AGENCY:

Federal Energy Regulatory Commission, DOE.

ACTION:

Notice.

SUMMARY:

In compliance with the requirements of section 3507 of the Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy Regulatory Commission (Commission or FERC) has submitted the information collection described below to the Office of Management and Budget (OMB) for review of the information collection requirements. Any interested person may file comments directly with OMB and should address a copy of those comments to the Commission as explained below. The Commission issued a Notice in the Federal Register (75 FR 65618, 10/26/2010) requesting public comments. FERC received no comments on the FERC-725B and has made this notation in its submission to OMB. OMB only makes a decision after the 30-day comment period for this notice has expired.

DATES:

Comments on the collection of information are due by May 9, 2011.

ADDRESSES:

Address comments on the collection of information to the Office of Management and Budget, Office of Information and Regulatory Affairs, Attention: Federal Energy Regulatory Commission Desk Officer. Comments to OMB should be filed electronically, c/o oira__submission@omb.eop.gov and include OMB Control Number 1902-0248 for reference. The Desk Officer may be reached by telephone at 202-395-4638.

A copy of the comments should also be sent to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Comments may be filed either on paper or on CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be prepared in an acceptable filing format and in compliance with Commission submission guidelines at http://www.ferc.gov/​help/​submission-guide.asp. eFiling and eSubscription are not available for Docket No. IC11-725B-001, due to a system issue.

All comments may be viewed, printed or downloaded remotely via the Internet through FERC's homepage using the “eLibrary” link. For user assistance, contact ferconlinesupport@ferc.gov or toll-free at (866) 208-3676, or for TTY, contact (202) 502-8659.

FOR FURTHER INFORMATION CONTACT:

Ellen Brown may be reached by e-mail at DataClearance@FERC.gov, by telephone at (202) 502-8663, and by fax at (202) 273-0873.

SUPPLEMENTARY INFORMATION:

The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection (OMB Control No. 1902-0248), is required to implement the statutory provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o). On January 18, 2008, the Commission issued order 706, approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC) for Commission approval.^[1]

The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets.^[2] These standards help protect the nation's Bulk-Power System against potential disruptions from cyber attacks.^[3] The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures.^[4]

The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. However, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards.

Action: The Commission is requesting a three-year extension of the existing collection with no changes to the requirements.

Burden Statement: The extent of the reporting burden is influenced by the number of identified critical assets and related critical cyber assets pursuant to CIP-002. An entity identifying one or more critical cyber assets, including assets located at remote locations, will likely require more resources to demonstrate compliance with the CIP Reliability Standards compared to an entity that identifies no critical assets. The Commission has developed Start Printed Page 19334estimates using data from NERC's compliance registry as well as a 2009 survey that was conducted by NERC to asses the number of entities reporting Critical Cyber Assets.

The total estimated annual cost burden to respondents is:

• Entities that have identified Critical Assets = 110,400 hours@$96 = $10,598,400.
• Entities that have not identified Critical Assets = 9,248 hours@$96 = $887,808.
• Storage Costs for Entities that have identified Critical Assets ^[8] = 315 Entities@$15.25 = $4,804.

The hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report.^[9] The $15.25 rate for storage costs for each entity is an estimate based on the average costs to service and store 1 GB of data to demonstrate compliance with the CIP standards.^[10]

The reporting burden includes the total time, effort, or financial resources expended to generate, maintain, retain, disclose, or provide the information including: (1) Reviewing instructions; (2) developing, acquiring, installing, and utilizing technology and systems for the purposes of collecting, validating, verifying, processing, maintaining, disclosing and providing information; (3) adjusting the existing ways to comply with any previously applicable instructions and requirements; (4) training personnel to respond to a collection of information; (5) searching data sources; (6) completing and reviewing the collection of information; and (7) transmitting, or otherwise disclosing the information.

Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimates of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collections of information on those who are to respond, including the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses.

Footnotes