is included in one or more BES Cyber 
Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 
consecutive calendar days or less, it is directly connected to a 
network within an ESP, a Cyber Asset within an ESP, or to a BES 
Cyber Asset, and it is used for data transfer, vulnerability 
assessment, maintenance, or troubleshooting purposes.)
a. 15-Minute Parameter
NOPR
    116. The NOPR sought comment on the purpose and effect of the 15-
minute parameter in the BES Cyber Asset definition. In particular, the 
NOPR sought comment on the types of Cyber Assets that would meet the 
``within 15 minutes'' parameter.\135\ Further, the NOPR sought comment 
on the types of assets or devices that the 15-minute parameter would 
exclude and, in particular, whether the ``within 15 minutes'' parameter 
excludes devices that have an impact on the reliable operation of the 
bulk electric system.\136\ The NOPR also sought comment on whether the 
use of a specified time period as a basis for identifying assets for 
protection is consistent with the procedures adopted under other cyber 
security standards, such as the NIST Risk Management Framework, that 
apply to industrial control and Supervisory Control and Data 
Acquisition (SCADA) systems, as well as traditional information 
technology systems.\137\
---------------------------------------------------------------------------

    \135\ NOPR, 143 FERC ] 61,055 at P 77.
    \136\ Id.
    \137\ Id.
---------------------------------------------------------------------------

Comments
    117. Most commenters support the 15-minute parameter,\138\ stating 
that the 15-minute parameter is consistent with existing Commission-
approved Reliability Standards. Other commenters contend that the 15-
minute parameter is arbitrary and lacks justification.
---------------------------------------------------------------------------

    \138\ E.g., Ameren, AEP, EEI, Idaho Power, KCP&L, Luminant, 
MidAmerican, MISO, NERC, NAGF, PPL, Tampa, UI.
---------------------------------------------------------------------------

    118. NERC, AEP, EEI, Idaho Power and PPL state that the proposed 
15-minute parameter provides a level of consistency for the 
identification of BES Cyber Assets that could have a real-time impact 
on the reliability of the bulk electric system.\139\ Similarly, KCP&L 
and UI support the 15-minute parameter as a proxy for real-time 
operations, and KCP&L explains that the proposed definition should not 
automatically exempt any assets that have an impact on the reliable 
operation of the bulk electric system.\140\
---------------------------------------------------------------------------

    \139\ AEP Comments at 6; EEI Comments at 26; Idaho Power 
Comments at 3-4; NERC Comments at 24; PPL Comments at 6.
    \140\ KCPL Comments at 4, UI Comments at 7-8.
---------------------------------------------------------------------------

    119. NERC, Luminant, and MISO comment that the 15-minute parameter 
is consistent with Commission-approved reliability standards.\141\ 
Luminant notes that 15-minute parameter is consistent with the 
disturbance recovery period under Reliability Standard BAL-002-1. NERC 
and MISO state that the Commission has previously approved the use of a 
15-minute parameter to identify generation assets under the CIP version 
4 Standards.\142\
---------------------------------------------------------------------------

    \141\ Luminant Comments at 4; MISO Comments at 6; NERC Comments 
at 25.
    \142\ NERC Comments at 24; MISO Comments at 6.
---------------------------------------------------------------------------

    120. According to NERC, the 15-minute parameter will typically 
include SCADA, EMS systems transmission protection systems, and 
generation control systems. NERC states that the 15-minute parameter 
will generally exclude systems that collect data for engineering 
analysis and support, and maintenance, and generally includes systems 
that provide input to an operator for real-time operations or trigger 
automated real-time operations.\143\ Tampa asserts that Cyber Assets 
and BES Cyber Systems that actively and directly support the reliable 
operation of the bulk electric system would be captured under the 
proposed definition since such assets need to be available at all 
times.\144\
---------------------------------------------------------------------------

    \143\ NERC Comments at 26-27. See also Tampa Comments at 9.
    \144\ Tampa Comments at 9.
---------------------------------------------------------------------------

    121. NIPSCO and OEVC contend that the 15-minute parameter is 
arbitrary and unsupported. NIPSCO states that it is not clear how the 
15-minute parameter should be tested or determined under the proposed 
definition and questions whether responsible entities should be running 
studies or analysis addressing the loss of cyber assets or whether the 
15-minute parameter should be attributed to a cyber asset based on the 
associated facility.\145\ OEVC argues that NERC has not explained the 
15-minute parameter and opines that the 15-minute parameter is 
``unnecessary as it imposes an arbitrary time period.'' \146\

[[Page 72771]]

SPP RE states that it cannot comment on whether the 15-minute parameter 
is appropriate to establish a distinction between real-time and non-
real time operations, but SPP RE is concerned with the audit 
implications raised by the 15-minute parameter.\147\
---------------------------------------------------------------------------

    \145\ NIPSCO Comments at 5.
    \146\ OEVC Comments at 9.
    \147\ SPP RE Comments at 8-9.
---------------------------------------------------------------------------

Commission Determination
    122. We approve NERC's proposed definition of BES Cyber Asset. 
Based on the comments, we understand that the 15-minute parameter is 
intended to capture assets involved in real-time operations, such as 
systems that provide input to an operator for real-time operations or 
trigger automated real-time operations. According to NERC, ``the 15-
minute parameter is not about detecting and responding to a 
Cybersecurity Incident within 15 minutes; rather the 15-minute 
parameter is about identifying those assets that, when called upon in 
real-time or rendered unavailable in real-time, could impact reliable 
operations.'' \148\ The 15-minute parameter is also not without 
precedent since the Commission approved similar language in the CIP 
version 4 Standards with respect to generating units.\149\
---------------------------------------------------------------------------

    \148\ NERC Comments at 26. Further, NERC states that ``[t]he 15-
minute parameter is essentially used as a measurable proxy for real-
time operations in the CIP context,'' Id. at 25. NERC explains that 
the NERC Glossary defines the term ``Real-Time'' as ``[p]resent time 
as opposed to future time.'' The CIP drafting team chose not to use 
this definition in defining BES Cyber Asset in order to provide a 
more measurable time frame and avoid confusion during 
implementation. Id.
    \149\ See Order No. 761, 139 FERC ] 61,058 at P 35 (2012).
---------------------------------------------------------------------------

    123. As explained by NERC, the 15-minute parameter will typically 
result in the identification of SCADA, Energy Management Systems, 
transmission protection systems, and generation control systems as BES 
Cyber Assets.\150\ Further, according to NERC, ``[t]ypical systems that 
might be excluded by the 15-minute parameter are systems that collect 
data for engineering analysis and support, and maintenance rather than 
providing input to the operator for real-time operations or triggering 
automated real-time operations. Such excluded systems would include 
those used to collect data for the purpose of determining maintenance 
schedules for assets such as transformers or for engineering 
analysis.'' \151\ While NERC provides these generalized expectations, 
NERC also explains that ``whether a particular asset is included or 
excluded from the definition of BES Cyber Asset is necessarily 
dependent upon the individual facts and circumstances of how an entity 
uses that asset.'' \152\ We also observe that some commenters express 
concern over using a time period to determine the impact of a cyber 
system. Since the identification of BES Cyber Assets is a critical step 
to applying the CIP version 5 Standards, we are interested in better 
understanding more fully the scope of assets that will be identified as 
BES Cyber Assets as a result of the application of the 15-minute 
parameter.
---------------------------------------------------------------------------

    \150\ See NERC Comments at 26.
    \151\ Id.
    \152\ Id. at 27.
---------------------------------------------------------------------------

    124. Accordingly, the Commission directs NERC to conduct a survey 
of Cyber Assets that are included or excluded under the new BES Cyber 
Asset definition during the CIP version 5 Standards implementation 
periods. Such data will help provide a better understanding of the BES 
Cyber Asset definition. Based on the survey data, NERC should explain 
in an informational filing the following: (1) Specific ways in which 
entities determine which Cyber Assets meet the 15 minute parameter; (2) 
types or functions of Cyber Assets that are excluded from being 
designated as BES Cyber Assets and the rationale as to why; (3) common 
problem areas with entities improperly designating BES Cyber Assets; 
and (4) feedback from each region participating in the implementation 
study on lessons learned with the application of the BES Cyber Asset 
definition. The informational filing should not provide a level of 
detail that divulges CEII data. This filing should also help other 
entities implementing CIP version 5 in identifying BES Cyber Assets.
    125. The Commission directs NERC to submit the informational filing 
one year after the effective date of this Final Rule. Based on the 
information in the informational filing, the Commission may revisit 
whether the BES Cyber Asset definition should include the 15-minute 
parameter.
b. 30-Day Exemption
NOPR
    126. NERC's proposed definition of BES Cyber Asset provides in part 
that ``[a] Cyber Asset is not a BES Cyber Asset if, for 30 consecutive 
calendar days or less, it is directly connected to a network within an 
[Electronic Security Perimeter], a Cyber Asset within an [Electronic 
Security Perimeter], or to a BES Cyber Asset, and it is used for data 
transfer, vulnerability assessment, maintenance, or troubleshooting 
purposes.'' In the NOPR, the Commission sought comment on the purpose 
and anticipated effect of the 30-day exemption language in the BES 
Cyber Asset definition. Specifically, the Commission sought comment on 
whether the clause could result in the introduction of malicious code 
or new attack vectors to an otherwise trusted and protected system, as 
demonstrated in recent real-world incidents.\153\ In addition, the NOPR 
sought comment on the types of Cyber Assets used for ``data transfer, 
vulnerability assessment, maintenance, or troubleshooting purposes,'' 
as this language is used in the BES Cyber Asset definition.\154\
---------------------------------------------------------------------------

    \153\ NOPR, 143 FERC ] 61,055 at P 78.
    \154\ Id.
---------------------------------------------------------------------------

Comments
    127. Most commenters support the proposed 30-day exemption.\155\ 
NERC and other commenters state that the 30-day exemption is necessary 
because removing the language would require responsible entities to 
implement the full set of CIP version 5 requirements on transient 
systems,\156\ which they assert would be impractical and costly.\157\ 
EEI supports the 30-day exemption and maintains that it would be 
``virtually impossible'' for entities to prove compliance with full-
time physical security protections around portable devices or 
programmable electronic devices that are briefly connected to a network 
and then removed. EEI states that ``to practically and auditably 
preserve the stringent protections in place around BES Cyber Assets as 
currently defined, the temporarily connected devices . . . exclusion 
must be preserved.'' \158\
---------------------------------------------------------------------------

    \155\ NERC, EEI, Ameren, AEP, Tacoma, CenterPoint, UI, Dominion, 
ISO New England, MidAmerican, Exelon, National Grid, NextEra, 
NorthWestern, PPL Companies, and Wisconsin.
    \156\ NERC states that ``[a]n example of such a transient device 
is a laptop connected on a temporary basis to run vulnerability 
assessment software or to perform computer network traffic 
analysis.'' NERC Comments at 28.
    \157\ UI Comments at 8; G&T Cooperatives Comments at 14; NERC 
Comments at 28.
    \158\ EEI Comments at 26.
---------------------------------------------------------------------------

    128. While some commenters acknowledge that connecting test 
equipment and other transient systems to trusted networks introduces 
new attack vectors and potentially malicious code, several commenters, 
such as MidAmerican, argue that BES Cyber Systems will have adequate 
security protections by virtue of implementing the CIP version 5 
Standards as proposed.\159\ Specifically, NERC and others maintain 
that, since CIP-007-5,

[[Page 72772]]

Requirement R3 requires the prevention of malicious code, BES Cyber 
Systems will be safeguarded from threats posed by transient systems.
---------------------------------------------------------------------------

    \159\ CenterPoint Comments at 5; G&T Cooperatives Comments at 
14-15; ISO-NE Comments at 11; MidAmerican Comments at 18.
---------------------------------------------------------------------------

    129. Encari and KCP&L do not support the 30-day exemption in the 
BES Cyber Asset definition. Encari states that the proposed BES Cyber 
Asset definition does not adequately address risks posed by transient 
or temporarily connected systems, adding that the 30-day exemption 
period appears ``arbitrary.'' \160\ Encari also states that this 
language is prone to abuse, arguing that entities could briefly 
disconnect Cyber Assets regularly used for used for data transfer, 
vulnerability assessment, maintenance, or troubleshooting purposes in 
order to restart the 30-day qualification period, making it relatively 
easy to circumvent CIP implementation on transient systems.
---------------------------------------------------------------------------

    \160\ Encari Comments at 4.
---------------------------------------------------------------------------

    130. KCP&L remarks that ``due to a lack of alternative protective 
measures,'' it does not support the 30-day language excluding 
temporarily connected systems.\161\ KCP&L believes that implementation 
of the CIP version 5 standards on transient systems, while burdensome, 
will prevent a gap in protective measures.\162\
---------------------------------------------------------------------------

    \161\ KCP&L Comments at 5.
    \162\ Id.
---------------------------------------------------------------------------

    131. Tacoma Power recommends that, since there is no clear guidance 
as to how transient systems should be managed to ensure malicious code 
is not introduced into protected environments, clarification is 
needed.\163\
---------------------------------------------------------------------------

    \163\ Tacoma Power Comments at 3-4.
---------------------------------------------------------------------------

