2016-14761. Regulations Implementing FAST Act Section 61003-Critical Electric Infrastructure Security and Amending Critical Energy Infrastructure Information
-
Start Preamble
Start Printed Page 43557
AGENCY:
Federal Energy Regulatory Commission.
ACTION:
Notice of proposed rulemaking.
SUMMARY:
The Federal Energy Regulatory Commission (Commission) proposes to amend the Commission's regulations to implement provisions of the Fixing America's Surface Transportation Act that pertain to the designation, protection and sharing of Critical Electric Infrastructure Information. Separately, the Commission proposes to amend its regulations that pertain to Critical Energy Infrastructure Information.
DATES:
Comments are due August 19, 2016.
ADDRESSES:
Comments, identified by docket number, may be filed in the following ways:
- Electronic Filing through http://www.ferc.gov. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format.
- Mail/Hand Delivery: Those unable to file electronically may mail or hand-deliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426.
Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Comment Procedures Section of this document.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Nneka Frye, Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6029, Nneka.frye@ferc.gov.
Marcos Araus, Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-8472, marcos.araus@ferc.gov.
Mark Hershfield, Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-8597, mark.hershfield@ferc.gov.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
I. Introduction
1. On December 4, 2015, the President signed into law the Fixing America's Surface Transportation (FAST) Act.[1] The FAST Act, inter alia, added section 215A to the Federal Power Act (FPA) to improve the security and resilience of energy infrastructure in the face of emergencies.[2] The FAST Act directs the Commission to issue regulations aimed at securing and sharing sensitive infrastructure information. Specifically, FPA section 215A(d)(2) (Designation and Sharing of Critical Electric Infrastructure Information) requires the Commission to “promulgate such regulations as necessary to”:
(A) establish criteria and procedures to designate information as critical electric infrastructure information;
(B) prohibit the unauthorized disclosure of critical electric infrastructure information;
(C) ensure there are appropriate sanctions in place for Commissioners, officers, employees, or agents of the Commission or the Department of Energy [DOE] who knowingly and willfully disclose critical electric infrastructure information in a manner that is not authorized under this section; and
(D) taking into account standards of the Electric Reliability Organization, facilitate voluntary sharing of critical electric infrastructure information with, between, and by—(i) Federal, State, political subdivision, and tribal authorities; (ii) the Electric Reliability Organization; (iii) regional entities; (iv) information sharing and analysis centers established pursuant to Presidential Decision Directive 63; (v) owners, operators, and users of critical electric infrastructure in the United States; and (vi) other entities determined appropriate by the Commission.
2. The Commission proposes to revise 18 CFR 375.313, 388.112, and 388.113 of the Commission's regulations to implement the requirements identified in section 215A(d)(2) of the FPA, as well as other provisions included in the FAST Act. The Commission also proposes modifications to its existing Critical Energy Infrastructure Information process, in part, to comply with the FAST Act. The amended process will be referred to as the Critical Energy/Electric Infrastructure Information (CEII) process. Thus, these changes are intended to comply with the FAST Act as well as improve the overall efficiency of the CEII process for information that is submitted to or is generated by the Commission.
II. Background
3. Shortly after the terrorist attacks on September 11, 2001, the Commission took steps to protect information that it considered Critical Energy Infrastructure Information.[3] As a preliminary step, the Commission removed from its public files and eLibrary document retrieval system documents that were likely to contain detailed specifications of facilities, and directed the public to use the Freedom of Information Act (FOIA) request process to obtain such information.[4] In 2003, the Commission established its Critical Energy Infrastructure Information procedures for entities outside of the Commission to obtain access to Critical Energy Infrastructure Information, stating that such information would typically be exempt from disclosure pursuant to FOIA.[5] In particular, the Commission determined that it was important to have a process for individuals with a valid or legitimate need to access certain sensitive energy infrastructure information.
4. The Commission last revised its Critical Energy Infrastructure Information rules over eight years ago.[6] However, the Commission indicated that it will revise the Critical Energy Infrastructure Information rules based on a continuing review of its application and effectiveness.[7]
5. Over 7,000 documents are submitted to the Commission's eLibrary Start Printed Page 43558system as Critical Energy Infrastructure Information each year. The vast majority of submissions and Commission-generated information relates to hydroelectric projects but also includes information regarding natural gas pipeline and electric infrastructure.
6. The Commission receives approximately 200 requests for Critical Energy Infrastructure Information a year. Requests are typically submitted by public utilities, gas pipelines, Liquefied Natural Gas (LNG) facilities, hydroelectric developers, academics, landowners, public interest groups, researchers, renewable energy organizations, consultants, and Federal agencies.
7. The Commission's current Critical Energy Infrastructure Information rules provide a means for entities to obtain Critical Energy Infrastructure Information while ensuring that it is handled in an appropriate and secure manner. The new requirements in section 215A(d) also ensure that Critical Electric Infrastructure Information, which as described below includes Critical Energy Infrastructure Information, can be appropriately shared while also being adequately protected. Thus, the Commission proposes to augment its existing Critical Energy Infrastructure Information process to comply with section 215A(d)(2) and to make other changes described in this NOPR. The Commission proposes to have a single process that would address submitting, designating, handling, sharing, and disseminating CEII that is submitted to or generated by the Commission. The proposed regulations will govern how the Commission and its employees implement the provisions of the FAST Act.
III. Revisions To Implement the FAST Act
A. Relocating References to CEII From Section 388.112 to Section 388.113
8. The Commission proposes to transfer provisions contained in section 388.112 that are applicable to Critical Energy Infrastructure Information to amended section 388.113. This transfer would include notice and filing requirements. As a result of this change, amended section 388.112 would apply only to information designated as privileged and all of the Commission's CEII procedures will be in section 388.113.
B. Scope, Purpose, and Definitions
9. The Commission's current Critical Energy Infrastructure Information process is designed to limit the distribution of sensitive infrastructure information to those individuals with a need to know in order to avoid having sensitive information fall into the hands of those who may use it to attack the nation's infrastructure. Section 388.113(c) of the Commission's regulations defines Critical Energy Infrastructure Information as:
specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:
(i) Relates details about the production, generation, transportation, transmission, or distribution of energy;
(ii) Could be useful to a person in planning an attack on critical infrastructure;
(iii) Is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552; and
(iv) Does not simply give the general location of the critical infrastructure.
10. To augment the current Critical Energy Infrastructure Information process to comply with FPA section 215A(d), the Commission proposes that the scope and purpose of its regulations be changed to reflect the requirements of the FAST Act. Specifically, the Commission proposes to amend section 388.113(a) to indicate that the section governs the procedures for submitting, designating, handling, sharing, and disseminating CEII submitted to or generated by the Commission. Moreover, the Commission proposes to amend section 388.113(b) to indicate that the purpose of section 388.113 is to provide an overview of the Commission's CEII procedures.
11. Section 215A(a)(3) of the FPA introduces the new term “Critical Electric Infrastructure Information:”
information related to critical electric infrastructure, or proposed critical electrical infrastructure, generated by or provided to the Commission or other Federal agency, other than classified national security information . . . Such term includes information that qualifies as critical energy infrastructure information under the Commission's regulations.
