Federal Register - February 5, 2021


Source: Federal Register

8310

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
I. Introduction

1. In this Notice of Proposed Rulemaking (NOPR), the Federal Energy Regulatory Commission (Commission) proposes under sections 205 and 206 of the Federal Power Act (FPA) 1 to establish rules for incentive-based rate treatments for voluntary cybersecurity investments 2 by a public utility.3 These rules would provide cybersecurity incentives to public utilities that make certain cybersecurity investments that go above and beyond the requirements of the CIP Reliability Standards,4 and materially enhance the cybersecurity posture of the Bulk-Power System 5 by enhancing the applicant's cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers.

2. First, we propose to allow public utilities making certain cybersecurity investments to request an increase in the rate of return on equity (ROE) applicable to those capital investments. Such cybersecurity investments would include investments following specific CIP Reliability Standards and/or standards and guidelines from the National Institute of Standards and Technology (NIST) 6 Framework.

3. Second, we propose to allow a public utility to seek deferred cost recovery for certain cybersecurity investments. We propose that only expenses for activities that go above and beyond actions required to comply with the CIP Reliability Standards be eligible for these incentives. Therefore, expenses incurred to comply with mandatory CIP Reliability Standards that a public utility incurs on a regular or ongoing basis, or that are incurred prior to the incentive request, would not be eligible for such regulatory asset treatment. We propose to allow deferred cost recovery for three categories of expenses: (1) Expenses associated with third-party provision of hardware, software, and computing networking services; (2) expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and (3) other implementation expenses, such as risk assessments 7 by third parties or internal system reviews and initial responses to findings of such assessments. In all such cases, eligible costs would be limited to costs associated with implementing cybersecurity upgrades and would not include ongoing costs including system maintenance, surveillance, and other labor costs, either in the form of employee salaries or third-party service contracts. Furthermore, we propose that the deferred regulatory assets whose costs are typically expensed should be amortized over a five-year period.

4. Finally, under the proposed regulations, a public utility seeking one or more incentive-based rate treatments proposed in the NOPR must make a filing for Commission approval pursuant to FPA section 205 and receive such approval prior to implementing the proposed incentives in its Commission-jurisdictional rates.

1 16 U.S.C. 824d, 824e.

2 Voluntary cybersecurity investments refer to cybersecurity investments not required to meet mandatory North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Reliability Standards (CIP Reliability Standards).

3 The proposed incentive-based treatments for cybersecurity investments would also be available to non-public utilities to the extent that they have Commission-jurisdictional rates.

4 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 73 FR 7367 (Feb. 7, 2008), 122 FERC ¶ 61,040, at P 1, order on reh'g and clarification, Order No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706-B, 74 FR 12544 (Mar. 25, 2009), 126 FERC ¶ 61,229, order denying clarification, Order No. 706-C, 74 FR 30067 (June 24, 2009), 127 FERC ¶ 61,273 (2009).

5 Bulk-Power System is defined by FPA section 215 as facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof), and electric energy from generation facilities needed to maintain transmission system reliability. The term does not include facilities used in the local distribution of electric energy. 16 U.S.C. 825oa.

6 NIST is a part of the U.S. Department of Commerce that advances measurement science, standards, and technology. It has developed the voluntary Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses. NIST, Framework for Improving Critical Infrastructure Cybersecurity, at v (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

II. Background

A. Critical Infrastructure Protection Reliability Standards

5. On August 8, 2005, Congress enacted the Energy Policy Act of 2005.8 The Energy Policy Act of 2005 added a new section 215 to the FPA,9 which requires a Commission-certified Electric Reliability Organization to develop mandatory and enforceable Reliability Standards,10 including requirements for cybersecurity protection, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the Electric Reliability Organization subject to Commission oversight, or the Commission can independently enforce Reliability Standards.

6. On February 3, 2006, the Commission issued Order No. 672,11 implementing FPA section 215. The Commission subsequently certified NERC as the Electric Reliability Organization. The Reliability Standards developed by NERC become mandatory and enforceable after Commission approval and apply to users, owners, and operators of the Bulk-Power System, as set forth in each Reliability Standard.12 The CIP Reliability Standards require entities to comply with specific requirements to safeguard critical cyber assets. These standards are results-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply.

7. On January 18, 2008, the Commission issued Order No. 706,13 approving the initial eight CIP Reliability Standards, CIP version 1 Standards, submitted by NERC. Subsequently, the Commission has approved multiple versions of the CIP Reliability Standards submitted by NERC, partly to address the evolving nature of cyber-related threats to the Bulk-Power System. On November 22, 2013, the Commission issued Order No. 791,14 approving CIP version 5 Standards, the last major revision to the CIP Reliability Standards. The CIP version 5 Standards implement a tiered approach to categorize assets, identifying them as high, medium, or

7 NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, at 26 (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

8 Energy Policy Act of 2005, Pub. L. 109-58, secs. 1261 et seq., 119 Stat. 594 (2005).

9 16 U.S.C. 824o.

10 FPA section 215 defines Reliability Standard as a requirement, approved by the Commission, to provide for reliable operation of existing bulk-power system facilities, including cybersecurity protection, and the design of planned additions or modifications to such facilities to the extent necessary to provide for reliable operation of the Bulk-Power System. However, the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity. Id. at 824o(a)(3).

11 Rules Concerning Certification of the Elec. Reliability Org.; and Procedures for the Establishment, Approval, and Enf't of Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006).

12 NERC uses the term registered entity to identify users, owners, and operators of the Bulk-Power System responsible for performing specified reliability functions with respect to NERC Reliability Standards. See, e.g., Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification and reh'g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability Standards are various subsets of entities responsible for performing various specified reliability functions. We collectively refer to these as entities.

13 Order No. 706, 122 FERC ¶ 61,040 at P 1.

14 Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ¶ 61,160 (2013), order on clarification and reh'g, Order No. 791-A, 146 FERC ¶ 61,188 (2014).