Commission Determination
    132. Based on the explanation provided by NERC and other 
commenters, we will not direct modifications regarding the 30-day 
exemption in the definition of BES Cyber Asset. While we are persuaded 
that it would be unduly burdensome for responsible entities to treat 
all transient devices as BES Cyber Assets, we remain concerned whether 
the CIP version 5 Standards provide adequately robust protection from 
the risks posed by transient devices. Accordingly, as discussed below, 
we direct NERC to develop either new or modified standards to address 
the reliability risks posed by connecting transient devices to BES 
Cyber Assets and Systems.
    133. As explained by NERC, the 30-day exemption is intended to 
remove transient devices from the scope of the CIP version 5 Standards. 
We recognize that including transient devices in the definition of BES 
Cyber Asset would subject transient devices to the full suite of cyber 
security protections in the CIP version 5 Standards. We are persuaded 
by commenters' explanations that it would be unduly burdensome to 
protect transient devices in the same manner as BES Cyber Assets 
because transient devices are portable and frequently connected and 
disconnected from systems.
    134. NERC and other commenters also assert that the CIP version 5 
Standards require the protection of BES Cyber Assets from malicious 
code, thus obviating the need to include transient devices within the 
scope of the BES Cyber Asset definition. For example, NERC avers that 
``responsible entities have an affirmative obligation pursuant to CIP-
007-5 to prevent malicious code from being introduced on the applicable 
BES Cyber Systems, no matter where it might originate.'' \164\ However, 
relying on a single security control to protect information systems is 
contrary to the fundamental cyber security concept of defense-in-depth, 
which the Commission continues to believe is the most appropriate way 
to address cyber security. A transient device introduced directly into 
a system bypasses most of the protection provided by the layers of 
security controls provided by the CIP Reliability Standards. It cannot 
be assumed that anti-malware programs are completely effective in 
detecting, removing, and blocking malware, especially when they are 
commonly thwarted by the introduction of zero-day attacks.\165\
---------------------------------------------------------------------------

    \164\ NERC Comments at 29.
    \165\ SANS defines a zero-day attack as a computer threat that 
tries to exploit computer application vulnerabilities that are 
unknown to others or undisclosed to the software developer.
---------------------------------------------------------------------------

    135. As the Commission highlighted in the NOPR, transient devices 
have been the source of incidents where malware was introduced into 
electric generation industrial control systems in real-world 
situations.\166\ Further, since these devices can move between 
electronic security perimeters, transient devices could spread malware 
across a responsible entity's BES Cyber Systems absent appropriate 
controls. While we agree that it would be overly-burdensome to include 
transient devices in the BES Cyber Asset definition, we agree with 
Encari and KCP&L that there is a gap in the CIP version 5 Standards 
regarding transient devices, and these devices pose a risk to BES Cyber 
Assets that is not addressed in an adequately robust manner in the CIP 
version 5 Standards.
---------------------------------------------------------------------------

    \166\ See NOPR, 143 FERC ] 61,055 at n.69 (referencing 
Department of Homeland Security Industrial Control Systems Cyber 
Emergency Response Team (ICS-CERT) Monthly Monitor (October-December 
2012) at 1. Available at http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monthly_Monitor_OctDec2012.pdf. The October-December 2012 ICS-CERT 
Monthly Monitor describes two recent situations where malware was 
introduced into two electric generation industrial control systems 
(ICS) through removable media (i.e., USB drive) that was being used 
to back-up a control system environment and updates.).
---------------------------------------------------------------------------

    136. Accordingly, pursuant to section 215(d)(5) of the FPA, the 
Commission directs NERC to develop either a new or modified Reliability 
Standard that addresses the risks posed by transient devices. For 
example, the requirements should recognize that transient devices, 
unlike BES Cyber Assets, are generally portable and frequently 
connected and disconnected from systems. The Commission expects NERC to 
consider the following security elements when designing a Reliability 
Standard for transient devices and removable media: (1) Device 
authorization as it relates to users and locations; (2) software 
authorization; (3) security patch management; (4) malware prevention; 
(5) detection controls for unauthorized physical access to a transient 
device and; (6) processes and procedures for connecting transient 
devices to systems at different security classification levels (i.e. 
High, Medium, Low Impact). We believe that NIST SP 800-53 Maintenance 
and Media Protection security control families, as well as the existing 
Requirements in CIP-004-5, CIP-006-5, and CIP-007-5, can serve as a 
guide to NERC and the industry in the development of appropriate 
reliability objectives for transient devices. We believe that 
addressing transient devices in a new or modified Reliability Standard 
as discussed above provides a balanced approach to addressing the risks 
associated with transient devices without imposing unduly burdensome 
requirements on responsible entities.
2. Definition--Control Center
NERC Petition
    137. NERC proposes the following definition of a control center:

    One or more facilities hosting operating personnel that monitor 
and control the Bulk Electric System (BES) in real-time to perform 
the reliability tasks, including their associated data centers, of: 
(1) A Reliability Coordinator, (2) a Balancing Authority, (3) a 
Transmission Operator for transmission Facilities at two or more 
locations, or (4) a Generator Operator for generation Facilities at 
two or more locations.
NOPR
    138. The Commission sought comment on the meaning of the phrase 
``generation Facilities at two or more locations'' and, specifically, 
whether the phrase includes two or more units at

[[Page 72773]]

one generation plant and/or two or more geographically dispersed units.
Comments
    139. Commenters generally explain that the phrase ``generation 
Facilities at two or more locations'' is intended to capture control 
centers that control two or more geographically dispersed generation 
units.\167\ NERC and other commenters state that the definition is not 
intended to capture assets associated with two or more units at one 
generation plant.\168\ Portland opines that an interpretation of the 
phrase that captures multiple generating units at the same generating 
plant ``could have the unintended consequence of making what are 
clearly control rooms into control centers.'' \169\
---------------------------------------------------------------------------

    \167\ Ameren, Dominion, EEI, Idaho Power, KCP&L, Luminant, 
MidAmerican, NERC, NAGF, Portland, SPP RE, Tampa, TVA.
    \168\ Dominion Comments at 14; Idaho Power at 4; MidAmerican 
Comments at 18; NERC Comments at 30; SPP RE Comments at 10; Tampa 
Comments at 7.
    \169\ Portland Comments at 5. See also TVA Comments at 6.
---------------------------------------------------------------------------

    140. Ameren states that although it understands the term to refer 
to two or more geographically dispersed units, it would support asking 
NERC to more clearly define the term.\170\ Waterfall advocates for a 
risk-based definition of control center, noting that the risk control 
centers pose to the bulk electric system is based on sabotage or mis-
operation. According to Waterfall, any set of equipment capable of 
nearly-simultaneously sabotaging a large amount of generating capacity 
should be classified as a control center no matter where the generation 
is located.\171\
---------------------------------------------------------------------------

    \170\ Ameren Comments at 17-18.
    \171\ Waterfall Comments at 7.
---------------------------------------------------------------------------

Commission Determination
    141. We approve the definition of Control Center. Consistent with 
the comments, we clarify that the phrase ``generation Facilities at two 
or more locations'' refers to control centers that control two or more 
geographically dispersed generation units as opposed to assets 
associated with two or more units at one generation plant. In response 
to the comments raised by Ameren and Waterfall, we find that definition 
of Control Center is sufficiently clear. However, entities may seek 
additional clarification or modification through the NERC standards 
development process. We also find that the CIP version 5 Reliability 
Standards take a risk-based approach to Control Centers because, under 
Reliability Standard CIP-002-5, responsible entities must categorize 
generation operator Control Centers as High, Medium, or Low Impact 
based on facility ratings.
3. Definition--Cyber Asset
NERC Petition
    142. NERC's currently-effective Glossary definition of Cyber Asset 
provides:

    Programmable electronic devices and communication networks 
including hardware, software, and data.

    NERC proposes the following definition of a Cyber Asset:

    Programmable electronic devices, including the hardware, 
software, and data in those devices.

    Thus, NERC's proposed definition of Cyber Asset removes the phrase 
``communication networks.''
NOPR
    143. The Commission stated in the NOPR that NERC's proposed 
definition of Cyber Asset removes the phrase ``communication networks'' 
from the currently-effective Glossary definition of Cyber Asset, 
highlighting the fact that the FPA defines ``cybersecurity incident'' 
as follows:

    A malicious act or suspicious event that disrupts, or was an 
attempt to disrupt, the operation of those programmable electronic 
devices and communication networks, including hardware, software and 
data that are essential to the reliable operation of the bulk power 
system.[\172\]
---------------------------------------------------------------------------

    \172\ NOPR, 143 FERC ] 61,055 at P 81 (citing 16 U.S.C. 
824o(a)(8) (2012) (emphasis added)).

    144. The NOPR indicated that NERC's revised definition of Cyber 
Asset appears to remove a type of asset the statute defines as 
essential to the reliable operation of the Bulk-Power System.\173\
---------------------------------------------------------------------------

    \173\ NOPR, 143 FERC ] 61,055 at P 81.
---------------------------------------------------------------------------

    145. In the NOPR, the Commission sought comment regarding the 
purpose and intended effect of removing ``communication networks'' from 
the definition of a Cyber Asset.\174\ Further, the Commission sought 
comment on whether the removal of ``communication networks'' from the 
definition could create a gap in cyber security and the CIP Reliability 
Standards.\175\ In addition, the Commission sought an explanation as to 
the purpose and intended effect of the phrase ``data in those devices'' 
and, in particular, whether the phrase excludes data being transferred 
between devices.\176\
---------------------------------------------------------------------------

    \174\ Id. P 82.
    \175\ Id.
    \176\ Id.
---------------------------------------------------------------------------

Comments
    146. Most commenters support NERC's proposal that removes the 
phrase ``communication networks'' from the definition of Cyber 
Asset.\177\ NERC and other commenters contend that the inclusion of 
communication networks in the currently-effective definition of Cyber 
Asset has caused confusion in the implementation of the CIP Reliability 
Standards since communication networks are generally outside the 
control of responsible entities.\178\ NERC, KCP&L, MidAmerican, and 
Tampa comment that communication networks include programmable 
electronic device components that could still qualify as Cyber Assets, 
even though the nonprogrammable electronic components of the 
communication networks, such as cabling, would not qualify.\179\ NAGF 
argues that, although it may be appropriate to address the physical 
protection of communication cabling in the future, ``the remainder of 
the NERC CIP standards, as currently drafted, cannot be applied to 
communication cabling.'' \180\
---------------------------------------------------------------------------

    \177\ Ameren, AEP, BPA, Dominion, ISO New England, KCP&L, 
MidAmerican, MISO, NERC, EEI, Exelon, NAGF, National Grid, NextEra, 
NorthWestern, Portland, PPL Companies, Tacoma, Tampa, UI, and 
Wisconsin.
    \178\ AEP Comments at 6-7; KCP&L Comments at 5; MISO Comments at 
7-8; NERC Comments at 31-32; Portland Comments at 5-6.
    \179\ KCP&L Comments at 5; MidAmerican at 19; NERC Comments at 
31-32; Tampa Comments at 8.
    \180\ NAGF Comments at 6.
---------------------------------------------------------------------------

    147. Other commenters claim that removing ``communication 
networks'' from the definition of Cyber Asset could create security 
gaps.\181\ SPP RE comments that removing communication networks is 
inconsistent with the Commission's interpretation of CIP-006-3, 
Requirement R1.1, which requires the protection of data being 
transmitted over physical media by either physical or logical 
means.\182\ Idaho Power agrees with the NOPR that excluding 
communication networks from the Cyber Asset definition could lead to a 
gap in security; however Idaho Power is concerned about how the CIP 
version 5 Standards would apply to every component of a communication 
network.\183\ Idaho Power notes that the term ``communication network'' 
itself is open to interpretation and creates confusion as to what 
assets are covered by the CIP Reliability Standards. Therefore, Idaho 
Power suggests that the Commission direct NERC to define 
``communication network'' through the standard drafting process and 
direct

[[Page 72774]]

NERC to more fully explain how the CIP version 5 Standards would apply 
to communication networks.\184\
---------------------------------------------------------------------------

    \181\ Idaho Power, SPP RE.
    \182\ SPP RE Comments at 11.
    \183\ Idaho Power Comments at 4.
    \184\ Id. at 5.
---------------------------------------------------------------------------

Commission Determination
    148. We approve NERC's revised Cyber Asset definition. After 
considering the explanations provided by commenters, we are persuaded 
that it is not necessary to maintain the phrase ``communications 
network'' within the text of the Cyber Asset definition to ensure that 
the programmable electronic components of these networks receive 
protection under the CIP Reliability Standards. We further recognize 
that maintaining the phrase ``communication networks'' within the Cyber 
Asset definition would likely cause confusion and possibly complicate 
the implementation of the CIP version 5 Standards, as many 
communication network components, such as cabling, cannot strictly 
comply with the CIP Reliability Standards. We anticipate that the 
removal of this phrase from the Cyber Asset definition will minimize 
the number of technical feasibility exceptions needed for strict 
compliance with the CIP version 5 Standards.
    149. Nevertheless, we remain concerned that a gap in protection may 
exist, as the CIP version 5 Standards do not address security controls 
needed to protect the nonprogrammable components of communications 
networks. We observe that a number of other information security 
standards, including NIST SP 800-53 and ISO 27001, address the 
protection of communication mediums, for instance in NIST SP 800-53 Rev 
3, security control PE-4 includes examples of protecting communication 
medium including: (i) Locked wiring closets; (ii) disconnected or 
locked spare jacks; and/or (iii) protection of cabling by conduit or 
cable trays.\185\ Similarly, ISO 27001 also emphasizes the protection 
of telecommunications cabling from interception or damage in control 
A.9.2.3.\186\
---------------------------------------------------------------------------

    \185\ See NIST SP 800-53 Revision 3, security control family 
Physical and Environmental Protection, Annex 2, page 54.
    \186\ BSI ISO/IEC (2005). Information technology--Security 
techniques--Information security management systems--Requirements 
(ISO/IEC 27001:2005).British Standards Institute.
---------------------------------------------------------------------------

    150. We direct NERC to create a definition of communication 
networks and to develop new or modified Reliability Standards to 
address the reliability gap discussed above. The definition of 
communications networks should define what equipment and components 
should be protected, in light of the statutory inclusion of 
communication networks for the reliable operation of the Bulk-Power 
System. The new or modified Reliability Standards should require 
appropriate and reasonable controls to protect the nonprogrammable 
aspects of communication networks. The Commission directs NERC to 
submit these modifications for Commission approval within one year from 
the effective date of this final rule. We also direct Commission staff 
to include this issue in the staff-led technical conference discussed 
herein.\187\
---------------------------------------------------------------------------

    \187\ See infra P 223.
---------------------------------------------------------------------------