As indicated above, the Commission's current procedures for Critical Energy Infrastructure Information apply to information “about the production, generation, transportation, transmission, or distribution of energy.” Thus, the FAST Act defines “Critical Electric Infrastructure Information” to include not only information regarding the Bulk-Power System but also information regarding other energy infrastructure (i.e., gas pipelines, LNG, oil, and hydroelectric infrastructure) to the extent such information qualifies as Critical Energy Infrastructure Information under the Commission's current regulations.
12. Accordingly, the Commission proposes to revise section 388.113(c) (Definitions) of the Commission's regulations to add the new statutory term Critical Electric Infrastructure Information, as referenced above. The Commission also proposes to add to the regulations the term Critical Electric Infrastructure, which is defined in FPA section 215A(a)(3) as “a system or asset of the bulk-power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.”
13. The Commission proposes to refer to the information under the new regulations as Critical Energy/Electric Infrastructure Information, and to use the abbreviation “CEII” for this term.[8] By referring to the information only as Critical Electric Infrastructure Information, the public, especially those that do not interact with the Commission on a regular basis, may assume that the revised CEII regulations only cover information regarding electric infrastructure and not also information about other energy infrastructure. By using the term Critical Energy/Electric Infrastructure Information, the Commission clearly conveys to the public that the Commission's revised CEII procedures cover more than just electric infrastructure.
14. The Commission complies with section 215A(d) by incorporating the term Critical Electric Infrastructure Information into its regulations as set forth in the statute and treating it as Congress intended. In addition, subsuming Critical Energy Infrastructure Information into the term Critical Electric Infrastructure Information will allow the Commission to have a unitary process for handling CEII and, thereby, avoid any confusion that could result from multiple processes for different types of critical infrastructure information. Avoiding such confusion should better facilitate sharing of CEII as well as help prevent unauthorized disclosures of CEII, which we see as the principal goals of section 215A(d).
15. Section 215A(d)(1)(A) of the FPA states that Critical Electric Infrastructure Information “shall be exempt from disclosure under [(FOIA)] section 552(b)(3).” [9] Accordingly, the Commission proposes to amend its regulations to specify that CEII is Start Printed Page 43559exempt from disclosure under FOIA pursuant to section 215A(d)(1)(A).[10]
C. Criteria and Procedures for Determining What Constitutes CEII
16. Section 215A(d)(2)(A) requires the Commission to “establish criteria and procedures to designate information as critical electric infrastructure information.” [11] The proposed processes and procedures are intended to apply to the manner in which the Commission handles CEII that is submitted to or generated by the Commission.[12]
17. Accordingly, the Commission proposes to amend section 388.113(d) of its regulations to provide that information submitted to or generated by the Commission is CEII if it meets the definition, and the criteria provided below.[13] The Commission therefore proposes to merge its existing criteria with the statutory directives in the FAST Act. The Commission further proposes to amend its procedures, as explained below.
1. Designation of Submissions to the Commission
18. Existing section 388.112(b) requires that a submitter of Critical Energy Infrastructure Information clearly mark the information as CEII and provide a justification for the designation. The Commission will maintain these requirements in section 388.113(d) for CEII. However, in addition to this information, the Commission proposes to include in section 388.113(d) a requirement that each submitter include on the information submitted a clear statement of the date the information was submitted to the Commission, and how long the submitter believes the CEII designation should apply to the information.[14] The referenced justification that the submitter submits must include an explanation for the period proposed. Such information will assist the Commission in making a determination as to the length of time the information should be designated as CEII. Failure to follow these submission requirements, including failure to provide an adequate justification, could result in denial of the designation and public release of the information.
19. Under its current practice, the Commission deems the designation on a submission accepted as submitted, unless the submitter is otherwise notified by the Commission.[15] The Commission intends to follow that same practice under the new CEII regulations. However, the Commission maintains the discretion to check a submission at the time of submission to ensure that it includes adequate designation information and is properly designated. In sum, the burden will be on the submitting entity to ensure that the information it submits is properly labeled and contains adequate designation information. Although unmarked information may be eligible for CEII treatment, the Commission intends to treat information as CEII only if it is properly designated as CEII pursuant to our regulations.
20. To ensure that all the requirements concerning CEII are in a single section of the Commission's regulations, the Commission proposes to move the requirements in current section 388.112(b) regarding CEII to section 388.113(d). The Commission believes that it will better protect CEII from unauthorized disclosure as well as facilitate the voluntary sharing of CEII to have a single process to address CEII and for that process to be located in a single section of our regulations. Locating our CEII regulations in the same section of the Commission's regulations will relieve the public from having to review multiple sections of our regulations to find our rules addressing CEII, which may cause confusion.
2. Designation of Commission-Generated Information
21. The Commission proposes to revise section 388.113(d) to specify that, for Commission-generated information, the Office Director for the Commission office in which the Commission-generated information was created, or the Office Director's designee, must consult with the Coordinator to determine whether the information meets the definition of CEII, how long the designation of CEII should last and, as appropriate, any re-designation. The Coordinator will then make the designation determination.[16] Any CEII that the Commission generates must also be clearly marked as CEII and indicate the date that the information was designated as CEII. This coordination will help ensure that Commission-generated information is handled in an appropriate and consistent manner.
3. Segregable Information
22. In many cases, information submitted to the Commission may contain information that is CEII along with information that is not CEII. Section 215A(d)(8) requires the Commission to:
segregate critical electric infrastructure information or information that reasonably could be expected to lead to the disclosure of the critical electric infrastructure information within documents and electronic communications, wherever feasible, to facilitate disclosure of information that is not designated as critical electric infrastructure information.
Accordingly, the Commission proposes to add a provision to section 388.113(d) that would require the submitter to segregate CEII (or information that reasonably could be expected to lead to the disclosure of the CEII) from non-CEII at the time of submission wherever feasible. The burden would be on the submitter to clearly mark in the submission what is CEII and what is not CEII. The requirement also would apply to Commission-generated CEII.[17]
4. Duration of Designation
23. Section 215A(d)(9) of the FPA states that information “may not be Start Printed Page 43560designated as critical electric infrastructure information for longer than 5 years, unless specifically re-designated by the Commission or the Secretary, as appropriate.” The Commission proposes to add this statement to proposed section 388.113(e).
24. The Commission plans to use the following process to implement the duration of designation provision. At the present time there are almost 200,000 documents labeled as Critical Energy Infrastructure Information in the Commission's eLibrary system. The Commission does not plan to move designated information from its non-public files to its public files after the designation period has passed (i.e., up to five years from date of designation), unless the Commission determines in a particular instance that it is appropriate to do so. The passing of the CEII designation period would not necessarily render designated information suitable for inclusion in the Commission's public files. The Commission plans to determine whether information should be re-designated or alternatively placed in the Commission's public files when an entity requests the information, when staff determines a need to remove the designation, or when a submitter requests that information no longer be treated as CEII.[18]
25. The proposed approach is consistent with the FAST Act. Section 215A(d)(9) of the FPA does not require automatic public disclosure of CEII at the end of the initial CEII designation period. Indeed, the FAST Act contemplates that there may be information that warrants continued protection after the initial designation period. Given the volume of CEII in the Commission's files and the expectation that the Commission will continue to receive a substantial amount of CEII each year, this proposed approach strikes a reasonable balance in meeting the designation requirements of the FAST Act.
26. Consistent with the above practice, the Commission proposes that the non-disclosure agreement (NDA) will require any recipient of CEII from the Commission to continue to protect the information past the expiration of the CEII designation marked on the information. Further, the recipient must receive prior authorization from the Commission before making any disclosure of such information. These requirements will enable the Commission to comply with section 215A(d)(10) and determine whether information must be “specifically re-designated” as CEII.
