Sunday, June 7, 2020

S 3688 – Energy Infrastructure Security – CEII Changes

This is the second post about the introduction of S 3688, the Energy Infrastructure Protection Act of 2020. In the initial post I talked about the organizational changes the bill proposes for the Federal Power Act and the definitional changes proposed. In this post I will look at the changes the bill would make in the Critical Electric Infrastructure Information (CEII) program.

CEII Designation

Section 3(c) of the bill would revise §215(d), “Protection and sharing of critical electric infrastructure information”, of the Federal Power Act {16 USC 824o-1(d)(2)} [after changing the designation of that subsection to §231(c)].

First, paragraph (2), “Designation and sharing of critical electric infrastructure information”, is re-written, removing reference to sanctions {existing (2)(C)} and the ‘standards of the Electric Reliability Organization’ {existing (2)(D)}.

Then, paragraph (3), “Authority to designate”, is greatly expanded. The existing language is essentially rewritten as subparagraph (A). Then two new subparagraphs were added:

(B) Submission of request for designation, and
(C) Conflicts between designations by the secretary and the commission

Subparagraph (B) would allow anyone to request that either the Secretary or FERC designate any information in the respective agency’s possession as CEII. Upon receipt of such a request, the agency would be required to treat the requested information as CEII until it is actually designated as such or until 21 days after the agency notifies the requestor that the information was not so designated.

Subparagraph (C) would require the Department and FERC to confer any time there is a conflicting decision on whether a specific piece of information would be designated as CEII. Absent a mutual resolution of such conflicts, each agency would be allowed to rely on its own designation in the protection of the information.

Segregation of CEII

Changes would also be made to the existing §215(d)(8), “Disclosure of nonprotected information” [re-designated §231(c)(8)]. The poorly named paragraph currently requires DOE and FERC to “segregate critical electric infrastructure information or information that reasonably could be expected to lead to the disclosure” of CEII within documents or communications. The new language would ease that requirement somewhat by changing “shall segregate” to “shall reasonably attempt to segregate”.

A new subparagraph (B) was added to provide legal cover for that easing of the segregation requirement by specifically noting that any such failure to segregate CEII in a document “shall not result in an inference or finding that the information should not be entitled to protection as critical electric infrastructure information”.

Duration of Designation

Paragraph §215(d)(9), “Duration of designation” [re-designated §231(d)(9)], is completely rewritten. The reference to the ‘5 year’ limitation on CEII designation is removed. The replacement limitation in the new subparagraph (A) is that a designation would not be “for a period longer than the information is related to energy infrastructure in service”. Even for that broader limit an exception is provided, allowing DOE or FERC to re-designate information as CEII “before, on, or after the date on which an earlier designation has expired”.

An even broader duration designation is provided in subparagraph (C) for information “about a vulnerability or threat to energy infrastructure, or the planning and construction of a system or asset that is intended to address a vulnerability or threat to energy infrastructure”. This subparagraph allows DOE or FERC to designate such information as CEII “for the period during which the vulnerability or threat exists” {new §231(d)(9)(C)(i)} and “for any additional period determined to be appropriate” {new §231(d)(9)(C)(ii)}.

Removal of Designation

The bill deletes the current language of §215(d)(10), “Removal of designation”, and provides ‘substitute’ language for §231(c)(10), “Removal of designation”. That is somewhat misleading, though, as the only actual change to the existing language is the insertion of the term ‘energy infrastructure’ before the words “the bulk-power system, or distribution facilities” at the end of the paragraph. This was necessary because of the expansion of the definition of the term ‘critical electric infrastructure’ used in the definition of CEII.

Two New Paragraphs Added

The bill also adds two new paragraphs to §231(c):

(12) No immediate obligation to designate, and
(13) Effect of prior determinations

The first specifically allows DOE or FERC to sit on a CEII designation request until a request for disclosure of the information is made under 5 USC 552 (Freedom of Information Act) or any other law “requiring public disclosure of information or records”. Since, as noted above, lacking a determination, information is required to be treated as CEII upon request, this has little legal effect on the duty of DOE or FERC to protect the information as CEII.

The second new paragraph specifically allows DOE or FERC to designate information as CEII even if a decision had previously been made not to make such a designation.

This is another good stopping point even though there are CEII changes in subsequent portions of this bill.