4. Reliability Tasks
NERC Petition
    151. NERC's definitions of the terms BES Cyber System, Control 
Center, and Reportable Cyber Security Incident include the undefined 
term ``reliability tasks.'' For example, the proposed definition of BES 
Cyber System provides:

    One or more BES Cyber Assets logically grouped by a responsible 
entity to perform one or more reliability tasks for a functional 
entity.
NOPR
    152. The Commission raised the concern in the NOPR whether the use 
of the undefined term ``reliability tasks'' will lead to confusion 
during implementation. Therefore, the Commission sought comment on the 
meaning and scope of the phrase ``reliability tasks'' and whether there 
is a common understanding of this phrase to assure accurate and 
consistent implementation of the definitions and, hence, the CIP 
version 5 Standards.\188\
---------------------------------------------------------------------------

    \188\ NOPR, 143 FERC ] 61,055 at P 84.
---------------------------------------------------------------------------

Comments
    153. Most commenters state that ``reliability tasks'' has a well-
understood meaning and does not need further definition.\189\ NERC, 
EEI, NAGF and other commenters explain that ``reliability tasks'' 
refers to the tasks associated with the functions defined in the NERC 
Functional Model.\190\ NERC asserts that the use of the undefined term 
``should not cause confusion in implementation or result in 
interpretation requests'' since industry has a common understanding of 
the term ``reliability tasks.'' \191\ SPP RE and UI explain their 
understanding of the term ``reliability tasks'' as referring to the 
bulk electric system reliability operating services listed in the 
Guidelines and Technical Basis section of CIP-002-5.\192\
---------------------------------------------------------------------------

    \189\ AEP, CenterPoint, Dominion, EEI, Exelon, Luminant, NERC, 
NAGF, National Grid, NextEra, NorthWestern, PPL Companies, SPP RE, 
Tampa, and Wisconsin.
    \190\ AEP Comments at 8; Dominion Comments at 12; EEI Comments 
at 29; NAGF Comments at 7; NERC Comments at 33-34; Tampa Comments at 
8.
    \191\ NERC Comments at 34.
    \192\ SPP RE Comments at 11, UI Comments at 10.
---------------------------------------------------------------------------

    154. Other commenters advocate for defining the phrase 
``reliability tasks'' either because there is no commonly understood 
meaning or to clarify that the term refers to tasks associated with 
functions listed in the NERC Functional Model.\193\ Ameren suggests 
that a definition of the term ``reliability tasks'' reference the CIP-
002-5 guidance document to provide more clarity.\194\ MISO states that 
the term ``reliability tasks'' should be defined in order to avoid 
ambiguity and to ensure consistent interpretation in enforcement 
proceedings.\195\
---------------------------------------------------------------------------

    \193\ Ameren, Idaho Power, KCP&L, and MISO.
    \194\ Ameren Comments at 18.
    \195\ MISO Comments at 8.
---------------------------------------------------------------------------

Commission Determination
    155. We are satisfied that responsible entities have a common 
understanding of ``reliability tasks'' in the NERC definitions and, 
thus, we conclude that there is no need to direct NERC to define the 
phrase. Consistent with the comments of NERC and others, we understand 
that ``reliability tasks'' refers to the tasks associated with the 
functions defined in the NERC Functional Model.
    156. While some commenters suggest that the phrase ``reliability 
tasks'' is best understood as referring to the bulk electric system 
reliability operating services listed in the Guidelines and Technical 
Basis section of CIP-002-5, we believe that the NERC Functional Model 
is the basis for the phrase ``reliability task'' while the Guidelines 
and Technical Basis section provides clarity on how the term applies to 
the CIP version 5 Standards.
5. Intermediate Devices
NERC Petition
    157. NERC proposes to define Electronic Access Control or 
Monitoring Systems (EACMS) and Interactive Remote Access as follows:

    EACMS--Cyber Assets that perform electronic access control or 
electronic access monitoring of the Electronic Security Perimeter(s) 
or BES Cyber Systems. This includes Intermediate Devices.
    Interactive Remote Access--[. . .] Remote access originates from 
a Cyber Asset that is not an Intermediate Device and not located 
within any of the Responsible Entity's Electronic Security 
Perimeter(s) or at a defined Electronic Access Point (EAP). [. . .]


[[Page 72775]]


    Both proposed definitions include the undefined term ``Intermediate 
Device.''
NOPR
    158. The Commission explained in the NOPR that the term 
``Intermediate Systems'' was originally referred to as ``Intermediate 
Device'' in previous draft versions of the CIP version 5 Standards. The 
Commission raised the concern that this inconsistency may lead to 
confusion in the application of the CIP version 5 Standards.\196\ 
Therefore, the NOPR sought comment on whether the defined term 
``Intermediate Systems'' is the appropriate reference in the 
definitions of Electronic Access Control or Monitoring Systems (EACMS) 
and Interactive Remote Access, as opposed to the undefined term 
``intermediate devices.'' \197\
---------------------------------------------------------------------------

    \196\ NOPR, 143 FERC ] 61,055 at P 85.
    \197\ Id. P 86.
---------------------------------------------------------------------------

Comments
    159. NERC clarifies that ``Intermediate Systems'' is the 
appropriate term in the definitions of EACMS and Interactive Remote 
Access and states that it will submit an errata change to correct the 
oversight.\198\
---------------------------------------------------------------------------

    \198\ NERC Comments at 35.
---------------------------------------------------------------------------

    160. In a September 30, 2013 errata filing in this proceeding 
(docket RM13-5-000), NERC proposes to replace the undefined term 
``Intermediate Device'' with the defined term ``Intermediate System'' 
in the definitions of EACMS and Interactive Remote Access.
Commission Determination
    161. The Commission approves the definitions of EACMS and 
Interactive Remote Access, with the term Intermediate System, as 
proposed in NERC's September 30, 2013 errata.

D. Implementation Plan

NERC Petition
    162. NERC proposes an implementation plan for the CIP version 5 
Standards that addresses two distinct issues. First, NERC proposes 
language that would provide a transition from CIP version 3 to CIP 
version 5, thereby bypassing implementation of CIP version 4:

    Notwithstanding any order to the contrary, CIP-002-4 through 
CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 
remain in effect and are not retired until the effective date of the 
Version 5 CIP Cyber Security Standards under this implementation 
plan.

    NERC explains that the language is intended to alleviate 
uncertainty resulting from ``industry stakeholders not knowing whether 
the Commission will act on CIP Version 5 prior to the CIP Version 4 
effective date, April 1, 2014. . . .'' \199\
---------------------------------------------------------------------------

    \199\ NERC Petition at 43.
---------------------------------------------------------------------------

    163. Second, NERC proposes a 24-month implementation period for 
``High Impact'' and ``Medium Impact'' BES Cyber Systems, and a 36-month 
implementation period for ``Low Impact'' BES Cyber Systems.
NOPR
    164. In the NOPR, the Commission proposed to approve the 
implementation plan for the CIP version 5 Standards to allow 
responsible entities to transition from compliance with the currently-
effective CIP version 3 Standards to compliance with the CIP version 5 
Standards, essentially retiring the CIP version 4 Standards prior to 
mandatory compliance.\200\ Thus, upon Commission approval in a Final 
Rule, the CIP version 5 Standards would supersede Reliability Standards 
CIP-002-4 through CIP-009-4, and CIP-002-3 through CIP-009-3 would 
remain in effect and would not be retired until the effective date of 
the CIP version 5 Standards.
---------------------------------------------------------------------------

    \200\ NOPR, 143 FERC ] 61,055 at P 89.
---------------------------------------------------------------------------

    165. With regard to the proposed implementation periods, the 
Commission sought in the NOPR comment on the activities and any other 
considerations that justify 24-month and 36-month implementation 
periods for the CIP version 5 Standards.\201\ In addition, the 
Commission sought comment on whether responsible entities can achieve 
compliance with the CIP version 5 Standards in a shorter period for 
those Cyber Assets that responsible entities have identified to comply 
with the currently-effective CIP Reliability Standards.\202\ Finally, 
the NOPR sought comment on the feasibility of a shorter implementation 
period and the reasonable time frame for a shorter implementation 
period.\203\
---------------------------------------------------------------------------

    \201\ Id. P 90.
    \202\ Id.
    \203\ Id.; see generally Version 5 Critical Infrastructure 
Protection Reliability Standards, et al., 144 FERC ] 61,123 (2013) 
(granting a six-month extension of the compliance deadline for the 
CIP version 4 Reliability Standards to facilitate the transition 
from the CIP version 3 Reliability Standards to the CIP version 5 
Reliability Standards).
---------------------------------------------------------------------------

Comments
    166. While the majority of commenters support NERC's implementation 
plan as-filed, other commenters either request additional time to 
implement CIP version 5 or request flexibility to transition to CIP 
version 5 prior to the proposed effective date.
    167. The majority of comments support approval of NERC's 
implementation plan as-filed.\204\ NERC comments that bypassing CIP 
version 4 will allow entities to devote the necessary resources and 
attention to implement the improved cyber security controls in CIP 
version 5. NERC, APPA, CenterPoint, and EEI, among others, identify 
activities that responsible entities are expected to undertake during 
the proposed 24- and 36-month implementation periods, including re-
evaluating cyber assets and systems based on the new criteria, budget 
for and acquire resources required to implement the new controls, 
implement the new requirements and then assess implementation of each 
requirement for compliance.\205\
---------------------------------------------------------------------------

    \204\ E.g., Ameren, AEP, APPA, CenterPoint, Consumers Energy, 
Dominion, EPSA, G&T Cooperatives, Holland, ITC, ISO New England, 
KCP&L, LADPW, Luminant, MidAmerican, MISO, NASUCA, National Grid, 
NERC, NAGF, Northeast Utilities, PPL Companies, SCE, SWP, Southern 
Indiana, Tampa, TVA, UI, and Xcel.
    \205\ APPA Comments at 19; CenterPoint Comments at 7; EEI 
Comments at 17-19; LADWP Comments at 15; NRECA Comments at 10; NERC 
Comments at 37-39; PHI Comments at 2-3; Tampa Comments at 11-12; UI 
Comments at 3-4.
---------------------------------------------------------------------------

    168. In response to the Commission's concerns about the 
implementation periods, APPA, Dominion and SWP assert that the 24- and 
36-month implementation periods are reasonable, and provide time for 
entities to budget and acquire the necessary resources to comply with 
CIP version 5.\206\ LADWP cautions that, because vendors of specialized 
security equipment can require significant lead times and skilled 
contractors may not be able to implement upgrades within a short period 
of time, the proposed 24- and 36-month implementation periods are 
appropriate and necessary.\207\
---------------------------------------------------------------------------

    \206\ APPA Comments at 17-19; Dominion Comments at 5-6; SWP 
Comments at 6.
    \207\ LADWP Comments at 15.
---------------------------------------------------------------------------

    169. SCE&G contends that the proposed 24-month implementation 
period for High and Medium Impact assets ``is aggressive and likely 
insufficient.'' \208\ SCE&G proposes that the Commission extend the 
implementation period for Medium and High Impact assets to 36-months. 
FirstEnergy supports the proposed implementation plan and notes that 
the implementation periods ``represent an ambitious, but reasonable, 
industry-vetted goal to achieve compliance with what is essentially a 
new cyber security framework.'' \209\ Therefore, FirstEnergy asks the 
Commission to clarify that it will accept, on a case-by-case basis,

[[Page 72776]]

requests for time extensions to comply with the CIP version 5 Standards 
when presented with extraordinary circumstances.
---------------------------------------------------------------------------

    \208\ SCE&G Comments at 6.
    \209\ FirstEnergy Comments at 4.
---------------------------------------------------------------------------

    170. NRECA and SPP Parties support the proposed 24- and 36-month 
implementation periods, but suggest that the Commission should permit 
responsible entities to shift to compliance with the CIP version 5 
Standards prior to the effective date.\210\ In addition, SPP Parties 
notes that there is little guidance for entities to transition between 
the different versions of the CIP Standards and, therefore, entities 
should not be penalized for maintaining compliance with the prior 
version of the CIP Standards as they transition to the new version of 
the standards. Finally, NERC indicates that it plans to develop 
transition guidance documents and a pilot program to assist responsible 
entities as they move from compliance with the CIP version 3 Standards 
to the CIP version 5 Standards.\211\
---------------------------------------------------------------------------

    \210\ NRECA Comments at 10-11, SPP Parties Comments at 4.
    \211\ See NERC Comments at 39-40.
---------------------------------------------------------------------------

Commission Determination
    171. The Commission adopts the NOPR proposal to approve the 
implementation plan for the CIP version 5 Standards as proposed by 
NERC. Therefore, CIP-002-4 through CIP-009-4 will not become effective, 
and CIP-002-3 through CIP-009-3 will remain in effect until the 
effective date of the CIP version 5 Standards. In addition, we are 
persuaded by the majority of commenters that the 24-month 
implementation period for High and Medium Impact BES Cyber Systems and 
the 36-month implementation period for Low Impact BES Cyber Systems are 
reasonable. Commenters cite several potentially resource-intensive 
tasks, including the hiring and training of new personnel, and 
activities specific to newly affected BES Cyber Systems, as 
justification for the 24 and 36-month implementation periods.
    172. The Commission also supports NERC's proposal to develop 
transition guidance documents and a pilot program to assist responsible 
entities as they move from compliance with the CIP version 3 Standards 
to the CIP version 5 Standards.\212\ The Commission agrees that a pilot 
program will assist responsible entities by offering best practices and 
lessons learned during this transition.
---------------------------------------------------------------------------

    \212\ See NERC Comments at 39-40.
---------------------------------------------------------------------------

