Department of Energy, Federal Energy Regulatory Commission: Revised Critical Infrastructure Protection Reliability Standards

GAO-16-428R: Feb 17, 2016


GAO reviewed the Department of Energy, Federal Energy Regulatory Commission's (Commission) new rule on revised critical infrastructure protection reliability standards. GAO found that (1) the final rule announces the Commission's approval of seven critical infrastructure protection (CIP) Reliability Standards: CIP-003-6 (Security Management Controls), CIP-004-6 (Personnel and Training), CIP-006-6 (Physical Security of BES Cyber Systems), CIP-007-6 (Systems Security Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), CIP-010-2 (Configuration Change Management and Vulnerability Assessments), and CIP-011-2 (Information Protection); and (2) the Commission complied with applicable requirements in promulgating the rule.

B-327777

February 17, 2016

The Honorable Lisa Murkowski
Chairman
The Honorable Maria Cantwell
Ranking Member
Committee on Energy and Natural Resources
United States Senate

The Honorable Fred Upton
Chairman
The Honorable Frank Pallone, Jr.
Ranking Member
Committee on Energy and Commerce
House of Representatives

Subject: Department of Energy, Federal Energy Regulatory Commission: Revised Critical Infrastructure Protection Reliability Standards

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Energy, Federal Energy Regulatory Commission (Commission) entitled “Revised Critical Infrastructure Protection Reliability Standards” (Docket No. RM15-14-000).  We received the rule on February 3, 2016.  It was published in the Federal Register as a final rule on January 26, 2016.  81 Fed. Reg. 4177.

The final rule announces the Commission’s approval of seven critical infrastructure protection (CIP) Reliability Standards: CIP–003–6 (Security Management Controls), CIP–004–6 (Personnel and Training), CIP–006–6 (Physical Security of BES Cyber Systems), CIP–007–6 (Systems Security Management), CIP–009–6 (Recovery Plans for BES Cyber Systems), CIP–010–2 (Configuration Change Management and Vulnerability Assessments), and CIP–011–2 (Information Protection).  The Commission expects these Reliability Standards to address the cyber security of the bulk electric system and improve upon the current Commission-approved CIP Reliability Standards.  In addition, the Commission directs the North American Electric Reliability Corporation to develop certain modifications to improve the CIP Reliability Standards.

The Congressional Review Act (CRA) requires a 60-day delay in the effective date of a major rule from the date of publication in the Federal Register or receipt of the rule by Congress, whichever is later.  5 U.S.C. § 801(a)(3)(A).  This final rule has a stated effective date of March 31, 2016.  The rule was published in the Federal Register on January 26, 2016, but was received by GAO on February 3, 2016, and received by Congress on February 5, 2016.  162 Cong. Rec. H594 (Feb. 8, 2016).  Therefore, the final rule does not have the full required 60-day delay in its effective date.

Enclosed is our assessment of the Commission’s compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule.  According to its submission to us, the Commission did not prepare an analysis of the costs and benefits with respect to this final rule.  Our review of the other procedural steps taken indicates that the Commission complied with the applicable requirements.

If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Shirley A. Jones, Assistant General Counsel, at (202) 512-8156.

  signed

Robert J. Cramer
Managing Associate General Counsel

Enclosure

cc: Max Minzner
Federal Energy Regulatory Commission
Department of Energy

ENCLOSURE

REPORT UNDER 5 U.S.C. § 801(a)(2)(A) ON A MAJOR RULE
ISSUED BY THE
DEPARTMENT OF ENERGY,
FEDERAL ENERGY REGULATORY COMMISSION

ENTITLED
“REVISED CRITICAL INFRASTRUCTURE
PROTECTION RELIABILITY STANDARDS”

(DOCKET NO. RM15-14-000)

(i) Cost-benefit analysis

In its submission to us, the Federal Energy Regulatory Commission (Commission) indicated that it had not prepared an analysis of the costs and benefits of this final rule.

(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603-605, 607, and 609

The Commission determined that this final rule will not have a significant economic impact on a substantial number of small entities.

(iii) Agency actions relevant to sections 202-205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532-1535

As an independent regulatory agency, the Commission is not subject to the Act.

(iv) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.

On July 22, 2015, the Commission published in the Federal Register a notice of proposed rulemaking.  80 Fed. Reg. 43,354.  The Commission received comments from 41 entities and responded to the comments in the final rule. 

Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501-3520

The Commission determined that this final rule contains information collection requirements under the Act.  The requirement is entitled “Mandatory Reliability Standards, Revised Critical Infrastructure Protection Standards” and has been assigned Office of Management and Budget (OMB) Control Number 1902-0248.  For medium and high impact assets, the Commission estimates the total reporting burden will be 75,120 hours in the first year and 130,208 hours in the second and third years with respective costs of $5,709,120 and $9,895,808.  For low impact assets, the Commission estimates the total reporting burden will be 163,580 hours in the first year and 283,504 hours in the second and third years with respective costs of $12,430,560 and $21,546,304.

Statutory authorization for the rule.

The Commission promulgated this final rule under the authority of section 215 of the Federal Power Act.  16 U.S.C. § 824o.

Executive Order No. 12,866 (Regulatory Planning and Review)

As an independent regulatory agency, the Commission is not subject to the Order.

Executive Order No. 13,132 (Federalism)

As an independent regulatory agency, the Commission is not subject to the Order.
