Quiero saber acerca de...

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules applicant must describe its current cybersecurity posture, desired cybersecurity posture, and the quantified risk factors being addressed through the proposed incentive actions.
An application must include full and detailed explanations of how proposed cybersecurity investments will materially enhance the cybersecurity of the Bulk-Power System by enhancing the applicants cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers. In assessing whether an application meets the standard for granting incentives under this NOPR, we propose that the Commission would review the stated expenditures and level of risk mitigated in comparison to the public utilitys pre-incentivized network configuration. This judgement will be made on a case-by-case basis. The application would need to detail the specific components to be installed, network deployment, sensor configuration, and enterprise data incorporation as described in the fourstep review process, discussed below.
56. Consistent with incentive requests under the NERC CIP Incentives Approach, an applicant seeking incentives under the NIST Framework Approach would be required to provide detail on the investments or expenses for which it seeks incentives. For capital investments, applicants would describe:
1 The required network components;
2 how the sensors connect to the network; 3 how the sensors deployment recognizes the specific attributes of the network; 4 the costs of all investments; and 5 when the costs are expected to be incurred.
3. ROE Adder 57. Under 35.48e3 of the proposed regulations, applicants requesting an ROE adder of 200 basis points must include the anticipated cost of the capital investment and identify the Commission-jurisdictional rate schedules under which they will recover the ROE adder.

jbell on DSKJLSW7X2PROD with PROPOSALS

4. Regulatory Asset Incentive 58. For expenses that the applicant seeks to receive regulatory asset treatment associated with either ROE
incentive-eligible projects based on either the NERC CIP Incentives Approach or the NIST Framework Approach, under 35.48e4 of the proposed regulations, the applicant must describe and estimate the nature of such expenses, their costs, and when
VerDate Sep<11>2014

16:29 Feb 04, 2021

Jkt 253001

they are expected to be incurred.71
Applicants would be expected to provide a narrative explanation of how such expenses meet the description of the Med/High Incentive, the Hub-Spoke Incentive and/or the NIST Framework Approach. Applicants would then describe whether the expenses are: 1
Expenses associated with third-party provision of hardware, software, and computing networking services; 2
expenses for training to implement new cybersecurity enhancements; or 3
other transition expenses, such as risk assessments 72 by third parties or internal system reviews, and initial responses to findings of such assessments. An applicant would also be required to describe the cost, location, and timing of all eligible capital investments and the cost and timing of all deferred expenses.
E. Implementation 1. Incentive Duration 59. We propose to add 35.48d to the Commissions regulations to allow a public utility granted an incentive under this NOPR to receive that incentive for the lesser of: 1 The depreciation life of the underlying asset;
2 10 years from when the cybersecurity improvements enter service; 3 when the investments or activities that serve as the basis of that incentive become mandatory pursuant to a Reliability Standard approved by the Commission; or 4 when the public utility no longer meets the requirements for receiving the incentive.73 We are seeking to incentivize cybersecurity assets that primarily include equipment or system modifications that typically have short depreciation lives. The cybersecurity incentives identified in this NOPR are intended to apply to technology and systems investments and not to more long-lived assets like physical structures. Thus, we believe that most public utilities granted cybersecurity incentives under this NOPR should receive those incentives for the depreciation life of the asset.
However, for investments with useful lives exceeding 10 years, we propose that the incentive end at the conclusion of 10 years from when the cybersecurity incentives enter service. Although it is 71 We reiterate that applicants ongoing costs of operating a more cybersecure system are not eligible for such incentive treatment under this NOPR.
72 NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, at 26
Apr. 16, 2018, https nvlpubs.nist.gov/nistpubs/
CSWP/NIST.CSWP.04162018.pdf.
73 FPA section 205 filings revising cost of service rates to implement incentives must contain language limiting incentive duration to the lesser of these three eventualities.

PO 00000

Frm 00011

Fmt 4702

Sfmt 4702

8319

possible that specific components of cybersecurity investments may feature longer useful lives than 10 years, given the evolving nature of cybersecurity threats, we find that 10 years is a reasonable expectation of the principal benefits of the cybersecurity investments, which should correspond to the investment duration.
60. In addition, we propose that, where cybersecurity investments are mandatory, cybersecurity incentives are inappropriate and would only serve to increase ratepayer costs. However, where NERC publicly announces that it is considering making certain cybersecurity activities or investments mandatory, through issuing a standard authorization request, public utilities may receive incentives until the requirements become mandatory. For a public utility that requests regulatory asset treatment for costs normally recorded to expenses, if such expenditures become mandatory, we propose that the public utility must recover the unamortized portion of expenses through expenses in rates with no further earning of an incentive return on the regulatory asset.
2. Informational Filing and Verification 61. In order to ensure that a public utility receiving incentive rate treatment has implemented the requirements for the incentive and to ensure that it continues to adhere to these requirements, we propose to add 35.48f to the Commissions regulations to require public utilities to submit annual informational filings with the Commission.74 We propose specific reporting requirements for each of the NERC CIP Incentives Approach and the NIST Framework Approach below.
62. The Transmission Incentives NOPR proposes additional reporting requirements for recipients of transmission incentives under FPA
section 219.75 Such additional reporting is likewise appropriate for cybersecurity upgrades receiving incentives.
Accordingly, we propose to add 35.48f to require that, within 120
days of the completion of cybersecurity upgrades for which an applicant is granted incentives, an incentives recipient must make an informational filing and subsequent informational filings annually thereafter. The annual informational filings must detail the specific investments that were made 74 These reporting requirements also apply to non-public utilities that receive cybersecurity incentives through their Commission-jurisdictional rates.
75 Transmission Incentives NOPR, 166 FERC
61,208 at P 115.

E:FRFM05FEP1.SGM

05FEP1