    173. In response to SCE&G, we decline to extend the proposed 24-
month implementation period for Medium and High Impact assets. The 
overwhelming majority of commenters, including NERC, indicate that the 
proposed implementation periods are reasonable based on the investments 
and activities required to implement the CIP version 5 Standards. To 
the extent that extraordinary circumstances may hinder timely 
compliance, we suggest that responsible entities work with their 
relevant compliance enforcement authority and NERC to address 
implementation issues.
    174. Similarly, in response to NRECA and SPP Parties, we are not 
persuaded that there is a need to entertain requests to shift to 
compliance with the CIP version 5 Standards prior to the effective date 
of the standards. As NERC notes, the implementation periods and 
associated pilot program are required, in part, to ``allow the Regional 
Entities and NERC to make adjustments in their systems and approach to 
compliance with proposed CIP Version 5 while obtaining experience with 
entities in transition.'' \213\ Issues of early compliance can be 
addressed by NERC and Regional Entities as appropriate.
---------------------------------------------------------------------------

    \213\ NERC Comments at 40.
---------------------------------------------------------------------------

E. Violation Risk Factor/Violation Severity Level Assignments

    175. NERC requests approval of the Violation Risk Factors (VRF) and 
Violation Severity Levels (VSL) assigned to the CIP version 5 
Standards. In particular, NERC requests approval of 32 VRFs, one set 
for each requirement in the proposed CIP version 5 Standards.
    176. We approve 30 VRFs and direct NERC to modify the VRF for CIP-
006-5, Requirement R3 from Lower to Medium and CIP-004-5, Requirement 
R4 from Lower to Medium. In addition, we direct NERC to modify the VSLs 
for the CIP version 5 Standards, as discussed below.
1. Lower VRF for Maintenance and Testing of Physical Access Control 
Systems
NERC Petition
    177. NERC assigns a Lower VRF to Reliability Standard CIP-006-5, 
Requirement R3, which addresses the maintenance and testing of Physical 
Access Control Systems.
NOPR
    178. In the NOPR, the Commission stated that the NERC mapping 
document comparing the CIP version 4 and CIP version 5 Standards 
identifies Reliability Standard CIP-006-4, Requirement R8, which 
addresses the maintenance and testing of all physical security 
mechanisms, as the comparable Requirement in the CIP version 4 
Standards.\214\ Reliability Standard CIP-006-4, Requirement R8 is 
assigned a VRF of Medium. The NOPR stated that the Commission's VRF 
guidelines require, among other things, consistency within a 
Reliability Standard (guideline 2) and consistency between requirements 
that have similar reliability objectives (guideline 3).\215\ The 
Commission stated that the petition does not explain the change from a 
Medium VRF to a Lower VRF for a comparable requirement. The Commission 
proposed to direct NERC to modify the VRF assigned to CIP-006-5, 
Requirement R3 from Lower to Medium, consistent with the treatment of 
the comparable requirement in the CIP version 4 Standards, within 90 
days of the effective date of a final rule in this proceeding.
---------------------------------------------------------------------------

    \214\ Mapping Document Showing Translation of CIP-002-4 to CIP-
009-4 into CIP-002-5 to CIP-009-5, CIP-010-1, and CIP-011-1. Page 
20-21. Accessible from: http://www.nerc.com/docs/standards/sar/Mapping_Document_012913.pdf.
    \215\ See N. Amer. Elec. Reliability Corp., 119 FERC ] 61,145, 
order on reh'g and compliance filing, 120 FERC ] 61,145, at PP 8-13 
(2007) (VRF Order). The guidelines are: (1) Consistency with the 
conclusions of the Blackout Report; (2) Consistency within a 
Reliability Standard; (3) Consistency among Reliability Standards; 
(4) Consistency with NERC's Definition of the Violation Risk Factor 
Level; and (5) Treatment of Requirements that Co-mingle More Than 
One Obligation.
---------------------------------------------------------------------------

Comments
    179. NERC and MISO argue that the Lower VRF for Reliability 
Standard CIP-006-5, Requirement R3 appropriately reflects the reduced 
reliability risk in Requirement R3 as compared to CIP-006-4, 
Requirement R8.\216\ NERC states that Requirement R8 requires 
``[t]esting and maintenance period of all physical security mechanisms 
on a cycle no longer than three years.'' NERC states that CIP-006-5 now 
requires maintenance and testing ``at least once every 24 calendar 
months.'' NERC asserts that, because maintenance and testing of 
Physical Access Control Systems will occur more frequently pursuant to 
the CIP version 5 Standards, the reliability risk is reduced and a 
Lower VRF is appropriate.
---------------------------------------------------------------------------

    \216\ NERC Comments at 41-42; MISO Comments at 10.
---------------------------------------------------------------------------

    180. Most commenters do not support modifying the VRF proposed by 
NERC.\217\ Commenters state that that the VRF for Requirement R3 should 
be Lower because Requirement R3 is unlikely to pose a direct threat to 
reliability if violated. BPA supports the Lower VRF for Requirement R3 
because, although ``testing and maintenance is an

[[Page 72777]]

important task, failure to test any single component will have minimal 
impact of the overall performance of the Physical Access Control System 
and the BES.'' \218\ However, AEP states that the modification proposed 
in the NOPR ``ensure[s] consistency within a Reliability Standard and 
consistency between requirements that have similar reliability 
objectives.'' \219\
---------------------------------------------------------------------------

    \217\ BPA, Idaho Power, KCP&L, MISO, and NERC.
    \218\ BPA Comment at 9.
    \219\ AEP Comments at 8.
---------------------------------------------------------------------------

Commission Determination
    181. We adopt the NOPR proposal and direct NERC to modify the VRF 
assignment for CIP-006-5, Requirement R3 from Lower to Medium. This 
modification will ensure that the CIP version 5 Standards afford 
similar treatment to the testing and monitoring of Physical Access 
Control Systems (PACS) as the CIP version 4 Standards. We are not 
persuaded by commenters' arguments that a Lower VRF assignment is 
appropriate for CIP-006-5, Requirement R3.
    182. First, we do not agree that the shortening of the review cycle 
from three years to two years warrants changing the VRF categorization 
to Lower as suggested by NERC and MISO. A medium risk requirement is 
defined as a requirement that, if violated, could directly affect the 
electrical state or the capability of the bulk electric system, or the 
ability to effectively monitor and control the bulk electric 
system.\220\ Physical Access Control Systems are used to support the 
effective monitoring and control of the Bulk-Power System facilities 
through the use of cameras, alarms, and other control mechanisms. We 
are not convinced that shortening the required review period from three 
years to two years ameliorates the potential impact of a violation of 
this requirement to justify a Lower VRF. A failure to monitor or limit 
unauthorized access to critical plant equipment or facilities due to an 
inoperable Physical Access Control System could result in tampering, 
sabotage, or the unauthorized alteration of equipment associated with 
High or Medium Impact BES Cyber Systems.
---------------------------------------------------------------------------

    \220\ See Violation Risk Factors, accessible from: http://www.nerc.com/files/violation_risk_factors.pdf.
---------------------------------------------------------------------------

    183. In addition, we disagree with BPA's assertion that CIP-006-5, 
Requirement R3 is administrative in nature and will have a minimal 
impact on the overall performance of Physical Access Control Systems. 
As described above, the CIP-006-5, Requirement R3 control is a 
technical control that sets the minimum expectations for maintenance 
and testing of Physical Access Control Systems at bulk electric system 
facilities. Thus, we find that a Medium VRF designation is appropriate 
for CIP-006-5, Requirement R3.
    184. Consistent with our discussion above, the Commission directs 
NERC to modify the VRF assignment for CIP-006-5, Requirement R3 from 
Lower to Medium, within 90 days of the effective date of this Final 
Rule.
2. Lower VRF for Access Authorizations
NERC Petition
    185. NERC assigns a VRF Factor to proposed CIP-004-5, Requirement 
R4, which relates to access management programs addressing electronic 
access, unescorted physical access, and access to BES Cyber System 
Information. Requirement R4 obligates a responsible entity to have a 
process for authorizing access to BES Cyber System Information, 
including periodic verification that users and accounts are authorized 
and necessary.
NOPR
    186. The Commission stated in the NOPR that Recommendation 40 of 
the U.S.-Canada Power System Blackout Task Force, Final Report on the 
August 14, 2003 Blackout in the United States and Canada: Causes and 
Recommendations (Blackout Report) states that access to operationally 
sensitive computer equipment should be ``strictly limited to employees 
or contractors who utilize said equipment as part of their job 
responsibilities.'' \221\ In addition, the NOPR stated that 
Recommendation 44 of the Blackout Report states that entities should 
``develop procedures to prevent or mitigate inappropriate disclosure of 
information.'' \222\ The NOPR stated that these two Blackout Report 
recommendations relate to the protection of critical bulk electric 
system equipment and information, and we believe these recommendations 
support assigning access management programs, such as those required 
under CIP-004-5, Requirement R4, a Medium VRF. The NOPR stated that the 
Commission's VRF guidelines require, among other things, consistency 
with the conclusions of the Blackout Report (guideline 1).
---------------------------------------------------------------------------

    \221\ See U.S.-Canada Power System Blackout Task Force, Final 
Report on the August 14, 2003 Blackout in the United States and 
Canada: Causes and Recommendations (April 2004) (Blackout Report) at 
167. The Blackout Report is available at https://reports.energy.gov/BlackoutFinal-Web.pdf.
    \222\ See id. p. 169.
---------------------------------------------------------------------------

    187. The NOPR stated that NERC proposes to assign a Medium VRF to 
CIP-004-5, Requirement R5, which addresses access revocation. The NOPR 
stated that this proposed assignment results in a potential 
inconsistency between VRFs within CIP-004-5. The NOPR stated that 
Guideline 2 of the Commission's VRF guidelines requires consistency 
within a Reliability Standard. The NOPR stated that access 
authorization, addressed in CIP-004-5, Requirement R4, is the companion 
to access revocation, addressed in CIP-004-5, Requirement R5. The NOPR 
stated that this relationship is demonstrated by the history of the CIP 
Reliability Standards; in the CIP version 1 through 4 Standards, access 
authorization and access revocation are two sub-requirements of a main 
requirement addressing the maintenance of a list of persons with 
authorized cyber or authorized unescorted physical access.\223\ The 
NOPR stated that the petition does not explain the potential 
inconsistency between VRFs in CIP-004-5.
---------------------------------------------------------------------------

    \223\ E.g., Reliability Standard CIP-004-4a, Requirement R4 
states:
    R4. Access--The Responsible Entity shall maintain list(s) of 
personnel with authorized cyber or authorized unescorted physical 
access to Critical Cyber Assets, including their specific electronic 
and physical access rights to Critical Cyber Assets.
    R4.1. The Responsible Entity shall review the list(s) of its 
personnel who have such access to Critical Cyber Assets quarterly, 
and update the list(s) within seven calendar days of any change of 
personnel with such access to Critical Cyber Assets, or any change 
in the access rights of such personnel. The Responsible Entity shall 
ensure access list(s) for contractors and service vendors are 
properly maintained.
    R4.2. The Responsible Entity shall revoke such access to 
Critical Cyber Assets within 24 hours for personnel terminated for 
cause and within seven calendar days for personnel who no longer 
require such access to Critical Cyber Assets.
---------------------------------------------------------------------------

    188. The NOPR proposed to modify the VRF assigned to CIP-004-5, 
Requirement R4 from Lower to Medium, consistent with the Blackout 
Report and to ensure consistency between VRFs within CIP-004-5, within 
90 days of the effective date of a final rule in this proceeding. The 
NOPR sought comment on the proposal.
Comments
    189. NERC states that the Commission should not direct a 
modification to the VRF for CIP-004-5, Requirement R4. NERC explains 
that, in developing the VRF for Requirement R4, the drafting team 
adopted the Lower VRF used in CIP-003-4, Requirement R5, which is the 
comparable requirement from the CIP version 4 Standards, to provide for 
consistency. NERC explains further that the standard drafting team 
concluded that, because Requirement R4 is largely administrative and 
violations of the requirements do not pose a significant risk to the 
Bulk Electric System, a Lower

[[Page 72778]]

VRF was still appropriate. NERC states, by contrast, that the drafting 
team concluded that a Medium VRF was appropriate for CIP-004-5, 
Requirement R5 to reflect the greater risk to the bulk electric system 
in the event of a failure to revoke access. Finally, NERC notes that 
the standard drafting team determined that failure to revoke access 
following termination of an employee presents a greater risk to 
reliability and thus a Medium VRF was appropriate for access 
revocation.
    190. Most comments do not support modifying the VRF proposed by 
NERC.\224\ BPA supports the Lower VRF for CIP-004-5, Requirement R4, 
because Requirement R4 ``concerns only documentation of risk assessment 
programs and regular performance of background checks.'' \225\ Ameren 
concurs that CIP-004-5, Requirement R4 is ``an administrative 
documentation requirement [that] does not warrant this heightened level 
of protection.'' \226\ In addition, Ameren and BPA question the 
Commission's position that the Blackout Report supports modifying the 
VRF associated with Requirement R4.\227\ Idaho Power opines that a 
failure to maintain an administrative requirement does not necessarily 
expose the bulk electric system to a significant risk.\228\ MISO, for 
its part, states that ``it is unlikely that violations of [Requirement 
R4] would pose a direct threat to the reliability of the BES.'' \229\
---------------------------------------------------------------------------

    \224\ Ameren, BPA, Idaho Power, KCP&L, MISO, and NERC.
    \225\ BPA Comments at 9.
    \226\ Ameren Comments at 13.
    \227\ Id.
    \228\ Idaho Power Comments at 7.
    \229\ MISO Comments at 10.
---------------------------------------------------------------------------

    191. SPP RE states that it supports the NOPR's proposed 
modification because ``[a]ccess control, both physical and electronic, 
is a cornerstone to protecting Cyber Assets from unauthorized access. 
While failure to revoke access is generally considered a greater risk, 
not properly authorizing access also poses a moderate risk.'' \230\ AEP 
supports the NOPR's proposed modification to the VRF for Requirement R4 
for the same reason that it supports raising the VRF for Reliability 
Standard CIP-006-5, Requirement R3; specifically, to ``ensure 
consistency within a Reliability Standard and consistency between 
requirements that have similar reliability objectives.'' \231\
---------------------------------------------------------------------------

    \230\ SPP RE Comments at 12.
    \231\ AEP Comments at 8.
---------------------------------------------------------------------------