27. Section 215A(d)(10) of the FPA provides that when “the Commission or the [DOE] Secretary, as appropriate, determines that the unauthorized disclosure of such information could no longer be used to impair the security or reliability of the bulk-power system or distribution facilities” the designation shall be removed. The Commission proposes to revise section 388.113(e) of the Commission's regulations to provide for removal of the CEII designation when it no longer could impair the security or reliability of not only the Bulk-Power System and distribution facilities but also other forms of energy infrastructure. The Commission will provide notice to the submitter in the instance where the Commission takes the affirmative step to rescind the designation.
5. Judicial Review of Designation
28. Section 215A(d)(11) of the FPA provides that:
any determination by the Commission or the [DOE] Secretary concerning the designation of critical electric infrastructure information . . . shall be subject to review . . . in the district court of the United States in the district in which the complainant resides, or has his principal place of business, or in the District of Columbia.
The Commission proposes to incorporate this provision into proposed section 388.113(e) of its regulations. In addition, the Commission proposes to require an entity or individual that intends to challenge a Commission designation determination in federal district court to first appeal the decision to the Commission's General Counsel. We believe that requiring an administrative appeal prior to seeking judicial review is appropriate because it would ensure consistency in how the Commission addresses CEII determinations, and is consistent with the current practice for responding to CEII and FOIA requests.[19]
D. Duty To Protect CEII
29. Whether CEII is created by Commission staff or submitted to the Commission by an outside party or a member of the public, section 215A(d)(2)(B) of the FPA requires the Commission to “prohibit the unauthorized disclosure of critical electric infrastructure information.” This requirement applies to Commission employees as well as to all individuals to whom the Commission provides CEII. Thus, the Commission proposes to make the following changes to its regulations in proposed section 388.113(h) to ensure CEII is adequately protected.
1. Internal Controls for Commission Employees
30. To ensure that Commission employees appropriately handle CEII, Commission staff is developing an information governance policy and guidelines, which is intended to address how sensitive information, including CEII, should be handled, marked, and kept secure.[20] Consistent with these guidelines, the Commission proposes to add a provision in proposed section 388.113(h) that would require the Commissioners, Commission staff, and Commission contractors to comply with the Commission's internal controls. The internal controls will address how the Commission and its personnel, including contractors and agents, handle CEII.
2. Controls for Recipients of CEII
31. Currently, section 388.113(d) requires external recipients of Critical Energy Infrastructure Information to sign an NDA, which imposes conditions on how the information may be used.[21] The current regulation does not specify the minimum required content of an NDA.
32. The Commission proposes to strengthen the NDA requirements for all the different forms of NDAs the Commission uses to share CEII.[22] Including these provisions in each type of NDA form that the Commission uses will better protect CEII from unauthorized disclosure. Specifically, the Commission proposes revising its regulations to state in section 388.113(h)(2) that an NDA must minimally require that CEII: (1) Will only be used for the purpose it was requested; (2) may only be discussed with authorized recipients; (3) must be kept in a secure place in a manner that would prevent unauthorized access; (4) Start Printed Page 43561must be destroyed or returned to the Commission upon request; and (5) that the Commission may audit compliance with the NDA. These changes would codify and strengthen current NDA terms consistent with FPA section 215A(d).
33. Moreover, another means to prevent unauthorized disclosure of CEII is to ensure that the CEII is only shared with those who need it. The Commission, therefore, proposes to amend section 388.113(g)(5) to require a person seeking CEII to demonstrate a legitimate need for the information. Thus, the Commission proposes to require a requestor to demonstrate: (1) The extent to which a particular function is dependent upon access to the information; (2) why the function cannot be achieved or performed without access to the information; (3) whether other information is available to the requester that could facilitate the same objective; (4) how long the information will be needed; (5) whether or not the information is needed to participate in a specific proceeding (with that proceeding identified); and (6) whether the information is needed expeditiously. This information will assist the Commission's CEII Coordinator in “balance[ing] the requestor's need for the information against the sensitivity of the information.” [23] A conclusory statement will not satisfy this requirement.
34. Finally, to ensure that CEII is only disclosed to appropriate individuals, the Commission proposes to amend section 388.113(g)(5)(i)(D) to require the requestor to include a signed statement attesting to the accuracy of the information provided in any request for CEII submitted to the Commission.
E. Sanctions
35. Section 215A(d)(2)(C) of the FPA requires the Commission to “ensure there are appropriate sanctions in place for Commissioners, officers, employees, or agents of the Commission or the Department of Energy who knowingly and willfully disclose critical electric infrastructure information in a manner that is not authorized under this section.” The Commission proposes to add proposed section 388.113(i) to implement this requirement.
36. The Commission proposes that it take responsibility for addressing unauthorized disclosures of CEII in the Commission's possession by Commission personnel.[24] The Commission may initiate an adverse personnel action, such as a suspension or a removal action, against a Commission employee who makes an unauthorized disclosure of CEII or any other non-public information.[25] While the Commission may not sanction the Chairman or Commissioners,[26] it can refer any misconduct by the Chairman or Commissioners to the DOE Inspector General.
F. Voluntary Sharing of CEII
37. Section 215A(d)(2)(D) of the FPA requires that the Commission:
taking into account standards of the Electric Reliability Organization, facilitate voluntary sharing of critical electric infrastructure information with, between, and by—(i) Federal, State, political subdivision, and tribal authorities; (ii) the Electric Reliability Organization; (iii) regional entities; (iv) information sharing and analysis centers established pursuant to Presidential Decision Directive 63; (v) owners, operators, and users of critical electric infrastructure in the United States; and (vi) other entities determined appropriate by the Commission.
Under this provision, the Commission has authority to share CEII with individuals and organizations that the Commission has determined need the information to ensure that energy infrastructure is protected.[27] Voluntary sharing applies to both Commission-generated CEII and CEII submitted to the Commission.
38. Under this provision, the Commission may share CEII without first receiving a request for the CEII. Section 388.112(c)(i) already provides the Commission with “the discretion to release information as necessary to carry out its jurisdictional responsibilities.” The Commission proposes to move this language to section 388.113(f)(2) in the regulations and also note that the Commission retains the discretion to release information as necessary for other federal agencies to carry out their jurisdictional responsibilities.
39. The Commission also proposes to add section 388.113(f)(1) to its regulations to require an Office Director or his designee to consult with the Coordinator prior to the Office Director or his designee making a determination to voluntarily share CEII. The Coordinator will determine whether the information has been appropriately designated as CEII and whether appropriate protective measures are in place to secure its transfer and treatment by the recipient.
40. When the Commission voluntarily shares information, the CEII will be shared subject to an appropriate NDA or Acknowledgement and Agreement.[28] Thus, the Commission proposes to add language to its regulations in proposed section 388.113(f) to make clear that, after a determination by the Coordinator, the Office Director will provide the proposed recipients of the CEII with the appropriate NDA or Agency Acknowledgement and Agreement for execution and return. The Commission proposes to amend its regulations to require a signed copy of each agreement be maintained by the Office Director with a copy to the Coordinator.
