AGENCY:

Federal Energy Regulatory Commission.

ACTION:

Order denying request for clarification.

SUMMARY:

On March 19, 2009, the Commission issued Order No. 706-B which clarified the scope of Critical Infrastructure Protection Reliability Standards which were approved in Commission Order No. 706. The Commission is denying a request for clarification of Order No. 706-B filed by the Edison Electric Institute.

DATES:

Effective Date: This rule will become effective June 24, 2009.

FOR FURTHER INFORMATION CONTACT:

Jonathan First (Legal Information), Office of General Counsel, 888 First Street, NE., Washington, DC 20426, (202) 502-8529.

Regis Binder (Technical Information), Office of Electric Reliability, 888 First Street, NE., Washington, DC 20426, (301) 665-1601.

SUPPLEMENTARY INFORMATION:

Before Commissioners: Jon Wellinghoff, Chairman; Suedeen G. Kelly, Marc Spitzer, and Philip D. Moeller.

Order Denying Request for Clarification

1. In this order, the Commission denies the Edison Electric Institute's Start Printed Page 30068(EEI's) request for clarification of Order No. 706-B.^[1] Specifically, the Commission denies EEI's request that the Commission clarify its views with regard to the need and the time frame for the Commission's developing a memorandum of understanding or other means of coordinating cyber-security related activities with the U.S. Nuclear Regulatory Commission (NRC). Likewise, the Commission denies EEI's request that the Commission clarify that the North American Electric Reliability Corporation (NERC) must seek stakeholder input in developing and implementing an “exception process” as discussed in Order No. 706-B.

I. Background

2. In Order No. 706, the Commission approved the Critical Infrastructure Protection (CIP) Reliability Standards that require certain users, owners and operators of the Bulk-Power System, including generator owners and operators, to comply with specific requirements to safeguard critical cyber assets. In addition, pursuant to section 215(d)(5) of the Federal Power Act (FPA),^[2] the Commission directed the ERO to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

3. In Order No. 706-B, the Commission clarified the scope of the CIP Reliability Standards approved in Order No. 706 to assure that no “gap” occurs in the applicability of these Standards. In particular, each of the CIP Reliability Standards provides that facilities regulated by the NRC are exempt from the Standard. The Commission explained that NRC staff had raised a concern at a joint public meeting of the NRC and the Commission that NRC regulations do not extend to all equipment within a nuclear power plant. Thus, to assure that there is no “gap” in the regulatory process, the Commission clarified that the “balance of plant” equipment within a nuclear power plant in the United States that is not subject to NRC cyber security regulations,^[3] is subject to compliance with the CIP Reliability Standards approved in Order No. 706. The Commission explained that:

a nuclear power plant licensee may seek an exception from the ERO to the extent that the licensee believes that specific equipment within the balance of plant is subject to NRC cyber security regulations. If the ERO grants the exception, that equipment within the balance of plant would not be subject to compliance with the CIP Reliability Standards. We would expect that the ERO would make such determinations with the consultation of NRC and oversight of Commission staff. Thus, to further the development of this ERO process, the ERO should consider the appropriateness of developing a memorandum of understanding with the NRC, or revising existing agreements, to address such matters as NRC staff consultation in the exception application process and sharing of Safeguard[s] Information.^[4]

4. In response to comments suggesting that the NRC and the Commission develop a memorandum of understanding, the Commission agreed that it is advisable for the two commissions to coordinate their respective cyber security-related activities with regard to nuclear power plants.^[5] However, the Commission declined to resolve for purposes of the proceeding the need for a new memorandum of understanding between the two commissions.

II. EEI Request for Clarification

5. EEI requests that the Commission clarify its views with respect to the need and the time frame for the Commission's developing a memorandum of understanding or other means of coordinating cyber security-related activities with the NRC. EEI suggests that, given the volume of work on cyber security matters and recent regulatory changes such as the NRC's issuance of its cyber security regulations, it is vital that the Commission and the NRC commit to develop a memorandum of understanding on an expeditious schedule. EEI expresses concern that the Commission's deferral of a decision on the need for a memorandum of understanding may lead to confusion and regulatory uncertainty.

6. EEI also requests that the Commission clarify that NERC should seek stakeholder input in developing and implementing both the “exception process” and any process for sharing Safeguards Information. EEI posits that stakeholder input and industry technical expertise will be critical to implementing both processes.

III. Discussion

7. The Commission denies EEI's request for clarification. The Commission and the NRC entered into a memorandum of agreement in September 2004.^[6] The Commission views the decision of whether to develop a new or revised memorandum of agreement with the NRC, and the timing of that decision, as an intra-governmental matter between the two commissions. Accordingly, the Commission will not make commitments to EEI or others in this proceeding regarding the scope or timing of any coordinated activities between the Commission and the NRC.

8. As for EEI's request that the Commission clarify that NERC should seek stakeholder input in developing and implementing an exception process and process for sharing Safeguard Information, we note that NERC sought stakeholder input in a “Town Hall Meeting” on “Auditing of U.S. Nuclear Plants for CIP Standards Compliance” held on June 11, 2009. We expect that NERC will allow for further stakeholder input regarding these processes. Thus, we see no need to address EEI's request.

The Commission orders:

Edison Electric Institute's request for clarification is hereby denied, as discussed in the body of this order.

Footnotes