Overview
Title
Commission Information Collection Activities (FERC-725B2); Comment Request
ELI5 AI
FERC wants to update some rules to keep important buildings safe from computer hackers, and they're asking people to tell them what they think about these new rules. They want to know if these changes are too much work or cost too much money for the companies that have to follow them.
Summary AI
The Federal Energy Regulatory Commission (FERC) is asking for public comments on changes to its rules for tracking and reporting information under certain cybersecurity standards related to supply chain risk, electronic security, and configuration management. These changes affect businesses and institutions that must follow these standards and will require updates to their risk management plans, potentially leading to more paperwork. Comments on the proposed changes are due by April 27, 2021, and interested parties can submit their feedback online or via mail.
Abstract
In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on revisions to the reporting and recordkeeping requirements proposed for Reliability Standards CIP-013-2 (Cyber Security--Supply Chain Risk Management), CIP-005-7 (Cyber Security--Electronic Security Perimeter(s)), and CIP-010-4 (Cyber Security--Configuration Change Management and Vulnerability Assessments) in Docket No. RD21-2-000. The burden for the requirements will be included in FERC-725B2 (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards).
Analysis AI
The Federal Energy Regulatory Commission (FERC) has issued a notice inviting public comment on proposed changes to reporting and recordkeeping requirements under certain cybersecurity standards. These changes pertain specifically to reliability standards that address supply chain risk management, electronic security perimeters, configuration change management, and vulnerability assessments.
General Summary
The document outlines FERC's intention to update existing cybersecurity standards to ensure better protection of critical infrastructure. These updates are expected to affect how businesses and institutions manage their cybersecurity strategies, particularly concerning their supply chain risks and electronic security measures. The document emphasizes the need for public feedback on these changes, which must be submitted by April 27, 2021.
Significant Issues and Concerns
One notable issue with the document is its technical language, which might be difficult for a general audience to grasp without a solid understanding of energy regulations and cybersecurity terms. Additionally, the document lacks a clear financial impact analysis of the proposed changes. This absence of a cost-benefit examination raises concerns about transparency, as stakeholders may find it challenging to gauge the potential financial burdens these changes might impose.
Moreover, the document does not provide practical examples or case studies demonstrating how entities should implement these new standards. Clarity in this area would help stakeholders better understand the real-world application and implications of the proposed changes. Furthermore, it lacks a detailed explanation of how the feedback from the public will influence the final decisions, raising questions about the effectiveness of the consultation process.
Impact on the Public
Broadly, the document represents FERC's efforts to strengthen cybersecurity protocols protecting critical infrastructure, which could enhance the overall security and reliability of energy systems. While this goal is beneficial for public safety, it could also lead to increased administrative and compliance costs for businesses, which might indirectly affect consumers if those costs are passed on.
Impact on Specific Stakeholders
Businesses and organizations required to comply with these standards will likely face increased administrative responsibilities due to the expanded reporting and recordkeeping requirements. This expanded scope could necessitate additional resources or a reallocation of current resources to comply with the new standards. For non-profit institutions, these new requirements might strain limited resources further.
Overall, while the heightened cybersecurity standards aim to better safeguard critical infrastructure, the associated administrative burdens and lack of clarity in practical implementation raise concerns. The imbalance between the potential benefits of stronger protections and the tangible costs to affected entities underscores the need for a careful review and a more inclusive dialogue with all stakeholders involved.
Financial Assessment
The Federal Energy Regulatory Commission (FERC) document discusses proposed revisions to reporting and recordkeeping requirements under certain cyber security reliability standards. This commentary will focus on how financial aspects are referenced and their connection to some of the issues identified in the document.
Financial References and Allocations
The document provides detailed estimates of the hourly costs for various occupational roles related to reporting requirements. Specifically, it attributes 2% of the time to Electrical Engineers at $70.19 per hour, 15% to Legal professionals at $142.65 per hour, 31.5% to Information Security Analysts at $71.47 per hour, 10% to Computer and Information Systems Managers at $101.58 per hour, 10% to Management at $97.15 per hour, and 31.5% to Management Analysts at $66.23 per hour. Weighting each rate by its share of time gives a weighted hourly cost for reporting requirements of $86.05. For recordkeeping, the cost is $41.03 per hour for the role of Information and Record Clerks.
Relation to Identified Issues
Complex Regulatory Language: The elaborate breakdown of costs and roles can be overwhelming and difficult to digest, especially for those not well-versed in regulatory or financial analysis. This intricacy aligns with the document's broader issue of complex language, which may not be accessible to the general public.
Lack of Financial Transparency: While the document provides specific hourly rates for different roles, it does not explain how these percentages of time spent by each role were determined. This lack of clarity may contribute to perceptions of insufficient transparency. Additionally, there's no detailed financial impact analysis, which could leave stakeholders unsure about the overall financial burden these regulations might impose.
Lack of Cost-Benefit Analysis: The absence of an explicit cost-benefit analysis raises questions about whether the financial burdens justify the expected benefits. This omission ties into concerns about whether the requirements are indeed necessary for the effective functioning of the Commission's duties.
Need for Clear Justification of Costs: Without explaining the necessity or rationale behind expanding the types of assets covered by reporting and recordkeeping requirements, stakeholders might question the economic justification. This can lead to concerns about whether the allocated resources, represented by the listed wages and roles, are being used efficiently.
Conclusion
The document's financial references offer a detailed framework of hourly costs associated with implementing the proposed reliability standards. However, the lack of explanation regarding the cost determinations and the broader financial implications leaves room for improvement in transparency. Addressing these areas could enhance stakeholder understanding and potentially increase support for the proposed changes.
Issues
• The document contains complex regulatory language that might be difficult for the general public to understand without specialized knowledge of energy regulations.
• The document does not clearly specify the financial impact or cost-benefit analysis of the proposed reporting and recordkeeping requirements, which could be seen as a lack of transparency regarding potential financial burdens.
• There are no specific examples or case studies provided to illustrate how the changes to the Reliability Standards would be implemented in practice, which could enhance understanding.
• The effectiveness and practical utility of the information collection are not fully explained, which might raise questions about the necessity of these requirements.
• The document mentions a 'weighted hourly cost (for wages and benefits)' without explaining how these percentages were determined, which could be seen as lacking transparency in the calculation of costs.
• It is unclear how the feedback from the public comments will specifically affect the proposed standards and their implementation.
• The reasons for expanding the types of assets to which the reporting and recordkeeping requirements apply are not detailed, which may raise concerns about necessity or potential overreach.