Department of Energy, Federal Energy Regulatory Commission; Version 5 Critical Infrastructure Protection Reliability Standards

GAO-14-241R: Dec 18, 2013

Contact:

Shirley A. Jones
(202) 512-8156
jonessa@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

GAO reviewed the Department of Energy, Federal Energy Regulatory Commission's (FERC) new rule on Version 5 Critical Infrastructure Protection Reliability Standards. GAO found that (1) FERC approves the Version 5 Critical Infrastructure Protection Reliability Standards, CIP-002-5 through CIP-011-1, submitted by the North American Electric Reliability Corporation (NERC). NERC is the Commission-certified Electric Reliability Organization. The CIP Version 5 Standards address the cyber security of the bulk electric system by applying new cyber security controls and extending the scope of the systems that are protected by the CIP Reliability Standards. This rule also approves 19 new or revised definitions associated with the CIP Version 5 Standards for inclusion in the Glossary of Terms Used in NERC Reliability Standards. In addition, this rule directs NERC to develop modifications to the CIP Version 5 Standards and submit informational filings; and the (2) FERC complied with applicable requirements in promulgating the rule.

B-325364

December 18, 2013

The Honorable Ron Wyden
Chairman
The Honorable Lisa Murkowski
Ranking Member
Committee on Energy and Natural Resources
United States Senate

The Honorable Fred Upton
Chairman
The Honorable Henry A. Waxman
Ranking Member
Committee on Energy and Commerce
House of Representatives

Subject: Department of Energy, Federal Energy Regulatory Commission; Version 5 Critical Infrastructure Protection Reliability Standards

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Energy, Federal Energy Regulatory Commission, (FERC or Commission) entitled “Version 5 Critical Infrastructure Protection Reliability Standards” (Docket No. RM13-5-000). We received the rule on November 25, 2013. It was published in the Federal Register as a final rule on December 3, 2013, with a stated effective date of February 3, 2104. 78 Fed. Reg. 72,756.

With this rule, FERC approves the Version 5 Critical Infrastructure Protection Reliability Standards, CIP–002–5 through CIP–011–1, submitted by the North American Electric Reliability Corporation (NERC). NERC is the Commission-certified Electric Reliability Organization. The CIP Version 5 Standards address the cyber security of the bulk electric system by applying new cyber security controls and extending the scope of the systems that are protected by the CIP Reliability Standards. This rule also approves 19 new or revised definitions associated with the CIP Version 5 Standards for inclusion in the Glossary of Terms Used in NERC Reliability Standards. In addition, this rule directs NERC to develop modifications to the CIP Version 5 Standards and submit informational filings.

Enclosed is our assessment of FERC’s compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. According to its submission to us, FERC did not prepare an analysis of the costs and benefits with respect to this final rule. Our review of the other procedural steps taken indicates that FERC complied with the applicable requirements.

If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Shirley A. Jones, Assistant General Counsel, at (202) 512-8156.

signed

Robert J. Cramer
Managing Associate General Counsel

Enclosure

cc: Dave Morenoff
Acting General Counsel, FERC
Department of Energy


ENCLOSURE

REPORT UNDER 5 U.S.C. § 801(a)(2)(A) ON A MAJOR RULE
ISSUED BY THE
DEPARTMENT OF ENERGY
FEDERAL ENERGY REGULATORY COMMISSION
ENTITLED
"Version 5 Critical Infrastructure Protection
Reliability Standards”
(Docket No. RM13-5-000)

(i) Cost-benefit analysis

According to its submission to us, the Federal Energy Regulatory Commission (FERC) did not prepare an analysis of the costs and benefits with respect to this final rule.

(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603-605, 607, and 609

FERC certified that this rule will not have a significant impact on a substantial number of small entities.

(iii) Agency actions relevant to sections 202-205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532-1535

As an independent regulatory agency, FERC is not subject to the Act.

(iv) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.

On April 18, 2013, FERC published a proposed rule. 78 Fed. Reg. 24,107. FERC received comments from 62 entities. FERC listed the entities from which it received comments and discussed the issues raised in the final rule.

Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501-3520

FERC determined that this final rule contains an information collection requirement under the Order. The requirement is entitled “Mandatory Reliability Standards, Critical Infrastructure Protection” and has been assigned Office of Management and Budget (OMB) Control Number 1902–0248. FERC estimated the total burden to be 418,048 hours in the first year of applicability; 1,162,788 hours in the second year; and 757,948 hours in the third year.

Statutory authorization for the rule

FERC promulgated this final rule under the authority of section 215 of the Federal Power Act. 16 U.S.C. § 824o.

Executive Order No. 12,866 (Regulatory Planning and Review)

As an independent regulatory agency, FERC is not subject to the Order.

Executive Order No. 13,132 (Federalism)

As an independent regulatory agency, FERC is not subject to the Order.

Jul 24, 2014

Jul 18, 2014

Jul 17, 2014

Jul 16, 2014

Looking for more? Browse all our products here