41. The Commission proposes to add to section 388.113(f) of its regulations a statement indicating that the Commission may impose additional restrictions on how the CEII the Commission voluntarily shares may be used and maintained. Given that the Commission anticipates that it will voluntarily share CEII when the Commission believes that the recipients need the information to protect critical infrastructure, the recipients may otherwise have no other legitimate need for the information but to address that event. Thus, it is appropriate to impose additional conditions on use and handling of CEII that the Commission voluntarily shares.
42. Where practicable, when the Commission is considering voluntarily sharing CEII, the Commission will provide notice to the submitter of that information. However, it may not be practicable for the Commission to provide notice to the submitter in instances where voluntary sharing is necessary to maintain infrastructure security, to address a potential threat, or in other exigent circumstances. In such instances, a requirement to give notice to the submitter may be detrimental to the ability of the Commission to timely share CEII with entities that may urgently need the information and could compromise law enforcement Start Printed Page 43562operations.[29] Thus, under these limited circumstances, the Commission will not give the submitter notice of sharing the CEII with others. However, to be clear, any CEII that the Commission voluntarily shares under these circumstances will be handled as CEII subject to an NDA or an Acknowledgement and Agreement and, as explained above, may be subject to additional controls as appropriate.
IV. Other Proposed Revisions
A. Request for Access to CEII
1. Owner-Operator Requests
43. Existing sections 388.113(d)(1) and (2) permit Critical Energy Infrastructure Information to be released directly to owner/operators outside of the Critical Energy Infrastructure Information process. The DOE IG Report raised concerns that the Commission might not be aware of information released outside of the Critical Energy Infrastructure Information process.[30] The Commission proposes to maintain this practice but proposes to amend existing sections 388.113(d)(1) and (2), re-designated as proposed sections 388.113(g)(1) and (2), to require Commission staff to inform the Coordinator of such requests prior to the release of any information.
44. Additionally, the Commission proposes to amend existing section 388.113(d)(1), which allows an owner or operator of a facility to obtain certain CEII concerning its facilities without signing an NDA, to exclude Commission-generated information except inspection reports/operation reports and any information directed to the owner-operators. Thus, the owners and operators of a facility will be able to obtain inspection reports/operation reports and any information directed to the owner-operators concerning their facilities without going through the CEII process.
45. In Order No. 630, the Commission relieved owners/operators from signing an NDA for Critical Energy Infrastructure Information regarding their own facilities on the basis that “they have at least as great an incentive to protect this information as the Commission has.” [31] We believe that owners/operators will have the same incentive to protect inspection reports/operation reports and any information regarding their own facilities that may contain Commission-generated CEII.
2. Federal Agency Requests
46. Existing section 388.113(d)(2) allows any employee of a Federal agency acting within the scope of his or her federal employment to obtain Critical Energy Infrastructure Information without going through the process outlined in existing section 388.113(d)(5), as long as the request is approved by a Commission Division Director or higher.
47. The Commission's practice has been for an employee of another agency to sign an Acknowledgement and Agreement, which states that the agency will protect the Critical Energy Infrastructure Information in the same manner as the Commission and will refer any requests for the information to the Commission. The Commission proposes to maintain and codify this practice in the revised CEII regulations in section 388.113(g)(2).
3. Intervenor Requests
48. Individuals in a complaint proceeding or other proceeding to which a right to intervention exists may need CEII to participate in the proceeding. Where a submitter has provided CEII or other non-public information with its filing, existing section 388.112(b)(2)(i) requires a submitter in the context of a proceeding before the Commission to “include a proposed form of a protective agreement with the filing” to facilitate an intervenor's access to information without going through the Critical Energy Infrastructure Information process. Under this provision four categories of information need not be provided subject to such a protective agreement: (1) Landowner lists; (2) privileged information filed under section 380.12(f) or section 380.16(f), which pertain to cultural resources; (3) privileged information filed under section 380.12(m), which pertains to reliability and safety information that must be filed by liquefied natural gas (LNG) facilities; and (4) privileged information filed under section 380.12(o), which pertains to engineering and design material information that must be filed by LNG facilities.
49. However, in Dominion Cove Point LNG, LP,[32] the Commission directed a party to release pursuant to a protective agreement LNG safety and engineering information not otherwise available under section 388.112(b)(2)(i). Consistent with that decision, the Commission proposes to amend its regulations to eliminate the current exemptions for LNG information identified under section 388.112(b)(2)(i). This change would leave in place the right of any filer or any person to oppose the disclosure. The Commission proposes to move these requirements to section 388.113(g)(4).
B. Other Considerations for Access to CEII
1. Organizational Requests
50. Existing section 388.113(d)(4)(vi) permits an organization to request CEII for its employees who sign an NDA. With notice to the Commission, the regulation allows the organization to give additional employees access to this CEII, subject to their signing an NDA. The Commission proposes to place a one-year time limit on an organization's ability to add additional employees. After one year from the date of its original request, an organization would have to submit a new CEII request and NDAs pursuant to proposed section 388.113(g)(5)(ii).
2. Timing Requirement
51. An earlier version of the Commission's regulations stated that Critical Energy Infrastructure Information requests would be processed, if possible, within the statutory timeframe for FOIA. The Commission proposes to amend section 388.113(g)(vii) of its regulations to reestablish this requirement for CEII, as the Commission never intended to remove it from the regulations.[33]
3. CEII Combined With Other Protected Information
52. If CEII and proprietary or other protected information are inextricably intertwined, the Commission has historically withheld from disclosure Start Printed Page 43563the intertwined information under FOIA. Consistent with this practice, the Commission proposes to add section 388.113(g)(5)(ix) to clarify that the Commission's CEII regulations should not be construed to require the release of proprietary information, personal information, cultural resource information and other comparable data protected by statute or regulation, or any privileged or otherwise non-public information, including information protected by the deliberative process.
4. CEII Coordinator
53. Under section 375.313, the Commission has delegated to the Coordinator certain authority to address CEII matters. The Commission proposes to amend subsection 375.313(b) to make clear that the Coordinator has designation authority consistent with the FAST Act, and to add a subsection to make clear that the Coordinator has the authority to designate and release information to the public. Moreover, the Commission proposes to change all references in section 375.313 from Critical Energy Infrastructure Information to the acronym CEII.
V. Information Collection Statement
54. The Paperwork Reduction Act and Office of Management and Budget's (OMB) implementing regulations require OMB to review and approve certain information collection requirements imposed by agency rule.[34] This Notice of Proposed Rulemaking does not impose any additional information collection requirements.[35] Therefore, the information collection regulations do not apply to this Notice of Proposed Rulemaking.
VI. Environmental Analysis
55. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.[36]
56. The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural, or that do not substantially change the effect of the regulations being amended.[37] The actions here fall within this categorical exclusion in the Commission's regulations.
VII. Regulatory Flexibility Act Certification
57. The Regulatory Flexibility Act of 1980 (RFA) requires rulemakings to contain either a description and analysis of the effect that the rule will have on small entities or a certification that the rule will not have a significant economic impact on a substantial number of small entities.[38] Rules that are exempt from the notice and comment requirements of section 553(b) of the Administrative Procedure Act are exempt from the RFA requirements. This Notice of Proposed Rulemaking concerns rules of agency procedure and, therefore, an analysis under the RFA is not required.[39]
VIII. Public Comments
58. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due August 19, 2016. Comments must refer to Docket No. RM16-15-000, and must include the commenter's name, the organization they represent, if applicable, and their address in their comments.
59. The Commission encourages comments to be filed electronically via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing formats. Information created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing.
60. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426.
61. All comments will be placed in the Commission's public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters.
IX. Document Availability
62. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426.
63. From the Commission's Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field.
64. User assistance is available for eLibrary and the Commission's Web site during normal business hours from the Commission's Online Support at 202-502-6652 (toll free at 1-866-208-3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference Room at public.referenceroom@ferc.gov.
Start List of SubjectsList of Subjects
18 CFR Part 375
- Authority delegations (Government agencies); Seals and insignia; Sunshine Act
18 CFR Part 388
- Confidential business information; Freedom of information
By direction of the Commission.
Dated: June 16, 2016.
Kimberly D. Bose,
Secretary.
In consideration of the foregoing, the Commission proposes to amend Parts 375 and 388, Chapter I, Title 18, Code of Federal Regulations, as follows:
Start PartPART 375—THE COMMISSION
End Part Start Amendment Part1. The authority citation for part 375 continues to read as follows:
End Amendment Part Start Amendment Part2. Amend § 375.313 by:
End Amendment Part Start Amendment Parta. Revising the section heading and paragraphs (a) and (b);
End Amendment Part Start Amendment Partb. Redesignating paragraphs (c) through (e) as paragraphs (d) through (f) and revising newly redesignated paragraphs (d) through (f); and
End Amendment Part Start Amendment Partc. Adding a new paragraph (c). Start Printed Page 43564
End Amendment PartThe revisions and addition read as follows:
Delegations to the Critical Energy/Electric Infrastructure Information (CEII) Coordinator.* * * * *(a) Receive and review all requests for CEII as defined in § 388.113(c) of this chapter.
(b) Make determinations as to whether particular information fits within the definition of CEII found at § 388.113(c) of this chapter, including designating information, as appropriate.
(c) Make a determination that information designated as CEII should no longer be so designated when the unauthorized disclosure of the information could no longer be used to impair the security or reliability of the bulk-power system or distribution facilities or any other infrastructure.
(d) Make determinations as to whether a particular requester's need for and ability and willingness to protect CEII warrants limited disclosure of the information to the requester.
(e) Establish reasonable conditions on the release of CEII.
(f) Release CEII to requesters who satisfy the requirements in paragraph (d) of this section and agree in writing to abide by any conditions set forth by the Coordinator pursuant to paragraph (e) of this section.
PART 388—INFORMATION AND REQUESTS
End Part Start Amendment Part3. The authority citation for part 388 is changed to read as follows:
End Amendment Part Start Amendment Part4. Amend § 388.112 by revising the section heading and paragraphs (a), (b)(1), (b)(2)(i), (b)(2)(vi), (c)(1), and (d)-(e) to read as follows:
End Amendment PartRequests for privileged treatment for documents submitted to the Commission.(a) Scope. By following the procedures specified in this section, any person submitting a document to the Commission may request privileged treatment for some or all of the information contained in a particular document that it claims is exempt from the mandatory public disclosure requirements of the Freedom of Information Act, 5 U.S.C. 552 (FOIA), and should be withheld from public disclosure. For the purposes of the Commission's filing requirements, non-CEII subject to an outstanding claim of exemption from disclosure under FOIA will be referred to as privileged material. The rules governing CEII are contained in 18 CFR 388.113.
(b) Procedures for filing and obtaining privileged material. (1) General Procedures. A person requesting that material be treated as privileged information must include in its filing a justification for such treatment in accordance with the filing procedures posted on the Commission's Web site at http://www.ferc.gov. A person requesting that a document filed with the Commission be treated as privileged in whole or in part must designate the document as privileged in making an electronic filing or clearly indicate a request for such treatment on a paper filing. The cover page and pages or portions of the document containing material for which privileged treatment is claimed should be clearly labeled in bold, capital lettering, indicating that it contains privileged or confidential information, as appropriate, and marked “DO NOT RELEASE.” The filer also must submit to the Commission a public version with the information that is claimed to be privileged material redacted, to the extent practicable.
(2) Procedures for Proceedings with a Right to Intervene. * * *
(i) If a person files material as privileged material in a complaint proceeding or other proceeding to which a right to intervention exists, that person must include a proposed form of protective agreement with the filing, or identify a protective agreement that has already been filed in the proceeding that applies to the filed material. This requirement does not apply to material submitted in hearing or settlement proceedings, or if the only material for which privileged treatment is claimed consists of landowner lists or privileged information filed under sections 380.12(f) and 380.16(f) of this chapter.
* * * * *(vi) For landowner lists, information filed as privileged under sections 380.12(f) and 380.16(f), forms filed with the Commission, and other documents not covered above, access to this material can be sought pursuant to a FOIA request under section 388.108 of this chapter. Applicants are not required under paragraph (b)(2)(iv) of this section to provide intervenors with landowner lists and the other materials identified in the previous sentence.
(c) Effect of privilege claim. (1) For documents filed with the Commission:
(i) The documents for which privileged treatment is claimed will be maintained in the Commission's document repositories as non-public until such time as the Commission may determine that the document is not entitled to the treatment sought and is subject to disclosure consistent with section 388.108 of this chapter. By treating the documents as nonpublic, the Commission is not making a determination on any claim of privilege status. The Commission retains the right to make determinations with regard to any claim of privilege status, and the discretion to release information as necessary to carry out its jurisdictional responsibilities.
(ii) The request for privileged treatment and the public version of the document will be made available while the request is pending.
* * * * *(d) Notification of request and opportunity to comment. When a FOIA requester seeks a document for which privilege status has been claimed, or when the Commission itself is considering release of such information, the Commission official who will decide whether to release the information or any other appropriate Commission official will notify the person who submitted the document and give the person an opportunity (at least five calendar days) in which to comment in writing on the request. A copy of this notice will be sent to the requester.
(e) Notification before release. Notice of a decision by the Commission, the Chairman of the Commission, the Director, Office of External Affairs, the General Counsel or General Counsel's designee, a presiding officer in a proceeding under part 385 of this chapter, or any other appropriate official to deny a claim of privilege, in whole or in part, will be given to any person claiming that the information is privileged no less than 5 calendar days before disclosure. The notice will briefly explain why the person's objections to disclosure are not sustained by the Commission. A copy of this notice will be sent to the FOIA requester.
* * * * *5. Revise § 388.113 to read as follows:
End Amendment PartCritical Energy/Electric Infrastructure Information (CEII)(a) Scope. This section governs the procedures for submitting, designating, handling, sharing, and disseminating Critical Energy/Electric Infrastructure Information (CEII) submitted to or generated by the Commission. The Commission reserves the right to restrict access to previously filed information as well as Commission-generated information containing CEII.
(b) Purpose. The procedures in this section implement section 215A of the Federal Power Act, and provide a comprehensive overview of the manner Start Printed Page 43565in which the Commission will implement the CEII program.
(c) Definitions. For purposes of this section: (1) Critical electric infrastructure information means information related to critical electric infrastructure, or proposed critical electrical infrastructure, generated by or provided to the Commission or other Federal agency other than classified national security information, that is designated as critical electric infrastructure information by the Commission or the Secretary of the Department of Energy pursuant to section 215A(d) of the Federal Power Act. Such term includes information that qualifies as critical energy infrastructure information under the Commission's regulations. Critical Electric Infrastructure Information is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552, pursuant to section 215A(d)(1)(A) of the Federal Power Act.