Commission Determination
    192. The Commission adopts the NOPR proposal and directs NERC to 
modify the VRF assignment for CIP-004-5, Requirement R4 from Lower to 
Medium. This modification is necessary to reflect that access to 
operationally sensitive computer equipment should be strictly limited 
to employees or contractors who utilize the equipment in performance of 
their job responsibilities, and to prevent or mitigate disclosure of 
sensitive information consistent with Recommendations 40 and 44 of the 
2003 Blackout Report. In addition, a Medium VRF assignment ensures 
consistency with the Commission's VRF guidelines.
    193. We disagree with NERC's contention that the risk posed by a 
violation of CIP-004-5, Requirement R5, which addresses authorization 
of physical and electronic access, is minor in comparison to a 
violation of CIP-004-5, Requirement R5, which addresses access 
revocation. NERC fails to address the concerns raised in the NOPR 
concerning the inconsistency between the proposed VRF assignments for 
CIP-004-5, Requirement R4 and Requirement R5 or explain why we should 
ignore the Commission's VRF guidelines.
    194. We do not agree with NERC, Ameren, and Idaho Power's 
contention that Requirement R4 warrants a Lower VRF categorization 
because it is administrative in nature. While CIP-004-5, Requirement R4 
mandates that entities must document access and maintain access lists, 
the underlying control itself is technical in nature because the 
documented access privileges must be implemented appropriately on the 
protected devices and in the affected facilities in order to comply 
with the standard. With respect to Ameren and BPA's comments, the 
Blackout Report recommendations were intended to address the risks 
posed by individual grants of access through the use of policies, as 
the task force specifically recommended that entities develop policies 
and procedures to control access ensuring that (1) access is strictly 
limited to employees or contractors who utilize said equipment as part 
of their job responsibilities and (2) access of other staff are 
strictly controlled via escort and monitored.\232\
---------------------------------------------------------------------------

    \232\ See U.S.--Canada Power System Blackout Task Force, Final 
Report on the August 14, 2003 Blackout in the United States and 
Canada: Causes and Recommendations (April 2004) (Blackout Report) at 
167. The Blackout Report is available at https://reports.energy.gov/BlackoutFinal-Web.pdf.
---------------------------------------------------------------------------

    195. We agree with SPP RE that the CIP-004-5, Requirement R4 access 
authorization process is intended to serve as a preventive control that 
ensures access is granted on a need to have basis with only the 
permissions required for job performance. We also agree that the 
periodic review of access authorizations is a companion detective 
control that is designed to ensure authorized access is still required, 
and there have been no errors in the granting or revocation of access. 
When considered in context with the fact that CIP-004-5, Requirement R5 
is assigned a Medium VRF, we conclude that a Medium VRF assignment is 
appropriate for CIP-004-5, Requirement R4.
    196. Consistent with the discussion above, we direct NERC to modify 
the VRF assignment for CIP-004-5, Requirement R4 from Lower to Medium, 
within 90 days of the effective date of this Final Rule.
3. Violation Severity Levels
NERC Petition
    197. NERC requests approval for 32 sets of VSLs--one set for each 
requirement in the CIP version 5 Standards.\233\
---------------------------------------------------------------------------

    \233\ NERC Petition at 2.
---------------------------------------------------------------------------

NOPR
    198. In the NOPR, the Commission proposed to direct that NERC file 
a modified version of the VSLs due to inconsistencies with previous 
Commission orders and typographical errors in the content of the VSLs. 
The Commission stated that certain VSLs for the CIP version 5 Standards 
are inconsistent with Commission guidance.\234\ The NOPR stated, for 
example, that Reliability Standard CIP-007-5, Requirement R4.4 requires 
entities to ``review a summation or sampling of logged events . . . at 
no greater than 15 days.'' The NOPR stated that the High VSL gradation 
for Requirement R4.4 provides that an entity must miss ``two or more 
intervals'' for the violation to reach High severity over the specified 
time period. In addition, the NOPR stated that CIP-003-5, Requirement 
R4 provides the framework for a CIP Senior Manager to delegate 
authorities and that the proposed VSL is based upon the number of 
incorrect delegations. The NOPR stated that the Commission has 
previously indicated that VSL assignments are to be based on ``a single 
violation of a Reliability Standard, and not based on a cumulative 
number of occasions of the same requirements over a period of time.'' 
\235\ The NOPR stated that these are two examples of proposed VSL 
assignments that are inconsistent

[[Page 72779]]

with the Commission's VSL guidelines.\236\
---------------------------------------------------------------------------

    \234\ N. Amer. Elec. Reliability Corp., 123 FERC ] 61,284 
(Violation Severity Level Order), order on reh'g, 125 FERC ] 61,212 
(2008).
    \235\ Violation Severity Level Order, 123 FERC ] 61,284 at PP 
35-36.
    \236\ The NOPR cited other examples, including the Violation 
Severity Level assignments for CIP-003-5, Requirement R3, CIP-004-5, 
Requirement R1, CIP-007-5, Requirement R4, CIP-009-5, Requirement 
R3.
---------------------------------------------------------------------------

    199. The NOPR stated that certain VSLs are unclear or contain 
typographical errors. The NOPR stated, as an example, that in the 
proposed VSL for CIP-004-5, Requirement R4.2, the Moderate and High 
gradations are identical.\237\ The NOPR stated that the typographical 
errors could create confusion and potentially hinder both compliance 
with and enforcement of the CIP Reliability Standards.\238\
---------------------------------------------------------------------------

    \237\ See NERC Petition, Exh. E (Table of VRFs and VSLs Proposed 
for Approval and Analysis of how VRFs and VSLs Were Determined Using 
Commission Guidelines), at 21.
    \238\ The NOPR cited the following Requirements: CIP-003-5, 
Requirements R1, R2, R3; CIP-007-5, Requirement R5; CIP-008-5, 
Requirements R2, R3; CIP-009-5, Requirements R2, R3.
---------------------------------------------------------------------------

    200. The NOPR stated that NERC also proposes VSLs that include the 
terms ``identify,'' ``assess,'' ``correct,'' and ``deficiencies'' for 
the 16 CIP version 5 ``identify, assess, and correct'' 
requirements.\239\ The NOPR stated that the Commission may direct 
modifications to the ``identify, assess, and correct'' language based 
on the comments received. The NOPR stated that if the Commission 
directs NERC to remove or modify the ``identify, assess, and correct'' 
language in the requirements, the VSLs may no longer be consistent with 
VSL Guideline 3, that VSLs use the same terminology as the associated 
requirement.\240\
---------------------------------------------------------------------------

    \239\ The NOPR stated that although NERC proposed 17 
Requirements with the ``identify, assess, and correct'' language, 
the Violation Severity Level assignment for CIP-003-5, Requirement 
R4 does not refer to the ``identify, assess, and correct'' language.
    \240\ See Automatic Underfrequency Load Shedding and Load 
Shedding Plans Reliability Standards, Order No. 763, 139 FERC ] 
61,098, at PP 91, 95 (2012) (citing VSL Guideline 3, the Commission 
directed NERC to change a Violation Severity Level for Reliability 
Standard PRC-006-1, Requirement R8 to remove the phrase ``more than 
5 calendar days, but'' because the Requirement did not contain a 
five-day grace period for providing data to planning coordinators 
that was included in the Violation Severity Level).
---------------------------------------------------------------------------

    201. The NOPR sought comment on the proposal to direct NERC to file 
a modified version of the VSLs within 90 days of the effective date of 
a final rule in this proceeding.
Comments
    202. NERC states that the proposed VSLs are based on a single 
violation and that ``the standard drafting team based its VSL 
assignment on how much time had passed before the responsible entity 
complied with the requirement, if ever, not the number of violations.'' 
\241\ NERC states that it will submit an errata for the VSLs that were 
unclear or contained typographical errors.\242\
---------------------------------------------------------------------------

    \241\ NERC Comments at 44.
    \242\ On September 30, 2013, NERC filed an errata with, inter 
alia, corrections to the VSLs for the CIP version 5 Standards. On 
October 1, 2013, NERC filed a supplemental errata to correct a 
formatting error in the September 30 errata.
---------------------------------------------------------------------------

    203. BPA supports the VSLs proposed by NERC, stating that ``basing 
the VSL on the number of deficiencies is consistent with the concept of 
the `identify, assess, and correct' requirement.'' \243\ Encari 
supports removing the ``identify, assess, and correct'' language from 
the VSLs.
---------------------------------------------------------------------------

    \243\ BPA Comments at 10; KCP&L Comments at 6.
---------------------------------------------------------------------------

    204. Southern Indiana states that it takes no position on the 
NOPR's proposed modifications to the VSLs. Southern Indiana states that 
VRFs and VSLs are not dispositive of the level of penalties associated 
with CIP violations (i.e., there are numerous adjustment factors) and 
that the Commission should make clear that any penalties for CIP 
violations should be tailored to each responsible entity's effect on 
the bulk electric system.
Commission Determination
    205. Consistent with the NOPR proposal, we direct NERC to develop 
modifications to the VSLs for certain CIP version 5 Standard 
requirements to: (1) remove the ``identify, assess, and correct'' 
language from the text of the VSLs for the affected requirements; (2) 
address typographical errors; and (3) clarify certain unexplained 
elements. For the VSLs that include ``identify, assess, and correct'' 
language, we direct NERC to ensure that these VSLs are modified to 
reflect any revisions to the requirement language in response to our 
directives. We grant NERC the discretion to decide how best to address 
these modifications be it through an errata filing to this proceeding 
or separate filing.
    206. With respect to the VSL language for CIP-003-5, Requirements 
R1 and R2, the Commission notes that the language ``as required by R[1 
or 2]'' and ``according to Requirement R[1 or 2]'' is redundant and 
potentially confusing and hereby directs NERC to provide clarification 
to this language.
    207. With respect to the VSL language for CIP-003-5, Requirement 
R4, the Commission agrees with NERC that basing the VSL language on a 
timeline is appropriate, but notes that the VSL language does not match 
the table and analysis documents within Appendix E of the CIP version 5 
Petition. After considering NERC's comments, the Commission understands 
that the correct VSL for this requirement includes timeline gradations. 
We therefore direct NERC to clarify the VSL language for this 
requirement to reflect this understanding.
    208. We direct NERC to change the VSL gradation for CIP-004-5, 
Requirement R4 to be percentage based, instead of using the number of 
BES Cyber Systems or sites for storing BES Cyber System information. 
This change will allow for fair treatment for entities that may only 
have a single BES Cyber system or storage location.\244\
---------------------------------------------------------------------------

    \244\ In the September 30 errata, NERC addressed our concern 
regarding the VSL assignment for CIP-004-5, Requirement R4.
---------------------------------------------------------------------------

    209. With respect to the VSL language for CIP-008-5, Requirement 
R2, the Commission believes that NERC inserted a typographical error 
into the petition, creating a gap between 18 months and 19 months in 
the VSLs. We therefore direct NERC to clarify this language in a 
further filing.
    210. With respect to the VSL language in CIP-009-5 Part 3.1, we 
believe that the number of days listed in the VSLs is inconsistent. For 
example, the moderate VSL for Part 3.1.2 has a timeframe of 90--210 
calendar days, while the High VSL has a timeframe of greater than 120 
calendar days. The Commission believes that the 120 day metric is 
appropriate for these time-based VSL gradations and directs NERC to 
change the ``210 calendar days'' language to ``120 calendar days'' 
where appropriate. In short, notwithstanding any changes the Commission 
requires for VRFs and VSLs, the Commission clarifies that any penalties 
for violations of the CIP Standards must be tailored to each 
responsible entity's effect on the BES, with particular consideration 
given to small utilities that individually pose less of a reliability 
and security risk.

F. Other Technical Issues

    211. In the NOPR, the Commission stated that, ``while we propose to 
approve the CIP version 5 Standards based upon the improvements to the 
currently-approved CIP Reliability Standards, we believe that the cyber 
security protections proposed in the CIP version 5 Standards could be 
enhanced in certain areas.'' \245\ The NOPR sought comment on the 
issues of communications security, remote access, and differences 
between the CIP version 5 Standards and NIST. The Commission further 
stated in the NOPR that, ``depending on the adequacy of the 
explanations provided in response'' to the NOPR questions, the 
Commission

[[Page 72780]]

may direct NERC to develop modifications to certain aspects of the CIP 
Reliability Standards or, alternatively, conclude that while no changes 
are necessary at this time, NERC must consider these issues in 
preparing the next version of CIP Standards.\246\
---------------------------------------------------------------------------

    \245\ NOPR, 143 FERC ] 61,055 at P 105.
    \246\ Id.
---------------------------------------------------------------------------

1. Communications Security
NOPR
    212. In the NOPR, the Commission stated that communications 
security, which is a basic layer to any defense-in-depth security 
strategy for typical industrial control systems, involves securing the 
data being transmitted across a network. The Commission explained that 
a variety of cryptographic tools, such as encryption, integrity checks, 
and multi-factor authentication, can enhance a responsible entity's 
defense-in-depth security strategies.\247\ In addition, the NOPR 
outlined the Commission's concerns regarding the exemption of 
communication networks from protection based solely on specific types 
of technology, such as non-routable communication systems. The 
Commission sought comment on (1) whether the adoption of communications 
security protections, such as cryptography and protections for non-
routable protocol, would improve the CIP Standards and (1) whether the 
CIP standards adequately protect non-routable communication systems.
---------------------------------------------------------------------------

    \247\ Id. P 107.
---------------------------------------------------------------------------

Comments
    213. EEI, MISO, NAGF and other commenters support the concept of 
communications security through the use of various forms of 
cryptography as part of a defense-in-depth cyber security posture, 
although not necessarily as part of the CIP Reliability Standards.\248\ 
NERC, KCP&L, Tacoma and others express concerns regarding potential 
adverse effects that mandating cryptography for all BES Cyber Systems 
might have on Bulk-Power System reliability.\249\ NERC, EEI, LAWDP and 
others comment that the deployment of cryptographic protocols may: (1) 
Prohibitively increase latency in communications; (2) obfuscate data 
needed for testing and problem diagnosis; and (3) introduce 
communication errors from complex key management across organizations. 
With regard to the exemption of communication networks, most 
commenters, including NERC, contend that non-routable protocols and 
devices will be adequately protected under the CIP version 5 
Standards.\250\
---------------------------------------------------------------------------

