Department of Energy, Federal Energy Regulatory Commission; Version 5 Critical Infrastructure Protection Reliability Standards
Highlights
GAO reviewed the Department of Energy, Federal Energy Regulatory Commission's (FERC) new rule on Version 5 Critical Infrastructure Protection Reliability Standards. GAO found that (1) FERC approves the Version 5 Critical Infrastructure Protection Reliability Standards, CIP-002-5 through CIP-011-1, submitted by the North American Electric Reliability Corporation (NERC). NERC is the Commission-certified Electric Reliability Organization. The CIP Version 5 Standards address the cyber security of the bulk electric system by applying new cyber security controls and extending the scope of the systems that are protected by the CIP Reliability Standards. This rule also approves 19 new or revised definitions associated with the CIP Version 5 Standards for inclusion in the Glossary of Terms Used in NERC Reliability Standards. In addition, this rule directs NERC to develop modifications to the CIP Version 5 Standards and submit informational filings; and the (2) FERC complied with applicable requirements in promulgating the rule.
B-325364
December 18, 2013
The Honorable Ron Wyden
Chairman
The Honorable Lisa Murkowski
Ranking Member
Committee on Energy and Natural Resources
United States Senate
The Honorable Fred Upton
Chairman
The Honorable Henry A. Waxman
Ranking Member
Committee on Energy and Commerce
House of Representatives
Subject: Department of Energy, Federal Energy Regulatory Commission; Version 5 Critical Infrastructure Protection Reliability Standards
Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Energy, Federal Energy Regulatory Commission, (FERC or Commission) entitled Version 5 Critical Infrastructure Protection Reliability Standards (Docket No. RM13-5-000). We received the rule on November 25, 2013. It was published in the Federal Register as a final rule on December 3, 2013, with a stated effective date of February 3, 2104. 78 Fed. Reg. 72,756.
With this rule, FERC approves the Version 5 Critical Infrastructure Protection Reliability Standards, CIP0025 through CIP0111, submitted by the North American Electric Reliability Corporation (NERC). NERC is the Commission-certified Electric Reliability Organization. The CIP Version 5 Standards address the cyber security of the bulk electric system by applying new cyber security controls and extending the scope of the systems that are protected by the CIP Reliability Standards. This rule also approves 19 new or revised definitions associated with the CIP Version 5 Standards for inclusion in the Glossary of Terms Used in NERC Reliability Standards. In addition, this rule directs NERC to develop modifications to the CIP Version 5 Standards and submit informational filings.
Enclosed is our assessment of FERCs compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. According to its submission to us, FERC did not prepare an analysis of the costs and benefits with respect to this final rule. Our review of the other procedural steps taken indicates that FERC complied with the applicable requirements.
If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Shirley A. Jones, Assistant General Counsel, at (202) 512-8156.
signed
Robert J. Cramer
Managing Associate General Counsel
Enclosure
cc: Dave Morenoff
Acting General Counsel, FERC
Department of Energy
ENCLOSURE
REPORT UNDER 5 U.S.C. § 801(a)(2)(A) ON A MAJOR RULE
ISSUED BY THE
DEPARTMENT OF ENERGY
FEDERAL ENERGY REGULATORY COMMISSION
ENTITLED
"Version 5 Critical Infrastructure Protection
Reliability Standards
(Docket No. RM13-5-000)
(i) Cost-benefit analysis
According to its submission to us, the Federal Energy Regulatory Commission (FERC) did not prepare an analysis of the costs and benefits with respect to this final rule.
(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603-605, 607, and 609
FERC certified that this rule will not have a significant impact on a substantial number of small entities.
(iii) Agency actions relevant to sections 202-205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532-1535
As an independent regulatory agency, FERC is not subject to the Act.
(iv) Other relevant information or requirements under acts and executive orders
Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.
On April 18, 2013, FERC published a proposed rule. 78 Fed. Reg. 24,107. FERC received comments from 62 entities. FERC listed the entities from which it received comments and discussed the issues raised in the final rule.
Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501-3520
FERC determined that this final rule contains an information collection requirement under the Order. The requirement is entitled Mandatory Reliability Standards, Critical Infrastructure Protection and has been assigned Office of Management and Budget (OMB) Control Number 19020248. FERC estimated the total burden to be 418,048 hours in the first year of applicability; 1,162,788 hours in the second year; and 757,948 hours in the third year.
Statutory authorization for the rule
FERC promulgated this final rule under the authority of section 215 of the Federal Power Act. 16 U.S.C. § 824o.
Executive Order No. 12,866 (Regulatory Planning and Review)
As an independent regulatory agency, FERC is not subject to the Order.
Executive Order No. 13,132 (Federalism)
As an independent regulatory agency, FERC is not subject to the Order.