Agency Information Collection Activities; Proposals, Submissions, and Approvals: Errata

Commission Information Collection Activities (Ferc-725b). Comment Request; Errata Notice

DATES:

Comments on the collection of information are due July 27, 2026.

SUPPLEMENTARY INFORMATION:

Title: FERC-725B (Mandatory Reliability Standards, Critical Infrastructure Protection (CIP)).

OMB Control No.: 1902-0248.

Type of Request: Three-year extension of the FERC-725B information collection requirements and implement changes due to updates to the CIP-002-8.

Abstract: On August 8, 2005, Congress enacted the Energy Policy Act of 2005. ⁽¹⁾ The Energy Policy Act of 2005 added a new section 215 to the FPA, ⁽²⁾ which requires a Commission-certified Electric Reliability Organization to develop mandatory and enforceable Reliability Standards, ⁽³⁾ including requirements for cybersecurity protection, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the Electric Reliability Organization subject to Commission oversight, or the Commission can independently enforce Reliability Standards.

On February 3, 2006, the Commission issued Order No. 672, ⁽⁴⁾ implementing FPA section 215. The Commission subsequently certified NERC as the Electric Reliability Organization. The Reliability Standards developed by NERC become mandatory and enforceable after Commission approval and apply to users, owners, and operators of the Bulk-Power System, as set forth in each Reliability Standard. ⁽⁵⁾ The CIP Reliability Standards require entities to comply with specific requirements to safeguard critical cyber assets. These standards are result-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply.

On January 18, 2008, the Commission issued Order No. 706, ⁽⁶⁾ approving the initial eight CIP Reliability Standards, CIP version 1 Standards, submitted by NERC. Subsequently, the Commission has approved multiple versions of the CIP Reliability Standards submitted by NERC, partly to address the evolving nature of cyber-related threats to the Bulk-Power System. On November 22, 2013, the Commission issued Order No. 791, ⁽⁷⁾ approving CIP version 5 Standards, the last major revision to the CIP Reliability Standards. The CIP version 5 Standards implement a tiered approach to categorize assets, identifying them as high, medium, or low risk to the operation of the Bulk Electric System (BES)  ⁽⁸⁾ if compromised. High impact systems include large control centers. Medium impact systems include smaller control centers, ultra-high voltage transmission, and large substations and generating facilities. The remainder of the BES Cyber Systems  ⁽⁹⁾ are categorized as low impact systems. Most requirements in the CIP Reliability Standards apply to high and medium impact systems; however, a technical controls requirement in Reliability standard CIP-003, described below, applies only to low impact systems. Since 2013, the Commission has approved new and modified CIP Reliability Standards that address specific issues such as supply chain risk management, cyber incident reporting, communications between control centers, and the physical security of critical transmission facilities. ⁽¹⁰⁾

On March 19, 2026, the order within RD25-8 approved Reliability Standard CIP-002-8 related to the identification and categorization of BES cyber systems and their associated BES cyber assets. The Commission approved the proposed Reliability Standard CIP-002-8 pursuant to section 215(d)(2) of the FPA because the Standard would advance reliability by revising the threshold for applicable transmission owners and transmission operators to categorize their BES cyber systems based on the impact to their associated facilities, systems, and equipment, which, if destroyed, degraded, misused, or otherwise rendered unavailable would affect the reliability of the BES. Also, to revise the definition of the term control center in the NERC Glossary to alleviate confusion from a lack of common understanding of the term "control" as opposed to "authority".

The CIP Reliability Standards currently consist of 14 standards specifying a set of requirements that entities must follow to ensure the cyber and physical security of the Bulk-Power System. There is also one physical security standard.

• CIP-002-8 (formerly CIP-002-7) a Bulk Electric System Cyber System Categorization: requires entities to identify and categorize BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES.
• CIP-003-10 Security Management Controls: requires entities to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.
• CIP-004-8 Personnel and Training: requires entities to minimize the risk against compromise that could lead to mis-operation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

• CIP-005-8 Electronic Security Perimeter(s): requires entities to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

• CIP-006-7.1 Physical Security of Bulk Electric System Cyber Systems: requires entities to manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

☐ CIP-007-7.1 System Security Management: requires entities to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

☐ CIP-008-7.1 Incident Reporting and Response Planning: requires entities to mitigate the risk to the reliable operation of the BES as the result of a cybersecurity incident by specifying incident response requirements.

☐ CIP-009-7.1 Recovery Plans for Bulk Electric System Cyber Systems: requires entities to recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.

☐ CIP-010-5 Configuration Change Management and Vulnerability Assessments: requires entities to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to mis-operation or instability in the BES.

☐ CIP-011-4.1 Information Protection: requires entities to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

☐ CIP-012-2 Communications between Control Centers: requires entities to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.

☐ CIP-013-3 Supply Chain Risk Management: requires entities to mitigate cybersecurity risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.

☐ CIP-014-3 Physical Security: Set out to identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.

☐ CIP-015-1 Internal Network Security Monitoring: purpose is to improve the probability of detecting anomalous or unauthorized network activity in order to facilitate improved response and recovery from an attack.

The CIP Reliability Standards, viewed as a whole, implement a defense-in-depth approach to protecting the security of BES Cyber Systems at all impact levels. ⁽¹¹⁾ The CIP Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems. ⁽¹²⁾

RD25-8 (Changes):

The Commission bases its paperwork burden estimates on the additional paperwork burden presented by the proposed revisions to Reliability Standard CIP-002-8. Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems. The NERC Compliance Registry, as of June 2025, identifies approximately 1,673  ⁽¹⁵⁾ U.S. entities that are subject to mandatory compliance with Reliability Standards.