    \248\ See also Idaho Power; Mid-American; SPP RE; Tampa; Venafi 
and Waterfall.
    \249\ E.g., AEP; Idaho Power; PPL and TVA.
    \250\ E.g., Dominion; Gist; LADWP; NAGF and Tampa.
---------------------------------------------------------------------------

    214. SPP RE, Waterfall, and Venafi comment that protecting 
communication systems is a critical concept in cyber security and that 
the use of cryptography under certain circumstances will improve the 
confidentiality, availability, and integrity of essential data. Thus, 
they recommend that the Commission require encryption of inter-site 
communications for communication networks where such protections are 
readily available and practical.
    215. EEI, Dominion, Tacoma Power, TVA, and other commenters 
indicate that the Commission should refrain from mandating specific 
technology solutions through mandatory standards, and suggest that 
cryptography and other emerging technologies should be thoroughly 
discussed throughout the electric industry. NERC, NAGF, and MISO 
suggest addressing the NOPR questions on cryptography through a 
technical conference or other guidance. NERC indicates that a technical 
conference would provide the appropriate forum to begin discussing the 
issues associated with communications security and cryptography.
    216. With regard to the NOPR concerns regarding the exemption of 
communication networks from the CIP standards, NERC and other 
commenters generally agree that additional protections for non-routable 
protocols and the systems that use them are not needed at this 
time.\251\ NERC explains that the external routable connectivity 
limitation generally applies to requirements that either require or can 
take advantage of the high speed connections that are typically 
associated with routable connectivity. Idaho Power states that non-
routable protocols are inherently more secure than routable protocols 
and states that the CIP Standards provide adequate protection for 
devices that use non-routable protocols.
---------------------------------------------------------------------------

    \251\ See, e.g., Ameren; Dominion; Idaho Power; LADWP; NAGF and 
TVA.
---------------------------------------------------------------------------

2. Remote Access
NOPR
    217. ``Remote access'' refers to the ability to access a non-public 
computer network from external locations. The Commission explained in 
the NOPR that, while remote access provides greater flexibility in 
accessing remote computer networks, this flexibility creates new 
security risks by allowing a potentially unsecured device access into 
an entity's network. The Commission discussed the complexities and 
potential vulnerabilities associated with remote access, including the 
need for an entity to verify that an employee, vendor automated system 
initiating remote access to the entity's internal networks has the 
appropriate access permissions.\252\ The Commission requested comment 
on whether the adoption of more stringent controls for remote access 
would improve the CIP Reliability Standards.
---------------------------------------------------------------------------

    \252\ NOPR, 143 FERC ] 61,055 at PP 110-111.
---------------------------------------------------------------------------

Comments
    218. Most commenters assert that the CIP version 5 Standards 
sufficiently address protections for interactive remote access in CIP-
004-5, Requirement R4 and CIP-005-5, Requirement R2.\253\ MISO 
recommends that additional remote access protections beyond those in 
CIP-005-5, Requirement R2 should be voluntary, due to the differences 
in entity size and capabilities. EEI and KCP&L assert that remote 
access issues deserve a thorough discussion and recommendations, not a 
piecemeal approach.
---------------------------------------------------------------------------

    \253\ See, e.g., Ameren; Dominion; KCP&L Portland; SPP RE; 
Tacoma and UI.
---------------------------------------------------------------------------

    219. Waterfall comments that remote access mechanisms are among the 
most serious strategic threats to reliability. Waterfall suggests that, 
when remote access is needed, unidirectional gateways provide greater 
security than firewalls and should be mandated by future standards.
3. Differences Between the CIP Version 5 Standards and NIST
NOPR
    220. In the NOPR, the Commission expressed concern that the CIP 
version 5 Standards do not address certain aspects of cyber security in 
as comprehensive a manner as the NIST Risk Management Framework 
addresses the same topics. The NOPR provided examples of differences 
between the CIP version 5 Standards and the NIST Risk Management 
Framework. Such differences include (1) the absence of certain security 
controls contained in NIST Special Publication 800-53's Security 
Control Catalog and associated guidance documents from the CIP version 
5 Standards, (2) the failure to address the monitoring of information 
systems for new threats and vulnerabilities, and (3) comprehensive 
asset categorization. The Commission sought comment on ``whether, and 
in

[[Page 72781]]

what way, adoption of certain aspects of the NIST Risk Management 
Framework could improve the security controls proposed in the CIP 
version 5 Standards.'' \254\
---------------------------------------------------------------------------

    \254\ Id. P 117.
---------------------------------------------------------------------------

Comments
    221. NERC states that the proposed CIP version 5 Standards 
generally cover the same subject areas as the NIST Risk Management 
Framework.\255\ NERC adds that the question of whether or how to 
incorporate additional elements of the NIST Risk Management Framework 
in the CIP Reliability Standards is a discussion for a technical forum 
inclusive of industry, NERC, and Commission staff.
---------------------------------------------------------------------------

    \255\ NERC Comments at 55. See also Idaho Power at 9; NAGF at 9-
10.
---------------------------------------------------------------------------

    222. Several commenters discuss the distinctions between the 
underlying missions of the CIP Reliability Standards and the NIST Risk 
Management Framework. For example, Waterfall states that the NIST Risk 
Management Framework, by and large, focuses on securing the 
confidentiality of data and protecting information systems, not the 
industrial control systems underlying the reliability of the bulk 
electric system. Arkansas comments that the CIP Standards have an 
advantage over the NIST Risk Management Framework in that they focus on 
a relatively small number of reliability services that need to be 
protected as opposed to the NIST mission of establishing general 
standards for many organizations (all U.S. Federal Agencies) with 
vastly different missions.
    223. Commenters also address differences in the enforcement of the 
CIP Reliability Standards versus the NIST Risk Management Framework. 
EEI, ISO-NE., MidAmerican, and Gist state that the NIST Risk Management 
Framework is a voluntary guidance document that includes control 
selection, tailoring and scoping of controls to the individual 
situation, as well as the acceptance of residual risk that FERC has 
ruled cannot be a part of a mandatory and enforceable Standard. 
MidAmerican notes further that the CIP version 5 Standards do not allow 
responsible entities to exercise broad discretion in tailoring their 
compliance programs and additionally argues that they are generally 
very prescriptive.
Commission Determination
    224. Based on the comments received in response to the NOPR 
questions, we recognize the broad scope of opinions on the issues of 
communications security, remote access, and differences between the CIP 
version 5 Standards and the NIST Risk Management Framework. The NOPR 
comments indicate a range of views on whether the CIP version 5 
Standards adequately address the technical issues discussed in the 
NOPR, as well as whether and how to address such matters in a future 
version of the CIP Reliability Standards. Further, we agree with EEI 
regarding the need to address matters such as remote access, 
communications security and requiring additional controls in a 
comprehensive, as opposed to piecemeal, fashion.
    225. Accordingly, we decline to direct any modifications to the CIP 
Reliability Standards at this time to address the NOPR concerns 
regarding communications security, remote access, and the NIST Risk 
Management Framework. Rather, we agree with NERC and a number of 
commenters that suggest a technical conference discussing these issues 
as an appropriate next step. Accordingly, the Commission directs its 
staff to convene a staff-led technical conference, within 180 days from 
the date of this Final Rule, to examine the technical issues identified 
in the NOPR concerning communications security, remote access, and the 
NIST Risk Management Framework. While staff should develop a detailed 
agenda, the conference should address such matters as the adequacy of 
current coverage in the CIP Standards with regard to the technical 
issues identified, risks, feasibility, alternative approaches, and a 
comprehensive approach to addressing defense-in-depth and grid 
vulnerabilities.

III. Information Collection Statement

    226. The FERC-725B information collection requirements contained in 
this Final Rule are subject to review by the Office of Management and 
Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 
1995.\256\ OMB regulations require approval of certain information 
collection requirements imposed by agency rules.\257\ Upon approval of 
a collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirement of this 
rule will not be penalized for failing to respond to these collections 
of information unless the collections of information display a valid 
OMB control number.
---------------------------------------------------------------------------

    \256\ 44 U.S.C. 3507(d) (2012).
    \257\ 5 CFR 1320.11 (2012).
---------------------------------------------------------------------------

NOPR

    227. In the NOPR, the Commission estimated a total average annual 
paperwork cost burden for the change in requirements contained in the 
CIP version 5 Standards of approximately $56 million. The Commission 
based its paperwork burden estimate on the difference between the 
latest Commission-approved version of the CIP Reliability Standards, 
CIP version 4, and the estimated paperwork burden resulting from CIP 
version 5 because ``the Commission has already imposed the burden of 
implementing the CIP version 4 Standards'' and addressed the 
incremental burden costs from CIP version 3 to CIP version 4 in the 
analysis outlined in Order No. 761.\258\
---------------------------------------------------------------------------

    \258\ NOPR, 143 FERC ] 61,055 at P 119.
---------------------------------------------------------------------------

    228. In the NOPR, the Commission observed that the change in 
compliance tasks and paperwork burden between the CIP version 4 
Standards and the CIP version 5 Standards varies among entities, 
depending upon the extent to which an entity was subject to compliance 
with CIP version 4. Therefore, the Commission delineated three 
groupings of registered entities for purposes of discussing and 
refining the burden estimate, and provided separate analysis for each 
group. To estimate the change in paperwork burden between the CIP 
version 4 Standards and the CIP version 5 Standards, the Commission 
identified paperwork-related tasks that all responsible entities will 
undertake, at least to some extent.\259\
---------------------------------------------------------------------------

    \259\ Specifically, the Commission determined that responsible 
entities would be required to, at a minimum: (1) Create or modify 
documentation of processes used to identify and classify the cyber 
assets to be protected under the CIP Reliability Standards; (2) 
create or modify policy, process and compliance documentation; and 
(3) continue documentation of compliance data collection.
---------------------------------------------------------------------------

    229. In addition, the Commission provided an average annual cost 
burden for each of the three groups of entities. Referencing Bureau of 
Labor statistics for the estimated hourly rates and average benefits 
data, the Commission estimated a total average annual paperwork burden 
for the change in requirements of $56,112,000.

Comments

    230. A number of commenters take issue with the Commission's choice 
to evaluate the paperwork burden imposed in this Final Rule on an 
incremental basis from the CIP version 4 Standards to the CIP version 5 
Standards, rather than estimate the paperwork burden based on a 
transition from the CIP version 3 Standards. In addition, various 
commenters assert that the Commission underestimates the

[[Page 72782]]

paperwork and cost burdens imposed by the CIP Version 5 Standards.
    231. EEI argues that comparing CIP version 5 to CIP version 4 
``vastly understates the burden and biases any realistic evaluation,'' 
and ``strongly disagrees'' with this basic assumption of the estimated 
paperwork burden. EEI contends that a more realistic and practical 
analysis would compare CIP version 3 and CIP version 5, but admits that 
such a comparison would be problematic because the design of the two 
versions are so different. Therefore, EEI urges the Commission to 
evaluate the CIP version 5 Standards on their own merits.\260\ 
According to MidAmerican, the Commission's comparison of the two 
versions, and identification of the burden on responsible entities 
based on the classes of facilities each group of entities owns, 
``misses the mark'' and, therefore, the Commission grossly 
underestimated the burden to successfully implement the CIP version 5 
Standards.\261\ Similarly, NRECA is unclear why the Commission chose to 
assess the paperwork burden by comparing CIP version 4 and CIP version 
5, noting the differences between the two versions and the fact that 
CIP version 4 will not be implemented. NRECA submits that an 
appropriate analysis of burden should be based on the full cost of 
implementing CIP version 5.\262\
---------------------------------------------------------------------------

    \260\ EEI Comments at 24.
    \261\ MidAmerican Comments at 24-25.
    \262\ NRECA Comments at 11-12.
---------------------------------------------------------------------------

    232. Tampa states that the level of effort under the CIP version 5 
Standards is considerably higher than described in the NOPR due to the 
volume of new entities and new facilities coming into scope. Tampa 
points out that entities newly subject to the CIP Reliability Standards 
``will have a steep learning curve and will need to purchase and 
install automated workflow and document management systems, which will 
require time and funding.'' \263\
---------------------------------------------------------------------------

    \263\ Tampa Comments at 14-15.
---------------------------------------------------------------------------

    233. LADWP states that it expects the impacts of implementing and 
complying with the CIP version 5 Standards will be substantial, largely 
resulting from two changes: (1) The elimination of the current blanket 
exemption for non-routable protocols, and (2) the new requirements in 
CIP-005-5 that require the expanded use of electronic security 
perimeters.\264\ LADWP estimates that it will make an initial 
investment of almost $33 million for equipment, materials, and labor. 
LADWP also estimates that it will spend $3 million annually for 
software licenses and staff to monitor and implement the CIP version 5 
Standards.
---------------------------------------------------------------------------

    \264\ LADWP at 18.
---------------------------------------------------------------------------

Commission Determination

    234. For the reasons discussed below, the Commission adopts the 
Information Collection Statement outlined in the Docket No. RM13-5-000 
NOPR.
    235. The Paperwork Reduction Act only applies to the paperwork 
burden imposed by a rule, it does not apply to the substantive 
requirements imposed by that rule.\265\ Commenters generally argue that 
the Commission underestimates the economic burden of the CIP version 5. 
However, no commenter provides an analysis regarding the paperwork 
burden resulting from the approval of the CIP version 5 Standards, as 
opposed to the anticipated costs of full implementation. For example, 
NRECA states that its data suggests that the costs associated with the 
CIP version 5 Standards are an order of magnitude greater than the NOPR 
estimates. Likewise, LADWP provides a cost estimate for full 
implantation including equipment, materials and labor, but does not 
segregate out the paperwork burden relevant to the immediate analysis. 
Because the Paperwork Reduction Act requires that the Commission 
estimate the total average annual paperwork cost burden, not the total 
estimated cost burden of the rule, arguing that the cost of full 
compliance with CIP version higher than the estimated paperwork burden 
does not negate the Commission's Paperwork Reduction Act estimate.
---------------------------------------------------------------------------

