Today the DOE’s Federal Energy Regulatory Commission (FERC) published a notice of proposed rulemaking (NPRM; yes, FERC uses the DOE ‘NOPR’ but for internal consistency, I will continue to use the more common NPRM) in the Federal Register (87 FR 60567-60580) for “Incentives for Advanced Cybersecurity Investment”. This rulemaking is mandated by §40123 of the Infrastructure and Jobs Act (PL 117-58, 135 STAT 951). This proposed rulemaking supersedes the NPRM published in January 2021.
In this NPRM FERC proposes to:
• Establish a regulatory framework on how a utility could qualify for incentives for eligible cybersecurity expenditures,
• Evaluate cybersecurity investments using a list of pre-qualified expenditures that are eligible for incentives determined by the Commission and publicly maintained on the Commission's website (PQ List),
• Establish two options for the type of incentive a utility could receive for an eligible cybersecurity expenditure,
• Provide that any approved incentive(s) will remain in effect for five years from the date on which the cybersecurity investment(s) enters service or expenses are incurred, and
• Require that a utility that has received a cybersecurity incentive under this section must make an annual informational filing.
Public Comments
FERC is soliciting public comments on this rulemaking. FERC does not use the Federal eRulemaking Portal. Comments may be submitted via the FERC eFiling site (Docket No. RM22-19-000). Comments should be submitted by November 7th, 2022; return comments by November 21st.
Commentary
FERC has come up with an interesting way around a problem that has plagued cybersecurity regulatory efforts: keeping the regulations at least close to current threat and technology trends. Instead of trying to codify the ‘qualified’ expenditures in the regulations (which take long periods of time to update for new technologies and threats), the preamble to the rule lists six federal cybersecurity programs that would be expected to provide more timely information about cybersecurity controls and technology. Two of those programs do use a public comment and response process to update, but the remaining four have a history of responding in months to changes in the threat landscape instead of the years that regulatory changes take. FERC can get away with this since they are not mandating the implementation of these controls, just providing rate incentives to organizations that do implement them.
For more details about the proposed rulemaking, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ferc-publishes-cybersecurity-incentives - subscription required.