Today the DOE’s Federal Energy Regulatory Commission (FERC) published a final rule implementing changes to the Critical Energy Infrastructure Information (CEII) program mandated by §61003 (16 USC 824o–1) of the Fixing America's Surface Transportation (FAST) Act (PL 114-94). The notice of proposed rulemaking (NPRM; FERC uses a different acronym – NOPR) was published in June of this year. This rule is unlikely to be overturned by the 115th Congress.
The FAST Act required FERC to:
• Establish criteria and procedures to designate information as critical electric infrastructure information;
• Prohibit the unauthorized disclosure of critical electric infrastructure information;
• Ensure there are appropriate sanctions in place for Commissioners, officers, employees, or agents of the Commission or the Department of Energy [DOE] who knowingly and willfully disclose critical electric infrastructure information in a manner that is not authorized by the statute; and
• Facilitate voluntary sharing of critical electric infrastructure information between, and by Federal, State, political subdivision, and tribal authorities; the Electric Reliability Organization; regional entities; information sharing and analysis centers; owners, operators, and users of critical electric infrastructure in the United States; and other entities determined appropriate by the Commission.
A number of commenters on the NPRM requested that the Commission provide more details on what constitutes CEII. The preamble to this rule notes that §824o-1(a)(2) provides a definition of CEII. As a result, FERC does not see any need to provide additional guidance on what constitutes CEII. FERC reminds commenters that CEII protections only apply to information submitted to FERC and DOE, so no other agencies (including the NRC) may designate information as CEII. That does not, however, prohibit other agencies from providing protections to electric-grid-related information submitted to non-DOE agencies.
Protection of CEII and CUI
FERC declined to provide clarification of what constitutes ‘a secure place’ for storing CEII. The preamble to this rule failed to note that, because the rule does not specify regulatory requirements for storing CEII, the controlled unclassified information (CUI) regulations of the National Archives and Records Administration provide the controlling authority to define those requirements (including NIST SP 800-171, since CEII is a covered CUI listed in the CUI registry).
This rule will become effective on February 21st, 2017. As I noted earlier, this rule is unlikely to be considered for review by the 115th Congress. The rule implements requirements set by the Republican 114th Congress so there will be little impetus for essentially the same Congress to negate this rulemaking even though it fulfills many of the definitional requirements of a ‘midnight rule’.
The CEII program only protects information submitted to FERC and the DOE from disclosure by those agencies or personnel with whom those agencies share the information. It does not establish any requirements for protection of that information by submitting organizations. The only drawback that I see is that FERC/DOE are not required to make a determination that the information actually qualifies for CEII protections until the CEII Coordinator at FERC makes that determination in response to a request for the information.
FERC maintains in this rulemaking that they protect submitted information as if it were CEII until such determinations are made. I think that a good lawyer for a whistleblower could maintain that any disclosures of information by a FERC/DOE employee prior to a determination being made by the CEII Coordinator. To my mind, it would make more sense to declare all submitted material CEII upon receipt and then to remove that declaration when appropriate when the CEII Coordinator is asked to review the information for possible release.