(2) Critical energy infrastructure information means specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:
(i) Relates details about the production, generation, transportation, transmission, or distribution of energy;
(ii) Could be useful to a person in planning an attack on critical infrastructure;
(iii) Is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552, pursuant to section 215A(d)(1)(A) of the Federal Power Act; and
(iv) Does not simply give the general location of the critical infrastructure.
(3) Critical electric infrastructure means a system or asset of the bulk-power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.
(4) Critical infrastructure means existing and proposed systems and assets, whether physical or virtual, the incapacity or destruction of which would negatively affect security, economic security, public health or safety, or any combination of those matters.
(d) Criteria and Procedures for determining what constitutes CEII. The following criteria and procedures apply to information labeled as CEII:
(1) For information submitted to the Commission:
(i) A person requesting that information submitted to the Commission be treated as CEII must include with its submission a justification for such treatment in accordance with the filing procedures posted on the Commission's Web site at http://www.ferc.gov. The justification must provide how the information, or any portion of the information, qualifies as CEII, as the terms are defined in paragraphs (c)(1) and (2) of this section. The submission must also include a clear statement of the date the information was submitted to the Commission, how long the CEII designation should apply to the information and support for the period proposed. Failure to provide the justification or other required information could result in denial of the designation and release of the information to the public.
(ii) In addition to the justification required by paragraph (d)(1)(i) of this section, a person requesting that information submitted to the Commission be treated as CEII must clearly label the cover page and pages or portions of the information for which CEII treatment is claimed in bold, capital lettering, indicating that it contains CEII, as appropriate, and marked “DO NOT RELEASE.” The submitter must also segregate those portions of the information that contain CEII (or information that reasonably could be expected to lead to the disclosure of the CEII) wherever feasible. The submitter must also submit to the Commission a public version with the information where CEII is redacted, to the extent practicable.
(iii) If a person files material as CEII in a complaint proceeding or other proceeding to which a right to intervention exists, that person must include a proposed form of protective agreement with the filing, or identify a protective agreement that has already been filed in the proceeding that applies to the filed material.
(iv) The information for which CEII treatment is claimed will be maintained in the Commission's files as non-public until such time as the Commission may determine that the information is not entitled to the treatment sought. By treating the information as non-public, the Commission is not making a determination on any claim of CEII status. The Commission retains the right to make determinations with regard to any claim of CEII status, and the discretion to release information as necessary to carry out its jurisdictional responsibilities. Although unmarked information may be eligible for CEII treatment, the Commission intends to treat information as CEII only if it is properly designated as CEII pursuant to Commission regulations.
(v) The Commission will evaluate whether the submitted information or portions of the information are covered by the definitions in paragraphs (c)(1) and (2) of this section prior to making a designation as CEII.
(vi) Subject to the exceptions set forth in section 388.113(f)(5), when a CEII requester seeks information for which CEII status has been claimed, or when the Commission itself is considering release of such information, the Commission official who will decide whether to release the information or any other appropriate Commission official will notify the person who submitted the information and give the person an opportunity (at least five calendar days) in which to comment in writing on the request. A copy of this notice will be sent to the requester. Notice of a decision by the Commission, or the CEII Coordinator to make a limited release of CEII, will be given to any person claiming that the information is CEII no less than five calendar days before disclosure. The notice will briefly explain why the submitter's objections to disclosure are not sustained by the Commission. Where applicable, a copy of this notice will be sent to the CEII requester.
(2) For Commission-generated information, after consultation with the Office Director for the office that created the information, or the Office Director's designee, the Coordinator will designate the material as CEII after determining that the information or portions of the information are covered by the definitions in paragraphs (c)(1) and (2) of this section. Commission-generated CEII shall include clear markings to indicate the information is CEII and the date of the designation.
(3) For Commission-generated information, the Commission will segregate non-CEII from CEII or information that reasonably could be expected to lead to the disclosure of CEII wherever feasible.
(e) Duration of the CEII designation. All CEII designations will be subject to the following conditions:
(1) A designation may last for up to a five-year period, unless re-designated. In making a determination as to whether the designation should be extended, the CEII Coordinator will take into account information provided in response to paragraph (d)(1)(i) of this section, and any other information, as appropriate.
(2) A designation may be removed at any time, in whole or in part, if the Commission determines that the unauthorized disclosure of CEII could no longer be used to impair the security or reliability of the bulk-power system Start Printed Page 43566or distribution facilities or any other form of energy infrastructure.
(3) If such a designation is removed, the submitter will receive notice and an opportunity to comment. The CEII Coordinator will notify the person who submitted the document and give the person an opportunity (at least five calendar days) in which to comment in writing prior to the removal of the designation. Notice of a removal decision will be given to any person claiming that the information is CEII no less than 5 calendar days before disclosure. The notice will briefly explain why the person's objections to the removal of the designation are not sustained by the Commission.
(4) Prior to seeking judicial review in district court pursuant to section 215A(d)(11) of the Federal Power Act, an administrative appeal of a determination shall be made to the Commission's General Counsel.
(f) Voluntary sharing of CEII. The Commission, taking into account standards of the Electric Reliability Organization, will facilitate voluntary sharing of CEII with, between, and by Federal, state, political subdivision, and tribal authorities; the Electric Reliability Organization; regional entities; information sharing and analysis centers established pursuant to Presidential Decision Directive 63; owners, operators, and users of critical electric infrastructure in the United States; and other entities determined appropriate by the Commission. The process will be as follows:
(1) The Director of any Office of the Commission or his designee that wishes to voluntarily share CEII shall consult with the CEII Coordinator prior to the Office Director or his designee making a determination on whether to voluntarily share the CEII.
(2) Consistent with section 388.113(d) of this Chapter, the Commission retains the discretion to release information as necessary to carry out its jurisdictional responsibilities in facilitating voluntary sharing or, in the case of information provided to other federal agencies, the Commission retains the discretion to release information as necessary for those agencies to carry out their jurisdictional responsibilities.
(3) All entities receiving CEII must execute either a non-disclosure agreement or an acknowledgement and agreement. A copy of each agreement will be maintained by the Office Director with a copy to the CEII Coordinator.
(4) When the Commission voluntarily shares CEII pursuant to this subsection, the Commission may impose additional restrictions on how the information may be used and maintained.
(5) Submitters of CEII shall receive notification of a limited release of CEII no less than 5 calendar days before disclosure, except in instances where voluntary sharing is necessary for law enforcement purposes, to maintain infrastructure security, to address potential threats, or when notice would not be practicable.
(g) Accessing CEII.
(1) An owner/operator of a facility, including employees and officers of the owner/operator, may obtain CEII relating to its own facility, excluding Commission-generated information except inspection reports/operation reports and any information directed to the owner-operators, directly from Commission staff without going through the procedures outlined in paragraph (g)(5) of this section. Non-employee agents of an owner/operator of such facility may obtain CEII relating to the owner/operator's facility in the same manner as owner/operators as long as they present written authorization from the owner/operator to obtain such information. Notice of such requests must be given to the CEII Coordinator, who shall track this information.
(2) An employee of a federal agency acting within the scope of his or her federal employment may obtain CEII directly from Commission staff without following the procedures outlined in paragraph (g)(5) of this section. Any Commission employee at or above the level of division director or its equivalent may rule on requests for access to CEII by a representative of a federal agency. To obtain access to CEII, an agency employee must sign an acknowledgement and agreement, which states that the agency will protect the CEII in the same manner as the Commission and will refer any requests for the information to the Commission. Notice of each such request also must be given to the CEII Coordinator, who shall track this information.
