Federal Register - February 5, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
8321
SUPPORTING DOCUMENTATION DEMONSTRATING INCENTIVE ADHERENCE (Continued)
Topic | Standard | Documentation
Supply Chain Risk Management | CIP-013 | Supply chain security risk management plan, implementation, and testing procedures.
68. To demonstrate that a public utility has implemented the requirements for the Hub-Spoke incentive, we propose that the informational filing describe the reconfiguration and assets added to the communication paths to/from locations containing low impact BES Cyber Systems. For the first annual informational filing, we propose that the public utility provide documents demonstrating these changes. For any subsequent annual informational filing, the public utility would only need to provide an updated version of any supporting documentation if a change occurred for the previous informational filing, as well as information on any failure to maintain the communication paths, and any mitigating actions the public utility undertook to resolve the problem.
b. NIST Framework Approach
69. We propose that the reporting requirements to implement proposed § 35.48(f) of its regulations for the NIST Framework Approach differ from those under the NERC CIP Incentives Approach. The Commission would review the informational filings to determine if the proposed changes meet the requirements for incentives by focusing on four areas: Acquisition and installation, system connectivity, security application, and relevance to entity monitoring/response actions. For each subsequent annual informational filing, the public utility would only need to provide an updated version of the supporting documentation showing any changes from the prior informational filing, as well as information on any period of time during the reported year where the public utility ceased to continuously implement specific requirements consistent with the Commission's order approving the application.
70. Step 1 of the review process addresses the acquisition and installation of required network components (i.e., high-fidelity sensors) that meet the proposed security enhancements subject to incentives. The Commission would require a public utility to confirm that funds have been expended on the necessary equipment through documentation such as purchase orders, receipts, licensing agreements, and installation documentation with specified time periods.
71. Step 2 of the review process addresses the attainment of necessary training and personnel for the implementation of the incentivized action. Training and additional personnel must be necessary and limited to the implementation of the cybersecurity equipment within the affected networks. The Commission would require a public utility to verify training and personnel actions through documentation such as third-party contractor agreements, training program curricula, and official job descriptions.
72. Step 3 of the review process addresses network and sensor node recognition, optimization of system deployment, and strategic configuration. This step describes how the sensors are connected to a network and how they substantively improve the visibility and security of the affected networks. The public utility could demonstrate this network and sensor node recognition through such items as configuration files, system logs, configuration settings, and a description of its location on the affected network.
73. Step 4 of the review process addresses the incorporation of sensor nodes in the enterprise level incident monitoring and response plan. This step verifies that the incentivized action is being incorporated into monitoring and response actions to impact overall network security. The utility would need to attest that the information would be included in operational activities such as incident response plans, playbooks, and Standard Operating Procedures.
3. Confidentiality Considerations
74. We recognize that the Commission's cybersecurity incentives policy must balance the need to maintain the confidentiality of cybersecurity systems and protocols with the need for transparency in rates when awarding incentive rates to public utilities for cybersecurity investments. The Commission balances these considerations through its confidential [79] and Critical Energy/Electric Infrastructure Information (CEII) filing regulations. [80] These regulations recognize that intervenors in a Commission proceeding, such as a proceeding establishing incentive rates, may need access to information that the applicant believes should be withheld from disclosure to the general public, in order to participate effectively in the proceeding. Therefore, the Commission's regulations provide for any person who is a participant in a proceeding or has filed a motion to intervene or notice of intervention to make a written request to the filer for a copy of the complete, non-public version of the document.
75. Accordingly, we propose that, if a public utility applying for incentive rate treatment under this rule is concerned that the information contained in an application for incentives could lead to the disclosure of confidential information or CEII related to its cybersecurity systems, the public utility could request protection of its information pursuant to these procedures. The Commission's practice, however, is not to allow for the filing of an FPA section 205 rate application under seal. Under this proposal, to the extent an applicant seeks confidential treatment, we expect that the applicant's request for such treatment will be specific and limited. If an applicant requests portions of the application be protected, we expect that the public portion of an application should contain sufficient information for ratepayers to judge the rate impact and scope of the proposed incentives, including the general approach adopted. The Commission will address such requests
[79] Section 388.112 of the Commission's regulations specifies that any person submitting a document to the Commission may request privileged treatment for some or all of the information contained in a particular document that it claims is exempt from the mandatory public disclosure requirements of the Freedom of Information Act and that should be withheld from public disclosure. In particular, § 388.112(b)(2) sets forth procedures for filing and obtaining access to material that is filed as privileged in any proceeding to which a right to intervention exists and specifies that if a person files material as privileged in such proceeding, that person must include a proposed form of protective agreement with the filing, or identify a protective agreement that has already been filed in the proceeding that applies to the filed material. 18 CFR 388.112.
[80] Section 388.113 governs the procedures for submitting, designating, handling, sharing, and disseminating CEII submitted to or generated by the Commission. Section 388.113(d)(1)(iii) provides for the person filing material as CEII in a proceeding to which a right to intervention exists to include a proposed form of protective agreement. 18 CFR 388.113.