Today the DOE’s Federal Energy Regulatory Commission (FERC) published
a final rule implementing changes to the Critical Energy Infrastructure
Information (CEII) program mandated by §61003 (16 USC 824o–1) of the
Fixing America's Surface Transportation (FAST) Act (PL 114-94).
The notice of proposed rulemaking (NPRM; FERC uses a different acronym, NOPR)
was published in June of this year. This rule is unlikely to be overturned by
the 115th Congress.
Congressional Mandate
The FAST Act required FERC to:
• Establish criteria and procedures to designate information as critical electric infrastructure information;
• Prohibit the unauthorized disclosure of critical electric infrastructure information;
• Ensure there are appropriate sanctions in place for Commissioners, officers, employees, or agents of the Commission or the Department of Energy [DOE] who knowingly and willfully disclose critical electric infrastructure information in a manner that is not authorized by the statute; and
• Facilitate voluntary sharing of critical electric infrastructure information between, and by Federal, State, political subdivision, and tribal authorities; the Electric Reliability Organization; regional entities; information sharing and analysis centers; owners, operators, and users of critical electric infrastructure in the United States; and other entities determined appropriate by the Commission.
CEII
A number of commenters on the NPRM requested that the
Commission provide more details on what constitutes CEII. The preamble to this
rule notes that §824o-1(a)(2) provides a definition of CEII. As a result, FERC does not see any need to
provide additional guidance on what constitutes CEII. FERC reminds commenters
that CEII protections only apply to information submitted to FERC and DOE so no
other agencies (including the NRC) may designate information CEII. That does
not, however, prohibit other agencies from providing protections to electric
grid related information submitted to non-DOE agencies.
Protection of CEII and CUI
FERC declined to provide clarification of what constitutes ‘a
secure place’ for storing CEII. The preamble to this rule failed to note that,
because the rule does not specify regulatory requirements for storing CEII, the
controlled unclassified information (CUI) regulations of the National Archives
and Records Administration provide the controlling authority to define those
requirements (including NIST SP 800-171 for electronic storage and
transmission), since CEII is a covered CUI listed in the CUI registry.
Effective Date
This rule will become effective on February 21st, 2017. As I noted earlier,
this rule is unlikely to be considered for review by
the 115th Congress. The rule implements requirements set by the
Republican 114th Congress so there will be little impetus for
essentially the same Congress to negate this rulemaking even though it fulfills
many of the definitional requirements of a ‘midnight rule’.
Commentary
The CEII program only protects information submitted to FERC
and the DOE from disclosure by those agencies or personnel with whom those agencies
share the information. It does not establish any requirements for protection of
that information by submitting organizations. The only drawback that I see is
that FERC/DOE are not required to make a determination that the information
actually qualifies for CEII protections until the CEII Coordinator at FERC
makes that determination in response to a request for the information.
FERC maintains in this rulemaking that they protect submitted
information as if it were CEII until such determinations are made. I think that
a good lawyer for a whistleblower could maintain that any disclosures of
information by FERC/DOE employees prior to a determination being made by the
CEII Coordinator. To my mind it would make more sense to declare all submitted
material CEII upon receipt and then to remove that declaration when appropriate
when the CEII Coordinator is asked to review the information for possible
release.