    \265\ See 44 U.S.C. 3506(c)(1) (2012) (outlining the process for 
the evaluation of a collection of information under a proposed 
agency rule).
---------------------------------------------------------------------------

    236. With regard to MidAmerican's and Tampa's comments regarding 
the costs associated with the expanded scope of the CIP version 5 
Standards, we recognize that the CIP version 5 Standards offer a more 
comprehensive protection of the bulk electric system, particularly due 
to the coverage of Low Impact assets. Statements regarding the expanded 
scope of the CIP Reliability Standards alone, without additional data, 
do not undermine the Commission's approach to estimating the paperwork 
burden associated with the CIP version 5 Standards or the resulting 
paperwork burden estimate. The Commission included the cost of 
developing and modifying the documentation for the required policies, 
plans, programs and procedures in the paperwork burden estimate, but 
did not include the cost of substantive compliance with the CIP 
Reliability Standards. Absent specific comments on the paperwork burden 
associated with the CIP version 5 Standards, the Commission has no 
basis to amend the NOPR estimate.
    237. In addition, multiple commenters argue that the Commission 
erred by relying on a burden estimate based on a comparison of the CIP 
version 5 Standards to the CIP version 4 Standards since the CIP 
version 4 Standards will not take effect. We reiterate that, in 
considering and approving the CIP version 4 Standards, the Commission 
already compared and accounted for the incremental cost burden 
resulting from the change from the CIP version 3 Standards to the CIP 
version 4 Standards. Therefore, any incremental change in paperwork 
burden associated with the approval of the CIP version 5 Standards will 
be relative to the burden imposed by the approval of the CIP version 4 
Standards, whether that change be positive or negative.\266\
---------------------------------------------------------------------------

    \266\ As discussed in the NOPR, we accounted for the provision 
that CIP version 4 would not go into effect by adjusting the 
paperwork burden estimate for blackstart facilities--the only 
facilities captured by the CIP-002-4 bright line criteria for full 
protection, but no longer subject to such protections under the CIP 
version 5 Standards. See NOPR, 143 FERC ] 61,055 at PP 123-124.
---------------------------------------------------------------------------

    238. In reply to concerns regarding potential cost increases 
associated with changes we direct in this Final Rule, we clarify that 
any differences in cost will be evaluated at such time as NERC files 
the directed changes with the Commission.\267\
---------------------------------------------------------------------------

    \267\ See Order No. 706, 122 FERC ] 61,040 at P 800.
---------------------------------------------------------------------------

    239. After consideration of comments, the Commission adopts the 
NOPR proposal for the information collection burden and cost, 
summarized as follows:

----------------------------------------------------------------------------------------------------------------
                                   Classes of
                                    entity's
                                   facilities        Number of    Total hours in  Total hours in  Total hours in
 Groups of registered entities    requiring CIP      entities         year 1          year 2          year 3
                                    Version 5                         (hours)         (hours)         (hours)
                                   protections
----------------------------------------------------------------------------------------------------------------
Group A.......................  Low.............              61               0           3,804           3,804
Group B.......................  Low.............           1,089               0         570,636         570,636

[[Page 72783]]

 
Group B.......................  Medium..........             260         128,960         128,960          64,896
Group C.......................  Low.............             325               0         170,300         170,300
Group C.......................  Medium (New)....              78           1,248           1,248          19,136
Group C.......................  Low (Blackstart)             283          22,640          22,640        -206,024
Group C.......................  Medium or High..             325         265,200         265,200         135,200
                                                 ---------------------------------------------------------------
    Totals....................  ................  ..............         418,048       1,162,788         757,948
----------------------------------------------------------------------------------------------------------------

    240. The following shows the average annual cost burden for each 
group, based on the burden hours in the table above:
     Group A: 61 unique entities * 41.5 hrs/entity * $72/hour = 
$182,000
     Group B: 1,089 unique entities * 448 hrs/entity * $72/hour 
= $35,127,000
     Group C: 325 unique entities * 889 hrs/entity * $72/hour = 
$20,803,000
    241. Total average annual paperwork cost for the change in 
requirements contained in the final rule in RM13-5 = $56,112,000. 
(i.e., $182,000 + $35,127,000 + $20,803,000).
    242. The estimated hourly rate of $72 is the average loaded cost 
(wage plus benefits) of legal services ($128.00 per hour), technical 
employees ($58.86 per hour) and administrative support ($30.18 per 
hour), based on hourly rates and average benefits data from the Bureau 
of Labor Statistics.\268\
---------------------------------------------------------------------------

    \268\ See http://bls.gov/oes/current/naics2_22.htm and http://www.bls.gov/news.release/ecec.nr0.htm.
---------------------------------------------------------------------------

    Title: Mandatory Reliability Standards, Critical Infrastructure 
Protection.
    Action: Proposed Collection FERC-725B.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This final rule approves the 
requested modifications to Reliability Standards pertaining to critical 
infrastructure protection. The approved Reliability Standards help 
ensure the reliable operation of the Bulk-Power System by providing a 
cyber security framework for the identification and protection of 
Critical Assets and associated Critical Cyber Assets. As discussed 
above, the Commission approves NERC's proposed Version 5 CIP Standards 
pursuant to section 215(d)(2) of the FPA because they represent an 
improvement to the currently-approved CIP Reliability Standards.
    Internal Review: The Commission has reviewed the proposed 
Reliability Standards and made a determination that its action is 
necessary to implement section 215 of the FPA.
    243. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE., Washington, DC 20426 [Attention: 
Ellen Brown, Office of the Executive Director, email: 
DataClearance@ferc.gov, phone: (202) 502-8663, fax: (202) 273-0873].
    244. Comments on the requirements of this rule may be sent to the 
Office of Management and Budget, Office of Information and Regulatory 
Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal 
Energy Regulatory Commission, phone: (202) 395-4638, fax: (202) 395-
7285]. For security reasons, comments to OMB should be submitted by 
email to: oira_submission@omb.eop.gov. Comments submitted to OMB 
should include Docket Number RM13-5-000 and OMB Control Number 1902-
0248.

IV. Regulatory Flexibility Act Certification

    245. The Regulatory Flexibility Act of 1980 (RFA) \269\ generally 
requires a description and analysis of final rules that will have 
significant economic impact on a substantial number of small entities. 
The RFA mandates consideration of regulatory alternatives that 
accomplish the stated objectives of a proposed rule and that minimize 
any significant economic impact on a substantial number of small 
entities. The Small Business Administration's (SBA) Office of Size 
Standards develops the numerical definition of a small business.\270\ 
The SBA has established a size standard for electric utilities, stating 
that a firm is small if, including its affiliates, it is primarily 
engaged in the transmission, generation and/or distribution of electric 
energy for sale and its total electric output for the preceding twelve 
months did not exceed four million megawatt hours.\271\
---------------------------------------------------------------------------

    \269\ 5 U.S.C. 601-612.
    \270\ 13 CFR 121.101 (2012).
    \271\ 13 CFR 121.201, Sector 22, Utilities & n.1.
---------------------------------------------------------------------------

NOPR

    246. In the NOPR, the Commission sought comment on the estimated 
economic impact of implementing and complying with the CIP version 5 
Standards. The Commission specifically requested detailed and supported 
information to better estimate the potential cost burden that small 
businesses could face under the CIP version 5 Standards.
    247. In the NOPR, the Commission estimated that the proposed CIP 
version 5 Standards, as filed, will impact 536 small entities.\272\ The 
Commission based its estimate of the potential economic impact to small 
entities according to functional registration and the CIP-002-5 impact 
rating of assets an entity likely owns by function. Of the 536 total, 
the Commission estimated that only 14 small entities may, on average, 
experience a significant economic impact of $116,000 per entity in the 
first year, $145,000 in the second year, and $88,000 in the third year, 
for a total of $349,000 per entity over the first three years.\273\ The 
Commission explained that the significant costs in early years are 
primarily due to initial implementation and, thereafter, the Commission 
expected the average annual cost per each of the 14 entities to be less 
than $64,000. The Commission determined that, as 2.6 percent of the 
affected small entities, these 14 entities do not represent a 
``substantial number'' in terms of the total number of regulated small 
entities subject to the Final Rule.
---------------------------------------------------------------------------

    \272\ See NOPR at P 132 & n.132.
    \273\ See NOPR, 143 FERC ] 61,055 at P 132 (explaining the 
calculation as based on an estimated 4,600 hours of total work per 
entity over three years at $59/hour and $15,000 of non-labor costs. 
(Math correction: $72/hour and $18,000)).
---------------------------------------------------------------------------

    248. In addition, the Commission estimated that 222 out of the 536 
small entities \274\ will each experience an average economic impact of 
$29,000 per

[[Page 72784]]

year during years two and three.\275\ Finally, the Commission estimated 
that the remaining 300 out of the 536 small entities will only 
experience a minimal economic impact.\276\ Therefore, the Commission 
proposed to certify that the proposed Reliability Standards will not 
have a significant economic impact on a substantial number of small 
entities, and, accordingly, stated that no initial RFA analysis is 
required.
---------------------------------------------------------------------------

    \274\ Id. P 133. The NOPR explained this figure as the number of 
small entities that own assets covered by CIP version 5, and not 
including the 14 significantly impacted entities.
    \275\ The NOPR explained this cost figure as based on an 
estimated 268 hours of total work per entity for each of years two 
and three combined at $72/hour, and $7,500 of non-labor costs for 
each of years two and three.
    \276\ The NOPR explained this number of small Distribution 
Providers as those assumed to not own assets covered by CIP version 
5.
---------------------------------------------------------------------------

Comments

    249. Several commenters raise concerns with the Commission's RFA 
analysis and proposed certification. APPA states that a Final Rule 
adopting NERC's proposed CIP version 5 Standards as filed will have a 
``significant economic impact'' on all small entities that are 
registered as transmission owners and transmission operators that own 
or operate transmission control centers.\277\ APPA cautions that it 
will not condone any Commission RFA certification that denies a 
``significant impact on a substantial number of small entities.'' \278\ 
Further, APPA asserts that if the Commission disregards APPA's analysis 
and adopts the changes proposed in the NOPR, it must conduct a full RFA 
analysis.\279\
---------------------------------------------------------------------------

    \277\ APPA Comments at 23.
    \278\ Id. at 23.
    \279\ Id. at 30-31.
---------------------------------------------------------------------------

    250. APPA contests a number of estimates in the NOPR. APPA states 
that 327 out of 2,000 not-for-profit publicly owned electric utilities 
in the United States are on the NERC compliance registry, and 
approximately 266 of these entities are designated as small entities 
under the relevant SBA definition.\280\ In addition to the 14 small 
entity transmission owners estimated in the NOPR, APPA identifies 31 
small public power transmission operators that it believes are likely 
to incur significant costs. APPA believes these entities should be 
added to the 14 identified by the Commission for a total of 45 entities 
facing a potential significant economic impact.\281\ APPA states that 
the compliance cost burden for High and Medium Impact Control Centers 
will pose particular challenges to small public power entities in 
economically distressed areas of the United States. On the basis that 
one of its surveyed members ``budgeted $500,000 for developing its CIP 
compliance program,'' APPA advocates revising the NOPR estimate upward 
from $334,000 to $500,000 across the first three years for all 45 
entities it believes should be designated as having significant 
costs.\282\
---------------------------------------------------------------------------

    \280\ Id. at 24.
    \281\ Id.
    \282\ Id. at 28.
---------------------------------------------------------------------------

    251. APPA also argues that the NOPR's estimated ongoing economic 
burden of $64,000 per year is not credible because it is ``clearly 
insufficient to operate and maintain cyber security controls for a bulk 
electric system-quality control center . . . and develop and implement 
an enterprise-wide cyber security program'' for Low Impact assets.\283\ 
Based on a range of estimates derived from its survey, APPA arrived at 
a median annual ongoing cost of $200,000 to maintain security and an 
additional $50,000 per entity to maintain and carry out the 
programmatic controls for Low Impact facilities.\284\
---------------------------------------------------------------------------

    \283\ Id.
    \284\ Id.
---------------------------------------------------------------------------

    252. APPA further identifies 35 discrete small transmission owners 
that sell less than 1 million megawatt hours a year, stating that 
``[a]ny increase in compliance costs will be a significant burden to 
these entities relative to their revenue.'' \285\ APPA states that 
compliance will force rate increases for these entities that could lead 
to the loss of key industrial and commercial customers. For each of 
these entities, and for the remaining entities without High or Medium 
Impact systems, APPA accepts the Commission estimate of $58,000 for 
years 1-3, but revises the ongoing cost burden to $50,000.\286\
---------------------------------------------------------------------------

    \285\ Id. at 27.
    \286\ Id. at 29.
---------------------------------------------------------------------------

    253. APPA concludes that the total economic burden resulting from 
the CIP version 5 Standards on all small entities will be 
$56,349,000.\287\ APPA requests that the Commission correct its RFA 
calculations in the Final Rule and provide more detail on how it 
arrived at the estimates in the RFA analysis. APPA explains that it 
requested, but that NERC declined to send out an information request to 
gather data from small entities on the standard's regulatory impact. 
APPA requests that, to the extent the Final Rule modifies the CIP 
version 5 Standards, the Commission direct NERC to provide detailed and 
supported information regarding the impacts on small entities.\288\
---------------------------------------------------------------------------

    \287\ Id. at 28.
    \288\ Id. at 31.
---------------------------------------------------------------------------

