Voglio sapere a riguardo di…

8318

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
this rule.67 We propose to consider applications for other cybersecurity incentives on a case-by-case basis to determine if they are just and reasonable and not unduly discriminatory or preferential under FPA section 205.
D. Application Process 48. Proposed 35.48e of the Commissions regulations would require a public utilitys request for one or more incentive based-rate treatments to be made in a filing pursuant to FPA section 205. As proposed, such a request must include a detailed explanation of how the public utility plans to implement one or both of the proposed incentive approaches and the requested rate treatment. We propose that applicants provide detail on the investments or expenses for which they seek incentives, as described in more detail below. An applicant would make a filing showing how its projects meet the eligibility requirements described below. In proposing what showing an applicant must make, we balance the need for sufficient information to determine if an applicant is eligible for the incentive against the risk of the applicant providing potentially sensitive information on cybersecurity vulnerabilities in its application. We discuss confidentiality concerns further in section IV.E.3 Confidentiality Considerations.
49. Finally, under 35.48e of the proposed regulations, a public utility seeking one or more incentive basedrate treatments proposed in the NOPR
must make a filing for Commission approval pursuant to FPA section 205
and receive such approval prior to implementing the proposed incentives in its Commission-jurisdictional rates.
In order to effectuate the incentives in rates, public utilities would need to propose in their FPA section 205 filing conforming revisions to their formula rates, as appropriate, to reflect incentive rate treatment granted pursuant to these proposed regulations.68

jbell on DSKJLSW7X2PROD with PROPOSALS

1. NERC CIP Incentives Approach 50. To implement proposed 35.48b of the Commissions regulations, for 67 We note that the Commission adopted similar flexibility and language to consider other proposals in 35.35dviii of the Commissions rules and regulations in Order No. 679. See 18 CFR
35.35d1viii; Promoting Transmission Investment through Pricing Reform, Order No. 679, 71 FR 43293 Jul. 31, 2006, 116 FERC 61,057
2006, order on rehg, Order No. 679A, 72 FR 1152
Jan. 10, 2007, 117 FERC 61,345 2006, order on rehg 119 FERC 61,062 2007.
68 Public utilities with stated rates may file under FPA section 205 to seek incentives as part of a larger rate case or make a request for single issue ratemaking, which the Commission will evaluate on a case-by-case basis.

VerDate Sep<11>2014

16:29 Feb 04, 2021

Jkt 253001

capital investments, we propose that an applicant describe the proposed investments as well as their anticipated cost, completion date and geographic location. An applicant would also describe how the proposed investment meets the description of the Med/High Incentive and/or the Hub-Spoke Incentive.
51. We propose that applicants describe the implementation and method of continuing adherence to the actions required to obtain and maintain the incentive, as described in 35.48e1 of the proposed regulations. The applicant would include in its application, at a minimum, an identification of the scope of assets for which the public utility is requesting the incentive, and the associated BES Cyber Systems that will be protected. Specifically, an applicant would include a list of BES assets for which the public utility is requesting the incentive, the geographical location of the BES assets, the function they support, the incentive method the public utility is requesting for each of the BES assets, the current impact ratings of the BES assets and the impact levels that the assets now meet as a result of the investment, and a list of BES Cyber Systems associated with each of the BES assets including details on their use.
52. Unlike conventional transmission investments, which entail completion of a physical transmission project, investments under the NERC CIP
Incentives Approach seek to bring BES
assets otherwise not required to be subject to certain cybersecurity requirements to a higher cybersecurity level, and that higher level must be maintained for it to continue to provide ratepayer benefits. Consequently, the Commission proposes that, if an investment that receives a Med/High Incentive or Hub-Spoke Incentive ceases to meet the requirements of that incentive, the public utility would be required to update its cost-of-service rates to reflect this change. In addition, the Commission or third parties may initiate FPA section 206 proceedings to revoke such incentives.
53. In Order No. 791, the Commission recognized that categorizing BES Cyber Systems based on their low, medium, or high impact on the reliable operation of the BES, with all BES Cyber Systems being categorized as at least low impact, offers more comprehensive protection of the BES than the prior CIP Reliability Standards.69 The Commission also acknowledged that CIP version 5
Standards offer new cybersecurity 69 Order
PO 00000

No. 791, 145 FERC 61,160 at P 41.

Frm 00010

Fmt 4702

Sfmt 4702

controls that will improve the overall security posture of responsible entities.70 Given the Commissions experience with the CIP Reliability Standards, we propose that an asset-byasset showing of benefits is unnecessary because, though the benefits of upgrades may vary by system, we believe that all upgrades based on the NERC CIP
Incentives Approach materially enhance the cybersecurity posture of the BulkPower System by enhancing the applicants cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers, and warrant incentives.
Thus, we propose that a public utility seeking incentives under the NERC CIP
Incentives Approach and that provides the information required under this application process receive a rebuttable presumption that the cybersecurity investments materially enhance the cybersecurity of the Bulk-Power System by enhancing the applicants cybersecurity posture substantially above levels required by CIP Reliability Standards to merit an incentive.
2. NIST Framework Approach 54. In contrast to applications for incentives based on the NERC CIP
Incentives Approach, we propose that a public utility seeking incentives for cybersecurity investments under the NIST Framework Approach would not be entitled to a rebuttable presumption and instead must provide additional information showing that the proposed investment materially enhances the cybersecurity posture of the Bulk-Power System by enhancing the applicants cybersecurity posture substantially above levels required by CIP Reliability Standards. However, we request comments on what demonstration an applicant should be required to make to show that its NIST Framework Approach investments merit incentives under the FPA section 205 just and reasonable standard.
55. Depending on a public utilitys existing attributes; namely the hardware, system configuration, and operating practices that contribute to its overall cybersecurity posture, and the specific characteristics of the proposed cybersecurity investments, proposed cybersecurity investments may or may not materially enhance the cybersecurity posture of the Bulk-Power System by enhancing the applicants cybersecurity posture substantially above levels required by CIP Reliability Standards to warrant incentives. Under 35.48e2 of the Commissions regulations, we propose that an 70 Id.

E:FRFM05FEP1.SGM

05FEP1