Today the DOE’s Federal Energy Regulatory Commission (FERC) published a notice of proposed rulemaking (NPRM; yes, FERC uses the DOE ‘NOPR’ but for internal consistency, I will continue to use the more common NPRM) in the Federal Register (87 FR 60567-60580) for “Incentives for Advanced Cybersecurity Investment”. This rulemaking is mandated by §40123 of the Infrastructure and Jobs Act (PL 117-58, 135 STAT 951). This proposed rulemaking supersedes the NPRM published in January 2021.
In this NPRM FERC proposes to:
• Establish a regulatory framwork on how a utility could qualify for incentives for eligible cybersecurity expenditures,
• Evaluate cybersecurity investments using a list of pre-qualified expenditures that are eligible for incentives determined by the Commission and publicly maintained on the Commission's website (PQ List),
• Establish two options for the type of incentive a utility could receive for an eligible cybersecurity expenditure,
• Provide that any approved incentive(s) will remain in effect for five years from the date on which the cybersecurity investment(s) enters service or expenses are incurred, and
• Require that a utility that has received a cybersecurity incentive under this section must make an annual informational filing.
Public Comments
FERC is soliciting public comments on this rulemaking. FERC does not use the Federal eRulemaking Portal. Comments may be submitted via the FERC eFiling site (Docket No. RM22-19-000). Comments should be submitted by November 7th, 2022; return comments by November 21st.
Commentary
FERC has come up with an interesting way around a problem
that has plagued cybersecurity regulatory efforts, keeping the regulations at
least close to current threat and technology trends. Instead of trying to
codify the ‘qualified’ expenditures in the regulations (which take long periods
of time to update for new technologies and threats), the preamble to the rule
lists six federal cybersecurity programs that would be expected to provide more
timely information about cybersecurity controls and technology. Two of those
programs do use a public comment and response process to update, but the
remaining four have a history of responding in months to changes in the threat
landscape instead of the years that regulatory changes take. FERC can get away
with this since they are not mandating the implementation of these controls,
just providing rate incentives to organizations that do implement them.
For more details about the proposed rulemaking, see my
article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ferc-publishes-cybersecurity-incentives
- subscription required.
Posts
No comments:
Post a Comment