(3) A landowner whose property is crossed by or in the vicinity of a project may receive detailed alignment sheets containing CEII directly from Commission staff without submitting a non-disclosure agreement as outlined in paragraph (g)(5) of this section. A landowner must provide Commission staff with proof of his or her property interest in the vicinity of a project.
(4) Any person who is a participant in a proceeding or has filed a motion to intervene or notice of intervention in a proceeding may make a written request to the filer for a copy of the complete CEII version of the document without following the procedures outlined in paragraph (g)(5) of this section. The request must include an executed copy of the applicable protective agreement and a statement of the person's right to party or participant status or a copy of the person's motion to intervene or notice of intervention. Any person may file an objection to the proposed form of protective agreement. A filer, or any other person, may file an objection to disclosure, generally or to a particular person or persons who have sought intervention.
(5) If any requester not described above in paragraph (g)(1)-(4) of this section has a particular need for information designated as CEII, the requester may request the information using the following procedures:
(i) File a signed, written request with the Commission's CEII Coordinator. The request must contain the following:
(A) Requester's name (including any other name(s) which the requester has used and the dates the requester used such name(s)), title, address, and telephone number; the name, address, and telephone number of the person or entity on whose behalf the information is requested;
(B) A detailed Statement of Need, which must state: The extent to which a particular function is dependent upon access to the information; why the function cannot be achieved or performed without access to the information; an explanation of whether other information is available to the requester that could facilitate the same objective; how long the information will be needed; whether or not the information is needed to participate in a specific proceeding (with that proceeding identified); and an explanation of whether the information is needed expeditiously.
(C) An executed non-disclosure agreement as described in paragraph (h)(2) of this section;
(D) A signed statement attesting to the accuracy of the information provided in the request; and
(E) A requester shall provide his or her date and place of birth upon request, if it is determined by the CEII Coordinator that this information is necessary to process the request.
(ii) A requester who seeks the information on behalf of all employees of an organization should clearly state that the information is sought for the organization, that the requester is authorized to seek the information on behalf of the organization, and that all individuals in the organization that have access to the CEII will agree to be bound by a non-disclosure agreement that must be executed.Start Printed Page 43567
(iii) After the request is received, the CEII Coordinator will determine if the information is CEII, and, if it is, whether to release the CEII to the requester. The CEII Coordinator will balance the requester's need for the information against the sensitivity of the information. If the requester is determined to be eligible to receive the information requested, the CEII Coordinator will determine what conditions, if any, to place on release of the information.
(iv) If the CEII Coordinator determines that the CEII requester has not demonstrated a valid or legitimate need for the CEII or that access to the CEII should be denied for other reasons, this determination may be appealed to the General Counsel pursuant to section 388.110 of this Chapter. The General Counsel will decide whether the information is properly classified as CEII, which by definition is exempt from release under FOIA, and whether the Commission should in its discretion make such CEII available to the CEII requester in view of the requester's asserted legitimacy and need.
(v) Once a CEII requester has been verified by Commission staff as a legitimate requester who does not pose a security risk, his or her verification will be valid for the remainder of that calendar year. Such a requester is not required to provide detailed information about himself or herself with subsequent requests during the calendar year. He or she is also not required to file a non-disclosure agreement with subsequent requests during the calendar year because the original non-disclosure agreement will apply to all subsequent releases of CEII.
(vi) An organization that is granted access to CEII pursuant to paragraph (g)(5)(ii) of this section may seek to add additional individuals to the non-disclosure agreement within one (1) year of the date of the initial CEII request. Such an organization must provide the names of the added individuals to the CEII Coordinator and certify that notice of each added individual has been given to the submitter. Any newly added individuals must execute a supplement to the original non-disclosure agreement indicating their acceptance of its terms. If there is no written opposition within five (5) days of notifying the CEII Coordinator and the submitter concerning the addition of any newly added individuals, the CEII Coordinator will issue a standard notice accepting the addition of these names to the non-disclosure agreement. If the submitter files a timely opposition with the CEII Coordinator, the CEII Coordinator will issue a formal determination addressing the merits of such opposition. If an organization that is granted access to CEII pursuant to paragraph (g)(5)(ii) of this section wants to add new individuals to its non-disclosure agreement more than one year after the date of its initial CEII request, the organization must submit a new CEII request pursuant to paragraph (g)(5)(ii) of this section and a new non-disclosure agreement for each new individual added.
(vii) The CEII Coordinator will attempt to respond to the requester under this section according to the timing required for responses under the FOIA in section 18 CFR 388.108(c).
(viii) Fees for processing CEII requests will be determined in accordance with section 18 CFR 388.109.
(ix) Nothing in this section should be construed as requiring the release of proprietary information, personally identifiable information, cultural resource information and other comparable data protected by statute or any privileged information, including information protected by the deliberative process.
(h) Duty to protect CEII. Unauthorized disclosure of CEII is prohibited.
(1) To ensure that the Commissioners, Commission employees, and Commission contractors protect CEII from unauthorized disclosure, internal controls will describe the handling, marking, and security controls for CEII.
(2) Any individual who requests information pursuant to paragraph (g)(5) of this section must sign and execute a non-disclosure agreement, which indicates the individual's willingness to adhere to limitations on the use and disclosure of the information requested. The non-disclosure agreement will, at a minimum, require the following: CEII will only be used for the purpose for which it was requested; CEII may only be discussed with authorized recipients; CEII must be kept in a secure place in a manner that would prevent unauthorized access; CEII must be destroyed or returned to the Commission upon request; and the Commission may audit the Recipient's compliance with the non-disclosure agreement.
(i) Sanctions. Any officers, employees, or agents of the Commission who knowingly and willfully disclose CEII in a manner that is not authorized under this section will be subject to appropriate sanctions, such as removal from the federal service, or possible referral for criminal prosecution. Commissioners who knowingly and willfully disclose CEII without authorization may be referred to the Department of Energy Inspector General. The Commission will take responsibility for investigating and, as necessary, imposing sanctions on its employees and agents.
Footnotes
1. See Fixing America's Surface Transportation, Public Law 114-94, 129 Stat. 1312 (2015) (to be codified at 16 U.S.C. 824 et seq.) (FAST Act).
Back to Citation2. Id. 61,003.
Back to Citation3. See Statement of Policy on Treatment of Previously Public Documents, 66 FR 52,917 (Oct. 18, 2001), 97 FERC ¶ 61,030 (2001). A large component of what is currently Critical Energy Infrastructure Information was previously publicly available prior to September 11, 2001.
Back to Citation4. The FOIA process is specified in 5 U.S.C. 552 and the Commission's regulations at 18 CFR 388.108.
Back to Citation5. Critical Energy Infrastructure Information, Order No. 630, 68 FR 9,857 (Mar. 3, 2003), FERC Stats. & Regs. ¶ 31,140 (2003), order on reh'g, Order No. 630-A, 68 FR 46,456 (Aug. 6, 2003), FERC Stats. & Regs. ¶ 31,147 (2003).
Back to Citation6. See Critical Energy Infrastructure Information, Order No. 702, 72 FR 63,980 (Nov. 14, 2007), FERC Stats. & Regs. ¶ 31,258 (2007).
