Earlier this week the Federal Energy Regulatory Commission
(FERC) published their final rule on revisions to the cybersecurity reporting
requirements in the Federal Register (83 FR
36727-36741). This is the formal publication of their
order from two weeks ago. Publication in the Federal Register sets the
effective date for the order as October 1st, 2018.
There is nothing new here that was not included in the
original order. There are some administrative portions of this order that I did
not comment on earlier that deserve some mention in passing. These items all
reflect the odd relationship between FERC and the electric grid community and
the North American Electric Reliability Corporation (NERC).
Information Collection Request
Whenever a federal rule requires the collection of
information from a private entity there is a requirement for the OMB’s Office
of Information and Regulatory Affairs (OIRA) to approve an Information
Collection Request (ICR) before the agency can require the provision of the
information. This rulemaking includes the
obligatory request for comments on the ICR supporting this rulemaking. In this
case it is an ICR revision request, not a new ICR, because OIRA has already
approved a related ICR.
The ‘odd’ thing here is that the approved ICR has nothing to
do with cybersecurity reporting requirements (which already do exist, this rule
is just expanding the requirements). That is because the rule does not require
any cybersecurity reporting. This rule directs NERC to modify existing reporting
requirements. The existing ICR that is being revised deals with reporting
requirements by NERC to FERC on the establishment of electric reliability
standards (OMB Control No. 1902-0225).
When NERC rewrites CIP-008-5 and submits it to FERC for
approval there will then be a requirement to submit an ICR revision request to
reflect those changed reporting requirements.
Regulatory Flexibility Act
Another federal rule, the Regulatory Flexibility Act (5
USC 601-612), mandates a variety of analysis and reporting requirements for
federal agencies to undertake when initiating/finalizing a rulemaking to specifically
report on the effect of that rulemaking on small entities. This final rule
includes that analysis.
Again, FERC reports that the only affected party under this
rulemaking is NERC. Because of the
unusual relationship between FERC, NERC and the bulk power industry, FERC is
able to certify that “this Final Rule will not have a significant economic
impact on a substantial number of small entities”. When NERC proposes the
changes to the Reliability Standards for Cyber Security Incident reporting
required by this rulemaking, FERC will “make determinations pertaining to the
Regulatory Flexibility Act based on the content of the Reliability Standards
proposed by NERC”.