Of this total, we estimate that 1,573 entities will face a minor increase in paperwork burden of two hours each for a total burden hours increase of 3,146 at $97  ⁽¹⁶⁾ per hour for $194 per entity and a total $305,162 burden for the first year and ongoing burdens in addition to the burden already accounted for in the OMB control number for CIP Reliability Standards.

Additionally, we estimate that another 100 entities will have a burden of four hours each for a total burden hour increase of 400 at $97 per hour for a total burden of $38,800 for the first year and no ongoing burdens in addition to the burden already accounted for in the OMB control number for CIP Reliability Standards.

The responses and burden hours for Years 1-3 will total respectively as follows:

• Year 1-3 each: for proposed Reliability Standard CIP-002-8 will be 557.67 responses; 1,182 hours;
• The annual cost burden for each Year 1-3 is $101,803 for proposed Reliability Standard CIP-002-8.

Comments: Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology.

⁽¹⁾ Energy Policy Act of 2005, Public Law 109-58, sec. 1261 et seq., 119 Stat. 594 (2005).

⁽²⁾ 16 U.S.C. 824o.

⁽³⁾ FPA section 215 defines Reliability Standard as a requirement, approved by the Commission, to provide for reliable operation of existing bulk-power system facilities, including cybersecurity protection, and the design of planned additions or modifications to such facilities to the extent necessary to provide for reliable operation of the Bulk-Power System. However, the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity. Id. at 824o(a)(3).

⁽⁴⁾ Rules Concerning Certification of the Elec. Reliability Org.; and Procedures for the Establishment, Approval, and Enf't of Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006).

⁽⁵⁾ NERC uses the term "registered entity" to identify users, owners, and operators of the Bulk-Power System responsible for performing specified reliability functions with respect to NERC Reliability Standards. See, e.g., Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification and reh'g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability Standards are various subsets of entities responsible for performing various specified reliability functions. We collectively refer to these as "entities."

⁽⁶⁾ Order No. 706, 122 FERC ¶ 61,040 at P 1.

⁽⁷⁾ Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ¶ 61,160 (2013), order on reh'g, Order No. 791-A, 146 FERC ¶ 61,188 (2014).

⁽⁸⁾ In general, NERC defines BES to include all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy. See NERC, Bulk Electric System Definition Reference Document, Version 3, at page iii (August 2018). In Order No. 693, the Commission found that NERC's definition of BES is narrower than the statutory definition of Bulk-Power System. The Commission decided to rely on the NERC definition of BES to provide certainty regarding the applicability of Reliability Standards to specific entities. See Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ¶ 61,218, at PP 75, 79, 491, order on reh'g, Order No. 693-A, 72 FR 49717 (July 25, 2007), 120 FERC ¶ 61,053 (2007).

⁽⁹⁾ NERC defines BES Cyber System as "[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity." NERC, Glossary of Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms). NERC defines BES Cyber Asset as

A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.

Id. at 4.

⁽¹⁰⁾ See, e.g., Order No. 791, 78 FR 72755; Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 81 FR 4177 (Jan. 26, 2016), 154 FERC ¶ 61,037, reh'g denied, Order No. 822-A, 156 FERC ¶ 61,052 (2016); Revised Critical Infrastructure Protection Reliability Standard CIP-003-7-Cyber Security-Security Management Controls, Order No. 843, 163 FERC ¶ 61,032 (2018).

⁽¹¹⁾ Order No. 822, 154 FERC ¶ 61,037 at 32.

⁽¹²⁾ Order No. 706, 122 FERC ¶ 61,040 at 72.

⁽¹³⁾  The number of respondents is based on the NERC Compliance Registry as of June 22, 2025. Currently there are 1,508 unique NERC Registered, subtracting 16 Canadians Entities yields 1492 U.S. entities.

⁽¹⁴⁾  The estimates for cost per hour are $77.30/hour (averaged based on the following occupations):

• Manager (Occupational Code: 11-0000): $83.41/hour; and
• Electrical Engineer (Occupational Code 17-2071): $71.19/hour. The estimated hourly cost (salary plus benefits) is a combination of the following categories from the Bureau of Labor Statistics (BLS) website, May 2025 http://www.bls.gov/oes/current/naics2_22.htm.

⁽¹⁵⁾  The "Number of Entity" data is compiled from the June 2025 edition of the NERC Compliance Registry.

⁽¹⁶⁾  The hourly cost for wages is based in part on the average of the occupational categories from the Bureau of Labor Statistics website ( http://www.bls.gov/oes/current/naics2_22.htm ) plus benefits: Legal (Occupation Code: 23-0000): $162.66; Electrical Engineer (Occupation Code: 17-2071): $79.31; Office and Administrative Support (Occupation Code: 43-0000): $48.59 ($162.66 + $79.31 + $48.59) ÷ 3 = $96.85. The figure is rounded to $97.00 for use in calculating wage figures in this Order.

⁽¹⁷⁾  The number of respondents is based on the NERC Compliance Registry as of June 22, 2025. Currently there are 1,508 unique NERC Registered, subtracting 16 Canadians Entities yields 1492 U.S. entities.

⁽¹⁸⁾  The estimates for cost per hour are $77.30/hour (averaged based on the following occupations):

• Manager (Occupational Code: 11-0000): $83.41/hour; and
• Electrical Engineer (Occupational Code 17-2071): $71.19/hour. The estimated hourly cost (salary plus benefits) is a combination of the following categories from the Bureau of Labor Statistics (BLS) website, May 2025 http://www.bls.gov/oes/current/naics2_22.htm.