Back to Citation7. For example, in 2014, the Department of Energy Inspector General initiated a review of the Commission's controls for protecting non-public information. In a report dated January 30, 2015, the DOE Inspector General recommended, among other things, that the Commission take steps to ensure that the Critical Energy Infrastructure Information processes to protect and control non-public information are current and that such policies are disseminated and properly implemented. DOE Inspector General, Inspection Report: Review of Controls for Protecting Nonpublic Information at the Federal Energy Regulatory Commission (Jan. 2015), http://energy.gov/sites/prod/files/2015/02/f19/DOE-IG-0933.pdf (DOE IG Report).
Back to Citation8. The abbreviation will be used except where appropriate to address any distinction between the Commission's current regulations and the terms of the FAST Act.
Back to Citation9. See 5 U.S.C. 552(b)(3) (protects information “specifically exempted from disclosure by statute”).
Back to Citation10. The Commission has relied upon FOIA Exemption 7(F) to protect this type of information from disclosure. See 5 U.S.C. 552(b)(7)(F) (protecting law enforcement information that could reasonably be expected to endanger the life or physical safety of any individual). The Commission will continue to rely on this exemption, as appropriate.
Back to Citation11. Section 215A(d)(3) gives the Commission and DOE the authority to designate Critical Electric Infrastructure Information.
Back to Citation12. Section 215A(d)(3) provides that information “may be designated” by the Commission or Secretary of Energy as “critical electric infrastructure information.” These proposed regulations would only apply to information submitted to or generated by the Commission. Nothing in the preamble or proposed regulations would limit DOE's ability to designate information as it deems appropriate under the FAST Act.
Back to Citation13. Information downloaded by Commission staff from private databases that are accessed pursuant to Commission order or regulation will be maintained as non-public information consistent with the Commission's internal controls. See, e.g., Availability of Certain North American Electric Reliability Corporation Databases to the Commission, 155 FERC ¶ 61,275 (2016). If the Commission receives a request for access to downloaded information, the Commission will evaluate whether the information meets the definition of CEII or is proprietary information or otherwise privileged or non-public and will provide the owner of the database or information (as appropriate) with an opportunity to comment on the request consistent with proposed section 388.113(d)(1)(vi) or sections 388.112(d) and (e).
Back to Citation14. The submitter must clearly indicate this information on the submission in a clear and durable manner. For example, in addition to an appropriate cover sheet, each page should be clearly labeled. The date of submission will start the period for CEII designation. Commission-generated information should also have clear markings.
Back to Citation15. Section 18 CFR 375.313 delegates authority to the Critical Energy Infrastructure Information Coordinator (Coordinator), who is the Director of the Office of External Affairs. As explained below, the Commission proposes to modify this section to reflect the new authority in the FAST Act.
Back to Citation16. Pursuant to section 375.313(d) of the Commission's regulations, the Coordinator is responsible for establishing “reasonable conditions” on the release of CEII.
Back to Citation17. See proposed 18 CFR 388.113(d)(2) and (3).
Back to Citation18. In the event the Commission re-designates information as CEII, the Commission will re-designate the information as CEII for another five years or a shorter time period, as appropriate.
Back to Citation19. Such a determination is subject to review by an applicable district court and would not be an order subject to rehearing and review under 16 U.S.C. 825l.
Back to Citation20. The DOE IG Report raised concerns with how Commission staff handled, labeled, and tracked Critical Energy Infrastructure Information. DOE IG Report at 2-5, 12.
Back to Citation21. See, e.g., General Non-Disclosure Agreement, http://www.ferc.gov/legal/ceii-foia/ceii/gen-nda.pdf.
Back to Citation22. Separate NDAs exist for general users, the media, state agencies, and consultants, and are available at http://www.ferc.gov/legal/ceii-foia/ceii.asp. Federal Agency requesters, as noted below, receive an Agency Acknowledgment and Agreement, which has different terms than the NDAs.
Back to Citation23. See 18 CFR 388.113(d)(4)(iii) and (iv).
Back to Citation24. The Commission anticipates that DOE will take responsibility for sanctions for unauthorized disclosures by its officers, employees, staff, and agents with regard to information in DOE's possession.
Back to Citation25. See, e.g., 5 U.S.C. Chapter 75 (Adverse Actions).
Back to Citation26. The Chairman and Commissioners are appointed by the President and may be removed by the President only for inefficiency, neglect of duty, or malfeasance in office. 42 U.S.C. 7171.
Back to Citation27. Section 215A(d)(6) of the FPA makes clear that nothing in the FAST Act “require[s] a person or entity in possession of critical electric infrastructure information to share such information” with other individuals and entities; see also Cybersecurity Information Sharing Act of 2015, Public Law 114-113, 129 Stat. 2936 (2015).
Back to Citation28. As noted below, to obtain CEII Federal Agencies execute an Acknowledgement and Agreement, as opposed to an NDA. See Federal Agency Acknowledgement and Agreement, http://www.ferc.gov/legal/ceii-foia/ceii/fed-agen-acknow-agree.pdf.
Back to Citation29. For example, FPA section 215A(e) requires the Commission to share “timely actionable information regarding grid security with appropriate key personnel of owners, operators, and users of the critical electric infrastructure.” This information may include classified information as well as CEII. Providing notice and seeking a response from a submitter prior to disclosure of this CEII may hinder the Commission's ability to share “timely actionable information.”
Back to Citation30. See DOE IG Report at 4-5.
Back to Citation31. Critical Energy Infrastructure Information, Order No. 630, 68 FR 9857 (Mar. 3, 2003), FERC Stats. & Regs. ¶ 31,140 (2003); order on reh'g, Order No. 630-A, 68 FR 46,456 (Aug. 6, 2003), FERC Stats. & Regs. ¶ 31,147, at P 57 (2003).
Back to Citation32. See Dominion Cove Point LNG, LP, 147 FERC ¶ 61,202 (2014) (concluding that the protective agreement outlined in section 388.112(b)(2)(i), as opposed to the Critical Energy Infrastructure Information process, was the appropriate mechanism to obtain fourteen identified LNG safety and engineering documents).
Back to Citation33. This language appears in the April 2007 edition of the Commission's regulations, but does not appear in the April 2008 edition. The preamble to the 2008 regulations does not provide an explanation for the elimination of this provision from the Commission's regulations. Thus, the Commission believes it appropriate to reinstate the requirement.
Back to Citation35. The current information collection requirements related to requesting access to CEII material are approved by OMB under FERC-603 (OMB Control No. 1902-0197).
Back to Citation36. Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
Back to Citation38. 5 U.S.C. 603 (2012).
Back to Citation[FR Doc. 2016-14761 Filed 7-1-16; 8:45 am]
BILLING CODE 6717-01-P
Document Information
- Published:
- 07/05/2016
- Department:
- Federal Energy Regulatory Commission
- Entry Type:
- Proposed Rule
- Action:
- Notice of proposed rulemaking.
- Document Number:
- 2016-14761
- Dates:
- Comments are due August 19, 2016.
- Pages:
- 43557-43567 (11 pages)
- Docket Numbers:
- Docket No. RM16-15-000
- Topics:
- Authority delegations (Government agencies), Confidential business information, Freedom of information, Seals and insignia, Sunshine Act
- PDF File:
- 2016-14761.pdf
- CFR: (3)
- 18 CFR 375.313
- 18 CFR 388.112
- 18 CFR 388.113