Daily Rules, Proposed Rules, and Notices of the Federal Government


Federal Energy Regulatory Commission

[Docket No. IC11-725B-001]

Commission Information Collection Activities (FERC-725B); Comment Request; Submitted for OMB Review

AGENCY: Federal Energy Regulatory Commission, DOE.
ACTION: Notice.
SUMMARY: In compliance with the requirements of section 3507 of the Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy Regulatory Commission (Commission or FERC) has submitted the information collection described below to the Office of Management and Budget (OMB) for review of the information collection requirements. Any interested person may file comments directly with OMB and should address a copy of those comments to the Commission as explained below. The Commission issued a Notice in the Federal Register (75 FR 65618, 10/26/2010) requesting public comments. FERC received no comments on the FERC-725B and has made this notation in its submission to OMB. OMB only makes a decision after the 30-day comment period for this notice has expired.
DATES: Comments on the collection of information are due by May 9, 2011.
ADDRESSES: A copy of the comments should also be sent to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Comments may be filed either on paper or on CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be prepared in an acceptable filing format and in compliance with Commission submission guidelines at and eSubscription are not available for Docket No. IC11-725B-001, due to a system issue.

All comments may be viewed, printed or downloaded remotely via the Internet through FERC's homepage using the "eLibrary" link. For user assistance, contact ferconlinesupport@ferc.gov or toll-free at (866) 208-3676, or for TTY, contact (202) 502-8659.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail, by telephone at (202) 502-8663, and by fax at (202) 273-0873.

The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection (OMB Control No. 1902-0248), is required to implement the statutory provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o). On January 18, 2008, the Commission issued order 706, approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC) for Commission approval.1

1CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-007-1, CIP-008-1, and CIP-009-1.

The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets.2 These standards help protect the nation's Bulk-Power System against potential disruptions from cyber attacks.3 The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures.4

2In addition, in accordance with section 215(d)(5) of the FPA, the Commission proposed to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

3For a description of the CIP Reliability Standards, see the Critical Infrastructure Protection Section on NERC's Web site at|20.

4The October notice issued in this docket contains more information on the reporting requirements and can be found at full text of the standards can be found on NERC's Web site at|20.

The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. However, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards.

Action: The Commission is requesting a three-year extension of the existing collection with no changes to the requirements.

Burden Statement: The extent of the reporting burden is influenced by the number of identified critical assets and related critical cyber assets pursuant to CIP-002. An entity identifying one or more critical cyber assets, including assets located at remote locations, will likely require more resources to demonstrate compliance with the CIP Reliability Standards compared to an entity that identifies no critical assets. The Commission has developed estimates using data from NERC's compliance registry as well as a 2009 survey that was conducted by NERC to assess the number of entities reporting Critical Cyber Assets.

| Data collection | Number of respondents5 (1) | Average number of responses per respondent (2) | Average number of burden hours per response6 (3) | Total annual hours (1) x (2) x (3) |
|---|---|---|---|---|
| FERC-725B: | | | | |
| Estimate of U.S. Entities that have identified Critical Cyber Assets | 345 | 1 | 320 | 110,400 |
| Estimate of U.S. Entities that have not identified Critical Cyber Assets | 1,156 | 1 | 8 | 9,248 |
| New U.S. Entities that have to come into compliance with the CIP Standards7 | *6 | 1 | 1,176 | 7,056 |
| Totals | 1,501 | | | 126,704 |

* not included in the 1,501 total because it is assumed that on average, six entities per year will no longer have to comply with the CIP standards.

    The total estimated annual cost burden to respondents is:

    5The NERC Compliance Registry as of 9/28/2010 indicated that 2079 entities were registered for NERC's compliance program. Of these, 2057 were identified as being U.S. entities. Staff concluded that of the 2057 U.S. entities, only 1501 were registered for at least one CIP related function. According to an April 7, 2009 memo to industry, NERC's VP and Chief Security officer noted that only 31% of entities responded to an earlier survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber Asset. Staff applied the 23% reporting to the 1501 figure to obtain an estimate. The 6 new entities listed here are assumed to match a similar set of 6 entities that would drop out in an existing year. Thus, the net estimate of respondents remains at 1501 per year.

    6This figure relates to NERC's audit schedule which requires NERC to engage in a compliance Audit once every 3 to 5 years. For simplicity, staff has divided the total number of hours by 3 to reflect the amount of time annually spent preparing documents. Staff assumed that each CIP audit or spot check would require four individuals 6 weeks to prepare and demonstrate compliance with CIP standards for entities that have identified Critical Cyber Assets. Staff estimated that entities that do not have Critical Cyber Assets would still be required to demonstrate compliance with CIP-002, which would require one individual approximately three days to execute.

    7This category of respondents (with the corresponding burden) was not included in the 60-day public notice due to an oversight by Commission staff.

    • Entities that have identified Critical Assets = 110,400 hours @ $96 = $10,598,400.

    • Entities that have not identified Critical Assets = 9,248 hours @ $96 = $887,808.

    • Storage Costs for Entities that have identified Critical Assets8 = 315 Entities @ $15.25 = $4,804.

    8This cost category was not included in the 60-day public notice due to an oversight by Commission staff.

    The hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report.9 The $15.25 rate for storage costs for each entity is an estimate based on the average costs to service and store 1 GB of data to demonstrate compliance with the CIP standards.10

    9Bureau of Labor Statistics figures were obtained from, and 2009 Billing Rates figures were obtained from services were based on the national average billing rate (contracting out) from the above report and BLS hourly earnings (in-house personnel). It is assumed that 25% of respondents have in-house legal personnel.

    10Based on the aggregate cost of an IBM advanced data protection server.

    The reporting burden includes the total time, effort, or financial resources expended to generate, maintain, retain, disclose, or provide the information including: (1) Reviewing instructions; (2) developing, acquiring, installing, and utilizing technology and systems for the purposes of collecting, validating, verifying, processing, maintaining, disclosing and providing information; (3) adjusting the existing ways to comply with any previously applicable instructions and requirements; (4) training personnel to respond to a collection of information; (5) searching data sources; (6) completing and reviewing the collection of information; and (7) transmitting, or otherwise disclosing the information.

    Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimates of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collections of information on those who are to respond, including the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses.

    Dated: March 31, 2011. Kimberly D. Bose, Secretary.