Federal Register - February 5, 2021
Source: Federal Register
8312
Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.24
11. As noted above, NIST implements the Cybersecurity Act through its NIST
Framework,25 which provides a common organizing structure for multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are currently working effectively in industry.26 The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible.27 The NIST Framework consists of three parts: Framework Core;
Implementation Tiers; and Framework Profiles.28 The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Framework Core provide detailed guidance for developing individual Framework Profiles.29 Through use of Framework Profiles, the NIST
Framework is designed to help an organization to align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. The Implementation Tiers provide a mechanism for an organization to view and understand the characteristics of its approach to managing cybersecurity risk, which is designed to help in prioritizing and achieving cybersecurity objectives.30 The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover.
When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk.31
24 15 U.S.C. 272(e)(1)(A)(iii). "Security Controls" is defined as follows: "The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information." NIST, Computer Security Resource Center Glossary, https://csrc.nist.gov/glossary/term/security_controls.
25 Version 1.0 of the NIST Framework was released in 2014, and subsequently replaced with version 1.1 in 2018.
26 NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, at v (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
27 See Executive Order No. 13636, Improving Critical Infrastructure Cybersecurity, 78 FR 11737 (Feb. 19, 2013).
28 NIST Framework at v.
29 Id.
30 Id.
C. Transmission Incentives Notice of Inquiry and Rulemaking
12. On March 21, 2019, the Commission issued a Notice of Inquiry seeking comment on the scope and implementation of its electric transmission incentives policy 32 to ensure that the policy continues to satisfy its obligations under FPA section 219.33 The Notice of Inquiry included numerous questions regarding the Commission's approach to, and the objectives of, its transmission incentives policy; the mechanics and implementation of a transmission incentives policy; and metrics for evaluating the effectiveness of transmission incentives. As related to this proceeding, the Commission requested comment on whether it should incent physical and cybersecurity enhancements at transmission facilities and, if so, what types of security investments should qualify for transmission incentives.34
13. On March 20, 2020, the Commission issued a Notice of Proposed Rulemaking on several topics considered in the 2019 Notice of Inquiry.35 In the Transmission Incentives NOPR, the Commission acknowledged that, although reliability is clearly delineated as a benefit to be promoted by transmission incentives, there are differing mandates for promoting reliability under FPA
sections 215 and 219. Further, the Commission stated that cybersecurity is an important part of reliability and indicated that it would address cybersecurity incentives independently in a separate, future proceeding.36
31 Id. at 3.
32 Inquiry Regarding the Commission's Electric Transmission Incentives Policy, 166 FERC ¶ 61,208 (2019) (2019 Notice of Inquiry).
33 16 U.S.C. 824s.
34 2019 Notice of Inquiry, 166 FERC ¶ 61,208 at P 27.
35 Electric Transmission Incentives Policy Under Section 219 of the Federal Power Act, 85 FR 18784 (Apr. 2, 2020), 170 FERC ¶ 61,204, errata notice, 171 FERC ¶ 61,072 (2020) (Transmission Incentives NOPR).
36 2019 Notice of Inquiry, 166 FERC ¶ 61,208 at P 5.
D. Cybersecurity Incentives Policy White Paper
14. On June 18, 2020, Commission staff issued a white paper to explore a new framework for providing transmission incentives to public utilities for cybersecurity investments that produce significant cybersecurity benefits for actions taken that exceed the requirements of the CIP Reliability Standards.37 In the White Paper, Commission staff discussed augmenting the current CIP Reliability Standards under FPA section 215 with an incentive-based framework under FPA section 219 that encourages public utilities to undertake cybersecurity investments on a voluntary basis.
Commission staff reasoned that this framework would incent a public utility to adopt best practices to protect its own transmission system as well as improve the security of the BES. Further, Commission staff stated that the framework could allow the electric industry to be more agile in monitoring and responding to new and evolving cybersecurity threats, to identify and respond to a wider range of threats, and to address threats with comprehensive and more effective solutions.
Commission staff reasoned that an incentive-based framework would allow a public utility to tailor its request for incentives to the potential challenges it faces and take responsive action.
Commission staff explained that, in the future, these voluntary actions taken by public utilities, if proven beneficial, could be the basis of future CIP
Reliability Standards that would be mandatory.38
15. Commission staff stated that providing transmission incentives for cybersecurity investments would require a new framework for the Commission to evaluate requests from public utilities for transmission incentives. Commission staff opined that a first necessary step would be to establish approaches that examine the effectiveness of cybersecurity investments in enabling the public utility to achieve a level of protection that exceeds the CIP Reliability Standards and also enhances the security of its transmission system.
Commission staff stated that a public utility would then be able to identify the cybersecurity investments for which it seeks transmission incentives with the Commission evaluating such transmission incentive requests.
16. In the White Paper, Commission staff provided two potential approaches for identifying cybersecurity investments eligible for transmission incentives. The first approach was based on a public utility voluntarily applying certain CIP Reliability Standard requirements to transmission facilities that are not subject to those requirements, e.g., applying all requirements applicable to medium or
37 Cybersecurity Incentives Policy White Paper, Notice of White Paper, Docket No. AD20-19-000 (issued June 18, 2020) (White Paper).
38 Id. at 12-13.