Voglio sapere a riguardo di…

8324

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
Subpart KCybersecurity Investment Provisions
jbell on DSKJLSW7X2PROD with PROPOSALS

35.48

Cybersecurity investment.

a Purpose. This section establishes rules for incentive-based rate treatments for voluntarily making cybersecurity investments by a public utility as described in this subpart.
b Incentive-based rate treatments for cybersecurity investment. The Commission will authorize incentivebased rate treatments for a public utility that makes cybersecurity investments under this subpart that materially enhance the cybersecurity posture of the Bulk-Power System by enhancing the applicants cybersecurity posture substantially above levels required by Critical Infrastructure Protection Reliability Standards, provided that the proposed incentive is just and reasonable and not unduly discriminatory or preferential. A public utility may request one or both of the following incentive approaches for those eligible cybersecurity investments:
1 Critical Infrastructure Protection Incentive Approach. A public utility may receive incentive rate treatment for voluntarily applying Critical Infrastructure Protection Reliability Standards to bulk electric system facilities that are not currently subject to those requirements. A public utility will receive a rebuttable presumption that the investments made pursuant to this Critical Infrastructure Protection Incentive Approach materially enhance the cybersecurity posture of the BulkPower System to merit an incentive for such cybersecurity investments. A
public utility may receive incentive rate treatment for the investments as follows:
i Increasing the Critical Infrastructure Protection Reliability Standard security controls for facilities identified as low or medium impact bulk electric system Cyber Systems by applying the requirements for medium or high impact systems to low impact systems, and/or the requirements for high impact systems to medium impact systems; or ii Ensuring all external routable connectivity to and from the low impact system connect to a high or medium impact bulk electric system Cyber System and the cyber communication security controls required for the medium or high impact bulk electric system Cyber System must be implemented on the low impact system.
2 National Institute of Standards and Technology Framework Approach.
A public utility may receive incentive rate treatment for implementing certain security controls, identified from time to time through a Commission issuance,
VerDate Sep<11>2014

16:29 Feb 04, 2021

Jkt 253001

that are included in the National Institute of Standards and Technology Framework.
c Types of incentive-based rate treatments for cybersecurity investment.
For purposes of paragraph b of this section, incentive-based rate treatment shall be for those eligible cybersecurity investments and means any of the following:
1 An increase in rate of return on equity of 200 basis points;
2 Deferred cost recovery; or 3 Any other incentives approved by the Commission, pursuant to the requirements of this section that are deemed to be just and reasonable and not unduly discriminatory or preferential.
d Incentive duration.
1 A return on equity incentive rate treatment approved pursuant to this section may last the earlier of:
i The depreciation life of the underlying asset;
ii 10 years from when the cybersecurity improvements enter service;
iii when the investments or activities that serve as the basis of that incentive become mandatory pursuant to a Reliability Standard approved by the Commission;
iv or when the public utility no longer meets the requirements for receiving the incentive.
2 A deferred regulatory asset whose costs are typically expensed should be amortized over a five-year period.
e Incentive Applications. For the purpose of paragraphs b and c of this section, a public utilitys request for one or more incentive based-rate treatments, to be made in a filing pursuant to section 205 of the Federal Power Act, must include a detailed explanation of the proposed rate treatment and include the following information:
1 For applications under the Critical Infrastructure Protection Incentive Approach:
i The Bulk Electric System assets for which the public utility is requesting the incentive;
ii The geographical location of the Bulk Electric System assets;
iii The function the Bulk Electric System assets support;
iv The incentive method the public utility is requesting for each of the Bulk Electric System assets;
v The current and new impact ratings of the Bulk Electric System assets if they change because of the incentive; and vi A list of the Bulk Electric System Cyber Systems associated with each of the Bulk Electric System assets including details on their use.

PO 00000

Frm 00016

Fmt 4702

Sfmt 4702

2 For applications under the National Institute of Standards and Technology Framework Approach:
i A description of the public utilitys current cybersecurity posture;
ii A description of the public utilitys desired cybersecurity posture;
iii A description of the quantified risk factors being addressed through the proposed incentive actions.
3 For applications requesting an increase in rate of return on equity of 200 basis points:
i The anticipated cost of the capital investment; and ii The identity of the Commission jurisdictional rate schedules under which it will recover the increased return on equity.
4 For applications requesting deferred cost recovery:
i A description of any expenses, including whether the expenses are:
A Expenses associated with thirdparty provision of hardware, software, and computing networking services;
B Expenses for training to implement new cybersecurity enhancements; or C Other transition expenses, such as risk assessments by third parties or internal system reviews, and initial responses to findings of such assessments.
ii Estimates of the cost of such expenses;
iii When the costs are expected to be incurred;
iv A narrative explanation of how the expenses meet the requested Critical Infrastructure Protection Incentive Approach or National Institute of Standards and Technology Framework Approach.
f Reporting requirements. A public utility that has received cybersecurity incentives under this section must, within 120 days of completion of upgrades for which it receives incentives, make an informational filing and must make subsequent informational filings annually thereafter detailing the specific investments that were made pursuant to the Commissions approval and the corresponding FERC account used. An incentive recipient must describe the parts of its network that it upgraded in addition to the nature and cost of the various capital investments. For incentives where the Commission allows deferral of expenses, annual informational filings should describe such expenses in sufficient detail to demonstrate that such expenses are specifically related to the cybersecurity investment granted incentives and not for ongoing services including system
E:FRFM05FEP1.SGM

05FEP1