    254. NRECA questions the Commission's RFA estimates and requests 
further explanation of specific assumptions in a manner that would 
facilitate further comment and analysis. NRECA states that it received 
estimates from several of its members and concludes that the CIP 
version 5 Standards, as filed, for entities with only Low Impact assets 
will cost approximately $100,000 for implementation and then $50,000 
annually thereafter.\289\ NRECA states that the Commission provides too 
little information to support its action of not performing a full 
regulatory flexibility act analysis.
---------------------------------------------------------------------------

    \289\ NRECA Comments at 13.
---------------------------------------------------------------------------

    255. PUCO states that compliance with the CIP version 5 Standards 
could place heavy financial burdens on smaller utilities, 
municipalities, and coops. PUCO states further that these entities may 
not have the same cost-benefit relationship as larger utilities, and 
that this cost difference should be accounted for in the proposed 
standards. In addition, PUCO states that investment must be made in a 
cost effective manner for each utility in a way that protects their 
high risk vulnerabilities.\290\
---------------------------------------------------------------------------

    \290\ PUCO Comments at 2-3.
---------------------------------------------------------------------------

Commission Determination

    256. Upon consideration of the NOPR comments, we revise our 
estimate of the number of potentially impacted small entities upwards, 
from 14 to 45, to reflect the 31 small transmission operators 
identified by APPA.\291\ This number reflects 8.4 percent of the total 
536 small entities subject to the CIP version 5 Standards. Further, for 
the purpose of RFA certification, we will also adopt APPA's cost 
estimates for the 31 entities added to our analysis, but will maintain 
our cost estimates for the 14 small entities discussed in the NOPR. 
Nonetheless, even assuming APPA's cost estimates are correct, we adopt 
the NOPR proposal and maintain that a full regulatory flexibility 
analysis is not required.
---------------------------------------------------------------------------

    \291\ While we question whether available data supports APPA's 
proposed addition of the 31 small transmission operators discussed 
above, we will nevertheless adopt APPA's number for the sake of our 
analysis.
---------------------------------------------------------------------------

    257. In the NOPR, the Commission estimated that 1.5 percent of the 
total 305 small entities registered as distribution providers would own 
underfrequency or undervoltage load shedding systems that were 
previously not subject to the CIP Reliability Standards, and that 10 
percent of the 94 total small entities registered as transmission 
owners would own

[[Page 72785]]

Medium Impact assets newly subject to CIP version 5, comprising a total 
of 14 potentially impacted small entities. The Commission considered 
the time and expertise needed for an entity to document its asset 
evaluation process, policy and compliance information, and policy 
implementation information, as well as install hardware and software, 
and collect data, to arrive at our estimate of 4,600 hours of total 
work per entity over three years at an averaged $72 per hour rate for a 
total $331,000 of labor costs and $18,000 of non-labor costs per 
entity.
    258. In the NOPR, the Commission did not count the small 
transmission operators identified by APPA because the Commission's 
analysis assumed that entities had secured the control centers under 
the CIP version 3 Standards. As noted in Order No. 706, the Commission 
finds it ``difficult to envision a scenario in which a reliability 
coordinator, transmission operator or transmission owner control center 
or backup control center would not properly be identified as a critical 
asset.'' \292\ We, therefore, accept APPA's request to include small 
entity transmission operators having control centers in our total of 
small entities significantly affected. We also adopt APPA's suggested 
figures for costs to secure small transmission operators with control 
centers, even though APPA provides no detail or support for this 
figure, as we requested, other than one of its members' planned 
budgeting for these amounts.
---------------------------------------------------------------------------

    \292\ Order No. 706, 122 FERC ] 61,040 at P 280.
---------------------------------------------------------------------------

    259. We reject APPA's position that 35 small entity transmission 
owners that sell less than 1 million megawatt hours per year should 
change our analysis. We understand APPA's argument to rest on the 
concept that the extra small size of these entities means that they 
experience the agreed upon compliance cost figure in a proportionately 
higher manner. Upon evaluating the EIA 2011 data concerning the total 
revenues for each of the 35 entities listed by APPA, we find that the 
highest single year cost of $29,000 approaches 0.6 percent of total 
revenues for only one entity, and is less than 0.3 percent for nearly 
all of these entities.\293\ Viewed across the three-year implementation 
period, the yearly implementation cost as a percent of total revenues 
amounts to 0.1 percent when averaged across all 35 entities. Even if 
these expenses force such an organization into a rate increase, a base 
of only 2,000 ratepayers would distribute the increase at less than one 
dollar per month per customer for the three-year period including one 
year of on-going costs. For these reasons, APPA has not persuaded us 
that the 35 extra-small entities will experience proportionately 
significant costs in the view of the RFA.
---------------------------------------------------------------------------

    \293\ See Energy Information Administration Form 861 (available 
at http://www.eia.gov/electricity/data/eia861/index.html). The 
highest year cost of $29,000, as estimated in the NOPR, divided by 
the total revenue listed in EIA data for a given entity. With the 
maximum total revenue of $5,021,000, the calculation for Sabine 
River Authority of TX/LA (Toledo Bend Project) results in 0.58 
percent.
---------------------------------------------------------------------------

    260. While APPA asserts that a full RFA analysis is required, we 
note that we have incorporated relevant portions of APPA's estimates, 
yet remain unconvinced that the Final Rule will have a significant 
economic impact on a substantial number of small entities necessitating 
a more extensive RFA analysis. In addition, we reject the argument that 
the Commission must revise the NOPR RFA analysis to the extent that the 
Commission directs modifications to an approved Reliability Standard. 
We reiterate the Commission's determination in Order No. 706 that until 
NERC files a revised Reliability Standard, the Commission cannot 
estimate the burden on any user, owner or operator of the Build-Power 
System, including small entities, and, therefore, it is not appropriate 
to speculate on the cost of compliance with any directed modifications 
at this time.\294\
---------------------------------------------------------------------------

    \294\ See Order No. 706, 122 FERC ] 61,040 at P 800.
---------------------------------------------------------------------------

    261. Finally, we reject APPA's request that the Commission direct 
NERC to provide detailed and supported information regarding the 
impacts on small entities resulting from any modifications to the CIP 
version 5 Standards directed in this Final Rule. To the extent that 
APPA has concerns regarding the cost resulting from a Commission 
directive, the proper place to raise that concern in the first instance 
is in the NERC standards development process. In addition, we note that 
the parties with the best information on the potential impact on small 
entities resulting from the CIP Reliability Standards are the small 
entities themselves, and we expect such entities to raise their 
concerns during the standards development process. To the extent that 
entities provide NERC with such information, we encourage NERC to 
submit the cost data along with the associated new or revised 
Reliability Standard requirements.
    262. In summary, the Commission estimates that the CIP version 5 
Standards will have an economic impact on 536 small entities. The 
Commission estimates that 14 small entities, registered as transmission 
owners or distribution providers, and owning a Medium Impact Assets, 
may experience a significant economic impact of, on average, $116,000 
per entity in the first year, $145,000 in the second year, and $88,000 
in the third year, for a total of $349,000 over the first three years. 
After the initial implementation the Commission expects the average 
annual cost per each of these 14 entities to be less than $64,000. For 
the sake of this analysis, the Commission expects an additional 31 
small entities, registered as transmission operators and operating a 
Medium Impact control center, to experience a significant economic 
impact of $518,000 over the first three years and $250,000 ongoing 
costs per year thereafter. Because we expect the bulk of the initial 
expense to occur in years two and three, we divide by two to estimate 
the highest annual cost experienced at $259,000.
    263. Together, these two classes of significantly impacted entities 
comprise 45, or 8.4 percent of the total 536 small entities. The 
Commission concludes that 8.4 percent of the affected small entities 
does not represent a substantial number in terms of the total number of 
regulated small entities, as defined by the RFA, that are subject to 
the Final Rule. The Commission estimates that 191 out of the 536 small 
entities will each experience an average economic impact of $29,000 per 
year during years two and three, and $13,000 annual ongoing costs 
thereafter. Finally, the Commission estimates that the remaining 300 
out of the 536 small entities will only experience a minimal economic 
impact. In conclusion, the Commission certifies that this rule will not 
have a significant economic impact on a substantial number of small 
entities. Accordingly, a full regulatory flexibility analysis is not 
required.

V. Environmental Analysis

    264. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\295\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the

[[Page 72786]]

regulations being amended.\296\ The actions proposed here fall within 
this categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------

    \295\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. 
& Regs., Regulations Preambles 1986-1990 ] 30,783 (1987).
    \296\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

VI. Document Availability

    265. In addition to publishing the full text of this document in 
the Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, 
Washington, DC 20426.
    266. From the Commission's Home Page on the Internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    267. User assistance is available for eLibrary and the Commission's 
Web site during normal business hours from the Commission's Online 
Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at 
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
public.referenceroom@ferc.gov.

VII. Effective Date and Congressional Notification

    268. This Final Rule is effective February 3, 2014.
    269. The Commission has determined, with the concurrence of the 
Administrator of the Office of Information and Regulatory Affairs of 
OMB, that this rule is a ``major rule'' as defined in section 351 of 
the Small Business Regulatory Enforcement Fairness Act of 1996.\297\ 
The Commission will submit the Final Rule to both houses of Congress 
and to the General Accountability Office.
---------------------------------------------------------------------------

    \297\ See 5 U.S.C. 804(2) (2007).

    By the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

    Note:  The following Appendix will not appear in the Code of 
Federal Regulations.

Appendix

Commenters

------------------------------------------------------------------------
             Abbreviation                          Commenter
------------------------------------------------------------------------
AEP..................................  American Electric Power Service
                                        Corporation.
Alliant..............................  Alliant Energy Corporate
                                        Services.
Alrich...............................  Tom Alrich.
Ameren...............................  Ameren Service Company.
APPA.................................  American Public Power
                                        Association.
Arkansas.............................  Arkansas Electric Cooperative.
BPA..................................  Bonneville Power Administration.
CenterPoint..........................  CenterPoint Energy Houston
                                        Electric, LLC.
Consumers Energy.....................  Consumers Energy Company.
Dominion.............................  Dominion Resources Services, Inc.
EEI..................................  Edison Electric Institute.
Encari...............................  Encari, L.L.C.
EPSA.................................  Electric Power Supply
                                        Association.
Exelon...............................  Exelon Corporation.
FirstEnergy..........................  FirstEnergy Service Company.
G&T Cooperatives.....................  Associated Electric Cooperative,
                                        Inc., Basin Electric Power
                                        Cooperative, and Tri-State
                                        Generation and Transmission
                                        Association, Inc.
Gist.................................  Thomas Gist.
GSOC.................................  Georgia Systems Operations Corp.
Holland..............................  City of Holland, Michigan.
Idaho Power..........................  Idaho Power Company.
IRC..................................  ISO/RTO Council.
ISO New England......................  ISO New England Inc.
ITC..................................  ITC Companies.
KCP&L................................  Kansas City Power & Light Company
                                        and KCP&L Greater Missouri
                                        Operations Company.
LADWP................................  City of Los Angeles Department of
                                        Water and Power.
Luminant.............................  Luminant Generation Company, LLC.
MidAmerican..........................  MidAmerican Energy Holdings Co.
MISO.................................  Midcontinent Independent System
                                        Operator, Inc.
NAGF.................................  North American Generator Forum.
NARUC................................  National Association of
                                        Regulatory Utility
                                        Commissioners.
NASUCA...............................  National Association of State
                                        Utility Consumer Advocates.
National Grid........................  National Grid USA.
NERC.................................  North American Electric
                                        Reliability Corporation.
NextEra..............................  NextEra Energy, Inc.
NIPSCO...............................  Northern Indiana Public Service
                                        Co.
Northeast Utilities..................  Northeast Utilities Companies.
NorthWestern.........................  NorthWestern Energy.
NRECA................................  National Rural Electric
                                        Cooperative Association.
NRG..................................  NRG Companies.
OEVC.................................  Occidental Energy Ventures Corp.
Pepco................................  Pepco Holdings, Inc.
PG&E.................................  Pacific Gas and Electric Company.
Portland.............................  Portland General Electric
                                        Company.
PPL Companies........................  Louisville Gas and Electric
                                        Company; Kentucky Utilities
                                        Corporation; Lower Mount Bethel
                                        Energy, LLC; PPL Brunner Island,
                                        LLC; PPL Electric Utilities
                                        Corporation; PPL EnergyPlus,
                                        LLC; PPL Holtwood, LLC; PPL
                                        Ironwood, LLC; PPL Martins
                                        Creek, LLC; PPL Montana, LLC;
                                        PPL, Montour, LLC; and PPL
                                        Susquehanna, LLC.

[[Page 72787]]

 
PUCO.................................  Public Utilities Commission of
                                        Ohio.
Reclamation..........................  Department of Interior Bureau of
                                        Reclamation.
SCE..................................  Southern California Edison
                                        Company.
SCE&G................................  South Carolina Electric & Gas
                                        Company.
Southern Indiana.....................  Southern Indiana Gas and Electric
                                        Company.
Smart Grid...........................  Smart Grid Interoperability Panel
                                        Smart Grid Cybersecurity
                                        Committee.
SPP Parties..........................  Kansas City Board of Public
                                        Utilities, Oklahoma Municipal
                                        Power Authority, Rayburn Country
                                        Electric Cooperative, Southwest
                                        Power Pool, Inc., Westar Energy,
                                        Inc., and Western Farmers
                                        Electric Cooperative.
SPP RE...............................  Southwest Power Pool Regional
                                        Entity.
SWP..................................  California Department of Water
                                        Resources State Water Project.
Tacoma...............................  Tacoma Power.
Tampa................................  Tampa Electric Company.
TAPS.................................  Transmission Access Policy Study
                                        Group.
TVA..................................  Tennessee Valley Authority.
UI...................................  United Illuminating Company.
Venafi...............................  Venafi.
Waterfall............................  Waterfall Security Solutions,
                                        Ltd.
Wisconsin............................  Wisconsin Electric Power Company.
Xcel.................................  Xcel Energy Services, Inc.
------------------------------------------------------------------------

[FR Doc. 2013-28628 Filed 12-2-13; 8:45 am]
BILLING CODE 6717-01-P


