
Code · REGISTER · 2008-02-07 · DEPARTMENT OF LABOR · Notices

Notices. Notice of petitions for modification of existing mandatory safety standards



BILLING CODE 4410-36-M

DEPARTMENT OF LABOR
Employment and Training Administration
[TA-W-62,404]

Motor Wheel Commercial Vehicle Systems, Full Cast/Assembly Area, Berea, KY; Notice of Affirmative Determination Regarding Application for Reconsideration

On January 8, 2008, the Department of Labor (Department) received a request for administrative reconsideration of the Department's Notice of Negative Determination regarding workers' eligibility to apply for Alternative Trade Adjustment Assistance (ATAA) applicable to workers and former workers of the subject firm. The determination was issued on November 30, 2007. The Department's Notice of Determination Regarding ATAA was published in the **Federal Register** on December 11, 2007 (72 FR 70346).

The negative determination was based on the Department's findings that the workers in the workers' firm possess skills that are easily transferable.

In the request for reconsideration, a worker alleged that “salaries at other factories in similar jobs are much lower” than wages paid by the subject firm.

The Department has carefully reviewed the request for reconsideration and has determined that the Department will conduct further investigation.

Conclusion

After careful review of the application, I conclude that the claim is of sufficient weight to justify reconsideration of the U.S. Department of Labor's prior decision. The application is, therefore, granted.

Signed at Washington, DC, this 30th day of January 2008.

Elliott S. Kushner, Certifying Officer, Division of Trade Adjustment Assistance.

[FR Doc. E8-2240 Filed 2-6-08; 8:45 am]
BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR
Employment and Training Administration
[TA-W-57,802; TA-W-57,802F]

Sara Lee Branded Apparel Division Office, Division of Sara Lee Corporation, Formerly Known as National Textiles, LLC, Currently Known as Hanesbrands, Inc. Winston-Salem, NC; Including an Employee of Sara Lee Branded Apparel, Division Office, Division of Sara Lee Corporation, Formerly Known as National Textiles, LLC, Currently Known as Hanesbrands, Inc., Winston-Salem, NC Located in Covington, GA; Amended Certification Regarding Eligibility To Apply for Worker Adjustment Assistance and Negative Determination Regarding Eligibility To Apply for Alternative Trade Adjustment Assistance

In accordance with Section 223 of the Trade Act of 1974 (19 U.S.C. 2273), and Section 246 of the Trade Act of 1974 (26 U.S.C. 2813), as amended, the Department of Labor issued a Certification Regarding Eligibility to Apply for Worker Adjustment Assistance and a Negative Determination Regarding Eligibility to Apply for Alternative Trade Adjustment Assistance on September 28, 2005, applicable to workers of Sara Lee Branded Apparel, Division Office, Winston-Salem, North Carolina. The notice was published in the **Federal Register** on October 31, 2005 (70 FR 62347).

At the request of a petitioner and the State agency, the Department reviewed the certification for workers of the subject firm. New information shows that a worker separation occurred involving an employee of the Division Office, Winston-Salem, North Carolina facility of the Sara Lee Branded Apparel located in Covington, Georgia. Ms. Charlene Gautier provided sales and merchandizing support function services for the activities related to the production of underwear (shorts and T-shirts) produced by the subject company.

Based on these findings, the Department is amending this certification to include an employee of the Division Office, Winston-Salem, North Carolina facility of the Sara Lee Branded Apparel located in Covington, Georgia.

The intent of the Department's certification is to include all workers of Sara Lee Branded Apparel, Division Office, Winston-Salem, North Carolina who were adversely affected by increased imports.
The amended notice applicable to TA-W-57,802 is hereby issued as follows:

All workers of Sara Lee Branded Apparel, Division Office, Division of the Sara Lee Corporation, formerly known as National Textiles, LLC, currently known as Hanesbrands, Inc., Winston-Salem, North Carolina (TA-W-57,802), and including an employee of Sara Lee Branded Apparel, Division Office, Division of Sara Lee Corporation, currently known as Hanesbrands, Inc., Winston Salem, North Carolina, located in Covington, Georgia (TA-W-57,802F), who became totally or partially separated from employment on or after July 29, 2004, through September 28, 2007, are eligible to apply for adjustment assistance under Section 223 of the Trade Act of 1974.

I further determine that all workers of Sara Lee Branded Apparel, Division of the Sara Lee Corporation, formerly known as National Textiles, LLC, currently known as Hanesbrands, Inc., Winston-Salem, North Carolina (TA-W-57,802), and including an employee of Sara Lee Branded Apparel, Division Office, Division of Sara Lee Corporation, formerly known as National Textiles, LLC, currently known as Hanesbrands, Inc., Winston Salem, North Carolina, located in Covington, Georgia (TA-W-57,802F) are denied eligibility to apply for alternative trade adjustment assistance under Section 246 of the Trade Act of 1974.

Signed at Washington, DC, this 29th day of January 2008.

Elliott S. Kushner, Certifying Officer, Division of Trade Adjustment Assistance.

[FR Doc. E8-2235 Filed 2-6-08; 8:45 am]
BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR
Employment and Training Administration

Notice of Determinations Regarding Eligibility To Apply for Worker Adjustment Assistance and Alternative Trade Adjustment Assistance

In accordance with section 223 of the Trade Act of 1974, as amended (19 U.S.C. 2273) the Department of Labor herein presents summaries of determinations regarding eligibility to apply for trade adjustment assistance for workers (TA-W) number and alternative trade adjustment assistance (ATAA) by (TA-W) number issued during the period of *January 22 through January 25, 2008.*

In order for an affirmative determination to be made for workers of a primary firm and a certification issued regarding eligibility to apply for worker adjustment assistance, each of the group eligibility requirements of Section 222(a) of the Act must be met.

I. Section (a)(2)(A) all of the following must be satisfied:

A. A significant number or proportion of the workers in such workers' firm, or an appropriate subdivision of the firm, have become totally or partially separated, or are threatened to become totally or partially separated;

B. the sales or production, or both, of such firm or subdivision have decreased absolutely; and

C. increased imports of articles like or directly competitive with articles produced by such firm or subdivision have contributed importantly to such workers' separation or threat of separation and to the decline in sales or production of such firm or subdivision; or

II. Section (a)(2)(B) both of the following must be satisfied:

A. A significant number or proportion of the workers in such workers' firm, or an appropriate subdivision of the firm, have become totally or partially separated, or are threatened to become totally or partially separated;

B. there has been a shift in production by such workers' firm or subdivision to a foreign country of articles like or directly competitive with articles which are produced by such firm or subdivision; and

C. One of the following must be satisfied:

1. The country to which the workers' firm has shifted production of the articles is a party to a free trade agreement with the United States;

2. the country to which the workers' firm has shifted production of the articles to a beneficiary country under the Andean Trade Preference Act, African Growth and Opportunity Act, or the Caribbean Basin Economic Recovery Act; or

3. there has been or is likely to be an increase in imports of articles that are like or directly competitive with articles which are or were produced by such firm or subdivision.

Also, in order for an affirmative determination to be made for secondarily affected workers of a firm and a certification issued regarding eligibility to apply for worker adjustment assistance, each of the group eligibility requirements of section 222(b) of the Act must be met.

(1) A significant number or proportion of the workers in the workers' firm or an appropriate subdivision of the firm have become totally or partially separated, or are threatened to become totally or partially separated;

(2) the workers' firm (or subdivision) is a supplier or downstream producer to a firm (or subdivision) that employed a group of workers who received a certification of eligibility to apply for trade adjustment assistance benefits and such supply or production is related to the article that was the basis for such certification; and

(3) either—

(A) the workers' firm is a supplier and the component parts it supplied for the firm (or subdivision) described in paragraph (2) accounted for at least 20 percent of the production or sales of the workers' firm; or

(B) a loss of business by the workers' firm with the firm (or subdivision) described in paragraph (2) contributed importantly to the workers' separation or threat of separation.

In order for the Division of Trade Adjustment Assistance to issue a certification of eligibility to apply for Alternative Trade Adjustment Assistance (ATAA) for older workers, the group eligibility requirements of section 246(a)(3)(A)(ii) of the Trade Act must be met.

1. Whether a significant number of workers in the workers' firm are 50 years of age or older.

2. Whether the workers in the workers' firm possess skills that are not easily transferable.

3. The competitive conditions within the workers' industry (i.e., conditions within the industry are adverse).

Affirmative Determinations for Worker Adjustment Assistance

The following certifications have been issued. The date following the company name and location of each determination references the impact date for all workers of such determination.

The following certifications have been issued. The requirements of section 222(a)(2)(A) (increased imports) of the Trade Act have been met.

*None.*

The following certifications have been issued. The requirements of section 222(a)(2)(B) (shift in production) of the Trade Act have been met.

*None.*

The following certifications have been issued. The requirements of section 222(b) (supplier to a firm whose workers are certified eligible to apply for TAA) of the Trade Act have been met.

*None.*

The following certifications have been issued. The requirements of section 222(b) (downstream producer for a firm whose workers are certified eligible to apply for TAA based on increased imports from or a shift in production to Mexico or Canada) of the Trade Act have been met.

*None.*

Affirmative Determinations for Worker Adjustment Assistance and Alternative Trade Adjustment Assistance

The following certifications have been issued. The date following the company name and location of each determination references the impact date for all workers of such determination.

The following certifications have been issued. The requirements of Section 222(a)(2)(A) (increased imports) and section 246(a)(3)(A)(ii) of the Trade Act have been met.
*TA-W-62,388; Dresser Rand Company, Painted Post Operation, Superior Design, Madi, Painted Post, NY: October 23, 2006.*

*TA-W-62,419; Flowserve Corporation, Dayton Foundry Operations, Dayton, OH: November 5, 2006.*

*TA-W-62,517; Berkline/BenchCraft, LLC, Blue Mountain, MS: November 29, 2006.*

*TA-W-62,549; Fisher Hamilton L.L.C., Division of Thermo Fisher Scientific, Two Rivers, WI: February 10, 2008.*

*TA-W-62,371; Leach and Garner Company, North Attleboro, MA: October 26, 2006.*

*TA-W-62,416; Four Corners Pine, Trout Creek, MT: October 26, 2006.*

*TA-W-62,447; Georgia Pacific LLC, Wood Products Div., Sub Koch, East Texas Staffing, Logansport, LA: November 9, 2006.*

*TA-W-62,547; Lighting Products, Inc., Hubbard, OH: December 6, 2006.*

*TA-W-62,593; Cudahy Tanning Company Inc., Bell Resource, PA Staffing, Customized Industrial Placement, Cudahy, WI: December 19, 2006.*

*TA-W-62,594; Carrollton Specialty Products Company, Mexico, MO: December 19, 2006.*

The following certifications have been issued. The requirements of section 222(a)(2)(B) (shift in production) and section 246(a)(3)(A)(ii) of the Trade Act have been met.

*TA-W-62,524; Kester, Inc., Illinois Tool Works, Itasca, IL: November 30, 2006.*

*TA-W-62,567; Alcatel-Lucent, Global Supply Chain, Tucker Technologies, North Andover, MA: December 10, 2006.*

*TA-W-62,577; Warnaco Swimwear Products, Inc., Warnaco Swimwear Group, Los Angeles, CA: December 13, 2006.*

*TA-W-62,588; Rad Electronics, Inc., Triton Staffing Group, North Reading, MA: December 13, 2006.*

*TA-W-62,635; The St. John Companies, Inc., West Jordan Plant, West Jordan, UT: January 3, 2007.*

*TA-W-62,666; Liberty Screenprint, Wentworth Corporation, Madison, NC: January 19, 2008.*

*TA-W-62,667; GoldToeMoretz, LLC, Burlington Manufacturing Division, Burlington, NC: December 21, 2007.*

*TA-W-62,678; Dual-Lite Cayman Ltd, Lighting Division, Naguabo, PR: January 10, 2007.*

*TA-W-62,425; Stoney Point Products, Inc., Also Known as Bushell Outdoor Products, New Ulm, MN: November 6, 2006.*

*TA-W-62,500; Credence Systems Corp., Comsys, ESM, Express Personnel and I3, Hillsboro, OR: November 21, 2007.*

*TA-W-62,500A; Credence Systems Corp., Comsys, ESM, Express Personnel and I3, Milpitas, CA: November 21, 2007.*

*TA-W-62,556; Magneti Marelli North America, Inc., Cofap Div., Including Accuforce, Kingsport, TN: December 11, 2006.*

*TA-W-62,564; Holt Sublimation Printing and Products, Inc., Burlington, NC: December 11, 2006.*

*TA-W-62,604; Sintec Keramik USA, Inc., Bridgeport, CT: December 21, 2006.*

*TA-W-62,645; Spotless Enterprises d/b/a Plasti-Form, Leased Workers of Pinnacle Staffing, Asheville, NC: January 7, 2007.*

The following certifications have been issued. The requirements of Section 222(b) (supplier to a firm whose workers are certified eligible to apply for TAA) and section 246(a)(3)(A)(ii) of the Trade Act have been met.

*TA-W-62,529; Jones Plastics and Engineering Co., LLC, Leitchfield Plastics, On-Site Leased Workers from Omni Personnel, Leitchfield, KY: November 29, 2006.*

*TA-W-62,586; Tennplasco, Division of Manar, Inc., Lafayette, TN: December 17, 2006.*

The following certifications have been issued. The requirements of section 222(b) (downstream producer for a firm whose workers are certified eligible to apply for TAA based on increased imports from or a shift in production to Mexico or Canada) and section 246(a)(3)(A)(ii) of the Trade Act have been met.
*None.*

Negative Determinations for Alternative Trade Adjustment Assistance

In the following cases, it has been determined that the requirements of 246(a)(3)(A)(ii) have not been met for the reasons specified.

The Department has determined that criterion (1) of section 246 has not been met. The firm does not have a significant number of workers 50 years of age or older.

*None.*

The Department has determined that criterion (2) of section 246 has not been met. Workers at the firm possess skills that are easily transferable.

*None.*

The Department has determined that criterion (3) of section 246 has not been met. Competition conditions within the workers' industry are not adverse.

*None.*

Negative Determinations for Worker Adjustment Assistance and Alternative Trade Adjustment Assistance

In the following cases, the investigation revealed that the eligibility criteria for worker adjustment assistance have not been met for the reasons specified. Because the workers of the firm are not eligible to apply for TAA, the workers cannot be certified eligible for ATAA.

The investigation revealed that criteria (a)(2)(A)(I.A.) and (a)(2)(B)(II.A.) (employment decline) have not been met.

*TA-W-62,696; J. J. Peiger Company, Pittsburgh, PA.*

The investigation revealed that criteria (a)(2)(A)(I.B.) (Sales or production, or both, did not decline) and (a)(2)(B)(II.B.) (shift in production to a foreign country) have not been met.

*None.*

The investigation revealed that criteria (a)(2)(A)(I.C.) (increased imports) and (a)(2)(B)(II.B.) (shift in production to a foreign country) have not been met.

*TA-W-62,321; Dexter Axle, Inc., Tomkins Industries, Manchester, IN.*

*TA-W-62,391; Multilayer Coating Technologies, LLC, New Bedford, MA.*

*TA-W-62,649; A & R Machine Company, Inc., East Sparta, OH.*

The workers' firm does not produce an article as required for certification under Section 222 of the Trade Act of 1974.

*TA-W-62,206; Liz Claiborne, Inc., Distribution Center, North Bergen, NJ.*

*TA-W-62,504; Electronic Data Systems, Data Management Team For Dow Chemical, Midland, MI.*

*TA-W-62,694; Girard School District, Transportation Division, Girard, PA.*

The investigation revealed that the criteria of section 222(b)(2) have not been met. The workers' firm (or subdivision) is not a supplier to or a downstream producer for a firm whose workers were certified eligible to apply for TAA.
*None.*

I hereby certify that the aforementioned determinations were issued during the period of *January 22 through January 25, 2008.* Copies of these determinations are available for inspection in Room C-5311, U.S. Department of Labor, 200 Constitution Avenue, NW., Washington, DC 20210 during normal business hours or will be mailed to persons who write to the above address.

Dated: January 31, 2008.

Ralph DiBattista, Director, Division of Trade Adjustment Assistance.

[FR Doc. E8-2234 Filed 2-6-08; 8:45 am]
BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR
Employment and Training Administration
[TA-W-62,210A; TA-W-62,210B]

Dexter Chemical LLC, Textile Chemicals Division, Charlotte, North Carolina; Including an Employee of Dexter Chemical LLC, Textile Chemicals Division, Charlotte, North Carolina, Located in Marietta, Georgia; Amended Certification Regarding Eligibility to Apply for Worker Adjustment Assistance and Alternative Trade Adjustment Assistance

In accordance with Section 223 of the Trade Act of 1974 (19 U.S.C. 2273), and Section 246 of the Trade Act of 1974 (26 U.S.C. 2813), as amended, the Department of Labor issued a Certification Regarding Eligibility to Apply for Worker Adjustment Assistance and Alternative Trade Adjustment Assistance on November 5, 2007, applicable to workers of Dexter Chemical LLC, Textile Chemicals Division, Charlotte, North Carolina. The notice was published in the **Federal Register** on November 21, 2007 (72 FR 65607).

At the request of the State agency, the Department reviewed the certification for workers of the subject firm. New information shows that a worker separation occurred involving an employee of the Charlotte, North Carolina facility of Dexter Chemical LLC, Textile Chemicals Division located in Marietta, Georgia. Mr. Richard H. Bass provided sales function services supporting the production of specialty chemicals for the textile industry that is produced at the subject firm.

Based on these findings, the Department is amending this certification to include an employee of the Charlotte, North Carolina facility of Dexter Chemical LLC, Textile Chemicals Division working out of Marietta, Georgia.

The intent of the Department's certification is to include all workers of Dexter Chemical LLC, Textile Chemicals Division, Charlotte, North Carolina who were adversely affected by increased imports as an upstream supplier of component parts for textiles.

The amended notice applicable to TA-W-62,210A is hereby issued as follows:

“All workers of Dexter Chemical LLC, Textile Chemicals Division, Charlotte, North Carolina (TA-W-62,210A) including an employee of Dexter Chemical LLC, Textile Chemicals Division, Charlotte, North Carolina located in Marietta, Georgia (TA-W-62,210B), who became totally or partially separated from employment on or after September 25, 2006, through November 5, 2009, are eligible to apply for adjustment assistance under Section 223 of the Trade Act of 1974, and are also eligible to apply for alternative trade adjustment assistance under Section 246 of the Trade Act of 1974.”

Signed at Washington, DC this 29th day of January 2008.

Elliott S. Kushner, Certifying Officer, Division of Trade Adjustment Assistance.

[FR Doc. E8-2239 Filed 2-6-08; 8:45 am]
BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR
Employment and Training Administration

Investigations Regarding Certifications of Eligibility To Apply for Worker Adjustment Assistance and Alternative Trade Adjustment Assistance

Petitions have been filed with the Secretary of Labor under Section 221(a) of the Trade Act of 1974 (“the Act”) and are identified in the Appendix to this notice. Upon receipt of these petitions, the Director of the Division of Trade Adjustment Assistance, Employment and Training Administration, has instituted investigations pursuant to Section 221(a) of the Act.
The purpose of each of the investigations is to determine whether the workers are eligible to apply for adjustment assistance under Title II, Chapter 2, of the Act. The investigations will further relate, as appropriate, to the determination of the date on which total or partial separations began or threatened to begin and the subdivision of the firm involved.

The petitioners or any other persons showing a substantial interest in the subject matter of the investigations may request a public hearing, provided such request is filed in writing with the Director, Division of Trade Adjustment Assistance, at the address shown below, not later than February 19, 2008.

Interested persons are invited to submit written comments regarding the subject matter of the investigations to the Director, Division of Trade Adjustment Assistance, at the address shown below, not later than February 19, 2008.

The petitions filed in this case are available for inspection at the Office of the Director, Division of Trade Adjustment Assistance, Employment and Training Administration, U.S. Department of Labor, Room C-5311, 200 Constitution Avenue, NW., Washington, DC 20210.

Signed at Washington, DC, this 31st day of January 2008.

Ralph DiBattista, Director, Division of Trade Adjustment Assistance.

APPENDIX [TAA petitions instituted between 1/22/08 and 1/25/08]

| TA-W | Subject firm (petitioners) | Location | Date of institution | Date of petition |
|---|---|---|---|---|
| 62708 | USR Optonix, Inc. (Comp) | Washington, NJ | 01/22/08 | 01/16/08 |
| 62709 | ITT Corp., Koni Friction Product Div. (State) | Searcy, AR | 01/22/08 | 01/18/08 |
| 62710 | Mahle Engine Components (USWA) | Caldwell, OH | 01/22/08 | 01/17/08 |
| 62711 | Carrollton Specialty Products (Wkrs) | Carrollton, MO | 01/22/08 | 01/17/08 |
| 62712 | Emerson Motor Co/Hurst Manufacturing (Comp) | Princeton, IN | 01/22/08 | 01/21/08 |
| 62713 | NGT Controls, Inc. (State) | Irvine, CA | 01/22/08 | 01/18/08 |
| 62714 | F.W. Rickard Seeds (Wrks) | Winchester, KY | 01/22/08 | 01/21/08 |
| 62715 | Formica Corporation (Comp) | Odenton, MD | 01/22/08 | 01/17/08 |
| 62716 | Lunt Manufacturing Co., Inc. (Comp) | Hampshire, IL | 01/23/08 | 01/18/08 |
| 62717 | EGS Electrical Group (TLC) | Celina, TN | 01/23/08 | 01/22/08 |
| 62718 | Fraser Timber Limited (Comp) | Ashland, ME | 01/23/08 | 01/19/08 |
| 62719 | OSRAM Sylvania (IAMAW) | Warren, PA | 01/23/08 | 01/22/08 |
| 62720 | Pfizer Company (Wrks) | Portage, MI | 01/23/08 | 01/22/08 |
| 62721 | Kirby Lester, LLC (State) | Stamford, CT | 01/23/08 | 01/22/08 |
| 62722 | Benson Manufacturing, Inc. (Wkrs) | Mineral Wells, WV | 01/23/08 | 01/03/08 |
| 62723 | Chestertown Foods, Inc. (State) | Chestertown, MD | 01/23/08 | 01/07/08 |
| 62724 | Keola Precision Technology, Inc. (State) | Fremont, CA | 01/23/08 | 01/14/08 |
| 62725 | Elmet Technologies (State) | Lewiston, ME | 01/23/08 | 01/22/08 |
| 62726 | Metaldyne (Wkrs) | Farmington Hills, MI | 01/23/08 | 01/17/08 |
| 62727 | KAM Plastics, Inc. (State) | Holland, MI | 01/23/08 | 01/22/08 |
| 62728 | Haldex Brake Products Corporation (Comp) | Prattville, AL | 01/24/08 | 01/23/08 |
| 62729 | McComb Mill Manufacturing Company, Inc. (Comp) | McComb, MS | 01/24/08 | 01/22/08 |
| 62730 | Bartech Group (workers assigned to Delphi) (Wkrs) | Oak Creek, WI | 01/24/08 | 01/18/08 |
| 62731 | Lufkin Industries, Inc. (Comp) | Lufkin, TX | 01/24/08 | 01/16/08 |
| 62732 | Tall, Inc. (Rep) | Miami, FL | 01/24/08 | 01/18/08 |
| 62733 | Ravenna Aluminum, Inc. (Comp) | Ravenna, OH | 01/24/08 | 12/28/07 |
| 62734 | Imerys Kaolin (USWA) | Dry Branch, GA | 01/24/08 | 01/21/08 |
| 62735 | GKN Driveline North America, Inc. (Comp) | Sanford, NC | 01/25/08 | 01/24/08 |
| 62736 | Meade Instruments Corporation (State) | Irvine, CA | 01/25/08 | 01/24/08 |
| 62737 | Cherry Electrical Products (Rep) | Pleasant Prairie, WI | 01/25/08 | 01/22/08 |
| 62738 | Siemens Medical Solutions USA, Inc. (Comp) | Mountain View, CA | 01/25/08 | 01/23/08 |
| 62739 | Plymouth Rubber Co. LLC (Comp) | Canton, MA | 01/25/08 | 01/24/08 |
| 62740 | Tail, Inc. (Rep) | Miami, FL | 01/25/08 | 01/18/08 |
| 62741 | Corel (Wkrs) | Eden Prairie, MN | 01/25/08 | 01/22/08 |
| 62742 | Edge Builder Wall Panels, Inc./Norse Division (Wkrs) | Oakdale, MN | 01/25/08 | 01/11/08 |
| 62743 | Hearthstone Enterprises, Inc./dba Charleston Forge (Comp) | Boone, NC | 01/25/08 | 01/24/08 |
| 62744 | Epitec Group (State) | Southfield, MI | 01/25/08 | 01/15/08 |
| 62745 | Fourth Generation Services, Inc. (State) | Troy, MI | 01/25/08 | 01/15/08 |

[FR Doc. E8-2233 Filed 2-6-08; 8:45 am]
BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR
Employment and Training Administration
[TA-W-62,101]

American Woodmark, Hardy County Plant, Moorefield, WV; Notice of Negative Determination on Reconsideration

On November 30, 2007, the Department issued an Affirmative Determination Regarding Application for Reconsideration for the workers and former workers of the subject firm. The notice was published in the **Federal Register** on December 11, 2007 (72 FR 70344).

The initial investigation resulted in a negative determination based on the finding that imports of kitchen cabinet parts did not contribute importantly to worker separations at the subject firm and no shift of production to a foreign source occurred. The investigation also revealed that the products manufactured at the subject firm are sent to other affiliated facilities for further finishing and assembly.

The Carpenters Industrial Council, United Brotherhood of Carpenters and Joiners of America filed a request for reconsideration in which they contend that the workers of the subject firm build and assemble the finished products, which does not require further manufacturing and are sold to customers. The petitioner also requested that the Department of Labor investigate whether there was an increase in imports of articles like or directly competitive with products manufactured at the subject firm.

The Department contacted a company official to verify products manufactured at the subject firm and whether the subject firm had any outside customers. During reconsideration, the company official provided new information and confirmed that the subject firm manufactures kitchen cabinet parts and hardwood cabinets which are sold to outside customers.
The official also supplied the Department with a list of major declining customers who purchased hardwood cabinets from the subject firm. The Department of Labor surveyed the major declining customers of the subject firm regarding their purchases of like or directly competitive products with hardwood cabinets purchased from the subject firm in 2005, 2006, and during January through September 2007 over the corresponding 2006 period. The survey revealed that the customers did not increase their import purchases while decreasing purchases from the subject firm.

The subject firm did not import hardwood cabinets nor was there a shift in production from the subject firm abroad during the relevant period.

Conclusion

After reconsideration, I affirm the original notice of negative determination of eligibility to apply for worker adjustment assistance for workers and former workers of American Woodmark, Hardy County Plant, Moorefield, West Virginia.

Signed at Washington, DC, this 29th day of January, 2008.

Elliott S. Kushner, Certifying Officer, Division of Trade Adjustment Assistance.

[FR Doc. E8-2236 Filed 2-6-08; 8:45 am]
BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR
Employment and Training Administration
[TA-W-62,189]

Diaz Intermediates Corporation, West Memphis, AR; Notice of Negative Determination Regarding Application for Reconsideration

By letter dated December 28, 2007, a company official requested administrative reconsideration regarding the Department's Negative Determination Regarding Eligibility to Apply for Worker Adjustment Assistance, applicable to the workers of the subject firm. The denial notice was signed on November 28, 2007 and published in the **Federal Register** on December 11, 2007 (72 FR 70346).

Pursuant to 29 CFR 90.18(c) reconsideration may be granted under the following circumstances:

(1) If it appears on the basis of facts not previously considered that the determination complained of was erroneous;

(2) If it appears that the determination complained of was based on a mistake in the determination of facts not previously considered; or

(3) If in the opinion of the Certifying Officer, a misinterpretation of facts or of the law justified reconsideration of the decision.

The initial investigation resulted in a negative determination which was based on the finding that imports of brominated chemical intermediates (i.e., bromobenzene, m-bromoanisole, n-propyl bromide, and other organics) did not contribute importantly to worker separations at the subject plant and no shift of production to a foreign source occurred. The “contributed importantly” test is generally demonstrated through a survey of the workers' firm's declining customers. The survey revealed customers did not purchase imported brominated chemical intermediates during the relevant period. The subject firm did not import brominated chemical intermediates and no shift in production of brominated chemical intermediates to a foreign country occurred.

The petitioner stated that most of the subject firm's sales were for export; however, there were losses in sales to domestic customers. The petitioner provided the name of a customer which ceased purchases from the subject firm in 2005 and at the same time started importing products like or directly competitive with brominated chemical intermediates produced by the subject firm.

When assessing eligibility for Trade Adjustment Assistance (TAA), the Department exclusively considers import impact during the relevant time period (one year prior to the date of the petition). The Department surveyed customers of the subject firm regarding their purchases of brominated chemical intermediates during the relevant period. The survey revealed no imports of brominated chemical intermediates during the relevant period.

Conclusion

After review of the application and investigative findings, I conclude that there has been no error or misinterpretation of the law or of the facts which would justify reconsideration of the Department of Labor's prior decision. Accordingly, the application is denied.
Signed in Washington, DC, this 30th day of January 2008. Elliott S. Kushner, Certifying Officer, Division of Trade Adjustment Assistance. [FR Doc. E8-2237 Filed 2-6-08; 8:45 am] BILLING CODE 4510-FN-P DEPARTMENT OF LABOR Employment and Training Administration [TA-W-62,207] Diaz Intermediates Corporation, Brockport, NY; Notice of Negative Determination Regarding Application for Reconsideration By application dated December 28, 2007, a company official requested administrative reconsideration of the Department's negative determination regarding eligibility to apply for Trade Adjustment Assistance (TAA), applicable to workers and former workers of the subject firm. The denial notice was signed on November 28, 2007 and published in the **Federal Register** on December 11, 2007 (72 FR 70346). Pursuant to 29 CFR 90.18(c) reconsideration may be granted under the following circumstances:
(1) If it appears on the basis of facts not previously considered that the determination complained of was erroneous;
(2) If it appears that the determination complained of was based on a mistake in the determination of facts not previously considered; or
(3) If in the opinion of the Certifying Officer, a misinterpretation of facts or of the law justified reconsideration of the decision.

The investigation revealed that workers of the subject firm were in support of production of brominated chemical intermediates at Diaz Intermediates Corporation, West Memphis, Arkansas. The initial investigation resulted in a negative determination which was based on the finding that imports of brominated chemical intermediates (i.e., bromobenzene, m-bromoanisole, n-propyl bromide, and other organics) did not contribute importantly to worker separations at the subject plant and no shift of production to a foreign source occurred. The “contributed importantly” test is generally demonstrated through a survey of the workers' firm's declining customers. The survey revealed customers did not purchase imports of brominated chemical intermediates during the relevant period. The subject firm did not import brominated chemical intermediates, and no shift in production of brominated chemical intermediates to a foreign country occurred.

The petitioner stated that most of the subject firm's sales were for export, and that there were losses in sales to domestic customers. The petitioner provided the name of a customer which ceased purchases from the subject firm in 2005 and at the same time started importing products like or directly competitive with brominated chemical intermediates produced by the subject firm. When assessing eligibility for TAA, the Department exclusively considers import impact during the relevant time period (one year prior to the date of the petition). The Department surveyed customers of the subject firm regarding their purchases of brominated chemical intermediates during the relevant period. The survey revealed no imports of brominated chemical intermediates during the relevant period.
Conclusion

After review of the application and investigative findings, I conclude that there has been no error or misinterpretation of the law or of the facts which would justify reconsideration of the Department of Labor's prior decision. Accordingly, the application is denied.

Signed in Washington, DC, this 30th day of January, 2008. Elliott S. Kushner, Certifying Officer, Division of Trade Adjustment Assistance.

[FR Doc. E8-2238 Filed 2-6-08; 8:45 am] BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR Employment and Training Administration [TA-W-62,668] Conrad Forest Products, Conrad Forest Products, North Bend, OR; Notice of Termination of Investigation

Pursuant to Section 221 of the Trade Act of 1974, as amended, an investigation was initiated on January 11, 2008, in response to a worker petition filed by a company official on behalf of workers at Conrad Forest Products, North Bend, Oregon. The petitioner has requested that the petition be withdrawn. Consequently, the investigation has been terminated.

Signed at Washington, DC, this 29th day of January 2008. Richard Church, Certifying Officer, Division of Trade Adjustment Assistance.

[FR Doc. E8-2232 Filed 2-6-08; 8:45 am] BILLING CODE 4510-FN-P

DEPARTMENT OF LABOR Mine Safety and Health Administration Petitions for Modification

AGENCY: Mine Safety and Health Administration, Labor.

ACTION: Notice of petitions for modification of existing mandatory safety standards.

SUMMARY: Section 101(c) of the Federal Mine Safety and Health Act of 1977 and 30 CFR Part 44 govern the application, processing, and disposition of petitions for modification. This notice is a summary of petitions for modification filed by the parties listed below to modify the application of existing mandatory safety standards published in Title 30 of the Code of Federal Regulations.

DATES: All comments on the petitions must be received by the Office of Standards, Regulations, and Variances on or before March 10, 2008.
ADDRESSES: You may submit your comments, identified by “docket number” on the subject line, by any of the following methods:
1. *Electronic Mail:* Standards-Petitions@dol.gov.
2. *Facsimile:* 1-202-693-9441.
3. *Regular Mail:* MSHA, Office of Standards, Regulations, and Variances, 1100 Wilson Boulevard, Room 2349, Arlington, Virginia 22209, Attention: Patricia W. Silvey, Director, Office of Standards, Regulations, and Variances.
4. *Hand-Delivery or Courier:* MSHA, Office of Standards, Regulations, and Variances, 1100 Wilson Boulevard, Room 2349, Arlington, Virginia 22209, Attention: Patricia W. Silvey, Director, Office of Standards, Regulations, and Variances.

We will consider only comments postmarked by the U.S. Postal Service or proof of delivery from another delivery service such as UPS or Federal Express on or before the deadline for comments. Individuals who submit comments by hand-delivery are required to check in at the receptionist desk on the 21st floor. Individuals may inspect copies of the petitions and comments during normal business hours at the address listed above.

FOR FURTHER INFORMATION CONTACT: Edward Sexauer, Chief, Regulatory Development Division at 202-693-9444 (Voice), *sexauer.edward@dol.gov* (E-mail), or 202-693-9441 (Telefax), or contact Barbara Barron at 202-693-9447 (Voice), *barron.barbara@dol.gov* (E-mail), or 202-693-9441 (Telefax). [These are not toll-free numbers.]

SUPPLEMENTARY INFORMATION:

I. Background

Section 101(c) of the Federal Mine Safety and Health Act of 1977 (Mine Act) allows the mine operator or representative of miners to file a petition to modify the application of any mandatory safety standard to a coal or other mine if the Secretary determines that:
(1) An alternative method of achieving the result of such standard exists which will at all times guarantee no less than the same measure of protection afforded the miners of such mine by such standard; or
(2) that the application of such standard to such mine will result in a diminution of safety to the miners in such mine.

In addition, the regulations at 30 CFR 44.10 and 44.11 establish the requirements and procedures for filing petitions for modifications.

II. Petitions for Modification

*Docket Number:* M-2007-073-C. *Petitioner:* B & B Coal Company, 225 East Main Street, Joliett, Pennsylvania 17981. *Mine:* B & B Rockridge Slope, MSHA I.D. No. 36-07741, located in Schuylkill County, Pennsylvania. *Regulation Affected:* 30 CFR 75.311(a) (Main mine fan operation). *Modification Request:* The petitioner requests a modification of the existing standard to allow the main mine fan to be idle during non-working hours. The petitioner states that historically, the main mine fan operation has been shut down during non-working shifts because of icing during the winter months. The petitioner proposes to use the following stipulations in the fan stoppage plan:
(1) Shut the main mine fan down during idle periods;
(2) no mechanized equipment will be used underground;
(3) no electric power circuits enter the underground mine;
(4) the main mine fan will be operated for a minimum of one-half hour after the pressure recorder indicates that the normal mine ventilating pressure has been reached prior to anyone entering the mine;
(5) the mine battery locomotive may be used to make the required pre-shift examination;
(6) the communication circuit (9 volts) will be energized prior to the pre-shift examination being made;
(7) a certified person will conduct an examination of the entire mine according to the requirements in 30 CFR 75.360; and
(8) persons will be allowed to enter the mine after it is determined to be safe and the pre-shift examination results have been recorded.

The petitioner further states that repeated testing of methane concentrations has shown that concentration levels have at no time risen above 0.0 percent. The petitioner asserts that the proposed alternative method would provide at least the same measure of protection as the existing standard.

*Docket Number:* M-2007-074-C. *Petitioner:* KenAmerican Resources, Inc., 7590 State Route 181, Central City, Kentucky 42330. *Mine:* Paradise Mine, MSHA I.D. No. 15-17741, located in Muhlenberg County, Kentucky. *Regulation Affected:* 30 CFR 75.350 (Belt air course ventilation). *Modification Request:* The petitioner proposes to develop two inner seam slopes from the No. 11 coal seam to the No. 9 coal seam, vertically a distance of approximately 110 feet. The petitioner states that:
(1) The slopes are designed at a nine degree slope for a total distance of 1,000 feet;
(2) as an alternative plan, air locks will be used at both the top and bottom of the belt/return slope so that the belt and return will be one slope for the purpose of return air and coal haulage;
(3) a carbon monoxide monitoring system will be used on the belt at the top and bottom of the slope with monitoring via computer in the mine office and the mine dispatcher station on the surface; and
(4) return air coursed up the slope will be routed to the return at the top of the slope and will not mix with belt air.

The petitioner asserts that the proposed alternative method will at all times guarantee the same measure of protection and safety afforded the miners by the mandatory standard.

*Docket Number:* M-2008-001-C. *Petitioner:* S & M Coal Company, 1744 E. Grand Avenue, Tower City, Pennsylvania 17980. *Mine:* Buck Mountain Slope, MSHA I.D. No. 36-02022, located in Dauphin County, Pennsylvania. *Regulation Affected:* 30 CFR 75.1400 (Hoisting equipment; general). *Modification Request:* The petitioner proposes to use the slope car (gunboat) to transport persons in shafts and slopes using an increased rope strength/safety factor and a secondary safety rope connection instead of using safety catches or other no less effective devices. The petitioner asserts that a functional safety catch capable of working properly in slopes with knuckles and curves has not been developed and that the proposed alternative method will not provide less than the same measure of protection afforded the miners under the current standard.

Dated: January 30, 2008. Jack Powasnik, Deputy Director, Office of Standards, Regulations, and Variances.

[FR Doc. E8-2229 Filed 2-6-08; 8:45 am] BILLING CODE 4510-43-P

DEPARTMENT OF LABOR Occupational Safety and Health Administration [Docket No. OSHA-2006-0040] SGS U.S. Testing Company, Inc.; Expansion of Recognition

AGENCY: Occupational Safety and Health Administration (OSHA), Labor.

ACTION: Notice.

SUMMARY: This notice announces the Occupational Safety and Health Administration's final decision expanding the recognition of SGS U.S. Testing Company, Inc., (SGSUS) as a Nationally Recognized Testing Laboratory under 29 CFR 1910.7.

DATES: The expansion of recognition becomes effective on February 7, 2008.
FOR FURTHER INFORMATION CONTACT: MaryAnn Garrahan, Director, Office of Technical Programs and Coordination Activities, NRTL Program, Occupational Safety and Health Administration, U.S. Department of Labor, 200 Constitution Avenue, NW., Room N-3655, Washington, DC 20210, or phone (202) 693-2110.

SUPPLEMENTARY INFORMATION:

Notice of Final Decision

The Occupational Safety and Health Administration (OSHA) hereby gives notice of the expansion of recognition of SGS U.S. Testing Company, Inc., (SGSUS) as a Nationally Recognized Testing Laboratory (NRTL). The expansion covers the use of additional test standards. OSHA's current scope of recognition for SGSUS may be found in the following informational Web page: *http://www.osha.gov/dts/otpca/nrtl/sgs.html*.

OSHA recognition of an NRTL signifies that the organization has met the legal requirements in Section 1910.7 of Title 29, Code of Federal Regulations (29 CFR 1910.7). Recognition is an acknowledgment that the organization can perform independent safety testing and certification of the specific products covered within its scope of recognition and is not a delegation or grant of government authority. As a result of recognition, employers may use products properly approved by the NRTL to meet OSHA standards that require testing and certification.

The Agency processes applications by an NRTL for initial recognition or for expansion or renewal of this recognition following requirements in Appendix A to 29 CFR 1910.7. This appendix requires that the Agency publish two notices in the **Federal Register** in processing an application. In the first notice, OSHA announces the application and provides its preliminary finding and, in the second notice, the Agency provides its final decision on the application. These notices set forth the NRTL's scope of recognition or modifications of that scope. We maintain an informational Web page for each NRTL that details its scope of recognition. These pages can be accessed from our Web site at *http://www.osha.gov/dts/otpca/nrtl/index.html*.

SGSUS applied on September 28, 2005, for expansion of its recognition to add seven test standards to its scope (see Exhibit 18-2, as cited in the preliminary notice). The NRTL Program staff determined that each of these standards is an “appropriate test standard” within the meaning of 29 CFR 1910.7(c).
OSHA staff performed an on-site visit of the NRTL's Fairfield site in September 2005. Based on this visit, in February 2006, the staff recommended the expansion to include the seven additional test standards (see Exhibit 18-4, as cited in the preliminary notice). Therefore, OSHA is approving these test standards for the expansion.

The preliminary notice announcing the expansion application and the SGSUS renewal application was published in the **Federal Register** on October 6, 2006 (71 FR 59131). Comments were requested by October 23, 2006, but no comments were received in response to this notice. However, publication of the final notice has been delayed to address matters unrelated to the expansion, which OSHA is now granting through this final notice. The renewal application will be the subject of a future notice. The most recent application processed by OSHA specifically related to the recognition of SGSUS granted an expansion, and the final notice for this expansion was published on May 12, 2000 (65 FR 30638).

You may obtain or review copies of all public documents pertaining to the SGSUS application by contacting the Docket Office, Occupational Safety and Health Administration, U.S. Department of Labor, 200 Constitution Avenue, NW., Room N-2625, Washington, DC 20210. Docket No. OSHA-2006-0040 (formerly NRTL2-90) contains all materials in the record concerning the recognition of SGSUS.

The current address of the SGSUS facility (site) already recognized by OSHA is: SGS U.S. Testing Company, Inc., 291 Fairfield Avenue, Fairfield, New Jersey 07004.

Final Decision and Order

NRTL Program staff has examined the application, the assessor's recommendation, and other pertinent information. Based upon this examination and the assessor's recommendation, OSHA finds that SGSUS has met the requirements of 29 CFR 1910.7 for expansion of its recognition, subject to the limitation and conditions listed below. Pursuant to the authority in 29 CFR 1910.7, OSHA hereby expands the recognition of SGSUS, subject to this limitation and these conditions.

Limitation

OSHA limits the expansion of recognition of SGSUS to testing and certification of products for demonstration of conformance to the following test standards, each of which OSHA has determined is an appropriate test standard, within the meaning of 29 CFR 1910.7(c):
UL 62 Flexible Cords and Cables
UL 355 Cord Reels
UL 498 Attachment Plugs and Receptacles
UL 498A Current Taps and Adapters
UL 817 Cord Sets and Power-Supply Cords
UL 1363 Relocatable Power Taps
UL 1581 Electrical Wires, Cables, and Flexible Cords

The designations and titles of the above test standards were current at the time of the preparation of this final notice. OSHA's recognition of SGSUS, or any NRTL, for a particular test standard is limited to equipment or materials (i.e., products) for which OSHA standards require third-party testing and certification before use in the workplace. Consequently, if a test standard also covers any product(s) for which OSHA does not require such testing and certification, an NRTL's scope of recognition does not include that product(s). A test standard listed above may be approved as an American National Standard by the American National Standards Institute (ANSI). However, for convenience, we use the designation of the standards developing organization for the standard as opposed to the ANSI designation.
Under our procedures, any NRTL recognized for an ANSI-approved test standard may use either the latest proprietary version of the test standard or the latest ANSI version of that standard. You may contact ANSI to find out whether or not a test standard is currently ANSI-approved.

Conditions

SGSUS must also abide by the following conditions of the recognition, in addition to those already required by 29 CFR 1910.7:

OSHA must be allowed access to SGSUS's facilities and records for purposes of ascertaining continuing compliance with the terms of its recognition and to investigate as OSHA deems necessary;

If SGSUS has reason to doubt the efficacy of any test standard it is using under this program, it must promptly inform the test standard developing organization of this fact and provide that organization with appropriate relevant information upon which its concerns are based;

SGSUS must not engage in or permit others to engage in any misrepresentation of the scope or conditions of its recognition. As part of this condition, SGSUS agrees that it will allow no representation that it is either a recognized or an accredited Nationally Recognized Testing Laboratory (NRTL) without clearly indicating the specific equipment or material to which this recognition is tied, or that its recognition is limited to certain products;

SGSUS must inform OSHA as soon as possible, in writing, of any change of ownership, facilities, or key personnel, and of any major changes in its operations as an NRTL, including details;

SGSUS will meet all the terms of its recognition and will always comply with all OSHA policies pertaining to this recognition; and

SGSUS will continue to meet the requirements for recognition in all areas where it has been recognized.

Signed at Washington, DC, this 30th day of January, 2008. Edwin G. Foulke, Jr., Assistant Secretary for Occupational Safety and Health.

[FR Doc. E8-2199 Filed 2-6-08; 8:45 am] BILLING CODE 4510-26-P

DEPARTMENT OF LABOR Occupational Safety and Health Administration [Docket No. OSHA-2007-0043] TUV America, Inc.; Application for Expansion of Recognition

AGENCY: Occupational Safety and Health Administration (OSHA), Labor.

ACTION: Notice.

SUMMARY: This notice announces the application of TUV America, Inc., (TUVAM) for expansion of its recognition and presents the Agency's preliminary finding to grant this request. This preliminary finding does not constitute an interim or temporary approval of this application.

DATES: You must submit information or comments, or any request for extension of the time to comment, by the following dates:
• Hard copy: postmarked or sent by February 22, 2008.
• Electronic transmission or facsimile: sent by February 22, 2008.

ADDRESSES: You may submit comments by any of the following methods:

*Electronically:* You may submit comments and attachments electronically at *http://www.regulations.gov,* which is the Federal eRulemaking Portal. Follow the instructions online for making electronic submissions.

*Fax:* If your submissions, including attachments, are not longer than 10 pages, you may fax them to the OSHA Docket Office at (202) 693-1648.

*Mail, hand delivery, express mail, messenger, or courier service:* You must submit three copies of your comments and attachments to the OSHA Docket Office, Docket No. OSHA-2007-0043 (formerly, NRTL2-2001), U.S. Department of Labor, Room N-2625, 200 Constitution Avenue, NW., Washington, DC 20210. Deliveries (hand, express mail, messenger and courier service) are accepted during the Department of Labor's and Docket Office's normal business hours, 8:15 a.m.-4:45 p.m., e.t.

*Instructions:* All submissions must include the Agency name and the OSHA docket number for this notice (OSHA Docket No. OSHA-2007-0043). Submissions, including any personal information you provide, are placed in the public docket without change and may be made available online at *http://www.regulations.gov.*

*Docket:* To read or download submissions or other material in the docket, go to *http://www.regulations.gov* or the OSHA Docket Office at the address above. All documents in the docket are listed in the *http://www.regulations.gov* index; however, some information (e.g., copyrighted material) is not publicly available to read or download through the Web site. All submissions, including copyrighted material, are available for inspection and copying at the OSHA Docket Office.

*Extension of Comment Period:* Submit requests for extensions concerning this notice to the Office of Technical Programs and Coordination Activities, NRTL Program, Occupational Safety and Health Administration, U.S. Department of Labor, 200 Constitution Avenue, NW., Room N-3655, Washington, DC 20210. Or fax to (202) 693-1644.

FOR FURTHER INFORMATION CONTACT: MaryAnn Garrahan, Director, Office of Technical Programs and Coordination Activities, NRTL Program, Occupational Safety and Health Administration, U.S. Department of Labor, 200 Constitution Avenue, NW., Room N-3655, Washington, DC 20210, or phone (202) 693-2110. Our Web page includes information about the NRTL Program (see *http://www.osha.gov* and select “N” in the site index).

SUPPLEMENTARY INFORMATION:

Notice of Application

The Occupational Safety and Health Administration (OSHA) hereby gives notice that TUV America, Inc., (TUVAM) has applied for expansion of its current recognition as a Nationally Recognized Testing Laboratory (NRTL). TUVAM's expansion request covers the use of additional test standards. OSHA's current scope of recognition for TUVAM may be found in the following informational Web page: *http://www.osha.gov/dts/otpca/nrtl/tuvam.html.*

OSHA recognition of an NRTL signifies that the organization has met the legal requirements in Section 1910.7 of Title 29, Code of Federal Regulations (29 CFR 1910.7). Recognition is an acknowledgment that the organization can perform independent safety testing and certification of the specific products covered within its scope of recognition and is not a delegation or grant of government authority. As a result of recognition, employers may use products properly approved by the NRTL to meet OSHA standards that require testing and certification.

The Agency processes applications by an NRTL for initial recognition or for expansion or renewal of this recognition following requirements in Appendix A to 29 CFR 1910.7. This appendix requires that the Agency publish two notices in the **Federal Register** in processing an application. In the first notice, OSHA announces the application and provides its preliminary finding and, in the second notice, the Agency provides its final decision on the application. These notices set forth the NRTL's scope of recognition or modifications of that scope. We maintain an informational Web page for each NRTL that details its scope of recognition. These pages can be accessed from our Web site at *http://www.osha.gov/dts/otpca/nrtl/index.html.*

The most recent application processed by OSHA specifically related to TUVAM's recognition granted an expansion, and the final notice for this expansion was published on August 30, 2005 (70 FR 51373).
The current addresses of the TUVAM facilities already recognized by OSHA are: TUV Product Services (TUVAM), 5 Cherry Hill Drive, Danvers, MA 01923; TUV Product Services (TUVAM), 10040 Mesa Rim Road, San Diego, CA 92121; and TUV Product Services (TUVAM), 1775 Old Highway 8, NW., Suite 104, New Brighton (Minneapolis), MN 55112.

General Background on the Application

TUVAM submitted an application, dated October 6, 2005 (see Exhibit 11-1), to expand its recognition to include 142 additional test standards. It amended its application on February 17, 2006, to add two more test standards, and then in June 2006 and July 2007 further amended its application to reduce its request to 89 test standards (see Exhibits 11-2 through 11-4), one of which, however, has been withdrawn by the standards developing organization. Thus, TUVAM's request includes 88 standards. The NRTL Program staff has determined that each of the remaining standards is an “appropriate test standard” within the meaning of 29 CFR 1910.7(c).

In connection with this request, NRTL Program assessment staff performed an on-site review of TUVAM's Massachusetts testing facility and recommended that TUVAM's recognition be expanded to include the additional test standards listed below (see Exhibit 11-5). As a result, the Agency would approve the 88 test standards for the expansion.

TUVAM seeks recognition for testing and certification of products for demonstration of conformance to the following test standards:
UL 48 Electric Signs.
UL 69 Electric-Fence Controllers.
UL 82 Electric Gardening Appliances.
UL 201 Garage Equipment.
UL 325 Door, Drapery, Gate, Louver, and Window Operators and Systems.
UL 399 Drinking-Water Coolers.
UL 474 Dehumidifiers.
UL 482 Portable Sun/Heat Lamps.
UL 497A Secondary Protectors for Communication Circuits.
UL 506 Specialty Transformers.
UL 561 Floor-Finishing Machines.
UL 563 Ice Makers.
UL 588 Seasonal and Holiday Decorative Products.
UL 676 Underwater Luminaires and Submersible Junction Boxes.
UL 696 Electric Toys.
UL 697 Toy Transformers.
UL 745-1 Portable Electric Tools.
UL 745-2-1 Particular Requirements for Drills.
UL 745-2-2 Particular Requirements for Screwdrivers and Impact Wrenches.
UL 745-2-3 Particular Requirements for Grinders, Polishers, and Disk-Type Sanders.
UL 745-2-4 Particular Requirements for Sanders.
UL 745-2-5 Particular Requirements for Circular Saws and Circular Knives.
UL 745-2-6 Particular Requirements for Hammers.
UL 745-2-8 Particular Requirements for Shears and Nibblers.
UL 745-2-9 Particular Requirements for Tappers.
UL 745-2-11 Particular Requirements for Reciprocating Saws.
UL 745-2-12 Particular Requirements for Concrete Vibrators.
UL 745-2-14 Particular Requirements for Planers.
UL 745-2-17 Particular Requirements for Routers and Trimmers.
UL 745-2-30 Particular Requirements for Staplers.
UL 745-2-31 Particular Requirements for Diamond Core Drills.
UL 745-2-32 Particular Requirements for Magnetic Drill Presses.
UL 745-2-33 Particular Requirements for Portable Bandsaws.
UL 745-2-34 Particular Requirements for Strapping Tools.
UL 745-2-35 Particular Requirements for Drain Cleaners.
UL 745-2-36 Particular Requirements for Hand Motor Tools.
UL 745-2-37 Particular Requirements for Plate Jointers.
UL 749 Household Dishwashers.
UL 775 Graphic Arts Equipment.
UL 778 Motor-Operated Water Pumps.
UL 826 Household Electric Clocks.
UL 858 Household Electric Ranges.
UL 859 Household Electric Personal Grooming Appliances.
UL 867 Electrostatic Air Cleaners.
UL 875 Electric Dry-Bath Heaters.
UL 921 Commercial Dishwashers.
UL 935 Fluorescent-Lamp Ballasts.
UL 969 Marking and Labeling Systems.
UL 977 Fused Power-Circuit Devices.
UL 979 Water Treatment Appliances.
UL 984 Hermetic Refrigerant Motor-Compressors.
UL 987 Stationary and Fixed Electric Tools.
UL 1018 Electric Aquarium Equipment.
UL 1028 Hair Clipping and Shaving Appliances.
UL 1030 Sheathed Heating Elements.
UL 1086 Household Trash Compactors.
UL 1088 Temporary Lighting Strings.
UL 1097 Double Insulation Systems for Use in Electrical Equipment.
UL 1206 Electric Commercial Clothes-Washing Equipment.
UL 1230 Amateur Movie Lights.
UL 1240 Electric Commercial Clothes-Drying Equipment.
UL 1411 Transformers and Motor Transformers for Use In Audio-, Radio-, and Television-Type Appliances.
UL 1419 Professional Video and Audio Equipment.
UL 1431 Personal Hygiene and Health Care Appliances.
UL 1449 Surge Protective Devices.
UL 1484 Residential Gas Detectors.
UL 1559 Insect-Control Equipment—Electrocution Type.
UL 1561 Dry-Type General Purpose and Power Transformers.
UL 1563 Electric Spas, Equipment Assemblies, and Associated Equipment.
UL 1573 Stage and Studio Luminaires and Connector Strips.
UL 1574 Track Lighting Systems.
UL 1594 Sewing and Cutting Machines.
UL 1598 Luminaires.
UL 1741 Inverters, Converters, and Controllers and Interconnection System Equipment for Use With Distributed Energy Resources.
UL 1778 Uninterruptible Power Supply Equipment.
UL 1786 Direct Plug-In Nightlights.
UL 1838 Low Voltage Landscape Lighting Systems.
UL 1963 Refrigerant Recovery/Recycling Equipment.
UL 1993 Self-Ballasted Lamps and Lamp Adapters.
UL 2044 Commercial Closed-Circuit Television Equipment.
UL 2111 Overheating Protection for Motors.
UL 2157 Electric Clothes Washing Machines and Extractors.
UL 2158 Electric Clothes Dryers.
UL 60335-2-3 Household and Similar Electrical Appliances, Part 2: Particular Requirements for Electric Irons.
UL 60745-1 Hand-Held Motor-Operated Electric Tools—Safety—Part 1: General Requirements.
UL 61010A-2-020 Electrical Equipment for Laboratory Use; Part 2: Particular Requirements for Laboratory Centrifuges.
UL 61010A-2-061 Electrical Equipment for Laboratory Use; Part 2: Particular Requirements for Laboratory Atomic Spectrometers with Thermal Atomization and Ionization.
UL 61010B-2-031 Electrical Equipment for Measurement, Control, and Laboratory Use; Part 2: Particular Requirements for Hand-Held Probe Assemblies for Electrical Measurement and Test.

The designations and titles of the above test standards were current at the time of the preparation of this notice. OSHA's recognition of TUVAM, or any NRTL, for a particular test standard is limited to equipment or materials (i.e., products) for which OSHA standards require third-party testing and certification before use in the workplace. Consequently, if a test standard also covers any product(s) for which OSHA does not require such testing and certification, an NRTL's scope of recognition does not include that product(s). A test standard listed above may also be approved as an American National Standard by the American National Standards Institute (ANSI). However, for convenience, we use the designation of the standards developing organization for the standard as opposed to the ANSI designation. Under our procedures, any NRTL recognized for an ANSI-approved test standard may use either the latest proprietary version of the test standard or the latest ANSI version of that standard. You may contact ANSI to find out whether or not a test standard is currently ANSI-approved.

Preliminary Finding on the Application

TUVAM has submitted an acceptable request for expansion of its recognition as an NRTL. Our review of the application file, the assessor's recommendation, and other pertinent documents indicates that TUVAM can meet the requirements, as prescribed by 29 CFR 1910.7, for the expansion for the additional test standards listed above. This preliminary finding does not constitute an interim or temporary approval of the application. OSHA welcomes public comments, in sufficient detail, as to whether TUVAM has met the requirements of 29 CFR 1910.7 for expansion of its recognition as a Nationally Recognized Testing Laboratory.
Your comments should consist of pertinent written documents and exhibits. Should you need more time to comment, you must request it in writing, including reasons for the request. OSHA must receive your written request for extension at the address provided above no later than the last date for comments. OSHA will limit any extension to 30 days, unless the requester justifies a longer period. You may obtain or review copies of TUVAM's requests, the assessor's recommendation, and all submitted comments, as received, by contacting the Docket Office, Room N-2625, Occupational Safety and Health Administration, U.S. Department of Labor, at the above address. Docket No. OSHA-2007-0043 (formerly, NRTL2-2001) contains all materials in the record concerning TUVAM's application. The NRTL Program staff will review all timely comments and, after resolution of issues raised by these comments, will recommend whether to grant TUVAM's expansion request. The Assistant Secretary will make the final decision on granting the expansion and, in making this decision, may undertake other proceedings that are prescribed in Appendix A to 29 CFR Section 1910.7. OSHA will publish a public notice of this final decision in the **Federal Register** . Signed at Washington, DC, this 1st day of February, 2008. Edwin G. Foulke, Jr., Assistant Secretary for Occupational Safety and Health. [FR Doc. E8-2200 Filed 2-6-08; 8:45 am] BILLING CODE 4510-26-P NUCLEAR REGULATORY COMMISSION Status of the Office of Nuclear Reactor Regulation's Electronic Distribution Initiative The Office of Nuclear Reactor Regulation
(NRR) staff at the U.S. Nuclear Regulatory Commission (NRC) is implementing an electronic distribution initiative
(EDI) that will modify the method of distributing selected categories (e.g., operating reactor license amendments) of operating reactor licensing correspondence. Specifically, this initiative involves replacing distribution of paper copies with electronic distribution to the plant mailing list for documents generated by NRR's Division of Operating Reactor Licensing. This initiative does not affect the availability of official agency records in NRC's Agencywide Documents Access and Management System (ADAMS), which are publicly available on the NRC's Web page *http://www.nrc.gov*. When this initiative is implemented, addressees will continue to receive the original correspondence, while those on the plant mailing list will receive electronic mail (e-mail). The distribution of safeguards information, proprietary or security-related information, or other information that is withheld from public disclosure will not be affected by this initiative. The NRC staff will protect the e-mail address from disclosure to others for privacy concerns. In order to evaluate the feasibility of electronic distribution, the staff engaged in a pilot program with Exelon Generation Company, LLC (West). The pilot program began July 1, 2007, and ended September 30, 2007. A **Federal Register** Notice announcing the pilot program was issued on June 28, 2007 (72 FR 35520). During the pilot program, the method used for distribution was e-mail. The e-mail contained an electronic link to ADAMS providing direct access to the correspondence. In addition, addressees received an Adobe Acrobat™
(pdf) version of the correspondence. Several lessons were learned from the pilot program. For example, the use of e-mails with a direct link into ADAMS provides an effective communication of correspondence. However, it generally takes 5 business days for a document to become publicly available in ADAMS. Unless action is taken to make the document publicly available sooner, or action is taken to delay sending the e-mail until the document becomes publicly available, the direct link resulted in the document not being available when the e-mail was received. As another example, some licensees and organizations that have multiple recipients on the plant mailing list have determined that it is beneficial to provide one e-mail address for the plant mailing list. This allows these entities to perform additional distribution of the documents through automatic forwarding features of their e-mail systems. Furthermore, this allows easy and rapid updating of changes to these additional distribution addresses without incurring the additional cost of developing and approving communications to the NRC to make changes to the plant mailing list. To obtain information to enhance the EDI, steps were taken to engage stakeholders. In the initial **Federal Register** notice (72 FR 35520) announcing the pilot program and in our letter dated October 11, 2007 (ADAMS Accession No. ML072820307), the NRC staff requested comments on the EDI. The NRC staff also sent an e-mail on October 24, 2007 (ADAMS Accession No. ML080160089) to all who participated in the pilot program to get their feedback. The comments (ADAMS Accession No. ML080170254) were overwhelmingly supportive of electronic distribution, generally because of the reduced need for copies and reduced handling costs. A few responders were concerned with e-mail box overloads and size limits.
Such concerns can eventually be eliminated as individuals and organizations upgrade their electronic mail systems and will be addressed on a case-by-case basis. Because the pilot program demonstrated feasibility and the feedback received was overwhelmingly favorable, the NRC is taking additional steps to pursue implementation of electronic distribution of correspondence. Recognizing the potential to provide a more effective and efficient method of distributing correspondence, the NRC intends to implement this initiative in 2008. If you have specific comments regarding this initiative, please contact Mr. Russell Gibbs at 301-415-7198, or *rag1@nrc.gov*. Comments received within 30 days of this notice will be considered for implementation in the EDI. Dated at Rockville, Maryland, this 1st day of February 2008. For the Nuclear Regulatory Commission. Russell Gibbs, Chief, Plant Licensing Branch III-2, Division of Operating Reactor Licensing, Office of Nuclear Reactor Regulation. [FR Doc. E8-2243 Filed 2-6-08; 8:45 am] BILLING CODE 7590-01-P SECURITIES AND EXCHANGE COMMISSION [Investment Company Act Release No. 28140; 812-13386] PowerShares Capital Management LLC, et al.; Notice of Application February 1, 2008. AGENCY: Securities and Exchange Commission (“Commission”). ACTION: Notice of an application for an order under section 6(c) of the Investment Company Act of 1940 (“Act”) for an exemption from sections 2(a)(32), 5(a)(1) and 22(d) of the Act and rule 22c-1 under the Act, and under sections 6(c) and 17(b) of the Act for an exemption from sections 17(a)(1) and (a)(2) of the Act, and under section 12(d)(1)(J) for an exemption from sections 12(d)(1)(A) and
(B) of the Act. *Applicants:* PowerShares Capital Management LLC (the “Advisor”), AER Advisors, Inc. (“AER”), AIM Distributors, Inc. (the “Distributor”), and PowerShares Actively Managed Exchange-Traded Fund Trust (the “Trust”). *Summary of Application:* Applicants request an order that permits:
(a) Series of certain open-end management investment companies to issue shares (“Shares”) redeemable in large aggregations only (“Creation Units”);
(b) secondary market transactions in Shares to occur at negotiated market prices;
(c) certain affiliated persons of the series to deposit securities into, and receive securities from, the series in connection with the purchase and redemption of Creation Units; and
(d) certain registered management investment companies and unit investment trusts outside of the same group of investment companies as the series to acquire Shares. *Filing Dates:* The application was filed on May 18, 2007, and amended on November 9, 2007, November 16, 2007, November 30, 2007, December 20, 2007 and January 7, 2008. *Hearing or Notification of Hearing:* An order granting the requested relief will be issued unless the Commission orders a hearing. Interested persons may request a hearing by writing to the Commission's Secretary and serving applicants with a copy of the request, personally or by mail. Hearing requests should be received by the Commission by 5:30 p.m. on February 26, 2008, and should be accompanied by proof of service on applicants, in the form of an affidavit or, for lawyers, a certificate of service. Hearing requests should state the nature of the writer's interest, the reason for the request, and the issues contested. Persons who wish to be notified of a hearing may request notification by writing to the Commission's Secretary. ADDRESSES: Secretary, U.S. Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090. Applicants: Advisor and Trust, 301 West Roosevelt Road, Wheaton, IL 60187; Distributor, 11 Greenway Plaza, Houston, TX 77046-1173; AER, 30 Laurence Lane, Rye Beach, NH 03871. FOR FURTHER INFORMATION CONTACT: Marilyn Mann, Branch Chief, or Michael W. Mundt, Assistant Director, at
(202) 551-6821 (Division of Investment Management, Office of Investment Company Regulation). SUPPLEMENTARY INFORMATION: The following is a summary of the application. The complete application may be obtained for a fee at the Commission's Public Reference Desk, 100 F Street, NE., Washington, DC 20549-0102 (tel. 202-551-5850). Applicants' Representations 1. The Trust is an open-end management investment company registered under the Act and organized as a Delaware business trust. The Trust will offer two initial series subadvised by AER: The PowerShares Active AlphaQ Portfolio and the PowerShares Active Alpha Multi-Cap Portfolio (the “Initial AER Funds”). The Trust will also offer two initial series subadvised by Invesco Institutional (N.A.), Inc. (“Invesco”): The PowerShares Active Mega-Cap Portfolio (“Mega-Cap Fund”) and PowerShares Active Low Duration Portfolio (“Low Duration Fund,” and together with the Mega-Cap Fund, the “Initial Invesco Funds”). The Initial AER Funds and Initial Invesco Funds are collectively referred to as the “Initial Funds.” Each Initial AER Fund's investment objective will be to provide long-term capital appreciation by investing in stocks selected according to a quantitative screening methodology developed by AER. The Mega-Cap Fund's investment objective will be to provide long-term growth of capital by investing primarily in the equity securities of mega-capitalization companies according to a quantitative approach developed by Invesco. The Low Duration Fund's investment objective is to provide total return by investing primarily in U.S. government and corporate debt securities. 2. The Advisor plans to introduce future series of the Trust or of other open-end management investment companies that will invest in equity or fixed income securities traded in the U.S. markets (“Future Funds”). Applicants request that the order apply to any such Future Funds. Any Future Fund will be
(a) advised by the Advisor or an entity controlling, controlled by, or under common control with the Advisor, and
(b) comply with the terms and conditions of the order. The Initial Funds and Future Funds together are the “Funds.” Funds that invest in equity securities are “Equity Funds” and Funds that invest in fixed income securities are “Fixed Income Funds.” Each Fund will operate as an actively-managed exchange-traded fund (“ETF”). 3. The Advisor, a Delaware limited liability company, is registered as an investment adviser under the Investment Advisers Act of 1940 (“Advisers Act”) and serves as investment adviser to each Fund. The Advisor has retained AER as subadvisor to the Initial AER Funds and Invesco as subadvisor to the Initial Invesco Funds, and may in the future retain other subadvisors (together with AER and Invesco, the “Fund Subadvisors”) to manage the portfolios of other Funds. AER, a New Hampshire corporation, and Invesco, a Delaware corporation, are registered under the Advisers Act, and any other Fund Subadvisor will be registered under the Advisers Act. The Distributor, a Delaware corporation, is registered as a broker-dealer under the Securities Exchange Act of 1934 (“Exchange Act”) and serves as the principal underwriter and distributor for the Funds. Each of the Advisor, Invesco and the Distributor is an indirect wholly-owned subsidiary of Invesco PLC, a public limited company organized in the United Kingdom.[1] [1] All entities that currently intend to rely on the order are named as applicants. Any other entity that relies on the order in the future will comply with the terms and conditions of the application. An Investing Fund (as defined below) may rely on the order only to invest in Funds and not in any other registered investment company. 4. Shares of the Funds will be sold at a price of between $50 and $60 per Share in Creation Units of between 50,000 and 100,000 Shares.
All orders to purchase Creation Units must be placed with the Distributor by or through a party that has entered into an agreement with the Trust and the Distributor (“Authorized Participant”). An Authorized Participant must be either:
(a) A broker-dealer or other participant in the continuous net settlement system of the National Securities Clearing Corporation (“NSCC”), a clearing agency registered with the Commission, or
(b) a participant in the Depository Trust Company (“DTC,” and such participant, “DTC Participant”). Shares of each Fund generally will be sold in Creation Units in exchange for an in-kind deposit by the purchaser of a portfolio of securities designated by the Advisor (the “Deposit Securities”), together with the deposit of a relatively small specified cash payment (“Cash Component”). The Cash Component is an amount equal to the difference between
(a) the net asset value (“NAV”) per Creation Unit of the Fund and
(b) the total aggregate market value per Creation Unit of the Deposit Securities.[2] Applicants state that in some circumstances it may not be practicable or convenient for a Fund to operate exclusively on an “in-kind” basis. The Trust reserves the right to permit, under certain circumstances, a purchaser of Creation Units to substitute cash in lieu of depositing some or all of the requisite Deposit Securities. [2] In addition to the list of names and amount of each security constituting the current Deposit Securities, it is intended that, on each day that a Fund is open, including as required by section 22(e) of the Act (“Business Day”), the Cash Component effective as of the previous Business Day, per outstanding Share of each Fund, will be made available. The Stock Exchange intends to disseminate, every 15 seconds, during regular trading hours, through the facilities of the Consolidated Tape Association, an approximate amount per Share representing the sum of the estimated Cash Component effective through and including the previous Business Day, plus the current value of the Deposit Securities, on a per Share basis. 5. An investor purchasing a Creation Unit from a Fund will be charged a fee (“Transaction Fee”) to prevent the dilution of the interests of the remaining shareholders resulting from costs in connection with the purchase of Creation Units.[3] The maximum Transaction Fees relevant to each Fund will be fully disclosed in the prospectus (“Prospectus”) or statement of additional information (“SAI”) of such Fund. All orders to purchase Creation Units will be placed with the Distributor by or through an Authorized Participant and it will be the Distributor's responsibility to transmit such orders to the Trust. The Distributor also will be responsible for delivering the Prospectus to those persons purchasing Creation Units, and for maintaining records of both the orders placed with it and the confirmations of acceptance furnished by it.
In addition, the Distributor will maintain a record of the instructions given to the Trust to implement the delivery of Shares. [3] Where a Fund permits a purchaser to substitute cash in lieu of depositing a portion of the requisite Deposit Securities, the purchaser may be assessed a higher Transaction Fee to cover the cost of purchasing such Deposit Securities, including brokerage costs, and part or all of the spread between the expected bid and the offer side of the market relating to such Deposit Securities. 6. Purchasers of Shares in Creation Units may hold such Shares or may sell such Shares into the secondary market. Shares will be listed and traded on a national securities exchange as defined in section 2(a)(26) of the Act (“Stock Exchange”). It is expected that one or more member firms of a listing Stock Exchange will be designated to act as a specialist and maintain a market for Shares on the Stock Exchange (the “Specialist”), or if Nasdaq is the listing Stock Exchange, one or more member firms of Nasdaq will act as a market maker (“Market Maker”) and maintain a market for Shares.[4] Prices of Shares trading on a Stock Exchange will be based on the current bid/offer market. Shares sold in the secondary market will be subject to customary brokerage commissions and charges. [4] If Shares are listed on the Nasdaq, no particular Market Maker will be contractually obligated to make a market in Shares, although Nasdaq's listing requirements stipulate that at least two Market Makers must be registered as Market Makers in Shares to maintain the listing. Registered Market Makers are required to make a continuous, two-sided market at all times or be subject to regulatory sanctions. 7. Applicants expect that purchasers of Creation Units will include institutional investors and arbitrageurs (which could include institutional investors).
The Specialist, or Market Maker, in providing a fair and orderly secondary market for the Shares, also may purchase Creation Units for use in its market-making activities. Applicants expect that secondary market purchasers of Shares will include both institutional investors and retail investors.[5] Applicants expect that the price at which the Shares trade will be disciplined by arbitrage opportunities created by the ability to continually purchase or redeem Creation Units at their NAV, which should ensure that the Shares will not trade at a material discount or premium in relation to their NAV. [5] Shares will be registered in book-entry form only. DTC or its nominee will be the registered owner of all outstanding Shares. DTC or DTC Participants will maintain records reflecting beneficial owners of Shares. 8. Shares will not be individually redeemable, and owners of Shares may acquire those Shares from a Fund, or tender such Shares for redemption to the Fund, in Creation Units only. To redeem, an investor will have to accumulate enough Shares to constitute a Creation Unit. Redemption orders must be placed by or through an Authorized Participant. An investor redeeming a Creation Unit generally will receive
(a) a portfolio of securities designated to be delivered for Creation Unit redemptions on the date that the request for redemption is submitted (“Fund Securities”), which may not be identical to the Deposit Securities required to purchase Creation Units on that date, and
(b) a “Cash Redemption Payment,” consisting of an amount calculated in the same manner as the Cash Component, although the actual amount of the Cash Redemption Payment may differ from the Cash Component if the Fund Securities are not identical to the Deposit Securities on that day. An investor may receive the cash equivalent of a Fund Security in certain circumstances, such as if the investor is constrained from effecting transactions in the security by regulation or policy. A redeeming investor may pay a Transaction Fee, calculated in the same manner as a Transaction Fee payable in connection with purchases of Creation Units. 9. Neither the Trust nor any individual Fund will be marketed or otherwise held out as an “open-end investment company” or a “mutual fund.” Instead, each Fund will be marketed as an “actively-managed exchange-traded fund.” All marketing materials that describe the method of obtaining, buying or selling Shares, or refer to redeemability, will prominently disclose that Shares are not individually redeemable and that the owners of Shares may purchase or redeem Shares from a Fund in Creation Units only. The same approach will be followed in the SAI, shareholder reports and investor educational materials issued or circulated in connection with the Shares. The Funds will provide copies of their annual and semi-annual shareholder reports to DTC Participants for distribution to beneficial owners of Shares. 10. The Funds' Web site, which will be publicly available prior to the public offering of Shares, will include the Prospectus and other information about the Funds that is updated on a daily basis, including the mid-point of the bid-ask spread at the time of the calculation of NAV (“Bid/Ask Price”).
On each Business Day, before the commencement of trading in Shares on the Stock Exchange, each Fund will disclose the identities and quantities of the securities (“Portfolio Securities”) and other assets held in the Fund portfolio that will form the basis for the Fund's calculation of NAV at the end of the Business Day.[6] [6] Applicants note that under accounting procedures followed by the Funds, trades made on the prior Business Day (“T”) will be booked and reflected in NAV on the current Business Day (“T + 1”). Accordingly, the Funds will be able to disclose at the beginning of the Business Day the portfolio that will form the basis for the NAV calculation at the end of the Business Day. Applicants' Legal Analysis 1. Applicants request an order under section 6(c) of the Act granting an exemption from sections 2(a)(32), 5(a)(1) and 22(d) of the Act and rule 22c-1 under the Act; and under sections 6(c) and 17(b) of the Act granting an exemption from sections 17(a)(1) and (a)(2) of the Act, and under section 12(d)(1)(J) for an exemption from sections 12(d)(1)(A) and
(B) of the Act. 2. Section 6(c) of the Act provides that the Commission may exempt any person, security or transaction, or any class of persons, securities or transactions, from any provision of the Act, if and to the extent that such exemption is necessary or appropriate in the public interest and consistent with the protection of investors and the purposes fairly intended by the policy and provisions of the Act. Section 17(b) of the Act authorizes the Commission to exempt a proposed transaction from section 17(a) of the Act if evidence establishes that the terms of the transaction, including the consideration to be paid or received, are reasonable and fair and do not involve overreaching on the part of any person concerned, and the proposed transaction is consistent with the policies of the registered investment company and the general provisions of the Act. Section 12(d)(1)(J) of the Act provides that the Commission may exempt any person, security, or transaction, or any class or classes of persons, securities or transactions, from any provision of section 12(d)(1) if the exemption is consistent with the public interest and the protection of investors. Sections 5(a)(1) and 2(a)(32) of the Act 3. Section 5(a)(1) of the Act defines an “open-end company” as a management investment company that is offering for sale or has outstanding any redeemable security of which it is the issuer. Section 2(a)(32) of the Act defines a redeemable security as any security, other than short-term paper, under the terms of which the holder, upon its presentation to the issuer, is entitled to receive approximately his proportionate share of the issuer's current net assets, or the cash equivalent. Because Shares will not be individually redeemable, applicants request an order that would permit each Fund, as a series of an open-end management investment company, to issue Shares that are redeemable in Creation Units only.
Applicants state that investors may purchase Shares in Creation Units from each Fund and redeem Creation Units from each Fund. Applicants further state that because the market price of Shares will be disciplined by arbitrage opportunities, investors should be able to sell Shares in the secondary market at prices that do not vary substantially from their NAV. Section 22(d) of the Act and Rule 22c-1 under the Act 4. Section 22(d) of the Act, among other things, prohibits a dealer from selling a redeemable security, which is currently being offered to the public by or through a principal underwriter, except at a current public offering price described in the prospectus. Rule 22c-1 under the Act generally requires that a dealer selling, redeeming, or repurchasing a redeemable security do so only at a price based on its NAV. Applicants state that secondary market trading in Shares will take place at negotiated prices, not at a current offering price described in the prospectus, and not at a price based on NAV. Thus, purchases and sales of Shares in the secondary market will not comply with section 22(d) of the Act and rule 22c-1 under the Act. Applicants request an exemption under section 6(c) from these provisions. 5. Applicants assert that the concerns sought to be addressed by section 22(d) of the Act and rule 22c-1 under the Act with respect to pricing are equally satisfied by the proposed method of pricing Shares. Applicants maintain that while there is little legislative history regarding section 22(d), its provisions, as well as those of rule 22c-1, appear to have been designed to
(a) prevent dilution caused by certain riskless-trading schemes by principal underwriters and contract dealers,
(b) prevent unjust discrimination or preferential treatment among buyers resulting from sales at different prices, and
(c) assure an orderly distribution of investment company shares by eliminating price competition from dealers offering shares at less than the published sales price and repurchasing shares at more than the published redemption price. 6. Applicants believe that none of these purposes will be thwarted by permitting Shares to trade in the secondary market at negotiated prices. Applicants state that
(a) secondary market trading in Shares does not involve the Funds as parties and cannot result in dilution of an investment in Shares, and
(b) to the extent different prices exist during a given trading day, or from day to day, such variances occur as a result of third-party market forces, such as supply and demand. Therefore, applicants assert that secondary market transactions in Shares will not lead to discrimination or preferential treatment among purchasers. Finally, applicants contend that the proposed distribution system will be orderly because arbitrage activity will ensure that the difference between the market price of Shares and their NAV remains narrow. Section 12(d)(1) 7. Section 12(d)(1)(A) of the Act prohibits a registered investment company from acquiring shares of an investment company if the securities represent more than 3% of the total outstanding voting stock of the acquired company, more than 5% of the total assets of the acquiring company, or, together with the securities of any other investment companies, more than 10% of the total assets of the acquiring company. Section 12(d)(1)(B) of the Act prohibits a registered open-end investment company, its principal underwriter, or any other broker or dealer from selling its shares to another investment company if the sale will cause the acquiring company to own more than 3% of the acquired company's voting stock, or if the sale will cause more than 10% of the acquired company's voting stock to be owned by investment companies generally. 8. Applicants request that the order permit certain investment companies registered under the Act to acquire Shares beyond the limitations in section 12(d)(1)(A) and permit the Funds, any principal underwriter for the Funds, and any broker or dealer registered under the Exchange Act (“Brokers”), to sell Shares beyond the limitations in section 12(d)(1)(B). Applicants request that these exemptions apply to:
(1) Any Fund that is currently or subsequently part of the same “group of investment companies” as the Initial Funds within the meaning of section 12(d)(1)(G)(ii) of the Act as well as any principal underwriter for the Funds and any Brokers selling Shares of a Fund to an Investing Fund (as defined below); and
(2) each management investment company or unit investment trust registered under the Act that is not part of the same “group of investment companies” as the Funds within the meaning of section 12(d)(1)(G)(ii) of the Act and that enters into a FOF Participation Agreement (as defined below) with a Fund (such management investment companies are referred to herein as “Investing Management Companies,” such unit investment trusts are referred to herein as “Investing Trusts,” and Investing Management Companies and Investing Trusts are “Investing Funds”). Investing Funds do not include the Funds. Each Investing Trust will have a sponsor (“Sponsor”) and each Investing Management Company will have an investment adviser within the meaning of section 2(a)(20)(A) of the Act (“Investing Fund Advisor”) that does not control, is not controlled by or under common control with the Advisor. Each Investing Management Company may also have one or more investment advisers within the meaning of section 2(a)(20)(B) of the Act (each, a “Subadvisor”). 9. Applicants assert that the proposed transactions will not lead to any of the abuses that section 12(d)(1) was designed to prevent. Applicants submit that the proposed conditions to the requested relief address the concerns underlying the limits in section 12(d)(1), which include concerns about undue influence, excessive layering of fees and overly complex structures. 10. Applicants believe that neither the Investing Funds nor an Investing Fund Affiliate would be able to exert undue influence over the Funds.[7]
To limit the control that an Investing Fund may have over a Fund, applicants propose a condition prohibiting the Investing Fund Advisor or Sponsor; any person controlling, controlled by, or under common control with the Investing Fund Advisor or Sponsor; and any investment company or issuer that would be an investment company but for sections 3(c)(1) or 3(c)(7) of the Act that is advised or sponsored by the Investing Fund Advisor or advised or sponsored by the Sponsor, or any person controlling, controlled by, or under common control with the Investing Fund Advisor or Sponsor (“Investing Fund's Advisory Group”) from controlling (individually or in the aggregate) a Fund within the meaning of section 2(a)(9) of the Act. The same prohibition would apply to any Subadvisor; any person controlling, controlled by, or under common control with the Subadvisor; and any investment company or issuer that would be an investment company but for section 3(c)(1) or 3(c)(7) of the Act (or portion of such investment company or issuer) advised or sponsored by the Subadvisor or any person controlling, controlled by, or under common control with the Subadvisor (“Investing Fund's Subadvisory Group”). [7] An “Investing Fund Affiliate” is an Investing Fund Advisor, Subadvisor, Sponsor, promoter, and principal underwriter of an Investing Fund, and any person controlling, controlled by, or under common control with any of those entities. 11. Applicants propose other conditions to limit the potential for undue influence over the Funds, including that no Investing Fund or Investing Fund Affiliate (except to the extent it is acting in its capacity as an investment adviser to a Fund) will cause a Fund to purchase a security in any offering of securities during the existence of any underwriting or selling syndicate of which a principal underwriter is an Underwriting Affiliate (“Affiliated Underwriting”).
An “Underwriting Affiliate” is a principal underwriter in any underwriting or selling syndicate that is an officer, director, member of an advisory board, Investing Fund Advisor, Subadvisor, employee or Sponsor of an Investing Fund, or a person of which any such officer, director, member of an advisory board, Investing Fund Advisor, Subadvisor, employee, or Sponsor is an affiliated person (except any person whose relationship to the Fund is covered by section 10(f) of the Act is not an Underwriting Affiliate). 12. Applicants do not believe that the proposed arrangement will involve excessive layering of fees. The board of directors or trustees of each Investing Management Company, including a majority of the disinterested directors or trustees, before approving any advisory contract under section 15 of the Act, will be required to determine that the advisory fees charged to the Investing Management Company are based on services provided that will be in addition to, rather than duplicative of, the services provided under the advisory contract(s) of any Fund in which the Investing Management Company may invest. In addition, the Investing Fund Advisor, trustee of an Investing Trust (“Trustee”) or Sponsor, as applicable, will waive fees otherwise payable to it by the Investing Fund in an amount at least equal to any compensation received from a Fund by the Investing Fund Advisor, Trustee or Sponsor, or an affiliated person of the Investing Fund Advisor, Trustee or Sponsor (other than any advisory fees), in connection with the investment by the Investing Fund in the Funds. Applicants also state that any sales charges and/or service fees charged with respect to shares of an Investing Fund will not exceed the limits applicable to a fund of funds set forth in Conduct Rule 2830 of the NASD (“Rule 2830”). 13. Applicants submit that the proposed arrangement will not create an overly complex fund structure. 
Applicants note that a Fund will be prohibited from acquiring securities of any investment company, or of any company relying on section 3(c)(1) or 3(c)(7) of the Act, in excess of the limits contained in section 12(d)(1)(A) of the Act.

14. To ensure that Investing Funds are aware of the terms and conditions of the requested order, the Investing Funds must enter into an agreement with the respective Funds (“FOF Participation Agreement”). The FOF Participation Agreement will include an acknowledgement from the Investing Fund that it may rely on the order only to invest in the Funds and not in any other investment company. The FOF Participation Agreement will further require any Investing Fund that exceeds the 5% or 10% limitations in section 12(d)(1)(A)(ii) and (iii) to disclose in its Prospectus that it may invest in ETFs and disclose, in “plain English,” in its Prospectus the unique characteristics of the Investing Funds investing in investment companies, including but not limited to the expense structure and any additional expenses of investing in investment companies.

Sections 17(a)(1) and (2) of the Act

15. Section 17(a)(1) and (2) of the Act generally prohibit an affiliated person of a registered investment company, or an affiliated person of such a person (“second tier affiliate”), from selling any security to or purchasing any security from the company. Section 2(a)(3) of the Act defines “affiliated person” to include any person directly or indirectly owning, controlling, or holding with power to vote 5% or more of the outstanding voting securities of the other person and any person directly or indirectly controlling, controlled by, or under common control with, the other person. Section 2(a)(9) of the Act provides that a control relationship will be presumed where one person owns more than 25% of another person's voting securities. The Funds may be deemed to be controlled by the Advisor or an entity controlling, controlled by or under common control with the Advisor and hence affiliated persons of each other. In addition, the Funds may be deemed to be under common control with any other registered investment company (or series thereof) advised by the Advisor or an entity controlling, controlled by or under common control with the Advisor (an “Affiliated Fund”). Applicants state that because the definition of “affiliated person” includes any person owning 5% or more of an issuer's outstanding voting securities, every purchaser of a Creation Unit will be affiliated with the Fund so long as fewer than twenty Creation Units are in existence, and any purchaser that owns more than 25% of a Fund's outstanding Shares will be affiliated with a Fund.

16. Applicants request an exemption from section 17(a) under sections 6(c) and 17(b), to permit in-kind purchases and redemptions by persons that are affiliated persons or second tier affiliates of the Funds solely by virtue of one or more of the following:
(1) Holding 5% or more, or more than 25%, of the outstanding Shares of the Trust or one or more Funds;
(2) an affiliation with a person with an ownership interest described in (1); or
(3) holding 5% or more, or more than 25%, of the shares of one or more Affiliated Funds.

Applicants also request an exemption in order to permit each Fund to sell Shares to and redeem Shares from, and engage in the in-kind transactions that would accompany such sales and redemptions with, any Investing Fund of which it is an affiliated person or second tier affiliate because of one or more of the following:
(1) The Investing Fund holds 5% or more of the Shares of the Trust or one or more Funds;
(2) an Investing Fund described in (1) is an affiliated person of the Investing Fund; or
(3) the Investing Fund holds 5% or more of the shares of one or more Affiliated Funds. 8

8 Although applicants believe that most Investing Funds will purchase and sell Shares in the secondary market, an Investing Fund might seek to transact in Shares directly with a Fund. With respect to these in-kind transactions, applicants are requesting relief for Funds that are affiliated persons or second tier affiliates of an Investing Fund solely by virtue of one or more of the reasons described above.

17. Applicants contend that no useful purpose would be served by prohibiting affiliated persons or second tier affiliates of a Fund from purchasing or redeeming Creation Units through “in-kind” transactions. The deposit procedure for in-kind purchases and the redemption procedure for in-kind redemptions will be the same for all purchases and redemptions. Deposit Securities and Fund Securities will be valued under the same objective standards applied to valuing Portfolio Securities. Therefore, applicants state that in-kind purchases and redemptions will afford no opportunity for the affiliated persons and second tier affiliates described above to effect a transaction detrimental to the other holders of Shares. Applicants also believe that in-kind purchases and redemptions will not result in abusive self-dealing or overreaching by these persons of the Fund.

18. Applicants also submit that the sale of Shares to and redemption of Shares from an Investing Fund satisfies the standards for relief under sections 17(b) and 6(c) of the Act. Applicants note that the consideration paid for the purchase or received for the redemption of Shares directly from a Fund by an Investing Fund (or any other investor) will be based on the NAV of the Shares.
In addition, the securities received or transferred by the Fund in connection with the purchase or redemption of Shares will be valued in the same manner as the Fund's Portfolio Securities and thus the transactions will not be detrimental to the Investing Fund. Applicants also state that the proposed transactions will be consistent with the policies of each Investing Fund and Fund and with the general purposes of the Act. Applicants state that the FOF Participation Agreement will require an Investing Fund to represent that its ownership of Shares issued by a Fund is consistent with the investment policies set forth in the Investing Fund's registration statement.

Applicants' Conditions

The applicants agree that any order of the Commission granting the requested relief will be subject to the following conditions:

A. Actively-Managed Exchange-Traded Fund Relief

1. Each Prospectus will clearly disclose that, for purposes of the Act, Shares are issued by a registered investment company and that the acquisition of Shares by investment companies and companies relying on sections 3(c)(1) or 3(c)(7) of the Act is subject to the restrictions of section 12(d)(1) of the Act, except as permitted by an exemptive order that permits registered investment companies to invest in a Fund beyond the limits in section 12(d)(1), subject to certain terms and conditions, including that the registered investment company enter into a FOF Participation Agreement with the Fund regarding the terms of the investment.

2. As long as the Funds operate in reliance on the requested order, the Shares of the Funds will be listed on a Stock Exchange.

3. Neither the Trust nor any Fund will be advertised or marketed as an open-end investment company or a mutual fund. Each Fund's Prospectus will prominently disclose that the Fund is an actively managed exchange-traded fund. Each Prospectus will prominently disclose that the Shares are not individually redeemable shares and will disclose that the owners of the Shares may acquire those Shares from the Fund and tender those Shares for redemption to the Fund in Creation Units only. Any advertising material that describes the purchase or sale of Creation Units or refers to redeemability will prominently disclose that the Shares are not individually redeemable and that owners of the Shares may acquire those Shares from the Fund and tender those Shares for redemption to the Fund in Creation Units only.

4. The website for the Funds, which is and will be publicly accessible at no charge, will contain the following information, on a per Share basis, for each Fund:
(a) the prior Business Day's NAV and the Bid/Ask Price, and a calculation of the premium or discount of the Bid/Ask Price against such NAV; and
(b) data in chart format displaying the frequency distribution of discounts and premiums of the daily Bid/Ask Price against the NAV, within appropriate ranges, for each of the four previous calendar quarters (or for the life of the Fund, if shorter).

5. The Prospectus and annual report for each Fund will also include:
(a) the information listed in condition A.4(b), (i) in the case of the Prospectus, for the most recently completed year (and the most recently completed quarter or quarters, as applicable) and (ii) in the case of the annual report, for the immediately preceding five years (or for the life of the Fund, if shorter), and
(b) calculated on a per Share basis for one-, five- and ten-year periods (or for the life of the Fund, if shorter), the cumulative total return and the average annual total return based on NAV and Bid/Ask Price.

6. On each Business Day, before commencement of trading in Shares on the Stock Exchange, the Fund will disclose on its website the identities and quantities of the Portfolio Securities and other assets held by the Fund that will form the basis for the Fund's calculation of NAV at the end of the Business Day.

7. The Advisor or Fund Subadvisor, directly or indirectly, will not cause any Authorized Participant (or any investor on whose behalf an Authorized Participant may transact with the Fund) to acquire any Deposit Security for the Fund through a transaction in which the Fund could not engage directly.

8. The requested order will expire on the effective date of any Commission rule under the Act that provides relief permitting the operation of actively managed exchange-traded funds.

B. Section 12(d)(1) Relief

1. The members of the Investing Fund's Advisory Group will not control (individually or in the aggregate) a Fund within the meaning of section 2(a)(9) of the 1940 Act. The members of the Investing Fund's Subadvisory Group will not control (individually or in the aggregate) a Fund within the meaning of section 2(a)(9) of the 1940 Act. If, as a result of a decrease in the outstanding voting securities of a Fund, the Investing Fund's Advisory Group or the Investing Fund's Subadvisory Group, each in the aggregate, becomes a holder of more than 25 percent of the outstanding voting securities of a Fund, it will vote its Shares of the Fund in the same proportion as the vote of all other holders of the Fund's Shares.
This condition does not apply to the Investing Fund's Subadvisory Group with respect to a Fund for which the Subadvisor or a person controlling, controlled by or under common control with the Subadvisor acts as the investment adviser within the meaning of section 2(a)(20)(A) of the Act.

2. No Investing Fund or Investing Fund Affiliate will cause any existing or potential investment by the Investing Fund in a Fund to influence the terms of any services or transactions between the Investing Fund or an Investing Fund Affiliate and the Fund or a Fund Affiliate.

3. The board of directors or trustees of an Investing Management Company, including a majority of the disinterested directors or trustees, will adopt procedures reasonably designed to assure that the Investing Fund Advisor and any Subadvisor are conducting the investment program of the Investing Management Company without taking into account any consideration received by the Investing Management Company or an Investing Fund Affiliate from a Fund or a Fund Affiliate in connection with any services or transactions.

4. Once an investment by an Investing Fund in the securities of a Fund exceeds the limit in section 12(d)(1)(A)(i) of the Act, the board of trustees (“Board”) of a Fund, including a majority of the disinterested Board members, will determine that any consideration paid by the Fund to the Investing Fund or an Investing Fund Affiliate in connection with any services or transactions:
(i) Is fair and reasonable in relation to the nature and quality of the services and benefits received by the Fund;
(ii) is within the range of consideration that the Fund would be required to pay to another unaffiliated entity in connection with the same services or transactions; and
(iii) does not involve overreaching on the part of any person concerned.
This condition does not apply with respect to any services or transactions between a Fund and its investment adviser(s), or any person controlling, controlled by or under common control with such investment adviser(s).

5. The Investing Fund Advisor, or Trustee or Sponsor, as applicable, will waive fees otherwise payable to it by the Investing Fund in an amount at least equal to any compensation (including fees received pursuant to any plan adopted by a Fund under rule 12b-1 under the Act) received from a Fund by the Investing Fund Advisor, or Trustee or Sponsor, or an affiliated person of the Investing Fund Advisor, or Trustee or Sponsor, other than any advisory fees paid to the Investing Fund Advisor, or Trustee or Sponsor, or its affiliated person by the Fund, in connection with the investment by the Investing Fund in the Fund. Any Subadvisor will waive fees otherwise payable to the Subadvisor, directly or indirectly, by the Investing Management Company in an amount at least equal to any compensation received from a Fund by the Subadvisor, or an affiliated person of the Subadvisor, other than any advisory fees paid to the Subadvisor or its affiliated person by the Fund, in connection with the investment by the Investing Management Company in the Fund made at the direction of the Subadvisor. In the event that the Subadvisor waives fees, the benefit of the waiver will be passed through to the Investing Management Company.

6. No Investing Fund or Investing Fund Affiliate (except to the extent it is acting in its capacity as an investment adviser to a Fund) will cause a Fund to purchase a security in an Affiliated Underwriting.

7. The Board of the Fund, including a majority of the disinterested Board members, will adopt procedures reasonably designed to monitor any purchases of securities by the Fund in an Affiliated Underwriting, once an investment by an Investing Fund in the securities of the Fund exceeds the limit of section 12(d)(1)(A)(i) of the Act, including any purchases made directly from an Underwriting Affiliate. The Board will review these purchases periodically, but no less frequently than annually, to determine whether the purchases were influenced by the investment by the Investing Fund in the Fund. The Board will consider, among other things:
(i) Whether the purchases were consistent with the investment objectives and policies of the Fund;
(ii) how the performance of securities purchased in an Affiliated Underwriting compares to the performance of comparable securities purchased during a comparable period of time in underwritings other than Affiliated Underwritings or to a benchmark such as a comparable market index; and
(iii) whether the amount of securities purchased by the Fund in Affiliated Underwritings and the amount purchased directly from an Underwriting Affiliate have changed significantly from prior years.
The Board will take any appropriate actions based on its review, including, if appropriate, the institution of procedures designed to assure that purchases of securities in Affiliated Underwritings are in the best interest of shareholders.

8. Each Fund will maintain and preserve permanently in an easily accessible place a written copy of the procedures described in the preceding condition, and any modifications to such procedures, and will maintain and preserve for a period of not less than six years from the end of the fiscal year in which any purchase in an Affiliated Underwriting occurred, the first two years in an easily accessible place, a written record of each purchase of securities in Affiliated Underwritings once an investment by an Investing Fund in the securities of the Fund exceeds the limit of section 12(d)(1)(A)(i) of the 1940 Act, setting forth from whom the securities were acquired, the identity of the underwriting syndicate's members, the terms of the purchase, and the information or materials upon which the Board's determinations were made.

9. Before investing in a Fund in excess of the limit in section 12(d)(1)(A), an Investing Fund will execute a FOF Participation Agreement with the Fund stating that their respective boards of directors or trustees and their investment advisors, or Trustee and Sponsor, as applicable, understand the terms and conditions of the order, and agree to fulfill their responsibilities under the order. At the time of its investment in shares of a Fund in excess of the limit in section 12(d)(1)(A)(i), an Investing Fund will notify the Fund of the investment. At such time, the Investing Fund will also transmit to the Fund a list of the names of each Investing Fund Affiliate and Underwriting Affiliate.
The Investing Fund will notify the Fund of any changes to the list as soon as reasonably practicable after a change occurs. The Fund and the Investing Fund will maintain and preserve a copy of the order, the FOF Participation Agreement, and the list with any updated information for the duration of the investment and for a period of not less than six years thereafter, the first two years in an easily accessible place.

10. Before approving any advisory contract under section 15 of the Act, the board of directors or trustees of each Investing Management Company, including a majority of the disinterested directors or trustees, will find that the advisory fees charged under such contract are based on services provided that will be in addition to, rather than duplicative of, the services provided under the advisory contract(s) of any Fund in which the Investing Management Company may invest. These findings and their basis will be recorded fully in the minute books of the appropriate Investing Management Company.

11. Any sales charges and/or service fees charged with respect to shares of an Investing Fund will not exceed the limits applicable to a fund of funds as set forth in Rule 2830.

12. No Fund will acquire securities of any investment company or company relying on section 3(c)(1) or 3(c)(7) of the Act in excess of the limits contained in section 12(d)(1)(A) of the Act.

By the Commission.

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2269 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57241; File No. SR-Amex-2007-138]

Self-Regulatory Organizations; American Stock Exchange LLC; Order Approving a Proposed Rule Change to Establish a New Class of Off-Floor Market Makers in ETFs Called Designated Amex Remote Traders

January 31, 2008.

I. Introduction

On December 19, 2007, the American Stock Exchange LLC (“Amex” or “Exchange”) filed with the Securities and Exchange Commission (“Commission”), pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) 1 and Rule 19b-4 thereunder, 2 a proposal to create a new class of off-floor market makers, called “Designated Amex Remote Traders” or “DARTs,” in ETF securities. The proposed rule change was published for comment in the **Federal Register** on December 31, 2007. 3 The Commission received no comments regarding the proposal. This order approves the proposed rule change.

1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.
3 Securities Exchange Act Release No. 57022 (December 20, 2007), 72 FR 74375.

II. Description

The Exchange proposes to create a new class of off-floor market makers in ETF securities and to make related changes to the Exchange's AEMI trading platform. 4 These market makers, to be called “Designated Amex Remote Traders” or “DARTs,” will electronically enter competitive quotations on a regular basis to satisfy market maker regulatory requirements. DARTs will also have to meet certain business requirements, which will include minimum performance standards as discussed below.

4 See Securities Exchange Act Release No. 56446 (September 17, 2007), 72 FR 54303 (September 24, 2007) (approving File No. SR-Amex-2007-085) (establishing DART program in ETFs and common stocks); letter dated September 5, 2007 to Nancy M. Morris, Secretary, Commission, from Brendan E. Cryan, Managing Member, Brendan E. Cryan & Company, LLC; Jonathan Q. Frey, Managing Partner, J. Streicher & Co.; Michael Marchisi, Managing Partner, AIM Securities Co.; and Robert B. Nunn, Chief Operating Officer, Cohen Specialist, LLC (“Comment Letter”) (commenting on SR-Amex-2007-085); Securities Exchange Act Release No. 56764 (November 7, 2007), 72 FR 64095 (November 14, 2007) (immediate effectiveness of File No. SR-Amex-2007-113) (eliminating DART rules).
A DART will be a member or member organization physically located off-floor that will electronically enter competitive quotations into AEMI on a regular basis in all ETF securities to which it is assigned in the DARTs program. A DART may be either a regular or associate member of the Exchange that meets the requirements for electronic access to the Exchange's automated systems. The proposed DARTs program is similar to the Supplemental Registered Options Traders (“SROT”) program implemented by the Amex for options, 5 with certain unique features. Under the DARTs proposal, an Amex specialist firm may also be a DART, although it may not be registered as a DART in securities in which it is also the specialist.

5 See Amex Rule 993-ANTE (Supplemental Registered Options Traders).

Amex's rules already provide for one type of competing market maker in ETF securities—Registered Traders. A Registered Trader is a member who is authorized to initiate trades in certain securities 6 for his or her account, while on the floor. 7 Like Registered Traders, DARTs will not be permitted to initiate transactions in equity securities. 8 DARTs will have obligations similar to Registered Traders under Exchange rules, such as those relating to a course of dealings that contributes to the maintenance of a fair and orderly market.

6 These include in index warrants, currency warrants, securities listed pursuant to Section 107 of the Amex Company Guide, Trust Issued Receipts, and Partnership Units.
7 See Amex Rule 1A(g)-AEMI. A DART would only be permitted to submit quotations electronically from off the floor of the Exchange.
8 See Amex Rule 110A(n)-AEMI.

Due to their lack of a physical presence in the trading crowd, which is a basic requirement of the auction market, DARTs will not participate in any post-trade allocation in connection with an auction trade.
Instead, a DART's participation in an auction pair-off on the Exchange will be limited to the marketable amount of its quotation on the AEMI Book at the time of the pair-off. For purposes of the priority and parity rules of Rule 126-AEMI, a DART's quotation would be treated as another crowd order, similar to a Registered Trader.

Amex will establish minimum requirements for a DART to remain in the program, which may be modified by the Exchange from time to time. First, a DART must provide competitive quotations on a regular basis to satisfy market maker regulatory requirements. 9 The Exchange from time to time will determine minimum performance standards, including a volume participation rate and trade participation rate. A DART that fails to comply with one or more of these standards may be subject to loss of all or a portion of any benefits to which it would otherwise be entitled under Amex rules by virtue of its status as a DART, including possible suspension or termination of DART status. The number of ETF securities in which a DART may be permitted to make markets will be determined by the Exchange in accordance with Commentary .05 in proposed Rule 110A-AEMI. While management anticipates starting the program with a limited group of DARTs, no specific upper limit on the number of DARTs is anticipated.

9 See proposed Rule 110A-AEMI(b)(i), which requires a DART to “provide continuous two-sided quotations in all assigned securities * * *” This basic market maker requirement mirrors the definition of “market maker” set forth in Section 3(a)(38) of the Act, 15 U.S.C. 78c(3)(38), which requires a dealer in the security involved to hold himself out “as being willing to buy and sell such security for his own account on a regular or continuous basis.”

The following additional regulatory requirements will be imposed by proposed Rule 110A-AEMI(b)(ii): “With respect to each security to which he/she is assigned by the Exchange, a DART's transactions must constitute a course of dealings reasonably calculated to contribute to the maintenance of a fair and orderly market. In connection with this function, a DART is required to make competitive bids and offers as reasonably necessary to contribute to the maintenance of a fair and orderly market and shall engage, to a reasonable degree under the existing circumstances, in dealings for his/her own account when there exists a lack of price continuity, a temporary disparity between the supply of and demand for the security(ies) in which he/she is trading, or a temporary distortion of the price relationships between the security(ies) in which he/she is trading and the security(ies) underlying or otherwise related to such security(ies).”

In addition to the requirements described above, a DART will be required to meet eligibility criteria similar to those specified in the SROT program, which will include:
• Adequacy of resources including capital, technology, and personnel;
• History of stability, superior electronic capacity, and superior operational capacity;
• Level of market-making and/or specialist experience in a broad array of securities;
• Ability to interact with order flow in all types of markets;
• Existence of order flow commitments;
• Willingness and ability to make competitive markets on the Exchange and otherwise promote the Exchange in a manner that is likely to enhance the ability of the Exchange to compete successfully for order flow in the ETF securities it trades;
• The number of member organizations requesting approval to act as a DART; and
• Ability to transact in any ETF underlying markets.

The regulatory requirements applicable to DARTs will be surveilled for by the FINRA Amex Regulation Division (“FINRA Amex”) consistent with current surveillance procedures for Registered Traders on the Exchange. FINRA Amex staff will work with Amex technical staff on planning the necessary changes to AEMI to capture required surveillance data and surveilling the increased number of market makers that the program is expected to attract. Adjustments to current technology and surveillance procedures will likely also be necessitated by the fact that DARTs will not be physically located on the floor of the Exchange.

DARTs will interface with the Amex's Floor Officials in the case of trade disputes substantially in accordance with existing procedures used for SROTs. Each DART accordingly will be required to designate persons on and/or off-floor to be in direct real-time contact with Floor Officials on such matters.

Regulation M will apply to DARTs in the same way that it applies to other market participants, as will Amex Rule 193 to the extent a DART is affiliated with a specialist member organization. However, no expansion of the application of Amex Rule 193 beyond current practice is intended. 10

10 The language in Rule 110A-AEMI(c)(ii) cross-referencing Amex Rule 193 is substantively identical to language also contained in Amex Rules 993-ANTE(d)(iii) (Supplemental Registered Options Traders) and 994-ANTE(d)(iii) (Remote Registered Options Traders), neither of which have been interpreted to expand the applicability of Amex Rule 193 beyond affiliates of specialists.

Finally, the Comment Letter had observed that a provision proposed in SR-Amex-2007-85 relating to minimum capital requirements for DARTs is unnecessary due to its current inapplicability to DARTs (who will be subject to the Commission's net capital rule). 11 The Exchange has eliminated that provision from the current proposed rule change.

11 Rule 15c3-1 under the Act, 17 CFR 240.15c3-1.
III. Discussion

After careful review, the Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to a national securities exchange. 12 In particular, the Commission finds that the proposal is consistent with section 6(b)(5) of the Act, 13 which requires, among other things, that a national securities exchange's rules be designed to promote just and equitable principles of trade, to remove impediments to and to perfect the mechanism of a free and open market and a national market system, and, in general, to protect investors and the public interest.

12 In approving this proposal, the Commission has considered the proposed rule's impact on efficiency, competition, and capital formation. See 15 U.S.C. 78c(f).
13 15 U.S.C. 78f(b)(5).

Under the proposal, DARTs would be permitted to quote electronically in ETFs from off the Exchange's physical trading floor. Amex's rules already provide for one type of competing market maker in ETF securities—Registered Traders. Like Registered Traders, DARTs will not be permitted to enter quotations in equity securities. In addition, similar rules would govern the allocations of DARTs and Registered Traders, except DARTs will not be permitted to participate in a post-trade allocation in connection with an auction trade. The Commission believes it is reasonable and consistent with the Act for Amex to establish DARTs as remote competitive market makers subject to the allocation rules described in the proposal.

The Commission notes that DARTs will be required to meet certain eligibility requirements. The existence of order flow commitments between a DART applicant and order flow providers is one such factor.
The Commission notes the Exchange's representation that a future change to, or termination of, any such commitments would not be used by the Exchange at any point in the future to terminate or take remedial action against a DART, and that the Exchange would not take remedial action solely because orders subject to any such commitments were not subsequently routed to the Exchange. Similarly, the Exchange has included the “willingness to promote the Exchange” as a factor that the Committee may consider when making its application decisions. The Commission notes the Exchange's representation that the Committee would not apply this factor to in any way restrict, either directly or indirectly, a DART's activities as a market maker or specialist on other exchanges, or to restrict how a DART handles orders it holds in a fiduciary capacity to which it owes a duty of best execution. The Commission also notes that, should the Committee decide not to approve a DART applicant, or should a DART's appointment be suspended or terminated in one or more classes, a DART applicant or DART, respectively, would be entitled to a hearing under Article IV, section 1(g) of the Amex Constitution and Amex Rule 40.

Proposed Amex Rule 110A(b)-AEMI sets forth the obligations that a DART would be required to fulfill. Specifically, a DART would be required to generate continuous, two-sided quotations in all assigned ETF securities. A DART's affirmative market making obligations appear to be sufficient to justify the benefits it would receive as a market maker. The proposal also appears reasonably designed to prevent the misuse of material, non-public information with any affiliates that may conduct a brokerage business in securities assigned to a DART, or that may act as a specialist or market maker in any security underlying a derivative security assigned to a DART.

IV. Conclusion

*It is therefore ordered,* pursuant to section 19(b)(2) of the Act, 14 that the proposed rule change (SR-Amex-2007-138) is approved.

14 15 U.S.C. 78s(b)(2).

For the Commission, by the Division of Market Regulation, pursuant to delegated authority. 15

15 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2123 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57250; File No. SR-CBOE-2008-11]

Self-Regulatory Organizations; Chicago Board Options Exchange, Incorporated; Notice of Filing and Immediate Effectiveness of Proposed Rule Change Relating to CBOE's Holdback Timer

February 1, 2008.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”), 1 and Rule 19b-4 thereunder, 2 notice is hereby given that on January 29, 2008, the Chicago Board Options Exchange, Incorporated (“CBOE” or “Exchange”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change as described in Items I and II below, which Items have been substantially prepared by the CBOE. The Exchange filed the proposal as a “non-controversial” proposed rule change pursuant to Section 19(b)(3)(A) of the Act 3 and Rule 19b-4(f)(6) thereunder, 4 which rendered the proposal effective upon filing with the Commission. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.
3 15 U.S.C. 78s(b)(3)(A).
4 17 CFR 240.19b-4(f)(6).

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

CBOE proposes to amend its rules relating to the usage of its holdback timer. The text of the proposed rule change is available at CBOE, the Commission's Public Reference Room, and *http://www.cboe.org/Legal*.

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, CBOE included statements concerning the purpose of, and basis for, the proposed rule change and discussed any comments it received on the proposal. The text of these statements may be examined at the places specified in Item IV below. CBOE has prepared summaries, set forth in Sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

On May 16, 2007, the Commission approved CBOE's proposed rule change, which implemented an additional quote mitigation strategy, namely, a holdback timer. 5 In its filing, CBOE stated that it would utilize a holdback timer that delays quotation updates to OPRA for no longer than one (1) second, and that it would be used in option classes trading on the Hybrid Trading System and Hybrid 2.0 Platform. Subsequently, CBOE implemented a new trading platform, the Hybrid 3.0 Platform, which allows a single quoter to submit an electronic quote which represents the aggregate Market-Maker quoting interest in a series in the trading crowd. 6

5 *See* Securities Exchange Act Release 55772 (May 16, 2007), 72 FR 28732 (May 22, 2007) (SR-CBOE-2007-45).
6 *See* CBOE Rule 1.1(aaa).

CBOE now proposes to clarify that it may utilize the holdback timer in any option classes traded on CBOE, including option classes traded on the Hybrid 3.0 Platform. CBOE believes that the holdback timer is an appropriate and useful tool in mitigating quotations, as it reduces the number of quotations that CBOE disseminates to OPRA, without negatively impacting transparency. CBOE also notes that the holdback timer has been endorsed by the Securities Information and Financial Markets Association. CBOE is not proposing to change the manner in which the holdback timer functions, as described in its original rule filing SR-CBOE-2007-45.

2. Statutory Basis

The Exchange believes that its proposal is consistent with Section 6(b) of the Act 7 in general, and furthers the objectives of Section 6(b)(5) of the Act 8 in particular, in that it is designed to prevent fraudulent and manipulative acts and practices, promote just and equitable principles of trade, remove impediments to and perfect the mechanism of a free and open market and a national market system, and, in general to protect investors and the public interest.

7 15 U.S.C. 78f(b).
8 15 U.S.C. 78f(b)(5).

B. Self-Regulatory Organization's Statement on Burden on Competition

The Exchange does not believe that the proposed rule change will impose any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C.
Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received from Members, Participants, or Others No written comments were either solicited or received by the Exchange. III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action The proposed rule change has become effective pursuant to Section 19(b)(3)(A) of the Act 9 and Rule 19b-4(f)(6) thereunder, 10 because the foregoing proposed rule does not:
(i)significantly affect the protection of investors or the public interest;
(ii)impose any significant burden on competition; and
(iii)become operative for 30 days from the date on which it was filed, or such shorter time as the Commission may designate if consistent with the protection of investors and the public interest. 9 15 U.S.C. 78s(b)(3)(A). 10 17 CFR 240.19b-4(f)(6). A proposed rule change filed under Rule 19b-4(f)(6) normally may not become operative prior to 30-days after the date of filing. 11 However, Rule 19b-4(f)(6)(iii) permits the Commission to designate a shorter time if such action is consistent with the protection of investors and the public interest. 12 The Exchange has requested that the Commission waive the 30-day operative delay. The Commission believes that waiving the 30-day operative delay is consistent with the protection of investors and the public interest because such waiver will allow CBOE to implement the holdback timer in Hybrid 3.0 option classes immediately, and thus reduce the number of quotations it disseminates to OPRA. Furthermore, the proposed rule change does not present any novel regulatory issues as the holdback timer is already implemented with respect to options classes trading on the Hybrid Trading System and Hybrid 2.0 Platform. For these reasons, the Commission designates the proposal to be operative upon filing with the Commission. 13 11 17 CFR 240.19b-4(f)(6)(iii). In addition, Rule 19b-4(f)(6)(iii) requires the self-regulatory organization to give the Commission notice of its intent to file the proposed rule change, along with a brief description and text of the proposed rule change, at least five business days prior to the date of filing of the proposed rule change, or such shorter time as designated by the Commission. CBOE has satisfied the five-day pre-filing requirement. 12 17 CFR 240.19b-4(f)(6)(iii). 13 For purposes only of waiving the 30-day operative delay, the Commission has considered the proposed rule's impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f). 
At any time within 60 days of the filing of the proposed rule change, the Commission may summarily abrogate such rule change if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Act.[14]

[14] *See* 15 U.S.C. 78s(b)(3)(C).

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's Internet comment form (*http://www.sec.gov/rules/sro.shtml*); or
• Send an e-mail to *rule-comments@sec.gov*. Please include File Number SR-CBOE-2008-11 on the subject line.

Paper Comments

• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090.

All submissions should refer to File Number SR-CBOE-2008-11. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site (*http://www.sec.gov/rules/sro.shtml*). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the CBOE. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-CBOE-2008-11 and should be submitted on or before February 28, 2008.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[15]

[15] 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2204 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57256; File No. SR-CBOE-2008-09]

Self-Regulatory Organizations; Chicago Board Options Exchange, Incorporated; Notice of Filing of Proposed Rule Change Establishing a Voluntary Professional Designation

February 1, 2008.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”)[1] and Rule 19b-4[2] thereunder, notice is hereby given that on January 18, 2008, the Chicago Board Options Exchange, Incorporated (the “Exchange” or “CBOE”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change as described in Items I, II, and III below, which Items have been substantially prepared by the Exchange. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

[1] 15 U.S.C. 78s(b)(1).
[2] 17 CFR 240.19b-4.

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

The Exchange proposes to adopt a voluntary professional designation. The text of the proposed rule change is available at CBOE, the Commission's Public Reference Room, and *http://www.cboe.org/Legal*.

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, CBOE included statements concerning the purpose of, and basis for, the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. CBOE has prepared summaries, set forth in Sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and the Statutory Basis for, the Proposed Rule Change

1. Purpose

This filing proposes to allow non-broker-dealer customers to voluntarily have their orders categorized as broker-dealer orders for order handling, order execution, and cancel fee calculation purposes (“Voluntary Professional(s)”). Specifically, these orders would be treated as broker-dealer orders for purposes of CBOE Rules 6.13 (CBOE Hybrid System's Automatic Execution Feature), 6.45 (Priority of Bids and Offers—Allocation of Trades), 6.45A (Priority and Allocation of Equity Option Trades on the CBOE Hybrid System), 6.45B (Priority and Allocation of Trades in Index Options and Options on ETFs on the CBOE Hybrid System), and 6.53C (Complex Orders on the Hybrid System). Some Exchange users have requested this flexibility because it is more suitable to their trading strategies that involve high volume order submission and cancellation. These Voluntary Professionals would participate on trades on the same terms as broker-dealer orders for purposes of the rules set forth above. Orders from Voluntary Professionals would continue to be treated as public customer orders for purposes of the linkage-related rules. CBOE would provide the same away-market protection for orders from Voluntary Professionals as for orders from public customers. Additionally, orders from Voluntary Professionals that are cancelled would not be counted as public customer order cancellations in connection with the cancellation fee calculation applicable to clearing members. The Exchange intends to establish, via a separate rule filing under Section 19(b) of the Act, a transaction fee applicable to Voluntary Professionals and the Exchange would not commence the Voluntary Professional program until such fee was in place.

2. Statutory Basis

The Exchange believes that the proposed rule change is consistent with Section 6(b) of the Act,[3] in general, and furthers the objectives of Section 6(b)(5) of the Act,[4] in particular, in that it is designed to promote just and equitable principles of trade, serve to remove impediments to and perfect the mechanism of a free and open market and a national market system, and protect investors and the public interest.

[3] 15 U.S.C. 78f(b).
[4] 15 U.S.C. 78f(b)(5).

B. Self-Regulatory Organization's Statement on Burden on Competition

CBOE does not believe that the proposed rule change will impose any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants or Others

No written comments were solicited or received with respect to the proposed rule change.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 35 days of the date of publication of this notice in the **Federal Register** or within such longer period
(i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or
(ii) as to which the self-regulatory organization consents, the Commission will:
(A) By order approve such proposed rule change or
(B) Institute proceedings to determine whether the proposed rule change should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's Internet comment form (*http://www.sec.gov/rules/sro.shtml*) or send an e-mail to *rule-comments@sec.gov*. Please include File Number SR-CBOE-2008-09 on the subject line.

Paper Comments

• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090.

All submissions should refer to File Number SR-CBOE-2008-09. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site at (*http://www.sec.gov/rules/sro.shtml*). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing also will be available for inspection and copying at the principal office of the Exchange. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-CBOE-2008-09 and should be submitted on or before February 28, 2008.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[5]

[5] 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2266 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57257; File No. SR-FINRA-2007-020]

Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Order Approving Proposed Rule Change To Create Exception to Principal Approval Requirements for Certain Filed Sales Material

February 1, 2008.

I. Introduction

On November 1, 2007, the Financial Industry Regulatory Authority, Inc. (“FINRA”) (f/k/a National Association of Securities Dealers, Inc. (“NASD”)) filed with the Securities and Exchange Commission (“Commission”) pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”)[1] and Rule 19b-4 thereunder,[2] a proposed rule change relating to amendments to NASD Rule 2210. The proposed rule change was published for comment in the **Federal Register** on December 28, 2007.[3] The Commission received three comment letters in response to the proposed rule change.[4] This order approves the proposed rule change.

[1] 15 U.S.C. 78s(b)(1).
[2] 17 CFR 240.19b-4.
[3] *See* Securities Exchange Act Release No. 57010 (December 20, 2007); 72 FR 73928 (Dec. 28, 2007).
[4] *See* letter from Neal E. Nakagiri, President, CEO & CCO, NPB Financial Group, LLC, dated January 16, 2008 (“NPB letter”); letter from Dale E. Brown, President & CEO, Financial Services Institute, dated January 18, 2008 (“FSI letter”); and letter from Dorothy Donohue, Senior Associate Counsel, Investment Company Institute, dated January 18, 2008 (“ICI letter”).

II. Description of the Proposed Rule Change

The proposed rule change amends NASD Rule 2210 (Communications with the Public) to create an exception from the principal approval requirements for certain filed sales material. NASD Rule 2210 (Communications with the Public) requires that a registered principal of a FINRA member firm approve in writing all advertisements, sales literature, and independently prepared reprints (collectively, “sales material”) prior to use. Certain types of sales materials, such as advertisements and sales literature concerning mutual funds or variable insurance products must be filed with the FINRA Advertising Regulation Department (“Department”). For funds and variable products that are sold through intermediary firms, a registered principal at the fund's or variable product's underwriter typically approves sales material internally and files the material with the Department. FINRA rules require registered principals at each of the intermediary firms that use the underwriter's sales material to re-approve in writing each of these items used by their firms. (The intermediary firm is not required to re-file the sales material with the Department so long as it is used without material change.) If firms have selling agreements with multiple fund families and insurance companies, the number of items that require re-approval can easily be in the hundreds, and often thousands, per firm annually.

Based on recommendations made by its Small Firms Rules Impact Task Force,[5] and to eliminate what FINRA regards as a compliance redundancy, FINRA proposed to create an exception to Rule 2210's registered principal approval requirements for intermediary firms that use the sales material of another firm. The exception would apply only to sales material that another firm has filed with the Department, and for which the Department has issued a review letter finding that the material appears to be consistent with applicable standards.

[5] NASD established the Small Firms Rules Impact Task Force in September 2006 to examine how existing NASD rules impact smaller firms. In particular, the Task Force focuses on possible opportunities to amend or modernize certain conduct rules that may be particularly burdensome for small firms, where such changes are consistent with investor protection and market integrity.

The intermediary firm that relies on this exception could not materially alter the sales material or use it in a manner that is inconsistent with any conditions stated in the Department's review letter. For example, if the Department's review letter was based in part upon the representation by the filing firm that the sales material would be accompanied by a fund prospectus, the intermediary firm would be subject to a similar constraint. Although FINRA anticipates that firms will utilize the exception primarily with respect to mutual fund and variable insurance product sales material, the exception is not limited to sales material for particular products. Thus, the exception also would apply to sales material for other products, such as real estate investment trusts or direct participation programs, provided the sales material meets the exception's requirements. FINRA believes this exception would save intermediary firms' compliance personnel numerous hours that are currently spent reviewing sales material that has already been approved by a registered principal at the product underwriter, and that the Department staff also has reviewed and found to be consistent with applicable standards. Of course, some firms may want to continue to review this sales material, and the proposal would allow them to do so.[6]

[6] The proposed rule change would not affect the contractual obligations that exist between underwriters and intermediary firms. Some dealer agreements may, for example, restrict the ability of underwriters and product wholesalers to send their sales material directly to a retail firm's sales force. These restrictions can facilitate the intermediary firm's ability to supervise its sales force. The proposed rule change would not alter the underwriter's obligations to comply with these contractual restrictions.

The proposed rule change would also revise certain of the advertising record-keeping requirements. Today, Rule 2210(b)(2)(A) states that firms must maintain a copy of all sales material for a period of three years from the date of last use. Existing practice has been to assume that the recordkeeping requirement begins on the date of first use. The proposal would codify this position. For sales material subject to the principal approval exception, firms would have to keep a record of the name of the firm that filed the sales material and a copy of the related FINRA review letter.

III. Comment Letters

The Commission received three comment letters in response to the proposed rule change.[7] All of the commenters supported the proposed rule change. Two commenters stated that the proposed rule change would eliminate hours of unnecessary work.[8] One commenter expressed support for the proposal, stating it would be a less burdensome alternative for intermediary firms.[9] Moreover, two commenters indicated that the proposed rule change should not compromise investor protection.[10] Similarly, one commenter opined that the existing requirement serves no useful or beneficial purpose, in terms of additional investor protection concerns.[11]

[7] *Supra* note 4.
[8] FSI letter; NPB letter.
[9] ICI letter.
[10] FSI letter; ICI letter.
[11] NPB letter.

IV. Discussion and Findings

After careful review, the Commission finds that the proposed rule change is consistent with the requirements of the Act, and the rules and regulations thereunder that are applicable to a national securities association.[12] In particular, the Commission believes that the proposed rule change is consistent with the provisions of section 15A(b)(6) of the Act,[13] which requires, among other things, that FINRA rules must be designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, and, in general, to protect investors and the public interest. The Commission believes that eliminating the requirement for firms to re-approve sales material in limited circumstances when a registered principal of a firm has previously approved the sales material and the Department has previously supplied a favorable review letter will eliminate a compliance redundancy while maintaining investor protections. Notably, the initial firm creating all sales material subject to this exception will continue to be required to obtain sales material approval from its registered principal, file the sales material for review with the Department, and obtain a favorable review letter from the Department.

[12] In approving this proposal, the Commission has considered the proposed rule's impact on efficiency, competition and capital formation. *See* 15 U.S.C. 78c(f).
[13] 15 U.S.C. 78o-3(b)(6).

V. Conclusions

*It is therefore ordered,* pursuant to section 19(b)(2) of the Act,[14] that the proposed rule change (SR-FINRA-2007-020) be, and hereby is, approved.

[14] 15 U.S.C. 78s(b)(2).

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[15]

[15] 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2161 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57259; File No. SR-FINRA-2008-001]

Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Notice of Filing of Proposed Rule Change Relating to Amendments to FINRA's Gross Income Assessment and Technical Changes to Schedule A to FINRA's By-Laws

February 1, 2008.
Pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”)[1] and Rule 19b-4 thereunder,[2] notice is hereby given that on January 10, 2008, the Financial Industry Regulatory Authority, Inc. (“FINRA”) (f/k/a National Association of Securities Dealers, Inc. (“NASD”)) filed with the Securities and Exchange Commission (“SEC” or “Commission”) the proposed rule change as described in Items I, II, and III below, which Items have been substantially prepared by FINRA.[3] The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

[1] 15 U.S.C. 78s(b)(1).
[2] 17 CFR 240.19b-4.
[3] On July 26, 2007, the Commission approved a proposed rule change filed by NASD to amend NASD's Certificate of Incorporation to reflect its name change to the Financial Industry Regulatory Authority, Inc., or FINRA, in connection with the consolidation of the member firm regulatory functions of NASD and NYSE Regulation, Inc. *See* Securities Exchange Act Release No. 56145 (July 26, 2007), 72 FR 42169 (August 1, 2007).

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

FINRA is proposing to amend Schedule A to the FINRA By-Laws to amend the Gross Income Assessment (“GIA”) paid by each FINRA member and to update the references to NASD that appear in Schedule A to the FINRA By-Laws. The text of the proposed rule change is available at NASD, the Commission's Public Reference Room, and *http://www.finra.org*.

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, FINRA included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. FINRA has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

On July 30, 2007, NASD and the New York Stock Exchange (“NYSE”) consolidated their member firm regulation operations into a combined organization, FINRA. The proposed rule change seeks to consolidate certain regulatory fees imposed by NASD and NYSE Regulation, Inc. (“NYSE Regulation”) to develop a single fee structure for FINRA that avoids duplicating fees charged by the two organizations. FINRA's member regulatory pricing structure currently consists primarily of the following fees: the GIA; the Trading Activity Fee (“TAF”); the Personnel Assessment (“PA”); and the Branch Office Assessment (“BOA”). As part of the consolidation, NYSE committed to transfer to FINRA certain regulatory revenues for the remainder of 2007.[4] NYSE fees subject to the transfer agreement include a gross FOCUS (Financial and Operational Combined Uniform Single Report) fee (“GFF”)[5] (comparable to NASD's GIA)[6] and registration fees for branch offices[7] (comparable to NASD's Branch Office System Processing Fee)[8] and registered representatives[9] (comparable to NASD's registration fees for the registration of representatives or principals).[10]

[4] *See* Securities Exchange Act Release No. 56145 (July 26, 2007); 72 FR 42169 (August 1, 2007) (Order Approving SR-NASD-2007-023).
[5] *See* Securities Exchange Act Release No. 56181 (August 1, 2007), 72 FR 44206 (August 7, 2007) (Notice of Filing and Immediate Effectiveness of SR-NYSE-2007-70).
[6] *See* Section 1(c) of Schedule A.
[7] *See* NYSE Rule 342, Supplementary Material .11.
[8] *See* Section 4(a) of Schedule A.
[9] *See* NYSE Rule 345, Supplementary Material .14.
[10] *See* Section 4(b) of Schedule A.
In anticipation of the termination of the agreement to remit fees collected by NYSE, FINRA evaluated whether to consolidate or eliminate any duplicative fees, as well as whether to maintain or increase any non-duplicative fees. FINRA undertook its regulatory pricing review with the objectives of maintaining a fair assessment level for firms and of preserving revenue levels necessary to fund FINRA's member regulatory activities, including the regulation of members through examination, policymaking, rulemaking and enforcement activities. To achieve these objectives, FINRA determined that the most appropriate regulatory pricing structure would be to:
(1) Eliminate NYSE Regulation's legacy registration fees for branch offices and registered representatives, which totals approximately $18.6 million in fee reductions;[11]
(2) maintain NASD's fee structures and levels for the TAF, the BOA and the PA; and
(3) consolidate, with certain adjustments, NASD's GIA rate structure with NYSE Regulation's GFF rate structure.[12]

[11] *See* Securities Exchange Act Release No. 57093 (January 3, 2008), 73 FR 1654 (January 9, 2008) (Notice of Filing and Immediate Effectiveness of SR-NYSE-2007-127).
[12] The NYSE will continue to charge its member organizations an annual gross FOCUS fee; however, the fee was reduced by 75 percent beginning in 2008. *See* Securities Exchange Act Release No. 56181 (August 1, 2007), 72 FR 44206 (August 7, 2007) (Notice of Filing and Immediate Effectiveness of SR-NYSE-2007-70). The reduced gross FOCUS fee charged by NYSE will be retained by NYSE and will not be forwarded to FINRA.

The GIA is currently assessed through a three-tier rate structure with a minimum GIA of $1,200.00. Under the current GIA, members are required to pay an annual GIA equal to the greater of $1,200.00 or the total of:
(1) 0.125% of annual gross revenue less than or equal to $100 million;
(2) 0.029% of annual gross revenue greater than $100 million up to $1 billion; and
(3) 0.014% of annual gross revenue greater than $1 billion.[13]

[13] Gross revenue for assessment purposes is set out in Section 2 of Schedule A, which defines gross revenue as total income as reported on FOCUS form Part II or IIA excluding commodities income.

In contrast, the legacy GFF was assessed at a flat rate of $0.42 per $1,000 of gross FOCUS revenue (or 0.042%). To consolidate these two legacy fees, FINRA proposes that the minimum assessment under the GIA of $1,200.00 will remain, with the ceiling increased from $960,000.00 to $1 million of annual assessable revenue. Because FINRA has committed to reduce the GIA by $1,200.00 per year for five years, subject to annual Board approval, this will effectively reduce the GIA to $0 for the first $1 million of annual assessable revenue. FINRA proposes that for annual gross revenue over $1 million, the regressive rate structure of the legacy GIA and the flat rate structure of the legacy GFF be combined into a new rate structure. Specifically, FINRA proposes to create a seven-tiered rate structure that balances the legacy GIA tiered rate structure with the legacy GFF flat rate structure. Under the proposed rule change, members will be assessed a GIA of:
(1)$1,200 on annual gross revenue up to $1 million;
(2)0.1215% of annual gross revenue greater than $1 million up to $25 million;
(3)0.2599% of annual gross revenue greater than $25 million up to $50 million;
(4)0.0518% of annual gross revenue greater than $50 million up to $100 million;
(5)0.0365% of annual gross revenue greater than $100 million up to $5 billion;
(6)0.0397% of annual gross revenue greater than $5 billion up to $25 billion; and
(7)0.0855% of annual gross revenue greater than $25 billion. FINRA estimates that the proposed rule change will result in aggregate fee reductions of approximately $25 million dollars in 2008 and forward, approximately $18.6 million of which relates to the elimination of NYSE Regulation's legacy registration fees and approximately $6.4 million for GIA rebates given to all FINRA member firms. FINRA estimates that, under the proposed rate structure described above, 93 percent of member firms will have either no change to their GIA or a reduced GIA due to this new rate structure. Certain firms with annual gross revenue exceeding $35 million dollars, however, will have an increase to their GIA under the proposed rate structure. To minimize the impact on members, the new rate structure will be implemented over a three-year period beginning in 2008. During this period, the change in the GIA paid to FINRA by each member will be subject to a cap based on the fees that the member would have paid under the prior NASD and NYSE rate structures. In 2008, a member's GIA will not be impacted by the new rate structure. In 2009, any increase or decrease to the member's GIA resulting from the new rate structure will be capped at a five percent increase or decrease. In 2010, any increase or decrease to the member's GIA resulting from the new rate structure will be capped at a ten percent increase or decrease. During this implementation period, a firm's GIA may increase or decrease due to a change in the member's assessable revenue from year to year; however, any changes to the firm's GIA that result from the change in rate structure will be subject to the cap. For firms that were members of NASD only (not NYSE) as of July 30, 2007, the cap will be calculated based upon the GIA that the member firm would have paid under the prior NASD GIA rate structure. 
For firms that became, or become, FINRA members on or after July 30, 2007 (excluding those firms that were members of NYSE only as of July 30, 2007 and were subsequently required to become FINRA members pursuant to NYSE Rule 2), the cap will be calculated based upon the GIA that the member firm would have paid under the prior NASD GIA rate structure. For firms that were members of the NYSE only (not NASD) as of July 30, 2007, the cap will be calculated based upon the NYSE GFF that the member would have paid under the prior NYSE GFF rate structure. 14 For firms that were members of both NASD and the NYSE as of July 30, 2007 (“Dual Members”), the cap will be calculated based upon the GIA and the GFF that the member would have paid under the prior NASD GIA rate structure and the prior NYSE GFF rate structure. 15

14 In calculating the cap based upon the GFF that a member would have paid under the prior NYSE GFF rate structure, FINRA will use only that portion of the GFF that would have been transferred by the NYSE to FINRA ( *i.e.,* 75 percent of the GFF paid by the member firm).

15 For example, assume that a Dual Member has gross revenue of $5 billion and assessable revenue (based on the prior year) of $4.95 billion for each of the first three years of the new fee rate structure. Under the legacy rate structures, the firm would have paid income assessments to FINRA of $2,512,800 each year (a legacy GFF of $1,575,000 transferred to FINRA ( *i.e.,* 75 percent of the firm's GFF); a legacy GIA to FINRA of $939,000; and net of a $1,200 rebate). Under the new rate structure in the proposed rule filing, the total income assessment charged by FINRA to the firm, without the cap, would be $1,892,224 (a GIA of $1,893,424 net of a $1,200 rebate). This would represent a decrease of $620,576. However, because the change is capped at zero percent in 2008, the firm would be assessed a GIA under the new rate structure of $2,512,800 ( *i.e.,* the same amount as what the firm would have paid under the two legacy rate structures). In 2009, the firm would pay a GIA of $2,387,160 (reflecting the maximum five percent change), and in 2010, the firm would pay a GIA of $2,261,520 (reflecting the maximum ten percent change). As discussed in footnote 12 above, Dual Members will also be subject to a reduced GFF charged by NYSE.

Telephone conference between Kathleen O'Mara, Associate General Counsel, FINRA; Carrie DiValerio, Senior Director, FINRA; Nancy Burke-Sanow, Assistant Director, Division of Trading and Markets (“Division”), Commission; and Jan Woo, Special Counsel, Division, Commission, on January 31, 2008.

Despite the reduction in revenue that will result from the new rate structure, FINRA believes that the revenue collected under the pricing proposal will fund its member regulatory programs. The integration of the member firm regulation operations of NASD and NYSE into FINRA should take up to three years, given FINRA's need to establish a new examination and enforcement program under a consolidated rule book. A new cost structure and revised pricing structure will be evaluated once the integration is complete. FINRA is proposing that the effective date of the proposed rule change will be retroactive to January 1, 2008. FINRA will announce the proposed rule change and subsequent approval in a *Regulatory Notice.*

2. Statutory Basis

FINRA believes that the proposed rule change is consistent with the provisions of section 15A(b)(5) of the Act, 16 which requires, among other things, that FINRA rules provide for the equitable allocation of reasonable dues, fees, and other charges among members and issuers and other persons using any facility or system that FINRA operates or controls.
FINRA believes that the proposed rule change balances NASD and NYSE Regulation legacy fees in a manner that is consistent with FINRA's statutory obligation under section 15A(b)(5) of the Act 17 to ensure that its fees are reasonable and equitably allocated. FINRA believes that the modified rates and the introduction of additional tiers appropriately balance the legacy fees. Moreover, FINRA has sought to minimize the impact that the proposed rule change will have on its members by phasing in the proposed changes so that the changes will have minimal impact on members for the first three years.

16 15 U.S.C. 78o-3(b)(5).

17 15 U.S.C. 78o-3(b)(5).

B. Self-Regulatory Organization's Statement on Burden on Competition

FINRA does not believe that the proposed rule change will result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others

Written comments were neither solicited nor received.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 35 days of the date of publication of this notice in the **Federal Register** or within such longer period
(i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or
(ii) as to which the NASD consents, the Commission will:
(A) By order approve such proposed rule change, or
(B) institute proceedings to determine whether the proposed rule change should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments
• Use the Commission's Internet comment form ( *http://www.sec.gov/rules/sro.shtml* ); or
• Send an e-mail to *rule-comments@sec.gov*. Please include File Number SR-FINRA-2008-001 on the subject line.

Paper Comments
• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090.

All submissions should refer to File Number SR-FINRA-2008-001. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site ( *http://www.sec.gov/rules/sro.shtml* ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing also will be available for inspection and copying at the principal office of FINRA. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.
All submissions should refer to File Number SR-FINRA-2008-001 and should be submitted on or before February 28, 2008.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 18

18 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2182 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57252; File No. SR-FINRA-2007-025]

Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Notice of Filing and Immediate Effectiveness of Proposed Rule Change Relating to Amendments to FINRA's NYSE Rules 421, 440F, and 440G

February 1, 2008.

Pursuant to Section 19(b)(1) 1 of the Securities Exchange Act of 1934 (“Act”) 2 and Rule 19b-4 thereunder, 3 notice is hereby given that on December 4, 2007, Financial Industry Regulatory Authority, Inc. (“FINRA”) (f/k/a National Association of Securities Dealers, Inc. (“NASD”)) filed with the Securities and Exchange Commission (“SEC” or “Commission”) the proposed rule change as described in Items I and II below, which Items have been substantially prepared by FINRA. FINRA has designated the proposed rule change as constituting a “non-controversial” rule change under paragraph (f)(6) of Rule 19b-4 under the Act, 4 which renders the proposal effective upon filing with the Commission. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

1 15 U.S.C. 78s(b)(1).
2 15 U.S.C. 78a *et seq.*
3 17 CFR 240.19b-4.
4 17 CFR 240.19b-4(f)(6).

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

FINRA is proposing to amend FINRA's NYSE Rules 421 (Periodic Reports), 440F (Public Short Sale Transactions Effected on the Exchange) and 440G (Transactions in Stock and Warrants for the Accounts of Members, Allied Members and Member Organizations) 5 to conform such rules with the SEC's amendments to Rule 10a-1 6 (“SEC Rule 10a-1”) and Regulation SHO 7 under the Act. 8 The proposed rule change makes conforming changes to FINRA's NYSE Rules 421, 440F and 440G, consistent with the proposed rule change by the New York Stock Exchange, LLC (“NYSE”) to its versions of Rules 421, 440F and 440G. 9

5 FINRA has incorporated into its rulebook certain rules of NYSE, including NYSE Rules 421, 440F and 440G. These incorporated NYSE rules apply solely to those members of FINRA that also are members of NYSE on or after July 30, 2007 (“Dual Members”), until such time as FINRA adopts a consolidated rulebook applicable to all of its members. The incorporated NYSE rules apply to the same categories of persons to which they applied as of July 30, 2007. In applying the incorporated NYSE rules to Dual Members, FINRA also has incorporated the related interpretive positions set forth in the NYSE Rule Interpretations Handbook and NYSE Information Memos.
6 17 CFR 240.10a-1.
7 17 CFR 242.200-203.
8 *See* Securities Exchange Act Release No. 55970 (June 28, 2007), 72 FR 36348 (July 3, 2007).
9 *See* File No. SR-NYSE-2007-62 (“NYSE's filing”).

Below is the text of the proposed rule change. Proposed new language is in italics; proposed deletions are in brackets.

Rule 421. Periodic Reports

No Change.
* * * Supplementary Material: .10 Short positions.—Member organizations for which the Exchange is the designated examining authority are required to report “short” positions, including odd lots, in each stock or warrant listed on the Exchange, and in each other stock or warrant not listed on the Exchange which is not otherwise reported to another United States securities exchange or securities association, using such automated format and methods as prescribed by the Exchange. Such reports must include customer and proprietary positions and must be made at such times and covering such time period as may be designated by the Exchange. Member organizations for which the Exchange is not the designated examining authority must report “short” positions to the self-regulatory organization which is its designated examining authority (“DEA”) if such DEA has a requirement for such reports. If the DEA does not have such a reporting requirement, then such member organization must comply with the provisions of Rule 421. The term “designated examining authority” means the self-regulatory organization which has been assigned responsibility for examining a member organization for compliance with applicable financial responsibility rules. (See Rule 17d-1 under the Securities Exchange Act of 1934 (the “Exchange Act”).) 
“Short” positions to be reported are those resulting from “short” sales as defined in Rule 200(a) of the Securities and Exchange Commission's Regulation SHO, but excluding positions *that meet the following requirements:*
*(1) any sale by any person, for an account in which he has an interest, if such person owns the security sold and intends to deliver such security as soon as is possible without undue inconvenience or expense;*
*(2) any sale of a security covered by a short sale rule on a national securities exchange (except a sale to a stabilizing bid complying with Rule 104 of Regulation M) effected with the approval of such exchange which is necessary to equalize the price of such security thereon with the current price of such security on another national securities exchange which is the principal exchange market for such security;*
*(3) any sale of a security for a special arbitrage account by a person who then owns another security by virtue of which he is, or presently will be, entitled to acquire an equivalent number of securities of the same class as the securities sold; provided such sale, or the purchase which such sale offsets, is effected for the bona fide purpose of profiting from a current difference between the price of the security sold and the security owned and that such right of acquisition was originally attached to or represented by another security or was issued to all the holders of any such class of securities of the issuer;*
*(4) any sale of a security registered on, or admitted to unlisted trading privileges on, a national securities exchange effected for a special international arbitrage account for the bona fide purpose of profiting from a current difference between the price of such security on a securities market not within or subject to the jurisdiction of the United States and on a securities market subject to the jurisdiction of the United States; provided the seller at the time of such sale knows or, by virtue of information currently received, has reasonable grounds to believe that an offer enabling him to cover such sale is then available to him in such foreign securities market and intends to accept such offer immediately; and*
*(5) any sale by an underwriter, or any member of a syndicate or group participating in the distribution of a security, in connection with an over-allotment of securities, or any lay-off sale by such a person in connection with a distribution of securities through rights or a standby underwriting commitment.*
[resulting from sales specified in clauses (1), (6), (7), (8), and (10) of paragraph (e) of Rule 10a-1 under the Exchange Act.] Also to be excluded are “short” positions carried for other member organizations reporting for themselves. Only one report should be made for each stock or warrant in which there is a short position. If more than one “account” has a short position in the same stock or warrant, the combined aggregate should be reported. NOTE: A member organization which does not carry customers' margin accounts and does not clear its own transactions may obtain an exemption from reporting by notifying the Exchange in writing.
.20-.50 No Change.

Rule 440F. Public Short Sale Transactions Effected on the Exchange

* * * Supplementary Material:
Reports on Form SS20
.10 Requirements for filing. No Change.
General Instructions.—
(1)-(2) No Change.
(3) [Exclude short-exempt sales, except for short-exempt sales in securities subject to the SEC's Pilot Order (SEA Release No. 34-50104)(July 28, 2004), as amended by the SEC's Second Pilot Order (SEA Release No. 34-50747)(November 29, 2004), and any subsequent orders. (4)] Exclude transactions in rights.
[(5)] *(4)* If there are no reportable transactions for a specific week, a form should be filed marked “None”.
[(6)] *(5)* File this report with Credit Regulation Department, via the New York Stock Exchange's Electronic Filing Platform (“EFP”), as soon as possible, but not later than 12:00 noon on the Friday of the week following the week covered by the report.
[(7)] *(6)* Inquiries should be addressed to Credit Regulation Department, telephone 212-656-8572.
[(8)] *(7)* Reserved.
Specific Instructions.—
(1) No Change.
(2) Short sales for hedging accounts and short sales executed as such for arbitrage accounts should be included. [Sales made on a “short-exempt” basis for arbitrage accounts should not be included.]
(3) No Change.

Rule 440G. Transactions in Stocks and Warrants for the Accounts of Members, Allied Members and Member Organizations

* * * Supplementary Material:
.10 Requirements for filing. No Change.
Instructions.—
(1)-(8) No Change.
(9) [Short-exempt sales are to be included with total sales only. Solely for purposes of Rule 440G and Form 121, “short-exempt sales” in securities subject to the SEC's Pilot Order (SEA Release 34-50104)(July 28, 2004), as amended by the SEC's Second Pilot Order (SEA Release 34-50747)(November 29, 2004), and any subsequent orders, are to be included with short sales on Form 121. (10)] Transactions are to be classified into one of the following three categories
(a)-(c) No Change.
[(11)] *(10)* If a reporting member or member organization does not have reportable transactions during a given week, a Form 121 report should be filed marked “No transactions”.
[(12)] *(11)* The Member Firm Regulation Division will consider written requests for exemption from filing REGULAR weekly reports on Form 121. Exemption may be granted for a period of time not to exceed one year, renewable annually if the applicant does not expect to have any, or expects to have only an occasional, reportable transaction during this time. THE EXEMPTION, WHEN GRANTED, IS FROM FILING REGULARLY EACH WEEK AND, IF DURING THE EXEMPTION PERIOD A REPORTABLE TRANSACTION IS EFFECTED, A FORM 121 REPORT, FOR THE WEEK IN WHICH THE TRANSACTION(S) TOOK PLACE, MUST BE FILED IMMEDIATELY.
[(13)] *(12)* File this report with the Credit Regulation Department, via the New York Stock Exchange's Electronic Filing Platform (“EFP”) as soon as possible but not later than 12:00 noon on the Friday following the week covered by the report.
[(14)] *(13)* Inquiries should be addressed to the Credit Regulation Department, telephone 212-656-8572.
[(15)] *(14)* No Change.

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, FINRA included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change.
The text of these statements may be examined at the places specified in Item IV below. FINRA has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

FINRA is proposing changes to FINRA's NYSE Rules 421, 440F and 440G to conform these rules with the SEC's amendments to SEC Rule 10a-1 and Regulation SHO. The SEC's amendments, among other things, remove the short sale price test in SEC Rule 10a-1 and remove the “short exempt” marking requirements in Regulation SHO. In light of the SEC's amendments, the NYSE has proposed amending its Rules 421, 10 440F 11 and 440G. 12 As detailed in the NYSE's filing, the proposed amendments would remove:
(1) The references to SEC Rule 10a-1 in NYSE Rule 421 and
(2) the references to the “short exempt” marking requirements in NYSE Rules 440F and 440G.
NYSE has proposed to make the changes effective upon filing.

10 NYSE Rule 421 (Periodic Reports) contains the NYSE's short interest reporting requirements.
11 NYSE Rule 440F requires members and member organizations to report round-lot short sale transactions for public customers.
12 NYSE 440G requires members and member organizations to report round-lot short sale transactions for members, allied members, and member organizations.

Given these changes, FINRA is proposing to make conforming changes to FINRA's NYSE Rules 421, 440F and 440G to ensure consistency with NYSE's versions of Rules 421, 440F and 440G. 13

13 Pursuant to Rule 17d-2 under the Exchange Act, NASD, NYSE, and NYSE Regulation, Inc. entered into an agreement (“Agreement”) to reduce regulatory duplication for firms that are Dual Members by allocating certain regulatory responsibilities for selected NYSE rules from NYSE Regulation to FINRA. The Agreement includes a list of all of those rules (“Common Rules”) for which FINRA has assumed examination, enforcement and surveillance responsibilities under the Agreement relating to compliance by Dual Members to the extent that such responsibilities involve member firm regulation. *See* Securities Exchange Act Release No. 56148 (July 26, 2007), 72 FR 42146 (August 1, 2007) (Notice of Filing and Order Approving and Declaring Effective a Plan for the Allocation of Regulatory Responsibilities). The Common Rules are the same NYSE rules that FINRA has incorporated into its rulebook. *See* Securities Exchange Act Release No. 56147 (July 26, 2007), 72 FR 42166 (August 1, 2007) (Notice of Filing and Order Granting Accelerated Approval of Proposed Rule Change to Incorporate Certain NYSE Rules Relating to Member Firm Conduct; File No. SR-NASD-2007-054). Paragraph 2(b) of the Agreement sets forth procedures regarding proposed changes by either NYSE or FINRA to the substance of any of the Common Rules.

2. Statutory Basis

The proposed rule change is consistent with the provisions of Section 15A(b)(6) of the Act, 14 which requires, among other things, that FINRA rules must be designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, and, in general, to protect investors and the public interest. The proposed rule change is necessary and appropriate to comply with the amendments to SEC Rule 10a-1 and Regulation SHO and to maintain consistency with the NYSE's amendments to its Rules 421, 440F and 440G.

14 15 U.S.C. 78o-3(b)(6).

B. Self-Regulatory Organization's Statement on Burden on Competition

FINRA does not believe that the proposed rule change will result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received from Members, Participants, or Others

Written comments were neither solicited nor received.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Because the foregoing proposed rule change does not:
(i) Significantly affect the protection of investors or the public interest;
(ii) impose any significant burden on competition; and
(iii) become operative for 30 days from the date on which it was filed, or such shorter time as the Commission may designate, it has become effective pursuant to Section 19(b)(3)(A) of the Act 15 and Rule 19b-4(f)(6) thereunder. 16

15 15 U.S.C. 78s(b)(3)(A).
16 17 CFR 240.19b-4(f)(6).

FINRA has requested that the Commission waive the five-day pre-filing notice 17 and the requirement that the rule change, by its terms, not become operative for 30 days after the date of the filing. 18 FINRA has requested that the effective date of the proposed rule change be the same as the effective date of the NYSE's amendments to NYSE Rules 421, 440F and 440G to ensure that FINRA's NYSE Rules 421, 440F and 440G maintain their status as Common Rules under the Agreement. The Commission believes that waiver of the five-day pre-filing notice and the 30-day operative delay 19 is consistent with the protection of investors and the public interest, given that the compliance date for the Commission's amendments to Rule 10a-1 was July 6, 2007. In addition, waiver of these requirements will permit FINRA to implement its rule changes on the same date that proposed rule changes included in the NYSE's filing are implemented. For these reasons, the Commission designates the proposal to be effective and operative upon filing with the Commission.

17 17 CFR 240.19b-4(f)(6)(iii).
18 17 CFR 240.19b-4(f)(6)(iii).
19 For purposes only of waiving the 30-day operative delay, the Commission has considered the proposed rule's impact on efficiency, competition, and capital formation. *See* 15 U.S.C. 78c(f).

At any time within 60 days of the filing of the proposed rule change, the Commission may summarily abrogate such rule change if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Act.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments
• Use the Commission's Internet comment form ( *http://www.sec.gov/rules/sro.shtml* ); or
• Send an e-mail to *rule-comments@sec.gov*. Please include File Number SR-FINRA-2007-025 on the subject line.

Paper Comments
• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090.

All submissions should refer to File Number SR-FINRA-2007-025. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site ( *http://www.sec.gov/rules/sro.shtml* ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing also will be available for inspection and copying at the principal office of FINRA. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-FINRA-2007-025 and should be submitted on or before February 28, 2008.
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 20

20 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2184 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57254; File No. SR-ISE-2006-26]

Self-Regulatory Organizations; International Securities Exchange, LLC; Notice of Filing of Proposed Rule Change, as Modified by Amendment No. 1, Relating to Professional Account Holders

February 1, 2008.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”), 1 and Rule 19b-4 thereunder, 2 notice is hereby given that on May 5, 2006, the International Securities Exchange, LLC (“ISE” or “Exchange”) filed with the Securities and Exchange Commission (“Commission”) a proposed rule change as described in Items I, II, and III below, which Items have been prepared substantially by the ISE. On January 25, 2008, the Exchange filed Amendment No. 1 to the proposal. 3 The Commission is publishing this notice to solicit comments on the proposed rule change, as modified by Amendment No. 1, from interested persons.

1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.
3 Amendment No. 1 replaced the previously filed proposed rule change in its entirety.

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

The ISE is proposing to amend ISE Rules 713 (Priority of Quotes and Orders), 716 (Block Trades) and 723 (Price Improvement Mechanism for Crossing Transactions) to give certain non-broker-dealer orders the same priority as broker-dealer orders and market maker quotes. The ISE also proposes to charge the same fee for the execution of certain non-broker-dealer orders as is applicable to the execution of broker-dealer orders on the Exchange.
The text of the proposed rule change is available on the Exchange's Web site ( *http://www.iseoptions.com* ), at the principal office of the Exchange, and at the Commission's Public Reference Room. II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change In its filing with the Commission, the ISE included statements concerning the purpose of, and basis for, the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The ISE has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements. A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change 1. Purpose Under ISE rules, a “Public Customer” is any person or entity that is not a broker or dealer in securities, and a “Public Customer Order” is an order for the account of a Public Customer. 4 A “Non-Customer” is any person or entity that is a broker or dealer in securities, and a “Non-Customer Order” is an order for the account of a broker or dealer. 5 These terms are used in ISE specific rules that provide certain marketplace advantages to Public Customer Orders over Non-Customer Orders. In particular, under ISE rules
(i) Public Customer Orders are given priority over Non-Customer Orders and market maker quotes at the same price, 6 and
(ii) subject to certain exceptions, members are not charged a transaction fee for the execution of Public Customer Orders.
The purpose of providing these marketplace advantages to Public Customer Orders is to attract retail investor order flow to the Exchange by leveling the playing field for retail investors over market professionals 7 and providing competitive pricing.

4 ISE Rule 100(a)(32) and (33).
5 ISE Rule 100(a)(22) and (23).
6 ISE Rules 713 (Priority of Quotes and Orders), 716 (Block Trades) and 723 (Price Improvement Mechanism for Crossing Transactions).
7 Market professionals have access to sophisticated trading systems that contain functionality not available to a retail customer, including things such as continuously updated pricing models based upon real-time streaming data, access to multiple markets simultaneously, and order and risk management tools.

With respect to these ISE marketplace advantages, the Exchange does not believe the definitions of Public Customer and Non-Customer properly distinguish between non-professional retail investors and certain professionals. According to the Exchange, providing marketplace advantages based upon whether the order is for the account of a participant that is a registered broker-dealer is no longer appropriate in today's marketplace because some non-broker-dealer individuals and entities have access to information and technology that enables them to professionally trade listed options in the same manner as a broker or dealer in securities. 8 These individual traders and entities (collectively, “professional account holders”) have the same technological and informational advantages over retail investors as broker-dealers trading for their own account, which enables them to compete effectively with broker-dealer orders and market maker quotes for execution opportunities in the ISE marketplace. 9

8 Exchange staff visited a broker-dealer that provided their professional customers with multi-screened trading stations equipped with trading technology that allowed the trader to monitor and place orders on all six options exchanges simultaneously. These trading stations also provided compliance filters, order management tools, the ability to place orders in the underlying securities, and market data feeds.
9 Market makers enter quotes based upon the theoretical value of the option, which moves with various factors in their pricing models, such as the value of the underlying security. Professional customers place and cancel orders in relation to an option's theoretical value in much the same manner as a market maker. This is evidenced by the entry of limit orders that join the best bid or offer and by a very high rate of orders that are canceled. In contrast, retail customers who enter orders as part of an investment strategy (such as a covered write or a directional trade) most frequently enter marketable orders or limit orders that they do not cancel and replace. A study of 10 retail-oriented broker-dealer members over a six-month period indicated that typically only around 20% of their executed customer volume resulted from orders that joined the ISE best bid or offer upon entry. In contrast, over the same period, around 45% of the volume executed by a broker-dealer with a professional trader client base resulted from orders that joined the ISE best bid and offer upon entry. Additionally, retail-oriented broker-dealer members generally have a cancel to trade ratio that is less than 1 ( *i.e.*, more of their orders are executed than canceled), whereas members with a professional trader client base generally have cancel to trade ratios that exceed 5 ( *i.e.*, for every order that is executed, 5 are canceled).
The Exchange therefore does not believe that it is consistent with fair competition for these professional account holders to continue to receive the same marketplace advantages as retail investors over broker-dealers trading on the ISE. Moreover, because Public Customer Orders at the same price are executed in time priority, retail investors are prevented from fully benefiting from the priority advantage when professional account holders are afforded Public Customer Order priority. Accordingly, the Exchange is seeking to adopt two new terms that will be used to more appropriately provide ISE marketplace advantages to retail investors on the ISE. Under the proposal, execution priority under ISE Rules 713 (Priority of Quotes and Orders), 716 (Block Trades) and 723 (Price Improvement Mechanism for Crossing Transactions) will be given to “Priority Customer Orders” over “Professional Orders” and market maker quotes. Transaction fees will also be charged using these definitions. Specifically, the ISE will charge standard transaction fees currently applicable to broker-dealer orders for Professional Orders, and fee waivers currently available to Public Customer Orders will be limited to Priority Customer Orders. A Priority Customer Order will be defined as a person or entity that
(i) is not a broker or dealer in securities, and
(ii) does not place more than 390 orders in listed options per day on average during a calendar month for its own beneficial account(s).

A “Professional Order” will be defined as an order that is for the account of a person or entity that is not a Priority Customer. The use of these new terms in the execution rules and fee schedule will result in professional account holders participating in the ISE's allocation process on equal terms with broker-dealer orders and market maker quotes. It will also result in members paying the same transaction fees for the execution of orders for a professional account as they do for broker-dealer orders. The proposal will not otherwise affect non-broker-dealer individuals or entities under the ISE rules, and in particular, all Public Customer Orders will continue to be treated equally for purposes of the linkage-related rules. For example, the ISE will provide the same away-market protection for all Public Customer Orders, including non-broker-dealer orders that are included in the definition of “Professional Orders.” 10

10 Orders for any customer that had an average of more than 390 orders per day during any month of a calendar quarter must be represented as Professional Orders for the next calendar quarter. Members will be required to conduct a quarterly review and make any appropriate changes to the way in which they are representing orders within five days after the end of each calendar quarter. While Members only will be required to review their accounts on a quarterly basis, if during a quarter the Exchange identifies a customer for which orders are being represented as Priority Customer Orders but that has averaged more than 390 orders per day during a month, the Exchange will notify the Member and the Member will be required to change the manner in which it is representing the customer's orders within five days.
In order to properly represent orders entered on the Exchange according to the new definitions, Electronic Access Members will be required to indicate whether Public Customer Orders are “Priority Customer Orders” or “Professional Orders.” To comply with this requirement, Electronic Access Members will be required to review their customers' activity on at least a quarterly basis to determine whether orders that are not for the account of a broker or dealer should be represented as Priority Customer Orders or Professional Orders. The Exchange believes that identifying professional account holders based upon the average number of orders entered for a beneficial account is an appropriately objective approach that will reasonably distinguish such persons and entities from retail investors. The Exchange proposes the threshold of 390 orders per day on average over a calendar month because it believes it far exceeds the number of orders that are entered by retail investors in a single day, 11 while being a sufficiently low number of orders to cover the professional account holders that are competing with broker-dealers in the ISE marketplace. In addition, basing the standard on the number of orders that are entered in listed options for a beneficial account(s) assures that professional account holders cannot inappropriately avoid the purpose of the rule by spreading their trading activity over multiple exchanges, and using an average number over a calendar month will prevent gaming of the 390 order threshold.

11 Three hundred and ninety orders is equal to the total number of orders that a person would place in a day if that person entered one order every minute from market open to market close. A study of one of the largest retail-oriented options brokerage firms indicated that on a typical trading day, options orders were entered with respect to 5922 different customer accounts. There was only one order entered with respect to 3765 of the 5922 different customer accounts on this day, and there were only 17 customer accounts with respect to which more than 10 orders were entered. The highest number of orders entered with respect to any one account over the course of an entire week was 27. Additionally, many of the largest retail-oriented electronic brokers offer lower commission rates to customers they define as “active traders.” The Exchange reviewed the publicly available information from the Web sites for Charles Schwab, Fidelity, TD Ameritrade and optionsXpress, all of which define an “active trader” as someone who executes only a few options trades per month. The highest required trading activity to qualify as an active trader among these four firms was 35 trades per quarter.

2. Statutory Basis

The basis under the Act for this proposed rule change is the requirement under Section 6(b)(5) 12 that an exchange have rules that are designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, to remove impediments to and perfect the mechanism for a free and open market and a national market system, and, in general, to protect investors and the public interest. In particular, the proposal will assure that retail investors continue to receive the appropriate marketplace and cost advantages in the ISE marketplace, while furthering fair competition among marketplace professionals by treating them equally within the ISE marketplace.

12 15 U.S.C. 78f(b)(5).

B. Self-Regulatory Organization's Statement on Burden on Competition

The proposed rule change does not impose any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others

The Exchange has not solicited, and does not intend to solicit, comments on this proposed rule change. The Exchange has not received any written comments from members or other interested parties.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 35 days of the date of publication of this notice in the **Federal Register** or within such longer period
(i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or
(ii) as to which the Exchange consents, the Commission will:
(A) By order approve such proposed rule change, or
(B) Institute proceedings to determine whether the proposed rule change should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments
• Use the Commission's Internet comment form ( *http://www.sec.gov/rules/sro.shtml* ); or
• Send an e-mail to *rule-comments@sec.gov.* Please include File Number SR-ISE-2006-26 on the subject line.

Paper Comments
• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090.

All submissions should refer to File Number SR-ISE-2006-26. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site ( *http://www.sec.gov/rules/sro.shtml* ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the ISE. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.
All submissions should refer to File Number SR-ISE-2006-26 and should be submitted on or before February 28, 2008.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 13

13 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2206 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57255; File No. SR-ISE-2007-76]

Self-Regulatory Organizations; International Securities Exchange, LLC; Notice of Filing of Proposed Rule Change and Amendment No. 1 Thereto Relating to Voluntary Professionals

February 1, 2008.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) 1 and Rule 19b-4 2 thereunder, notice is hereby given that on August 24, 2007, the International Securities Exchange, LLC (“ISE” or “Exchange”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change as described in Items I, II, and III below, which Items have been substantially prepared by the Exchange. On January 25, 2008, ISE filed Amendment No. 1 to the proposed rule change. The Commission is publishing this notice to solicit comments on the proposed rule change, as amended, from interested persons.

1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

The ISE proposes to allow, on a purely voluntary basis, non-broker-dealer customers to designate their orders as “Voluntary Professional.” Voluntary Professional orders will be treated the same as non-customer orders for purposes of execution priority and the ISE schedule of fees. The text of the proposed rule change is available at ISE, the Commission's Public Reference Room, and *http://www.iseoptions.com.*

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, the ISE included statements concerning the purpose of, and basis for, the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The ISE has prepared summaries, set forth in Sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and the Statutory Basis for, the Proposed Rule Change

1. Purpose

Under ISE rules, a “Public Customer” is any person or entity that is not a broker or dealer in securities and a “Public Customer Order” is an order for the account of a Public Customer. 3 A “Non-Customer” is any person or entity that is a broker or dealer in securities and a “Non-Customer Order” is an order for the account of a broker or dealer. 4 These terms are used in specific ISE rules that provide certain marketplace advantages to Public Customer Orders over Non-Customer Orders. In particular, under ISE rules Public Customer Orders are given priority over Non-Customer Orders and market maker quotes at the same price, and subject to certain exceptions, members are not charged a transaction fee for the execution of Public Customer Orders, but are subject to cancellation fees related to the execution of Public Customer Orders.

3 ISE Rule 100(a)(32) and (33).
4 ISE Rule 100(a)(22) and (23).

Members have indicated that certain of their non-broker-dealer customers employing sophisticated trading strategies that involve cancelling a large percentage of their orders before the orders are executed would prefer to have their orders categorized as Non-Customer Orders, thereby gaining relief from the Exchange's cancellation fee that member firms pass through to these customers. Accordingly, the Exchange proposes to allow, on a purely voluntary basis, non-broker-dealer customers to instruct member firms, in writing, to designate their orders as Voluntary Professional. 5 Such orders would be considered Non-Customer Orders for purposes of ISE Rules 713 (Priority of Quotes and Orders), 716 (Block Trades), 722 (Complex Orders), and 723 (Price Improvement Mechanism for Crossing Transactions). For orders designated as Voluntary Professional, ISE would charge members standard transaction fees currently applicable to broker-dealer orders, which means that the cancellation fee will not be applicable to such orders.

5 The Exchange is also proposing to make non-substantive changes to correct cross references in Rule 100(a) to the Constitution, and to clarify that the term Public Customer means a person “or entity” that is not a broker or dealer in securities.

Under the proposal, Voluntary Professionals would participate in ISE's allocation process on equal terms with broker-dealer orders and market maker quotes. The proposal would also result in members paying the same transaction fees for the execution of Voluntary Professional orders as they do for broker-dealer orders. By definition, the Voluntary Professional designation would not otherwise affect these non-broker-dealer individuals or entities under the ISE rules. The Exchange notes that Voluntary Professional orders would continue to be treated the same as Public Customer Orders for purposes of linkage-related rules. For example, the ISE would provide the same away-market protection for orders designated as Voluntary Professional as it does for orders designated as Public Customer Orders by preventing incoming marketable orders from automatically executing at prices inferior to the best bid or offer on another national securities exchange.
As provided in ISE Rule 714, such Voluntary Professional orders would be handled by the Primary Market Maker who may, according to ISE Rule 1901(c), send a P/A order to another exchange to get a better price for the customer.

2. Statutory Basis

The basis under the Act for this proposed rule change is the requirement under Section 6(b)(5) that an exchange have rules that are designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, to remove impediments to and perfect the mechanism for a free and open market and a national market system, and, in general, to protect investors and the public interest.

B. Self-Regulatory Organization's Statement on Burden on Competition

The proposed rule change does not impose any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants or Others

The Exchange has not solicited, and does not intend to solicit, comments on this proposed rule change. The Exchange has not received any unsolicited written comments from members or other interested parties.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 35 days of the date of publication of this notice in the **Federal Register** or within such longer period
(i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or
(ii) as to which the self-regulatory organization consents, the Commission will:
(A) By order approve such proposed rule change, or
(B) Institute proceedings to determine whether the proposed rule change should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments
• Use the Commission's Internet comment form ( *http://www.sec.gov/rules/sro.shtml* ) or send an e-mail to *rule-comments@sec.gov.* Please include File Number SR-ISE-2007-76 on the subject line.

Paper Comments
• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090.

All submissions should refer to File Number SR-ISE-2007-76. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site at ( *http://www.sec.gov/rules/sro.shtml* ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing also will be available for inspection and copying at the principal office of ISE. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.
All submissions should refer to File Number SR-ISE-2007-76 and should be submitted on or before February 28, 2008.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 6

6 17 CFR 200.30-3(a)(12).

Florence E. Harmon, Deputy Secretary.

[FR Doc. E8-2267 Filed 2-6-08; 8:45 am]

BILLING CODE 8011-01-P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-57251; File No. SR-NYSE-2007-62]

Self-Regulatory Organizations; New York Stock Exchange LLC; Notice of Filing and Immediate Effectiveness of Proposed Rule Changes to NYSE Rules 104 (Dealings by Specialists); 111 (Reports of Executions); 123A (Miscellaneous Reports); 123C (Market on the Close Policy and Expiration Procedures); 421 (Periodic Reports); 440B (Short Sales); 440C (Short Sale Borrowing and Delivery Requirements); 440F (Public Short Sale Transactions Effected on the Exchange); 440G (Transactions in Stocks and Warrants for the Accounts of Members, Allied Members and Member Organizations); 902 (Off-Hours Trading Orders); 1000 (Automatic Execution of Limit Orders Against Orders Reflected in NYSE Published Quotation); and 1003 (Application of Tick Tests) Relating to Recent Amendments to Rule 10a-1 and Regulation SHO

February 1, 2008.

Pursuant to section 19(b)(1) 1 of the Securities Exchange Act of 1934 (“Act”) 2 and Rule 19b-4 3 thereunder, notice is hereby given that on July 6, 2007, the New York Stock Exchange LLC (“NYSE” or “Exchange”) filed with the Securities and Exchange Commission (“Commission”), and on December 5, 2007 amended, the proposed rule change as described in Items I and II below, which items have been substantially prepared by the Exchange. The Exchange filed the proposals as “non-controversial” rule changes under Rule 19b-4(f)(6) 4 under the Act, which rendered the proposals effective upon filing with the Commission. The Commission is publishing this notice to solicit comments on the proposed rule changes from interested persons.

1 15 U.S.C. 78s(b)(1).
2 15 U.S.C. 78a et seq.
3 17 CFR 240.19b-4.
4 17 CFR 240.19b-4(f)(6).

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

The NYSE proposes to make conforming amendments to certain of its rules in light of recent changes to short sale provisions in Rule 10a-1 5 of the Act and Regulation SHO. 6 The rules the Exchange proposes to amend are the following: Rule 104 (Dealings by Specialists); Rule 111 (Reports of Executions); Rule 123A (Miscellaneous Reports); Rule 123C (Market on the Close Policy and Expiration Procedures); Rule 421 (Periodic Reports); Rule 440B (Short Sales); Rule 440C (Short Sale Borrowing and Delivery Requirements); Rule 440F (Public Short Sale Transactions Effected on the Exchange); Rule 440G (Transactions in Stocks and Warrants for the Accounts of Members, Allied Members and Member Organizations); Rule 902 (Off-Hours Trading Orders); Rule 1000 (Automatic Execution of Limit Orders Against Orders Reflected in NYSE Published Quotation); and Rule 1003 (Application of Tick Tests).

5 17 CFR 240.10a-1.
6 17 CFR 242.200-203.

The text of the proposed rule change is available at the Exchange, on the Exchange's Web site at *http://www.nyse.com,* and in the Commission's Public Reference Room.

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, the Exchange included statements concerning the purpose of, and basis for, the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The Exchange has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

On June 28, 2007, the Commission approved final rules eliminating the price test of Rule 10a-1 and amending Regulation SHO (“Adopting Release”). 7 The amendments prohibit any self-regulatory organization (“SRO”) from having a price test and remove the “short exempt” marking requirement of Rule 200(g). The compliance date for these changes was July 6, 2007.

7 *See* Securities Exchange Act Release No. 55970 (June 28, 2007), 72 FR 36348 (July 3, 2007) (“Adopting Release”).

Accordingly, NYSE is proposing conforming amendments to the following rules: Rule 104 (Dealings by Specialists); Rule 111 (Reports of Executions); Rule 123A (Miscellaneous Reports); Rule 123C (Market on the Close Policy and Expiration Procedures); Rule 421 (Periodic Reports); Rule 440B (Short Sales); Rule 440C (Short Sale Borrowing and Delivery Requirements); Rule 440F (Public Short Sale Transactions Effected on the Exchange); Rule 440G (Transactions in Stocks and Warrants for the Accounts of Members, Allied Members and Member Organizations); Rule 902 (Off-Hours Trading Orders); Rule 1000 (Automatic Execution of Limit Orders Against Orders Reflected in NYSE Published Quotation); and Rule 1003 (Application of Tick Tests).

Background

Rule 10a-1 was adopted by the Commission as a means to restrict short selling in a declining market. 8 Rule 10a-1(a) covered short sales in listed securities, or admitted to unlisted securities trading privileges on a national securities exchange, if trades of the security were reported pursuant to an “effective transaction reporting plan” and information regarding such trades was made available in accordance with such plan on a real-time basis to vendors of market transaction information. 9 Rule 10a-1(a)(1) provided that, subject to certain exceptions, a listed security could be sold short either at a price above the price at which the immediately preceding sale was effected (plus tick), or at the last sale price if such price was higher than the last different price (zero-plus tick). 10 This requirement was commonly described as the “tick test.”

8 *See* Securities Exchange Act Release No. 1548 (Jan. 24, 1938), 3 FR 213 (Jan. 26, 1938).
9 Rule 10a-1 used the term “effective transaction reporting plan” as defined in Rule 600 of Regulation NMS (17 CFR 242.600) under the Exchange Act. *See* 17 CFR 240.10a-1(a)(1)(i).
10 The last sale price was the price reported pursuant to an effective transaction reporting plan, *i.e.* , the consolidated tape, or to the last sale price reported in a particular marketplace. Under Rule 10a-1, the Commission gave market centers the choice of measuring the tick of the last trade based on executions solely on their own exchange rather than those reported to the consolidated tape. *See* 17 CFR 240.10a-1(a)(2).

The Commission periodically added exceptions to Rule 10a-1 and granted numerous written requests for relief from the provisions of Rule 10a-1. 11 Requests for exemptive relief increased considerably over time in response to significant developments in the securities markets, such as the increased use of matching systems that execute trades at independently derived prices during random times within specific time intervals and the spread of fully automated markets. Decimal pricing increments substantially reduced the difficulty of short selling on an uptick. In addition, under the then-effective short sale regulatory regime, different price tests applied to different securities trading in different markets and applied generally only to large or more actively-traded securities.

11 *See* Securities Exchange Act Release No. 54891 (December 7, 2006), 71 FR 75071-75072 (December 13, 2006) (“Proposing Release”) (discussing exceptions to Rule 10a-1 added by the Commission and relief granted by the Commission from the rule's restrictions in recent years).

In 2004, the Commission adopted Regulation SHO to update short sale regulation in light of numerous market developments since short sale regulation was first adopted in 1938. 12 Rule 202T of Regulation SHO 13 established procedures for the Commission to temporarily suspend price tests so that the Commission could study their utility and effectiveness in connection with short sales. Under the authority of Rule 202T, in July 2004, the Commission issued an order to establish a pilot program (“Pilot”) for one year to temporarily suspend the provisions of Rule 10a-1(a) and any price test of any exchange or national securities association for short sales of certain securities. 14 The Pilot was designed to assist the Commission in assessing whether changes to current short sale regulation were necessary in light of current market practices. The Commission was interested in the extent to which price tests were necessary to further the objectives of short sale regulation. 15

12 *See* Securities Exchange Act Release No. 50103 (July 28, 2004), 69 FR 48008, 48012-48013 (Aug. 6, 2004) (“Regulation SHO Adopting Release”).
13 17 CFR 242.202T.
14 *See* Securities Exchange Act Release No. 50104 (July 28, 2004), 69 FR 48032 (Aug. 6, 2004).
15 *See id. See also* Adopting Release, 69 FR 48009.

The Pilot commenced on May 2, 2005 and terminated on April 28, 2006. 16 The Commission collected and analyzed the data from the Pilot to determine whether the short sale rules should be amended. Generally, the Pilot results supported removal of price test restrictions. 17

16 *See* Securities Exchange Act Release No. 50747 (Nov. 29, 2004), 69 FR 70480 (Dec. 6, 2004). *See also* NYSE Information Memos 04-64 (Dec. 22, 2004) and 05-30 (April 27, 2005), which explain the establishment of the second Pilot Order.
17 *See* Proposing Release.
Accordingly, in December 2006, the Commission, based on a careful study of the Pilot results and the status of price test restrictions, proposed amendments to remove the price test of Rule 10a-1 and add Rule 201 of Regulation SHO to provide that no price test, including any price test of any SRO, shall apply to short sales in any security. 18 The Commission also proposed to amend Rule 200(g) of Regulation SHO to remove the requirement that a broker-dealer mark a sell order of an equity security as “short exempt” if the seller was relying on an exception from a price test. The purpose of the amendments was to modernize and simplify short sale regulation and to provide greater regulatory consistency by removing restrictions where they no longer appeared necessary or effective. 19 The proposed amendments were adopted on June 28, 2007 and became effective upon publication in the **Federal Register** 20 on July 3, 2007. They had a July 6, 2007 compliance date.

18 *See* Proposing Release.
19 *See* Adopting Release.
20 *See* Adopting Release.

The Adopting Release removed Rule 10a-1 and added Rule 201 of Regulation SHO to provide that no price test, including any price test by any SRO, shall apply to short selling in any security. Additionally, Rule 200 of Regulation SHO previously required broker-dealers to mark sales in all equity securities “long,” “short,” or “short exempt.” Under the Rule, an order could be marked “short exempt” if the seller was entitled to rely on any exception from the tick test, under Rule 10a-1 or any SRO price test. The amendments modified Rule 200(g) of Regulation SHO to remove the requirement that a broker-dealer mark a sell order of an equity security as “short exempt” if the seller is relying on an exception from the price test of Rule 10a-1, or any price test of any exchange or national securities association, to reflect the rescission of the price test requirements. 21

21 *See* Adopting Release.

The Exchange notes the Adopting Release statement that “although the current price test restrictions are being removed, today's markets are characterized by high levels of transparency and regulatory surveillance. These characteristics greatly reduce the risk of undetected manipulation and permit regulators to monitor for the types of activities that current price test restrictions are designed to prevent.” The Commission also noted that “the general anti-fraud and anti-manipulation provisions of the federal securities laws continue to prohibit activity designed to improperly influence the price of a security.” 22

22 Adopting Release, 69 FR 48013. *See also, e.g.* , Section 17(a) of Securities Act of 1933, Sections 9(a), 10(b), and 15(c) of Exchange Act, and Rule 10b-5 thereunder.

Proposed NYSE Amendments

The NYSE is proposing amendments to certain of its rules to conform to the Commission's amendments to Rule 10a-1 and Regulation SHO. Specifically, the Exchange is proposing amendments to remove short sale price test provisions, references to Rule 10a-1 and references to the “short exempt” marking requirement to update its rules in light of the amendments.

NYSE Rule 440B (Short Sales)

NYSE Rule 440B incorporates by reference Exchange Act Rule 10a-1 and Rules 200 and 203 of Regulation SHO. Rule 440B also includes an Explanatory Note, which generally describes changes to short sale regulation and implementation dates. Specifically, the Explanatory Note incorporates and explains the tick test under Rule 10a-1. In addition, the Explanatory Note incorporates the Pilot order, issued under Regulation SHO by the SEC, which suspended the NYSE tick test and any SRO price test for designated securities. The proposed amendments to Rule 440B would delete the Explanatory Note as such information is no longer accurate as a result of the above-mentioned expiration of Rule 202T and the Commission's amendments rescinding Rule 10a-1 and prohibiting any SRO price tests on short sales.
Current Rule 440B(a) provides restrictions on certain short sales pursuant to Rule 10a-1. Current Rule 440B(c) suspends subsection (a) for such time and as to such securities as are designated under the Pilot. Additionally, Rule 440B(b) currently restricts a short sale by a specialist in which such specialist is registered for his own account or any other person in reliance upon the exemption provided under Rule 10a-1(e)(5). The Exchange is proposing to delete sections (a)-(c) of Rule 440B to reflect the rescission of Rule 10a-1. Current Rule 440B.10 generally explains Rule 10a-1 and sets forth the application of Rule 440B in connection with Rule 10a-1 and Regulation SHO. The Exchange is proposing to delete all references to Rule 10a-1 and its requirements in this provision. The Exchange is also proposing to amend Rule 440B.11 to delete any reference to Rule 10a-1 and to delete Rule 440B.12 which sets forth the place of transaction requirements in connection with Rule 10a-1. The Exchange also proposes to delete Rule 440B.15 as it describes prices at which short sales are to be made in accordance with Rule 10a-1. Further, the Exchange proposes to amend Rule 440B.13 to delete references to the “short exempt” marking requirement, and to delete Rule 440B.20, which sets forth such marking requirement, in its entirety, as the “short exempt” marking requirement has been removed by the Commission. The Supplementary Material of Rule 440B will be renumbered to reflect the proposed amendments. Rule 440C (Short Sale Borrowing and Delivery Requirements) NYSE Rule 440C governs borrowing and deliveries against short sales by incorporating by reference the requirements of Rule 203 of Regulation SHO and Exchange Act Rule 10a-1. The Exchange is proposing to delete reference in Rule 440C to Rule 10a-1. Rule 421 (Periodic Reports) NYSE Rule 421 requires that member organizations submit to the Exchange periodic reports with respect to short positions in securities, covering such time period as may be designated by the Exchange. 
Also, Rule 421.10 provides that short positions to be reported exclude positions resulting from certain provisions of Rule 10a-1(e). The proposed amendment to Rule 421.10 would delete reference to Rule 10a-1(e)(1), (6), (7), (8) and (10) based on the rescission of Rule 10a-1, and add the language from these specific provisions to the rule text. Although the tick test is being eliminated, the substance of these provisions will be maintained as it is appropriate to retain an exception to the short sale interest reporting requirements. Thus, Rule 421 will continue to provide the same exception as previously provided by Rule 10a-1(e)(1), (6), (7), (8), and (10) to the short sale reporting requirements. Other Rules The proposed amendment to NYSE Rules 104, 111, 123A, 123C and 1000 would delete all references to Rule 10a-1 and short sale tick tests. The amendments would delete NYSE Rule 1003 in its entirety as it relates solely to tick tests. Further, the proposed amendments would delete references to the “short exempt” marking requirement in current NYSE Rules 440F, 440G and 902. 2. Statutory Basis The statutory basis for the proposed rule change is section 6(b)(5) 23 of the Act which requires, among other things, that the rules of an Exchange are designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, to foster cooperation and coordination with persons engaged in regulating, clearing, settling, processing information with respect to, and facilitating transactions in securities, to remove impediments to and perfect the mechanism of a free and open market and national market system, and in general, to protect investors and the public interest. The proposed amendment will serve these interests by conforming the subject NYSE rules of this filing with the Commission's recent amendments to provisions governing short sales. 23 15 U.S.C. 78f(b)(5). B. Self-Regulatory Organization's Statement on Burden on Competition The Exchange does not believe that the proposed rule change will impose any burden on competition not necessary or appropriate in furtherance of the purposes of the Act. C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants or Others The Exchange has neither solicited nor received written comments on the proposed rule change. III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action Because the foregoing rule change does not:
(A) Significantly affect the protection of investors or the public interest;
(B) impose any significant burden on competition; and
(C) become operative for 30 days after the date of this filing, or such shorter time as the Commission may designate,
it has become effective pursuant to section 19(b)(3)(A) 24 of the Act and Rule 19b-4(f)(6) 25 thereunder. 24 15 U.S.C. 78s(b)(3)(A). 25 17 CFR 240.19b-4(f)(6). The Exchange has requested that the Commission waive the 5-day pre-filing notice requirement 26 and the 30-day operative delay 27 of the proposed rule change. The Commission believes that such waiver is consistent with the protection of investors and the public interest 28 given that the compliance date for the Commission's amendments to Rule 10a-1 was July 6, 2007. 29 For this reason, the Commission designates the proposal to be effective and operative upon filing with the Commission. 26 *See* 17 CFR 240.19b-4(f)(6)(iii), which requires that a self-regulatory organization submit to the Commission written notice of its intent to file a proposed rule change, along with a brief description and text of the proposed rule change, at least five business days prior to the date of filing of the proposed rule change, or such shorter time as designated by the Commission. 27 *See* 17 CFR 240.19b-4(f)(6)(iii). 28 For purposes only of waiving the 30-day operative delay, the Commission has considered the proposed rule's impact on efficiency, competition, and capital formation. *See* 15 U.S.C. 78c(f). 29 *See* Adopting Release. At any time within 60 days of the filing of such proposed rule change the Commission may summarily abrogate such rule change if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors or otherwise in furtherance of the purposes of the Act. IV. Solicitation of Comments Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. 
Comments may be submitted by any of the following methods: Electronic Comments • Use the Commission's Internet comment form ( *http://www.sec.gov/rules/sro.shtml* ); or • Send an e-mail to *rule-comments@sec.gov* . Please include File Number SR-NYSE-2007-62 on the subject line. Paper Comments • Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549. All submissions should refer to File Number SR-NYSE-2007-62. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site ( *http://www.sec.gov/rules/sro.shtml* ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing will also be available for inspection and copying at the principal office of the NYSE. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-NYSE-2007-62 and should be submitted by February 28, 2008. For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 30 30 17 CFR 200.30-3(a)(12). Florence E. Harmon, Deputy Secretary. [FR Doc. E8-2183 Filed 2-6-08; 8:45 am] BILLING CODE 8011-01-P SECURITIES AND EXCHANGE COMMISSION [Release No. 34-57253; File No. SR-Phlx-2008-08] Self-Regulatory Organizations; Philadelphia Stock Exchange, Inc.; Notice of Filing and Immediate Effectiveness of a Proposed Rule Change Relating to an Options Floor Broker Subsidy Program February 1, 2008. Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) 1 and Rule 19b-4 thereunder, 2 notice is hereby given that on January 29, 2008, the Philadelphia Stock Exchange, Inc. (“Phlx” or “Exchange”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change as described in Items I, II, and III below, which Items have been substantially prepared by the Exchange. Phlx has designated this proposal as one establishing or changing a due, fee, or other charge imposed by Phlx under Section 19(b)(3)(A)(ii) of the Act 3 and Rule 19b-4(f)(2) thereunder, 4 which renders the proposal effective upon filing with the Commission. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons. 1 15 U.S.C. 78s(b)(1). 2 17 CFR 240.19b-4. 3 15 U.S.C. 78s(b)(3)(A)(ii). 4 17 CFR 240.19b-4(f)(2). I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change The Phlx proposes to:
(1) Adopt a tiered per contract floor broker options subsidy payable to member organizations with Exchange registered floor brokers for eligible contracts (as defined below) that are entered into the Exchange's Floor Broker Management System (“FBMS”) 5 and subsequently executed on the Exchange, 6 subject to two threshold volume requirements; and
(2) delete the current floor brokerage assessment that is set forth on the Exchange's fee schedule in several places, specifically the Summary of Equity Option and RUT and RMN Charges, the Summary of Index Option Charges, the Summary of U.S. Dollar-Settled Foreign Currency Option Charges, and the Summary of Physical Delivery Currency Option Charges.
5 The Exchange states that FBMS is designed to enable floor brokers and/or their employees to enter, route, and report transactions stemming from options orders received on the Exchange. FBMS also is designed to establish an electronic audit trail for options orders represented and executed by floor brokers on the Exchange. *See* Exchange Rule 1080, commentary .06. 6 Thus, outbound Linkage transactions, which are not executed on the Exchange, are excluded from threshold calculations and subsidy payments, as further described below. Although changes to the fee schedule pursuant to this proposal are effective upon filing, the Exchange intends to implement the subsidy and delete the floor brokerage assessment beginning with transactions settling on or after February 1, 2008. The text of the proposed rule change is available at the Exchange, the Commission's Public Reference Room, and *http://www.phlx.com* . II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change In its filing with the Commission, the Exchange included statements concerning the purpose of and basis for the proposed rule change, and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. Phlx has prepared summaries, set forth in Sections A, B, and C below, of the most significant aspects of such statements. A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change 1. 
Purpose The details of the tiered per contract floor broker subsidy program are set forth below. Threshold Calculations To qualify for the per contract subsidy, a member organization with Exchange registered floor brokers must have:
(1) More than an average of 75,000 executed contracts per day in the applicable month; and
(2) at least 40,000 executed contracts per day for at least eight trading days during that same month. 7
Only the floor broker volume from orders entered into FBMS and subsequently executed would be counted. The 75,000 contract and 40,000 contract thresholds, as described above, would be calculated per member organization floor brokerage unit. 7 For purposes of calculating the 75,000 and 40,000 thresholds, customer-to-customer transactions, customer-to-non-customer transactions, and non-customer-to-non-customer transactions would be included. The Exchange states that it does not currently charge an options comparison or transaction charge for customer transactions as set forth on the Exchange's Summary of Equity Option and RUT and RMN Charges. The Exchange, however, does charge for certain customer transactions as set forth on the Exchange's Summary of Index Option Charges and the Summary of U.S. Dollar-Settled Foreign Currency Option Charges. The Exchange believes that allowing customer transactions to be included in the threshold calculations should help to encourage floor brokers to send more order flow to the Exchange. In the event that two or more member organizations with Exchange registered floor brokers each entered one side of a transaction into FBMS, then the executed contracts would be divided among each qualifying member organization that participates in that transaction. 8 8 Set forth below are several examples to illustrate the threshold volume calculations:
(1) If one floor broker enters both sides of a transaction for 1,000 contracts, that floor broker would get 1,000 contracts credited towards its threshold volume;
(2) in a 1,000 contract trade where each side was entered by a different member organization with Exchange registered floor brokers, each such member organization would receive 500 contracts credited towards their respective threshold volumes;
(3) if one floor broker enters an order for 900 contracts to sell and three separate floor brokers enter the contra side to each buy 300 contracts, the floor broker that entered the 900 contracts to sell would receive 450 contracts towards its threshold calculation and each floor broker on the contra side would receive 150 contracts credited towards their respective threshold calculations; and
(4) if a floor broker enters an order to sell 900 contracts and two separate floor brokers each enter orders to buy 300 contracts and a registered options trader (“ROT”) bought the remaining 300 contracts, the floor broker that entered the 900 contracts would get 600 contracts towards its threshold (150 from each floor broker and 300 from the ROT; the entering floor broker that executed against the ROT receives credit for both sides of the transaction with the ROT, *i.e.*, 300 contracts, because the subsidy is only available to floor brokers and, therefore, the ROT is not eligible to receive credit towards the subsidy), and the two separate floor brokers would get 150 each to add up to the total 900 contracts.
Eligible Contracts To be eligible for the per contract subsidy, an order must be entered through the Exchange's FBMS and subsequently executed on the Exchange. 9 9 Therefore, orders entered through FBMS, but executed away through Linkage would not count towards the 75,000 contract or the 40,000 contract thresholds. However, if an inbound Linkage order is received and is executed against an order that was entered through FBMS, the order that was entered through FBMS would count towards the threshold amount and per contract subsidy, if applicable, for the member organization that entered that order because that transaction was executed on the Exchange. As previously stated, customer-to-customer transactions would count towards reaching the 75,000 contract and 40,000 contract thresholds, but a per contract subsidy would not be paid on any customer-to-customer transactions. 10 10 Customer transactions are identified by the letter “c” in the Exchange's trading systems. 
For purposes of this proposal, customer transactions would exclude those orders entered into FBMS that represent an order other than a customer order, such as “firm,” “customer yield” (which are broker-dealer orders), “market maker” (which is an on-floor market maker), or “off-floor market maker.” Dividend, merger and short stock interest strategies would be excluded from all threshold volume calculations, and no per contract subsidy would be paid on these transactions. 11 11 The Exchange notes that each strategy is coded in such a way so that the Exchange's trading system is able to discern these different types of trading strategies. For a definition of these strategies, *see* Securities Exchange Act Release No. 55358 (February 27, 2007), 72 FR 9828 (March 5, 2007) (SR-Phlx-2007-14).

| Tier | Average daily volume (contracts) | Per contract subsidy payment |
|---|---|---|
| Tier I | 75,001 to 100,000 | $0.01 per contract |
| Tier II | 100,001 to 200,000 | $0.04 per contract |
| Tier III | 200,001 to 300,000 | $0.05 per contract |
| Tier IV | 300,001 to 400,000 | $0.06 per contract |
| Tier V | 400,001 and greater | $0.07 per contract |

The per contract subsidy would be paid based on the average daily contract volume for that month, which are customer-to-non-customer transactions 12 and are in excess of 75,000 contracts. 13 Payments would be made at the stated rate for each tier for those contracts that fall within that tier. These contracts may include customer-to-customer transactions for the purposes of reaching a tier, but as stated above, a per contract subsidy would not be paid on these executions. Therefore, if a member organization has 1,444,000 eligible contracts in a month with 19 trading days, that member organization would receive a per contract subsidy because it met the 75,000 contract threshold (1,444,000 eligible contracts/19 days = 76,000, the average daily contract volume). 
Therefore, the member organization with Exchange registered floor brokers would receive $0.01 per contract on 1,000 customer-to-non-customer contracts multiplied by 19 trading days, resulting in a subsidy of $190. 14 12 For purposes of this proposal, “customer-to-non-customer” transactions refers to customer-to-non-customer transactions, as well as non-customer-to-non-customer transactions. 13 Based on the amount of customer-to-customer contracts, a member organization could enter Tier II or a higher tier due to the amount of customer-to-customer contract volume. For example, assuming the threshold requirements have been met and the average daily customer-to-customer transactions are 105,000 contracts, if a member organization has 2,200,000 eligible contracts in a month with 20 trading days (110,000 average daily contract volume, with 5,000 contracts representing customer-to-non-customer contracts), that member organization would receive no subsidy for Tier I ($0.01 per contract), as there were no customer-to-non-customer contracts considered when calculating Tier I. Of the remaining 10,000 contracts, the member organization would receive $0.04 per contract multiplied by 20 trading days on the 5,000 customer-to-non-customer contracts. Thus, that member organization would receive a subsidy for that month totaling $4,000. 14 This example assumes that the threshold requirements have been met and the average daily customer-to-customer transactions are less than 75,001 contracts, which means that the subsidy will be paid starting with contract 75,001. 
To illustrate a subsidy covering two tiers (again assuming the threshold requirements have been met (2,200,000 eligible contracts/20 days = 110,000, the average daily contract volume) and the average daily customer-to-customer transactions are less than 75,001 contracts), if a member organization has 2,200,000 eligible contracts in a month with 20 trading days, that member organization would receive $0.01 per contract on 25,000 customer-to-non-customer contracts multiplied by 20 trading days, with the remaining 10,000 contracts receiving $0.04 per contract multiplied by 20 trading days. Thus, that member organization would receive a subsidy for that month totaling $13,000. To further illustrate the impact of customer-to-customer volume, assuming the threshold requirements have been met and the average daily customer-to-customer transactions are 85,000 contracts, if a member organization has 2,200,000 eligible contracts in a month with 20 trading days, that member organization would receive $0.01 per contract on 15,000 customer-to-non-customer contracts multiplied by 20 trading days, with the remaining 10,000 contracts receiving $0.04 per contract multiplied by 20 trading days. Thus, that member organization would receive a subsidy for that month totaling $11,000. When computing the threshold amounts, the Exchange intends to first count all customer-to-customer transactions and then all other customer-to-non-customer transactions. 15 15 The Exchange believes that this method of calculation should therefore help member organizations with Exchange registered floor brokers to maximize the subsidy that is paid to them because customer-to-customer transactions will help the member organization reach the threshold requirements and then qualifying transactions after the threshold requirements are met will be paid the applicable per contract subsidy. *See* footnotes 13 and 14 above for specific examples. 
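The threshold crediting rules of footnote 8 and the tiered payout worked through above can be carried out in code. The following is an added illustration for this research copy; it is not part of the Exchange's filing and does not describe the Exchange's own systems. It reproduces the filing's examples as inputs: the split of executed contracts between floor brokers (with a fill against an ROT credited in full to the entering floor broker), the two volume thresholds, and the payout in which customer-to-customer volume is counted first so that it raises the tier reached but is never paid. The function names, the use of integer halves where two floor brokers split an odd contract count (the filing does not say how such a count is split), and the list of daily volumes used for the 40,000-contract test are assumptions of this example.

```python
from collections import defaultdict

# Subsidy tiers from the fee schedule: (lower bound, upper bound, rate per contract).
# The lower bound is exclusive (Tier I starts at contract 75,001); None = no upper bound.
TIERS = [
    (75_000, 100_000, 0.01),
    (100_000, 200_000, 0.04),
    (200_000, 300_000, 0.05),
    (300_000, 400_000, 0.06),
    (400_000, None, 0.07),
]


def credit_threshold_volume(entering_broker, contra_fills):
    """Credit executed contracts towards each floor broker's threshold volume.

    entering_broker: the member organization that entered one side into FBMS.
    contra_fills: list of (participant, contracts, is_floor_broker) for the
    fills on the other side. When both sides are floor brokers the contracts
    are split evenly; a fill against a non-floor-broker (e.g. an ROT) is
    credited in full to the entering floor broker, since only floor brokers
    are eligible. Assumption: integer halves (odd counts are not addressed
    by the filing).
    """
    credits = defaultdict(int)
    for participant, contracts, is_floor_broker in contra_fills:
        if is_floor_broker:
            credits[entering_broker] += contracts // 2
            credits[participant] += contracts // 2
        else:
            credits[entering_broker] += contracts
    return dict(credits)


def meets_thresholds(daily_volumes, min_average=75_000, min_day=40_000, min_days=8):
    """Both volume thresholds: an average of more than 75,000 executed contracts
    per day for the month, and at least 40,000 on at least eight trading days."""
    average = sum(daily_volumes) / len(daily_volumes)
    qualifying_days = sum(1 for v in daily_volumes if v >= min_day)
    return average > min_average and qualifying_days >= min_days


def monthly_subsidy(eligible_contracts, trading_days, avg_cc_per_day):
    """Per contract subsidy for one month, assuming the thresholds were met.

    Customer-to-customer (c-to-c) contracts are counted first, so they occupy
    the lowest positions of the average daily volume. Within each tier only
    positions above both the tier's lower bound and the c-to-c volume are paid,
    at that tier's rate; the daily amount is then multiplied by trading days.
    """
    avg_daily = eligible_contracts / trading_days
    daily_cents = 0.0
    for lower, upper, rate in TIERS:
        top = avg_daily if upper is None else min(avg_daily, upper)
        start = max(lower, avg_cc_per_day)
        paid_contracts = max(0, top - start)
        daily_cents += paid_contracts * rate * 100
    return round(daily_cents * trading_days / 100, 2)


if __name__ == "__main__":
    # Footnote 8, example (4): 900 sold; two floor brokers and an ROT each buy 300.
    print(credit_threshold_volume("FB-A", [("FB-B", 300, True), ("FB-C", 300, True), ("ROT", 300, False)]))
    # Constructed sample month: 20 trading days at 110,000 contracts each.
    print(meets_thresholds([110_000] * 20))
    # The two-tier example above: 2,200,000 contracts, 20 days, c-to-c below 75,001.
    print(monthly_subsidy(2_200_000, 20, 0))
```

Footnote 13's case (105,000 c-to-c contracts per day against an average of 110,000) falls out of the same function as $4,000: Tier I is filled entirely by unpaid c-to-c volume, and only the 5,000 contracts above 105,000 in Tier II are paid.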
The Exchange also proposes to eliminate the floor brokerage assessment that is set forth on the Exchange's fee schedule in several places, specifically the Summary of Equity Option and RUT and RMN Charges, the Summary of Index Option Charges, the Summary of U.S. Dollar-Settled Foreign Currency Option Charges, and the Summary of Physical Delivery Currency Option Charges. The Exchange states that the purpose of providing for a subsidy and deleting the floor brokerage assessment is to attract additional floor brokerage business to the Exchange, which should, in turn, attract more consistent liquidity as the Exchange's market share increases. The purpose of deleting the floor brokerage assessment on the Summary of Physical Delivery Currency Option Charges is to delete a fee that is deemed no longer necessary by the Exchange at this time. 16 16 To clarify, the floor broker subsidy set forth in this proposal does not apply to the physical delivery currency options, as those options are not entered into FBMS. The Exchange represents that this proposal should not adversely affect its commitment of resources to its regulatory oversight program. B. Self-Regulatory Organization's Statement on Burden on Competition The Exchange does not believe that the proposed rule change will impose any burden on competition not necessary or appropriate in furtherance of the purposes of the Act. C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others No written comments were solicited or received with respect to the proposed rule change. III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action The foregoing proposed rule change has been designated as a fee change pursuant to Section 19(b)(3)(A)(ii) of the Act 17 and Rule 19b-4(f)(2) 18 thereunder, because it establishes or changes a due, fee, or other charge imposed by the Exchange. 
Accordingly, the proposal will take effect upon filing with the Commission. At any time within 60 days of the filing of such proposed rule change the Commission may summarily abrogate such rule change if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Act. 17 15 U.S.C. 78s(b)(3)(A)(ii). 18 17 CFR 240.19b-4(f)(2). IV. Solicitation of Comments Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods: Electronic Comments • Use the Commission's Internet comment form ( *http://www.sec.gov/rules/sro.shtml* ); or • Send an e-mail to *rule-comments@sec.gov* . Please include File Number SR-Phlx-2008-08 on the subject line. Paper Comments • Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090. All submissions should refer to File Number SR-Phlx-2008-08. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site ( *http://www.sec.gov/rules/sro.shtml* ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing also will be available for inspection and copying at the principal office of the Exchange. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-Phlx-2008-08 and should be submitted on or before February 28, 2008. For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 19 19 17 CFR 200.30-3(a)(12). Florence E. Harmon, Deputy Secretary. [FR Doc. E8-2245 Filed 2-6-08; 8:45 am] BILLING CODE 8011-01-P DEPARTMENT OF STATE [Public Notice 6092] Bureau of Educational and Cultural Affairs (ECA) *Request for Grant Proposals:* Summer Institute for European Student Leaders. *Announcement Type:* New Cooperative Agreement. *Funding Opportunity Number:* ECA/A/E/EUR 08-04. *Catalog of Federal Domestic Assistance Number:* 00.000. *Key Dates:* May 7, 2008-January 1, 2009. *Application Deadline:* March 17, 2008. *Executive Summary:* The Office of Academic Exchange Programs, European and Eurasian Programs Branch (ECA/A/E/EUR) announces an open competition for a five-week Summer Institute for European Student Leaders. Accredited, post-secondary educational institutions in the United States may submit proposals to administer the program. The Summer Institute for European Student Leaders will offer a group of twenty young Europeans from a broad range of ethnic, religious and socio-economic backgrounds the opportunity to learn about the United States and build leadership skills during a five-week program on an American campus. The Fulbright Commissions in Denmark, France, the Netherlands, Norway, Portugal, Spain, Sweden, and the United Kingdom will recruit participants who are first- or second-year undergraduate students or recent high school graduates who will enter university in fall 2008. The goals of the Institute are to promote study and learning about the United States, leadership development, and civic engagement through academic coursework and participatory activities that will serve the participants in their academic and professional careers and to promote mutual understanding between the United States and their home countries. ECA anticipates that program dates will be for the approximate period of July 13-August 16, 2008. I. Funding Opportunity Description Authority: Overall grant making authority for this program is contained in the Mutual Educational and Cultural Exchange Act of 1961, Public Law 87-256, as amended, also known as the Fulbright-Hays Act. 
The purpose of the Act is “to enable the Government of the United States to increase mutual understanding between the people of the United States and the people of other countries * * *; to strengthen the ties which unite us with other nations by demonstrating the educational and cultural interests, developments, and achievements of the people of the United States and other nations * * * and thus to assist in the development of friendly, sympathetic and peaceful relations between the United States and the other countries of the world.” The funding authority for the program above is provided through legislation. *Purpose:* The purpose of the Summer Institute for European Student Leaders is to provide undergraduate students from a broad range of ethnic, religious, geographic, and socioeconomic backgrounds, the opportunity to learn about the United States and to participate in coursework that will serve them well in their academic and professional careers. The program will allow participants to explore the concepts of leadership and civic engagement from American perspectives. Please refer to the Project Objectives, Goals, and Implementation (POGI) document for the complete program description. *Guidelines:* The program should be designed to support the following components:
(a) An academic program that will introduce participants to the important events, people, and documents that have shaped the United States and contemporary American life. The host institution is encouraged to identify or develop an academic course that Institute participants can take together with American students at the university.
(b) A cultural component that complements and reinforces the academic component. Activities should include visits to historical and cultural sites of interest and participation in extra-curricular activities that will allow an optimal level of interaction with American peers. This component should include plans for participants to be engaged in a community service activity one to two hours per week.
(c) An English language component designed to strengthen the English proficiency of all participants. While all program activities should aim to promote English-language learning, preparations should be in place to assist students through one-on-one or small group tutorials. Institute participants will be required to take the Oral Proficiency Interview (OPI) administered by the American Council on the Teaching of Foreign Languages (ACTFL). The host institution will work with ACTFL to administer the OPI to participants before they depart Europe for the United States. The one-on-one and/or small group tutorials should be held at least three times a week throughout the duration of the Institute and will be mandatory for those participants deemed to require additional language instruction based on the OPI assessment.
(d) A U.S. student mentor program. The host institution should retain four qualified U.S. mentors/escorts (upper division or graduate students) who exhibit cultural sensitivity and an understanding of the Institute's objectives to serve as cultural interpreters and accompany the participants throughout the program. The mentors should reside in the dormitories or other campus housing with the participants.
Applicants should take into account that the participants may not be familiar with the American student-centered classroom approach and will have varying degrees of experience in expressing their opinions in a classroom environment. All aspects of the Institute program should be designed to encourage the students to interact with each other and American counterparts. ECA anticipates that the participants will travel to the United States and directly to the host institution campus on approximately Sunday, July 13, 2008, and depart for Europe from Washington, DC, on Thursday, August 14, 2008. Round-trip international travel will be booked and paid for by the participating Fulbright Commissions. *Please note that* in a cooperative agreement, *ECA/A/E/EUR* is substantially involved in program activities above and beyond routine grant monitoring. *ECA/A/E/EUR's* activities and responsibilities for this program are as follows:
○ ECA will select participants who are nominated by the participating Fulbright Commissions.
○ ECA will facilitate sending pre-arrival orientation materials electronically to participants via the participating Fulbright Commissions.
○ ECA will enroll all participants in the Accident and Sickness Program for Exchanges (ASPE). This health benefits program will be of no cost to the host institution. The participants will be responsible for the co-pays for medical treatment.
○ ECA will issue DS-2019s for the participants to enter the United States on J-visas. 
○ ECA will organize a debriefing session in Washington, DC, at the conclusion of the Institute. All costs for the debriefing (travel to Washington, lodging, meals) will be the responsibility of the host institution and should be included in the proposal budget. ○ ECA will provide the host institution with biographical information about the participants and their travel itineraries. ○ ECA will be available to provide additional guidance and consultation. *Proposal Contents:* Applicants should submit a complete and thorough proposal describing the program in a convincing and comprehensive manner. Since there is no opportunity for applicants to meet with reviewing officials, the proposal should respond to the criteria set forth in the solicitation and other guidelines as clearly as possible. II. Award Information *Type of Award:* ECA's level of involvement in this program is listed under number I above. *Fiscal Year Funds:* 2008. *Approximate Total Funding:* $180,000. *Approximate Number of Awards:* 1. *Anticipated Award Date:* May 7, 2008. *Anticipated Project Completion Date:* January 1, 2009. *Additional Information:* Pending successful implementation of this program and the availability of funds in subsequent fiscal years, it is ECA's intent to renew this grant for two additional fiscal years, before openly competing it again. III. Eligibility Information *III.1. Eligible applicants:* Applications may be submitted by public and private non-profit organizations meeting the provisions described in Internal Revenue Code section 26 U.S.C. 501(c)(3). *III.2.* Cost Sharing or Matching Funds: There is no minimum or maximum percentage required for this competition. However, the Bureau encourages applicants to provide maximum levels of cost sharing and funding in support of its programs. 
When cost sharing is offered, it is understood and agreed that the applicant must provide the amount of cost sharing as stipulated in its proposal and later included in an approved grant agreement. Cost sharing may be in the form of allowable direct or indirect costs. For accountability, you must maintain written records to support all costs which are claimed as your contribution, as well as costs to be paid by the Federal government. Such records are subject to audit. The basis for determining the value of cash and in-kind contributions must be in accordance with OMB Circular A-110, (Revised), Subpart C.23—Cost Sharing and Matching. In the event you do not provide the minimum amount of cost sharing as stipulated in the approved budget, ECA's contribution will be reduced in like proportion. III.3. Other Eligibility Requirements
(a) Bureau grant guidelines require that organizations with less than four years' experience in conducting international exchanges be limited to $60,000 in Bureau funding. ECA anticipates awarding one grant, in an amount up to $180,000 to support program and administrative costs required to implement this exchange program. Therefore, organizations with less than four years' experience in conducting international exchanges are ineligible to apply under this competition. The Bureau encourages applicants to provide maximum levels of cost sharing and funding in support of its programs. IV. Application and Submission Information Note: Please read the complete announcement before sending inquiries or submitting proposals. Once the RFGP deadline has passed, Bureau staff may not discuss this competition with applicants until the proposal review process has been completed. IV.1. Contact Information to Request an Application Package: Please contact the *Office of Academic Exchange Programs, European and Eurasian Programs, U.S. Department of State, SA-44, 301 4th Street, SW., Washington, DC 20547* , *202-453-8524* to request a Solicitation Package. Please refer to the Funding Opportunity Number *ECA/A/E/EUR 08-04* located at the top of this announcement when making your request. Alternatively, an electronic application package may be obtained from grants.gov. Please see section IV.3f for further information. The Solicitation Package contains the Proposal Submission Instruction
(PSI) document which consists of required application forms, and standard guidelines for proposal preparation. It also contains the Project Objectives, Goals and Implementation
(POGI) document, which provides specific information, award criteria and budget instructions tailored to this competition. Please specify *Carolina Chavez, Program Officer,* and refer to the Funding Opportunity Number ( *ECA/A/E/EUR 08-04* ) located at the top of this announcement on all other inquiries and correspondence. IV.2. To Download a Solicitation Package Via Internet The entire Solicitation Package may be downloaded from the Bureau's Web site at *http://exchanges.state.gov/education/rfgps/menu.htm,* or from the Grants.gov Web site at *http://www.grants.gov.* *Please read all information before downloading.* IV.3. Content and Form of Submission Applicants must follow all instructions in the Solicitation Package. The application should be submitted per the instructions under IV.3f. “Application Deadline and Methods of Submission” section below. *IV.3a.* You are required to have a Dun and Bradstreet Data Universal Numbering System
(DUNS) number to apply for a grant or cooperative agreement from the U.S. Government. This number is a nine-digit identification number, which uniquely identifies business entities. Obtaining a DUNS number is easy and there is no charge. To obtain a DUNS number, access *http://www.dunandbradstreet.com* or call 1-866-705-5711. Please ensure that your DUNS number is included in the appropriate box of the SF-424 which is part of the formal application package. *IV.3b.* All proposals must contain an executive summary, proposal narrative and budget. Please refer to the Solicitation Package. It contains the mandatory Proposal Submission Instructions
(PSI) document and the Project Objectives, Goals and Implementation
(POGI) document for additional formatting and technical requirements. *IV.3c.* You must have nonprofit status with the IRS at the time of application. If your organization is a private nonprofit which has not received a grant or cooperative agreement from ECA in the past three years, or if your organization received nonprofit status from the IRS within the past four years, you must submit the necessary documentation to verify nonprofit status as directed in the PSI document. Failure to do so will cause your proposal to be declared technically ineligible. *IV.3d.* Please take into consideration the following information when preparing your proposal narrative: *IV.3d.1 ADHERENCE TO ALL REGULATIONS GOVERNING THE J VISA* The Bureau of Educational and Cultural Affairs places critically important emphases on the security and proper administration of the Exchange Visitor (J visa) Programs and adherence by grantees and sponsors to all regulations governing the J visa. Therefore, proposals should demonstrate the applicant's capacity to meet all requirements governing the administration of the Exchange Visitor Programs as set forth in 22 CFR 62, including the oversight of Responsible Officers and Alternate Responsible Officers, screening and selection of program participants, provision of pre-arrival information and orientation to participants, monitoring of participants, proper maintenance and security of forms, record-keeping, reporting and other requirements. ECA will be responsible for issuing DS-2019 forms to participants in this program. A copy of the complete regulations governing the administration of Exchange Visitor
(J) programs is available at *http://exchanges.state.gov* or from: United States Department of State, Office of Exchange Coordination and Designation, ECA/EC/ECD—SA-44, Room 734, 301 4th Street, SW., Washington, DC 20547, Telephone:
(202) 203-5029, FAX:
(202) 453-8640. Please refer to Solicitation Package for further information. *IV.3d.2 Diversity, Freedom and Democracy Guidelines* Pursuant to the Bureau's authorizing legislation, programs must maintain a non-political character and should be balanced and representative of the diversity of American political, social, and cultural life. “Diversity” should be interpreted in the broadest sense and encompass differences including, but not limited to ethnicity, race, gender, religion, geographic location, socio-economic status, and disabilities. Applicants are strongly encouraged to adhere to the advancement of this principle both in program administration and in program content. Please refer to the review criteria under the ‘Support for Diversity’ section for specific suggestions on incorporating diversity into your proposal. Public Law 104-319 provides that “in carrying out programs of educational and cultural exchange in countries whose people do not fully enjoy freedom and democracy,” the Bureau “shall take appropriate steps to provide opportunities for participation in such programs to human rights and democracy leaders of such countries.” Public Law 106-113 requires that the governments of the countries described above do not have inappropriate influence in the selection process. Proposals should reflect advancement of these goals in their program contents, to the full extent deemed feasible. *IV.3d.3. Program Monitoring and Evaluation* Proposals must include a plan to monitor and evaluate the project's success, both as the activities unfold and at the end of the program. The Bureau recommends that your proposal include a draft survey questionnaire or other technique plus a description of a methodology to use to link outcomes to original project objectives. 
The Bureau expects that the grantee will track participants or partners and be able to respond to key evaluation questions, including satisfaction with the program, learning as a result of the program, changes in behavior as a result of the program, and effects of the program on institutions (institutions in which participants work or partner institutions). The evaluation plan should include indicators that measure gains in mutual understanding as well as substantive knowledge. Successful monitoring and evaluation depend heavily on setting clear goals and outcomes at the outset of a program. Your evaluation plan should include a description of your project's objectives, your anticipated project outcomes, and how and when you intend to measure these outcomes (performance indicators). The more that outcomes are “smart” (specific, measurable, attainable, results-oriented, and placed in a reasonable time frame), the easier it will be to conduct the evaluation. You should also show how your project objectives link to the goals of the program described in this RFGP. Your monitoring and evaluation plan should clearly distinguish between program *outputs* and *outcomes* . *Outputs* are products and services delivered, often stated as an amount. Output information is important to show the scope or size of project activities, but it cannot substitute for information about progress towards outcomes or the results achieved. Examples of outputs include the number of people trained or the number of seminars conducted. *Outcomes* , in contrast, represent specific results a project is intended to achieve and are usually measured as an extent of change. Findings on outputs and outcomes should both be reported, but the focus should be on outcomes. We encourage you to assess the following four levels of outcomes, as they relate to the program goals set out in the RFGP (listed here in increasing order of importance): 1. Participant satisfaction with the program and exchange experience. 
2. Participant learning, such as increased knowledge, aptitude, skills, and changed understanding and attitude. Learning includes both substantive (subject-specific) learning and mutual understanding. 3. Participant behavior, concrete actions to apply knowledge in work or community; greater participation and responsibility in civic organizations; interpretation and explanation of experiences and new knowledge gained; continued contacts between participants, community members, and others. 4. Institutional changes, such as increased collaboration and partnerships, policy reforms, new programming, and organizational improvements. Please note: Consideration should be given to the appropriate timing of data collection for each level of outcome. For example, satisfaction is usually captured as a short-term outcome, whereas behavior and institutional changes are normally considered longer-term outcomes. Overall, the quality of your monitoring and evaluation plan will be judged on how well it
(1) specifies intended outcomes;
(2) gives clear descriptions of how each outcome will be measured;
(3) identifies when particular outcomes will be measured; and
(4) provides a clear description of the data collection strategies for each outcome (i.e., surveys, interviews, or focus groups). (Please note that evaluation plans that deal only with the first level of outcomes [satisfaction] will be deemed less competitive under the present evaluation criteria.) Grantees will be required to provide reports analyzing their evaluation findings to the Bureau in their regular program reports. All data collected, including survey responses and contact information, must be maintained for a minimum of three years and provided to the Bureau upon request. *IV.3e. Please take the following information into consideration when preparing your budget:* *IV.3e.1.* Applicants must submit a comprehensive budget for the entire program. Budget requests may not exceed $180,000. There must be a summary budget as well as breakdowns reflecting both administrative and program budgets. Applicants may provide separate sub-budgets for each program component, phase, location, or activity to provide clarification. IV.3f. Application Deadline and Methods of Submission: *Application Deadline Date:* March 17, 2008. *Reference Number:* ECA/A/E/EUR 08-04. *Methods of Submission:* Applications may be submitted in one of two ways:
(1) In hard-copy, via a nationally recognized overnight delivery service (i.e., DHL, Federal Express, UPS, Airborne Express, or U.S. Postal Service Express Overnight Mail, etc.), or
(2) Electronically through *http://www.grants.gov* . Along with the Project Title, all applicants must enter the above Reference Number in Box 11 on the SF-424 contained in the mandatory Proposal Submission Instructions
(PSI) of the solicitation document. IV.3f.1. Submitting Printed Applications Applications must be shipped no later than the above deadline. Delivery services used by applicants must have in-place, centralized shipping identification and tracking systems that may be accessed via the Internet and delivery people who are identifiable by commonly recognized uniforms and delivery vehicles. Proposals shipped on or before the above deadline but received at ECA more than seven days after the deadline will be ineligible for further consideration under this competition. Proposals shipped after the established deadlines are ineligible for consideration under this competition. ECA will *not* notify you upon receipt of application. It is each applicant's responsibility to ensure that each package is marked with a legible tracking number and to monitor/confirm delivery to ECA via the Internet. Delivery of proposal packages *may not* be made via local courier service or in person for this competition. Faxed documents will not be accepted at any time. Only proposals submitted as stated above will be considered. Important note: When preparing your submission please make sure to include one extra copy of the completed SF-424 form and place it in an envelope addressed to “ECA/EX/PM”. The original and *8 copies* of the application should be sent to: U.S. Department of State, SA-44, Bureau of Educational and Cultural Affairs, Ref.: ECA/A/E/EUR-08-04, Program Management, ECA/EX/PM, Room 534, 301 4th Street, SW., Washington, DC 20547. Applicants submitting hard-copy applications must also submit the “Executive Summary” and “Proposal Narrative” sections of the proposal in a Microsoft Word format on a CD-ROM. *IV.3f.2.—Submitting Electronic Applications* Applicants have the option of submitting proposals electronically through *Grants.gov* ( *http://www.grants.gov* ). Complete solicitation packages are available at Grants.gov in the “Find” portion of the system. 
Please follow the instructions available in the ‘Get Started’ portion of the site ( *http://www.grants.gov/GetStarted* ). Several of the steps in the *Grants.gov* registration process could take several weeks. Therefore, applicants should check with appropriate staff within their organizations immediately after reviewing this RFGP to confirm or determine their registration status with *Grants.gov* . Once registered, the amount of time it can take to upload an application will vary depending on a variety of factors including the size of the application and the speed of your Internet connection. Therefore, we strongly recommend that you not wait until the application deadline to begin the submission process through *Grants.gov* . Direct all questions regarding *Grants.gov* registration and submission to: *Grants.gov* Customer Support, Contact Center Phone: 800-518-4726, Business Hours: Monday-Friday, 7 a.m.-9 p.m. Eastern Time, E-mail: *support@Grants.gov* . Applicants have until midnight (12 a.m.), Washington, DC time of the closing date to ensure that their entire application has been uploaded to the *Grants.gov* site. There are no exceptions to the above deadline. Applications uploaded to the site after midnight of the application deadline date will be automatically rejected by the *Grants.gov* system, and will be technically ineligible. Applicants will receive a confirmation e-mail from *Grants.gov* upon the successful submission of an application. ECA will *not* notify you upon receipt of electronic applications. It is the responsibility of all applicants submitting proposals via the *Grants.gov* Web portal to ensure that proposals have been received by *Grants.gov* in their entirety, and ECA bears no responsibility for data errors resulting from transmission or conversion processes. *IV.3g. Intergovernmental Review of Applications:* Executive Order 12372 does not apply to this program. V. Application Review Information V.1. 
Review Process The Bureau will review all proposals for technical eligibility. Proposals will be deemed ineligible if they do not fully adhere to the guidelines stated herein and in the Solicitation Package. All eligible proposals will be reviewed by the program office, as well as the Public Diplomacy section overseas, where appropriate. Eligible proposals will be subject to compliance with Federal and Bureau regulations and guidelines and forwarded to Bureau grant panels for advisory review. Proposals may also be reviewed by the Office of the Legal Adviser or by other Department elements. Final funding decisions are at the discretion of the Department of State's Assistant Secretary for Educational and Cultural Affairs. Final technical authority for cooperative agreements resides with the Bureau's Grants Officer. Review Criteria Technically eligible applications will be competitively reviewed according to the criteria stated below. These criteria are not rank ordered and all carry equal weight in the proposal evaluation: 1. *Quality of Program Idea/Plan:* Your proposal should exhibit originality, substance, precision, and relevance to the Bureau's mission. Detailed agenda and relevant work plan should demonstrate substantive undertakings and logistical capacity. 2. *Ability To Achieve Overall Program Objectives:* Objectives should be reasonable, feasible, and flexible. Your proposal should clearly demonstrate how the institution will meet the program's objectives and plan. 3. *Support for Diversity:* Your proposal should demonstrate substantive support of the Bureau's policy on diversity. Achievable and relevant features should be cited in both program administration (selection of presenters, program venue and program evaluation) and program content (orientation and wrap-up sessions, program meetings and resource materials). 4. 
*Evaluation and Follow-Up:* Your proposal should include a plan to evaluate the activity's success, both as the activities unfold and at the end of the program. Your proposal should also discuss provisions made for follow-up with returned grantees as a means of establishing longer-term individual and institutional linkages. 5. *Cost-effectiveness/Cost-sharing:* The overhead and administrative components of the proposal, including salaries and honoraria, should be kept as low as possible. All other items should be necessary and appropriate. Your proposal should maximize cost-sharing through other private sector support as well as institutional direct funding contributions. 6. *Institutional Track Record/Ability:* Your proposal should demonstrate an institutional record of successful exchange programs, including responsible fiscal management and full compliance with all reporting requirements for past Bureau grants as determined by Bureau Grants Staff. The Bureau will consider the past performance of prior recipients and the demonstrated potential of new applicants. Proposed personnel and institutional resources should be fully qualified to achieve the project's goals. VI. Award Administration Information *VI.1a. Award Notices:* Final awards cannot be made until funds have been appropriated by Congress, allocated and committed through internal Bureau procedures. Successful applicants will receive an Assistance Award Document
(AAD) from the Bureau's Grants Office. The AAD and the original grant proposal with subsequent modifications (if applicable) shall be the only binding authorizing document between the recipient and the U.S. Government. The AAD will be signed by an authorized Grants Officer, and mailed to the recipient's responsible officer identified in the application. Unsuccessful applicants will receive notification of the results of the application review from the ECA program office coordinating this competition. VI.2. Administrative and National Policy Requirements Terms and Conditions for the Administration of ECA agreements include the following: Office of Management and Budget Circular A-122, “Cost Principles for Nonprofit Organizations.” Office of Management and Budget Circular A-21, “Cost Principles for Educational Institutions.” OMB Circular A-87, “Cost Principles for State, Local and Indian Governments”. OMB Circular No. A-110 (Revised), Uniform Administrative Requirements for Grants and Agreements with Institutions of Higher Education, Hospitals, and other Nonprofit Organizations. OMB Circular No. A-102, Uniform Administrative Requirements for Grants-in-Aid to State and Local Governments. OMB Circular No. A-133, Audits of States, Local Government, and Non-profit Organizations. Please reference the following Web sites for additional information: *http://www.whitehouse.gov/omb/grants* and *http://exchanges.state.gov/education/grantsdiv/terms.htm#articleI* . VI.3. Reporting Requirements You must provide ECA with a hard copy original plus 8 copies of the following reports:
(1) A final program and financial report no more than 90 days after the expiration of the award; Grantees will be required to provide reports analyzing their evaluation findings to the Bureau in their regular program reports. (Please refer to IV. Application and Submission Instructions (IV.3.d.3) above for Program Monitoring and Evaluation information.) All data collected, including survey responses and contact information, must be maintained for a minimum of three years and provided to the Bureau upon request. All reports must be sent to the ECA Grants Officer and ECA Program Officer listed in the final assistance award document. VII. Agency Contacts For questions about this announcement, contact: Carolina Chavez, ECA/A/E/EUR, Room 246, ECA/A/E/EUR 08-04, U.S. Department of State, SA-44, 301 4th Street, SW., Washington, DC 20547, 202-453-8524, *ChavezCC@state.gov* . All correspondence with the Bureau concerning this RFGP should reference the above title and number ECA/A/E/EUR 08-04. Please read the complete announcement before sending inquiries or submitting proposals. Once the RFGP deadline has passed, Bureau staff may not discuss this competition with applicants until the proposal review process has been completed. VIII. Other Information Notice The terms and conditions published in this RFGP are binding and may not be modified by any Bureau representative. Explanatory information provided by the Bureau that contradicts published language will not be binding. Issuance of the RFGP does not constitute an award commitment on the part of the Government. The Bureau reserves the right to reduce, revise, or increase proposal budgets in accordance with the needs of the program and the availability of funds. Awards made will be subject to periodic reporting and evaluation requirements per section VI.3 above. Dated: January 30, 2008. C. Miller Crouch, Acting Assistant Secretary, Bureau of Educational and Cultural Affairs, Department of State. [FR Doc. 
E8-2268 Filed 2-6-08; 8:45 am] BILLING CODE 4710-05-P DEPARTMENT OF STATE [Public Notice 6093] Culturally Significant Objects Imported for Exhibition Determinations: “Gilbert & George” SUMMARY: Notice is hereby given of the following determinations: Pursuant to the authority vested in me by the Act of October 19, 1965 (79 Stat. 985; 22 U.S.C. 2459), Executive Order 12047 of March 27, 1978, the Foreign Affairs Reform and Restructuring Act of 1998 (112 Stat. 2681, *et seq.* ; 22 U.S.C. 6501 note, *et seq.* ), Delegation of Authority No. 234 of October 1, 1999, Delegation of Authority No. 236 of October 19, 1999, as amended, and Delegation of Authority No. 257 of April 15, 2003 [68 FR 19875], I hereby determine that an object to be included in the exhibition “Gilbert & George”, imported from abroad for temporary exhibition within the United States, is of cultural significance. The object is imported pursuant to loan agreements with the foreign owners or custodians. I also determine that the exhibition or display of the exhibit object at the Fine Arts Museums of San Francisco, de Young Museum, San Francisco, CA, from on or about February 16, 2008, until on or about May 18, 2008, and at possible additional exhibitions or venues yet to be determined, is in the national interest. Public Notice of these Determinations is ordered to be published in the **Federal Register** . FOR FURTHER INFORMATION CONTACT: For further information, including a list of the exhibit objects, contact Richard Lahne, Attorney-Adviser, Office of the Legal Adviser, U.S. Department of State (telephone: 202/453-8058). The address is U.S. Department of State, SA-44, 301 4th Street, SW., Room 700, Washington, DC 20547-0001. Dated: February 1, 2008. C. Miller Crouch, Principal Deputy Assistant Secretary for Educational and Cultural Affairs, Department of State. [FR Doc. E8-2272 Filed 2-6-08; 8:45 am] BILLING CODE 4710-05-P DEPARTMENT OF STATE [Public Notice: 6073] U.S. 
Advisory Commission on Public Diplomacy; Notice of Meeting The U.S. Advisory Commission on Public Diplomacy will hold a public meeting on February 21, 2008, in Room 602 (Lindner Family Commons) at the Elliott School of International Affairs, George Washington University, 1957 E Street NW., Washington, DC. The meeting will be held from 9 a.m. to 12 noon. The Commissioners will discuss public diplomacy issues, including the application of political communication theory, and associated disciplines, in U.S. government public diplomacy efforts. The Advisory Commission was originally established under section 604 of the United States Information and Educational Exchange Act of 1948, as amended (22 U.S.C. 1469) and section 8 of Reorganization Plan Numbered 2 of 1977. It was reauthorized pursuant to Public Law 110-21 (2007). The Commission is a bipartisan panel created by Congress in 1948 to assess public diplomacy policies and programs of the U.S. government and publicly funded nongovernmental organizations. The Commission reports its findings and recommendations to the President, the Congress, the Secretary of State and the American people. Current Commission members include Barbara M. Barrett of Arizona, who is the Chairman; Harold Pachios of Maine; Ambassador Penne Percy Korth of Washington, DC; Ambassador Elizabeth Bagley of Washington, DC; Jay T. Snyder of New York; and Maria Sophia Aguirre of Washington, DC. Seating at this meeting is limited. To attend and for more information, please contact Carl Chan at
(202) 203-7883. E-mail: *chanck@state.gov* . Dated: January 31, 2008. Carl Chan, Interim Executive Director, ACPD, Department of State. [FR Doc. E8-2271 Filed 2-6-08; 8:45 am] BILLING CODE 4710-11-P DEPARTMENT OF TRANSPORTATION Office of the Secretary In the Matter of the Continuing Fitness of Boston-Maine Airways Corp. AGENCY: Department of Transportation. ACTION: Notice of Order to Show Cause (Order 2008-2-3) Dockets DOT-OST-2000-7668, DOT-OST-2003-14985, and DOT-OST-2004-19919. SUMMARY: The Department of Transportation is directing all interested persons to show cause why it should not issue an order finding that Boston-Maine Airways Corp. is not fit, willing, and able to provide air transportation as a U.S. certificated air carrier. DATES: Persons wishing to file objections should do so no later than March 3, 2008. ADDRESSES: Objections and answers to objections should be filed in Dockets DOT-OST-2000-7668, DOT-OST-2003-14985, and DOT-OST-2004-19919 and addressed to Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Ave SE., West Building, Room W12-140, Washington, DC 20590, and should be served upon the parties listed in Attachment B to the order. FOR FURTHER INFORMATION CONTACT: Vanessa R. Balgobin, Air Carrier Fitness Division, U.S. Department of Transportation, 1200 New Jersey Ave SE., West Building, Room W86-463, Washington, DC 20590,
(202) 366-9721. Dated: February 1, 2008. Michael W. Reynolds, Acting Assistant Secretary for Aviation and International Affairs. [FR Doc. E8-2275 Filed 2-6-08; 8:45 am] BILLING CODE 4910-9X-P DEPARTMENT OF TRANSPORTATION Federal Motor Carrier Safety Administration [Docket No. FMCSA-99-5748, FMCSA-99-6156] Qualification of Drivers; Exemption Applications; Vision AGENCY: Federal Motor Carrier Safety Administration (FMCSA), DOT. ACTION: Notice of renewal of exemptions; request for comments. SUMMARY: FMCSA announces its decision to renew the exemptions from the vision requirement in the Federal Motor Carrier Safety Regulations for 6 individuals. FMCSA has statutory authority to exempt individuals from the vision requirement if the exemptions granted will not compromise safety. The Agency has concluded that granting these exemption renewals will provide a level of safety that is equivalent to, or greater than, the level of safety maintained without the exemptions for these commercial motor vehicle
(CMV) drivers. DATES: This decision is effective March 7, 2008. Comments must be received on or before March 10, 2008. ADDRESSES: You may submit comments bearing the Federal Docket Management System
(FDMS) Docket ID FMCSA-99-5748, FMCSA-99-6156, using any of the following methods. • *Federal eRulemaking Portal:* Go to *http://www.regulations.gov.* Follow the on-line instructions for submitting comments. • *Mail:* Docket Management Facility; U.S. Department of Transportation, 1200 New Jersey Avenue, SE., West Building Ground Floor, Room W12-140, Washington, DC 20590-0001. • *Hand Delivery or Courier:* West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. • *Fax:* 1-202-493-2251. Each submission must include the Agency name and the docket number for this Notice. Note that DOT posts all comments received without change to *http://www.regulations.gov,* including any personal information included in a comment. Please see the Privacy Act heading below. *Docket:* For access to the docket to read background documents or comments, go to *http://www.regulations.gov* at any time or Room W12-140 on the ground level of the West Building, 1200 New Jersey Avenue, SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The FDMS is available 24 hours each day, 365 days each year. If you want acknowledgment that we received your comments, please include a self-addressed, stamped envelope or postcard or print the acknowledgment page that appears after submitting comments on-line. *Privacy Act:* Anyone may search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or of the person signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review the DOT's complete Privacy Act Statement in the **Federal Register** published on April 11, 2000 (65 FR 19477-78; Apr. 11, 2000). This information is also available at *http://DocketInfo.dot.gov.* FOR FURTHER INFORMATION CONTACT: Dr. Mary D. Gunnels, Director, Medical Programs,
(202) 366-4001, *fmcsamedical@dot.gov,* FMCSA, Department of Transportation, 1200 New Jersey Avenue, SE., Room W64-224, Washington, DC 20590-0001. Office hours are from 8:30 a.m. to 5 p.m. Monday through Friday, except Federal holidays.

SUPPLEMENTARY INFORMATION:

Background

Under 49 U.S.C. 31136(e) and 31315, FMCSA may renew an exemption from the vision requirements in 49 CFR 391.41(b)(10), which applies to drivers of CMVs in interstate commerce, for a two-year period if it finds “such exemption would likely achieve a level of safety that is equivalent to, or greater than, the level that would be achieved absent such exemption.” The procedures for requesting an exemption (including renewals) are set out in 49 CFR part 381.

Exemption Decision

This notice addresses 6 individuals who have requested a renewal of their exemption in accordance with FMCSA procedures. FMCSA has evaluated these 6 applications for renewal on their merits and decided to extend each exemption for a renewable two-year period. They are:

Dennis J. Lessard
James D. Simon
Robert J. Townsley
Harry R. Littlejohn
Wayland O. Timberlake
Jeffery G. Wuensch

These exemptions are extended subject to the following conditions:
(1) That each individual have a physical examination every year (a) by an ophthalmologist or optometrist who attests that the vision in the better eye continues to meet the standard in 49 CFR 391.41(b)(10), and (b) by a medical examiner who attests that the individual is otherwise physically qualified under 49 CFR 391.41;
(2) that each individual provide a copy of the ophthalmologist's or optometrist's report to the medical examiner at the time of the annual medical examination; and
(3) that each individual provide a copy of the annual medical certification to the employer for retention in the driver's qualification file and retain a copy of the certification on his/her person while driving for presentation to a duly authorized Federal, State, or local enforcement official.

Each exemption will be valid for two years unless rescinded earlier by FMCSA. The exemption will be rescinded if:
(1) The person fails to comply with the terms and conditions of the exemption;
(2) the exemption has resulted in a lower level of safety than was maintained before it was granted; or
(3) continuation of the exemption would not be consistent with the goals and objectives of 49 U.S.C. 31136(e) and 31315.

Basis for Renewing Exemptions

Under 49 U.S.C. 31315(b)(1), an exemption may be granted for no longer than two years from its approval date and may be renewed upon application for additional two-year periods. In accordance with 49 U.S.C. 31136(e) and 31315, each of the 6 applicants has satisfied the entry conditions for obtaining an exemption from the vision requirements (64 FR 40404; 64 FR 66962; 67 FR 10475; 69 FR 8260; 71 FR 6824; 64 FR 54948; 65 FR 159). Each of these 6 applicants has requested renewal of the exemption and has submitted evidence showing that the vision in the better eye continues to meet the standard specified at 49 CFR 391.41(b)(10) and that the vision impairment is stable. In addition, a review of each record of safety while driving with the respective vision deficiencies over the past two years indicates each applicant continues to meet the vision exemption standards. These factors provide an adequate basis for predicting each driver's ability to continue to drive safely in interstate commerce. Therefore, FMCSA concludes that extending the exemption for each renewal applicant for a period of two years is likely to achieve a level of safety equal to that existing without the exemption.

Request for Comments

FMCSA will review comments received at any time concerning a particular driver's safety record and determine if the continuation of the exemption is consistent with the requirements at 49 U.S.C. 31136(e) and 31315. However, FMCSA requests that interested parties with specific data concerning the safety records of these drivers submit comments by March 10, 2008. FMCSA believes that the requirements for a renewal of an exemption under 49 U.S.C. 31136(e) and 31315 can be satisfied by initially granting the renewal and then requesting and evaluating, if needed, subsequent comments submitted by interested parties.
As indicated above, the Agency previously published notices of final disposition announcing its decision to exempt these 6 individuals from the vision requirement in 49 CFR 391.41(b)(10). The final decision to grant an exemption to each of these individuals was based on the merits of each case and only after careful consideration of the comments received to its notices of applications. The notices of applications stated in detail the qualifications, experience, and medical condition of each applicant for an exemption from the vision requirements. That information is available by consulting the above cited **Federal Register** publications. Interested parties or organizations possessing information that would otherwise show that any, or all, of these drivers are not currently achieving the statutory level of safety should immediately notify FMCSA. The Agency will evaluate any adverse evidence submitted and, if safety is being compromised or if continuation of the exemption would not be consistent with the goals and objectives of 49 U.S.C. 31136(e) and 31315, FMCSA will take immediate steps to revoke the exemption of a driver.

Issued on: January 31, 2008. Larry W. Minor, Associate Administrator for Policy and Program Development.

[FR Doc. E8-2216 Filed 2-6-08; 8:45 am] BILLING CODE 4910-EX-P

DEPARTMENT OF TRANSPORTATION Federal Transit Administration [Docket No: FTA-2008-0002] National Transit Database: Amendments to Urbanized Area Annual Reporting Manual

AGENCY: Federal Transit Administration (FTA), DOT.

ACTION: Notice of Availability of Proposed Amendments to the 2007 National Transit Database Urbanized Area Annual Reporting Manual.

SUMMARY: This notice provides interested parties with the opportunity to comment on changes to the Federal Transit Administration's
(FTA) 2008 National Transit Database (NTD) Urbanized Area Annual Reporting Manual (Annual Manual). Pursuant to 49 U.S.C. 5335, FTA requires recipients of FTA Urbanized Area Formula Grants to provide an annual report to the Secretary of Transportation via the NTD reporting system according to a uniform system of accounts (USOA). Other transit agencies in urbanized areas report to the NTD under these requirements on a voluntary basis, for purposes of including data from their transit agencies in the apportionment of Urbanized Area Formula Grants. In an ongoing effort to improve the NTD reporting system and be responsive to the needs of the transit agencies reporting to the NTD, FTA annually refines and clarifies the reporting requirements through revisions to the Annual Manual.

DATES: Comments must be received on or before March 10, 2008. FTA will consider late filed comments to the extent practicable.

ADDRESSES: You may submit comments [identified by DOT Docket ID Number FTA-2008-0002] at the Federal eRulemaking Portal at: *http://www.regulations.gov.* Follow the online instructions for submitting comments.
*Fax:* 202-493-2251.
*Mail:* Docket Management Facility: U.S. Department of Transportation, 1200 New Jersey Avenue, SE., West Building Ground Floor, Room W12-140, Washington, DC 20590-0001.
*Hand Delivery or Courier:* West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue SE., between 9 a.m. and 5 p.m. ET, Monday through Friday, except Federal holidays.
*Instructions:* When submitting comments you must use docket number FTA-2008-0002. This will ensure that your comment is placed in the correct docket. If you submit comments by mail, you should submit two copies and include the above docket number. Note that all comments received will be posted, without change, to *http://www.regulations.gov* including any personal identifying information.

FOR FURTHER INFORMATION CONTACT: For program issues, John D. Giorgis, Office of Budget and Policy, (202) 366-5430 (telephone); (202) 366-7989 (fax); or *john.giorgis@dot.gov* (e-mail). For legal issues, Richard Wong, Office of the Chief Counsel, (202) 366-0675 (telephone); (202) 366-3809 (fax); or *richard.wong@dot.gov* (e-mail).

SUPPLEMENTARY INFORMATION:

I. Background

The National Transit Database (NTD) is the Federal Transit Administration's (FTA's) primary database for statistics on the transit industry. Recipients of FTA's Urbanized Area Formula Program (section 5307) and Other Than Urbanized Area Formula Program (section 5311) are required by statute to submit data to the NTD. These data are used to “help meet the needs of... the public for information on which to base public transportation service planning...” (49 U.S.C 5335). Other transit agencies in urbanized areas report to the NTD under these requirements on a voluntary basis, for purposes of including data from their transit agencies in the apportionment of Urbanized Area Formula Grants. FTA details the NTD reporting requirements for urbanized area transit agencies in the NTD Urbanized Area Annual Reporting Manual (Annual Manual). Currently, over 650 transit agencies in urbanized areas report to the NTD through an Internet-based reporting system. Each year, performance data from these submissions are used to apportion over $4 billion of FTA funds under the Urbanized Area Formula Grants Program. These data are also used in the annual National Transit Summaries and Trends report, the biennial Conditions and Performance Report to Congress, and in meeting FTA's obligations under the Government Performance and Results Act. In an ongoing effort to improve the NTD Internet reporting system and to be responsive to the needs of the transit agencies reporting to the NTD and the transit community, FTA annually refines and clarifies reporting requirements to the NTD. This notice provides interested parties with the opportunity to comment on changes to FTA's 2008 Annual Manual. For purposes of comparison, the 2007 Annual Manual can be reviewed on the NTD Web site, *http://www.ntdprogram.gov.*

II. Proposed Changes in the 2008 Annual Manual

Contractual Relationship (B-30) Form

FTA proposes to greatly simplify this form so as to reduce the substantial confusion that this form has caused among reporters in the past. Under FTA's proposal, this form will allow reporters to report three types of relationships:
(1) Traditional purchased transportation contracts;
(2) taxicab contracts for demand response service; and
(3) pass-through relationships.

This change responds to the numerous difficulties that reporters have had in the past in reporting their taxicab contracts and pass-through relationships on a form that had been designed for traditional purchased transportation contracts. For traditional purchased transportation contracts and taxicab contracts the simplified form will make it clear to transit agencies that they are to report:
(1) The vehicles and maintenance facilities that may be provided to, or nominally leased to, the seller;
(2) the number of months the contract was operated in the past year;
(3) the number of vehicles or rail passenger cars operated during maximum service by the seller of service;
(4) the fare revenues accrued under the service;
(5) whether the fare revenues are retained by the seller, or returned to the purchasing transit agency;
(6) the contract administration expenses incurred by the purchasing transit agency; and
(7) all other costs incurred by the purchasing agency to support the contract, such as fuel, maintenance, insurance, and marketing costs.

The new option for *taxicab contracts* will relieve agencies of the requirement to provide detailed asset data on the A-30 form for these services. This will effectively make *taxicab* a third *Type of Service* under the NTD. The new option for *pass-through* relationships will greatly simplify the reporting of these relationships for transit agencies. A transit agency reporting a *pass-through relationship* will need to report:
(1) The nature of the pass-through (e.g. grant monies or vehicles);
(2) contact information for the recipient of the pass-through; and
(3) whether the reporting transit agency is including service provided by the recipient of the pass-through on the reporting transit agency's NTD report, or if the reporting transit agency is expecting the recipient of the pass-through to provide its own NTD report.

In many cases, a transit agency that is a direct recipient of an Urbanized Area Formula Grant passes through the monies provided by the grant or vehicles funded by the grant to some other transit agency. In the past, this has created a great deal of confusion, and this proposal should provide significant clarity to the reporting requirements.

Funds Expended and Earned (F-10) Form

FTA currently requires transit agencies to identify funds earned from various types of dedicated taxes (specifically, income, sales, property, gasoline, and other taxes; as well as regular tolls, high-occupancy tolls, and other dedicated revenues) from various types of sources (each of the above generated from independent political entities, local governments, and state governments, respectively) and to specify how much of each of these were expended on operations and how much of each of these were expended on capital. FTA proposes to eliminate this requirement at the level of individual types of taxes, and to only report the total revenue earned from each type of dedicated tax from each type of source. FTA proposes to only require transit agencies to separate funds earned and spent on operations from funds earned and spent on capital in the context of fare revenues, total directly-generated revenues (e.g. parking and advertising revenues), contributed services (e.g. services provided directly by another government body), the various sources of Federal funds, total state government revenues, total local government revenues, and total revenues from independent political entities.
Additionally, FTA proposes to simplify this form by only making the option to report revenue from independent political entities available to those transit agencies that qualify as such entities, by virtue of having their own tax-raising authority.

Bonds and Loans

FTA proposes to eliminate the requirement to report Bond and Loan payments separately for each category of funding. Instead, FTA proposes simplified bond and loan reporting that would require transit agencies to report:
(1) Year-beginning principal outstanding;
(2) new bonds and loans (new principal);
(3) total interest paid;
(4) total principal repaid; and
(5) total year-end principal outstanding.

Uses of Capital (F-20) Form

FTA proposes to reduce the reporting requirements by no longer requiring transit agencies to separately report capital spending on *Fare Revenue Collection Equipment and Communication and Information Systems.* FTA proposes to replace these two categories with a single category for reporting capital expenditures on *Intelligent Transportation Systems (ITS.)*

Operating Expenses (F-30) Form

FTA proposes to reduce the reporting requirements by combining separate reporting for *Fuels and Lubricants* and for *Tires and Lubes* into reporting for a single category of *Fuels and Lubes.* Additionally, FTA proposes to combine separate reporting for *Taxes* and for *Miscellaneous Expenses* into a single category for *Miscellaneous Expenses.* FTA proposes these changes to reduce the reporting burden of the NTD. Additionally, FTA proposes to simplify this form by limiting the *operating functions* for which a number of *object classes* can be reported. Specifically, FTA proposes to make the following changes for reporting of directly operated services:
(1) Eliminate reporting of the *Fuels and Lubes* object classes under the *Non-Vehicle Maintenance* and *General Administration* operating functions;
(2) eliminate reporting of the *Utilities* object class under the *Non-Vehicle Maintenance* operating function;
(3) only permit the *Casualty and Liability* and *Miscellaneous Expenses* object classes to be reported under the *General Administration* operating function.

Operating Expenses Summary (F-40) Form

FTA proposes to eliminate collecting *Funds Not Applied, Depreciation,* and *Amortization of Intangibles.* The NTD does not collect intangible assets, so these data are not necessary. FTA proposes to stop collecting *Interest Expenses,* as this information will now be collected with other information relating to bonds and loans, as described in this Notice. FTA proposes to stop collecting information on lease agreements on this form. Leases should already be collected as part of the cost of purchased transportation. FTA proposes to continue collecting information on reconciling items on this form, but will require an explanation of all reconciling items.

Operator's Wages (F-50) Form

FTA proposes to discontinue this form. FTA already collects data on employees, and employee hours on the R-10 Form, and FTA already collects data on employees' pay and benefits on the F-10 Form. Discontinuing this form will mean that FTA will no longer collect the hours and expenditures on employees based on *Platform Time, Straight Time Allowance, Premium Time,* and *Non-Operating Work Time.* FTA is proposing this change to reduce the reporting burden of the NTD.

Service (S-10) Form

For Motorbus and Trolleybus services, FTA proposes to change the categories currently labeled *Total Actual Hours* and *Total Actual Miles.* These categories have caused a great deal of confusion in the past, as despite their names, transit agencies were to report on these lines only Revenue Hours and Miles plus Deadhead Hours and Miles; all other hours and miles were to be excluded. FTA proposes to make reporting much more intuitive by replacing these categories with *Deadhead Hours* and *Deadhead Miles.* Transit agencies will be required to report actual deadhead hours and miles in these categories.
Additionally, FTA proposes to eliminate the reporting of *Charter Service Hours* and of *School Bus Hours.* Transit agencies should not be conducting school bus service; transit agencies that do so are not eligible to report to the NTD. Charter service among transit agencies is intended to be very small, and is to be reported to FTA's Charter Registration Web site, in accordance with 49 CFR Part 604. Instead, FTA will simplify reporting by adding new categories for *Other Hours* and *Other Miles.* Transit agencies should report miles and hours for maintenance, training, charter service, and any other non-revenue and non-deadhead service on these lines. For reference, FTA proposes to add an automatically-calculated line to the form that will show transit agencies the total hours and miles being reported.

For rail service, FTA proposes to make similar changes:
(1) Changing *Total Train Hours* and *Total Train Miles* to *Deadhead Train Hours* and *Deadhead Train Miles;*
(2) changing *Total Passenger Car Hours* and *Total Passenger Car Miles* to *Deadhead Passenger Car Hours* and *Deadhead Passenger Car Miles;*
(3) adding lines for *Other Train Hours* and *Other Train Miles;*
(4) adding lines for *Other Passenger Car Hours* and *Other Passenger Car Miles;* and
(5) adding automatically-calculated reference lines for *Total Train Hours, Total Train Miles, Total Passenger Car Hours,* and *Total Passenger Car Miles.*

For demand response service, FTA proposes similar changes for directly operated and purchased transportation services:
(1) Changing *Total Actual Vehicle Hours* and *Total Actual Vehicle Miles* to *Deadhead Hours* and *Deadhead Miles;*
(2) eliminating *Charter Service Hours* and *School Bus Hours;*
(3) adding *Other Vehicle Hours* and *Other Vehicle Miles;* and
(4) adding automatically-calculated reference lines for *Total Vehicle Hours* and *Total Vehicle Miles.*

Additionally, FTA proposes to institute simplified reporting for demand response services provided through taxicabs. This simplified report would not require the reporting of *Deadhead Hours, Deadhead Miles, Other Hours,* and *Other Miles.*

For vanpool service, FTA proposes similar changes:
(1) Eliminating *Charter Service Hours* and *School Bus Hours;*
(2) adding *Other Vehicle Hours* and *Other Vehicle Miles;* and
(3) adding automatically-calculated reference lines for *Total Vehicle Hours* and *Total Vehicle Miles.*

FTA also proposes to eliminate collecting information on deadhead for vanpool services, as vanpools do not have deadhead, except in rare circumstances where the vanpool has an employee driver. In these rare cases, deadhead miles and hours would be reported under *Other Hours* and *Other Miles.* FTA also proposes to stop collecting *Time Service Begins* and *Time Service Ends* for vanpool services.

For jitney and público services, FTA proposes similar changes:
(1) Eliminating *Charter Service Hours* and *School Bus Hours;*
(2) adding *Other Vehicle Hours* and *Other Vehicle Miles;* and
(3) adding automatically-calculated reference lines for *Total Vehicle Hours* and *Total Vehicle Miles.*

FTA also proposes to stop collecting information on deadhead for jitney and público, as the nature of these services being run by owner-operated vehicles makes collecting deadhead information overly burdensome. FTA proposes to reduce reporting burden for these services by simply collecting hours and miles as being either *Revenue Hours and Miles* or as *Other Hours and Miles.*

FTA proposes similar changes for ferryboat and aerial tramway services:
(1) Changing *Total Actual Vehicle Hours* and *Total Actual Vehicle Miles* to *Deadhead Hours* and *Deadhead Miles;*
(2) eliminating *Charter Service Hours;*
(3) adding *Other Vehicle Hours* and *Other Vehicle Miles;* and
(4) adding automatically-calculated reference lines for *Total Vehicle Hours* and *Total Vehicle Miles.*

Additionally, FTA proposes to drop the reporting of peak data on service times and vehicles in operation for these services. For heavy rail, light rail, and commuter rail systems, in 2007 FTA introduced a requirement for these systems to report Average Weekday Unlinked Passenger Trips and Actual Passenger Car Revenue Miles by four time categories: Weekday a.m. Peak, Weekday Midday, Weekday p.m. Peak and Weekday Other. FTA proposes to exempt rail systems with 9 or fewer rail vehicles operated in maximum service from this requirement, so as to reduce the reporting burden on these small systems.

Employee Resources (R-10) Form

FTA proposes to add reporting of *Paid Non-Work Hours* to this form. These data were previously reported on the F-50 Form, which is being dropped.

Maintenance Performance (R-20) Form

FTA proposes to drop the reporting requirement for *Total Labor Hours for Inspection and Maintenance.* This information is already reported in the R-10 Form. FTA also proposes to require that this form be completed by transit agencies for purchased transportation service (it is currently only required for directly operated services). These data would produce a clear picture of the role of maintenance breakdowns in transit service.

Energy Consumption (R-30) Form

FTA proposes to drop the lines on this form for certain rarely-used fuels, specifically, *Methanol, Bunker Fuel,* and *Grain Additive.* These fuels will still be reportable under the *Other Fuels* category. FTA also proposes to require that this form be completed for purchased transportation services (it is currently only required for directly operated services). These data would support the significant public interest in the fuel needs and emissions of transit services.

Stations and Maintenance Facilities (A-10) Form

FTA proposes to expand some of the reporting requirements for stations.
Currently, FTA requires transit agencies to only report how many of their stations are multi-modal. FTA proposes to begin requiring transit agencies to specify the nature of the multi-modal services at each station. Transit agencies will be able to group together similar stations, as is done for asset reporting on revenue vehicles. For example, a transit agency will be able to report that it has 10 stations that are multi-modal with light rail and motorbus service. In addition to reporting the transit modes providing service at each station, FTA proposes to have transit agencies indicate if the transit station has Intercity Bus, Amtrak, Airport, Seaport, Car Rental, Bicycle Rental, or Parking Lot facilities. For motorbus, trolleybus, and light rail service, FTA proposes to ask transit agencies to report how many stops and shelters they have. Previously, FTA only collected the number of enclosed stations for each mode, which understated the number of transit stations for these services. Both of these data collections will assist FTA in assessing the scope and needs of the Nation's transit systems for the biennial Conditions and Performance Report to Congress.

Transit Way Mileage (A-20) Form

FTA proposes to merge this Form with the Fixed Guideway Segments (S-20) Form, to reduce reporting burden. For each segment of rail fixed guideway reported on the S-20 form, FTA proposes to have transit agencies report the construction-type of the segment (*e.g.,* exclusive guideway at-grade, at-grade with crossings, non-exclusive at-grade, open-cut, elevated on fill, elevated structure, and subway) and the number of grade crossings for the segment. For each segment of non-rail fixed guideway reported on the S-20 form, FTA proposes to have transit agencies report whether the segment is exclusive right-of-way or controlled-access right-of-way. This change will simplify the reporting requirements, reduce the large number of reporting errors made on the A-20 form, and reduce the number of forms FTA requires of its reporters.

Revenue Vehicle Inventory (A-30) Form

FTA proposes to simply collect whether the vehicles are compliant with the Americans with Disabilities Act (ADA Accessible), and to not separately collect those vehicles that are ADA Accessible by virtue of having lifts and those that are ADA Accessible by virtue of having ramps or low floors. FTA also proposes to stop collecting *Total Miles on Active Vehicles During this Time Period.* This information is infrequently used and is duplicative of information on total miles collected on the S-10 Form. Additionally, since the A-10 form only collects information on vehicles that are active at the end of a transit agency's fiscal year, this information cannot be used as a measure of total miles from the previous year. FTA is retaining collection of *Average Lifetime Miles per Active Vehicle* as a measure of asset condition and age.

Federal Funding Allocation (FFA-10) Form

FTA proposes to make this form required for all transit agencies serving more than one urbanized area, or an urbanized area and a non-urbanized area. This form is currently required only for transit agencies serving an urbanized area over 200,000 in population and either a non-urbanized area or another urbanized area. This form is used to allocate service data from transit agencies across the various urbanized areas (and any non-urbanized areas) served by the transit agency for purposes of apportioning Urbanized Area Formula Grants. With the passage of the Safe, Accountable, Flexible, Efficient, Transportation Equity Act: A Legacy for Users (SAFETEA-LU), the Urbanized Area Formula Grant formula was amended to include grants for Small Transit-Intensive Cities (STIC Grants.) Prior to SAFETEA-LU, service data was only used to apportion Urbanized Area Formula Grants to urbanized areas over 200,000 in population. The STIC Grants, however, use service data to apportion grants to urbanized areas under 200,000 in population. Therefore, FTA must require the FFA-10 form from transit agencies in small urbanized areas, in order to support the accurate apportionment of STIC Grants.

Issued in Washington, DC, this 1st day of February 2008. James S. Simpson, Administrator.

[FR Doc. E8-2163 Filed 2-6-08; 8:45 am] BILLING CODE 4910-57-P

DEPARTMENT OF THE TREASURY Office of Foreign Assets Control Additional Designations of Entities Pursuant to Executive Order 13391

AGENCY: Office of Foreign Assets Control, Treasury.

ACTION: Notice.

SUMMARY: The Treasury Department's Office of Foreign Assets Control (“OFAC”) is publishing the names of 4 newly-designated entities and individuals whose property and interests in property are blocked pursuant to Executive Order 13391 of November 22, 2005, “Blocking Property of Additional Persons Undermining Democratic Processes or Institutions in Zimbabwe”.

DATES: The designation by the Director of OFAC of the four entities and individuals identified in this notice, pursuant to Executive Order 13391, is effective January 30, 2008.

FOR FURTHER INFORMATION CONTACT: Assistant Director, Compliance Outreach & Implementation, Office of Foreign Assets Control, Department of the Treasury, 1500 Pennsylvania Avenue, NW. (Treasury Annex), Washington, DC 20220, Tel.: 202/622-2490.

SUPPLEMENTARY INFORMATION:

Electronic and Facsimile Availability

Information about this designation and additional information concerning OFAC are available from OFAC's Web site (*http://www.treas.gov/ofac*) or via facsimile through a 24-hour fax-on-demand service, Tel.: 202/622-0077.
Background

On November 22, 2005, the President issued Executive Order 13391 (the “Order”) with respect to Zimbabwe pursuant to, *inter alia*, the International Emergency Economic Powers Act (50 U.S.C. 1701-06). In the Order, the President took additional steps with respect to the national emergency declared in Executive Order 13288 of March 7, 2003, in order to address the continued political repression and the undermining of democratic processes and institutions in Zimbabwe. The new Order, which replaced and superseded Executive Order 13288, expanded the list of sanctions targets to include immediate family members of any individual designated pursuant to the Zimbabwe sanctions, as well as those persons providing assistance to any sanctions target. The President identified 128 individuals and 33 entities as subject to the economic sanctions in the Annex to the Order. Section 1 of the Order blocks, with certain exceptions, all property, and interests in property, that are in, or hereafter come within, the United States or the possession or control of United States persons for persons listed in the Annex and those persons determined by the Secretary of the Treasury, after consultation with the Secretary of State, to satisfy any of the criteria set forth in subparagraphs (a)(ii)(A) through (a)(ii)(D) of section 1.

On January 30, 2008, the Director of OFAC exercised the Secretary of the Treasury's authority to designate, pursuant to one or more of the criteria set forth in section 1, subparagraphs (a)(ii)(A) through (a)(ii)(D) of the Order, the following two individuals and two entities, whose names have been added to the list of Specially Designated Nationals and whose property and interests in property are blocked, pursuant to the Order:

1. BONYONGWE, Happyton Mabhuya; DOB 6 Nov 1960; POB Chikomba District, Zimbabwe; nationality Zimbabwe; Director General, Central Intelligence Organization (individual) [ZIMBABWE]
2. MUGABE, Leo (a.k.a. CDE MUGABE), 72 Green Groove Drive, Greendale, Harare, Zimbabwe; DOB 28 Feb 1957; alt. DOB 28 Aug 1962; MP for Makonde; Son of Sabina MUGABE; Nephew of Robert MUGABE (individual) [ZIMBABWE]
3. JONGWE PRINTING AND PUBLISHING COMPANY (a.k.a. JONGWE PRINTING & PUBLISHING COMPANY (PVT) LTD; a.k.a. JONGWE PRINTING AND PUBLISHING CO), Po Box 5988, Harare, Zimbabwe; 14 Austin Road, Coventry Road, Workington, Harare, Zimbabwe [ZIMBABWE]
4. ZIDCO HOLDINGS (a.k.a. ZIDCO HOLDINGS (PVT) LTD), 88 Robert Mugabe Road, Harare, Zimbabwe; Po Box 1275, Harare, Zimbabwe [ZIMBABWE]

Dated: January 30, 2008. Adam J. Szubin, Director, Office of Foreign Assets Control.

[FR Doc. E8-2228 Filed 2-6-08; 8:45 am] BILLING CODE 4811-42-P

DEPARTMENT OF THE TREASURY United States Mint Notification of American Eagle Platinum Proof Coin and American Eagle Platinum Uncirculated Coin Price Increases

SUMMARY: The United States Mint is adjusting prices for its American Eagle Platinum Proof Coins and American Eagle Platinum Uncirculated Coins. Pursuant to the authority that 31 U.S.C. 5111(a) and 5112(k) grant the Secretary of the Treasury to mint and issue platinum coins, and to prepare and distribute numismatic items, the United States Mint mints and issues 2007 American Eagle Platinum Proof and Uncirculated Coins in four denominations with the following weights: one-ounce, one-half ounce, one-quarter ounce, one-tenth ounce. The United States Mint also produces American Eagle Platinum Proof and Uncirculated four-coin sets that contain one coin of each denomination. In accordance with 31 U.S.C. 9701(b)(2)(B), the United States Mint is changing the price of these coins to reflect the increase in value of the underlying precious metal content of the coins—the result of increases in the market price of platinum.
Accordingly, effective February 1, 2008, the United States Mint will commence selling the following 2007 American Eagle Proof and Uncirculated Coins according to the following price schedule:

| Description | Price |
|---|---|
| American Eagle Platinum Proof Coins: | |
| One-ounce platinum coin | $1,979.95 |
| One-half ounce platinum coin | $999.95 |
| One-quarter ounce platinum coin | $535.95 |
| One-tenth ounce platinum coin | $269.95 |
| Four-coin platinum set | $3,629.95 |
| American Eagle Platinum Uncirculated Coins: | |
| One-ounce platinum coin | $1,869.95 |
| One-half ounce platinum coin | $949.95 |
| One-quarter ounce platinum coin | $499.95 |
| One-tenth ounce platinum coin | $229.95 |
| Four-coin platinum set | $3,479.95 |

FOR FURTHER INFORMATION CONTACT: Gloria C. Eskridge, Associate Director for Sales and Marketing; United States Mint; 801 Ninth Street, NW., Washington, DC 20220; or call 202-354-7500. Authority: 31 U.S.C. 5111, 5112 & 9701. Dated: January 31, 2008. Daniel P. Shaver, Acting Deputy Director, United States Mint. [FR Doc. E8-2156 Filed 2-6-08; 8:45 am] BILLING CODE 4810-02-P

DEPARTMENT OF THE TREASURY United States Mint Notification of American Eagle Gold Proof and Uncirculated Coin Price Increase SUMMARY: The United States Mint is adjusting prices for its 2007 American Eagle Gold Proof and Uncirculated Coins. Pursuant to the authority that 31 U.S.C. 5111(a) and 5112(a)(7-10) grant the Secretary of the Treasury to mint and issue gold coins, and to prepare and distribute numismatic items, the United States Mint mints and issues 2007 American Eagle Gold Proof and Uncirculated Coins with the following weights: One-ounce, one-half ounce, one-quarter ounce, one-tenth ounce. The United States Mint also produces an American Eagle four-coin set that contains one coin of each denomination. In accordance with 31 U.S.C. 9701(b)(2)(B), the United States Mint is changing the price of these coins to reflect the increase in value of the underlying precious metal content of the coins—the result of increases in the market price of gold.
Accordingly, effective February 1, 2008, the United States Mint will commence selling the following 2007 American Eagle Gold Uncirculated Coins and the 2007 American Eagle 1/10-Ounce Proof Coin according to the following price schedule:

| Description | Price |
|---|---|
| 2007 American Eagle 1/10-Ounce Gold Proof Coin | $146.95 |
| American Eagle Gold Uncirculated Coins: | |
| One-ounce gold uncirculated coin | $1,045.95 |
| One-half ounce gold uncirculated coin | $529.95 |
| One-quarter ounce gold uncirculated coin | $279.95 |
| One-tenth ounce gold uncirculated coin | $119.95 |
| Four-coin gold uncirculated set | $1,939.95 |

FOR FURTHER INFORMATION CONTACT: Gloria C. Eskridge, Associate Director for Sales and Marketing; United States Mint; 801 Ninth Street, NW., Washington, DC 20220; or call 202-354-7500. Authority: 31 U.S.C. 5111, 5112 & 9701. Dated: January 31, 2008. Daniel P. Shaver, Acting Deputy Director, United States Mint. [FR Doc. E8-2207 Filed 2-6-08; 8:45 am] BILLING CODE 4810-02-P

Federal Register, Vol. 73, No. 26, Thursday, February 7, 2008, Rules and Regulations, Part II. Department of Energy, Federal Energy Regulatory Commission, 18 CFR Part 40, Mandatory Reliability Standards for Critical Infrastructure Protection; Final Rule

DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM06-22-000; Order No. 706] Mandatory Reliability Standards for Critical Infrastructure Protection Issued January 18, 2008. AGENCY: Federal Energy Regulatory Commission, Department of Energy. ACTION: Final Rule. SUMMARY: Pursuant to section 215 of the Federal Power Act (FPA), the Commission approves eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC). The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. In addition, pursuant to section 215(d)(5) of the FPA, the Commission directs NERC to develop modifications to the CIP Reliability Standards to address specific concerns. DATES: *Effective Date:* This rule will become effective April 7, 2008.

FOR FURTHER INFORMATION CONTACT:
- Gary Cohen (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-8321.
- Christy Walsh (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-6523.
- Regis Binder (Technical Issues), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-6460.
- Jan Bargen (Technical Issues), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-6333.

SUPPLEMENTARY INFORMATION: **TABLE OF CONTENTS** (with paragraph numbers)
- I. Background (2)
- II. Discussion (13)
  - A. Overview (13)
  - B. Approval of NERC's Proposed CIP Reliability Standards (15): 1. NOPR Proposal (15); 2. Comments (16); 3. Commission Determination (24)
  - C. Applicability (31): 1. NOPR Proposal (32); 2. Comments (35); 3. Commission Determination (47)
  - D. Compliance Measured by Outcome (54): 1. Performance-Based Standards (54); 2. Adequacy of Outcomes (65)
  - E. Implementation Plan (77): 1. Commission Approval of Implementation Plan (78); 2. Self-Certification (91); 3. Adding a Cyber Security Assessment to NERC's Readiness Reviews (100)
  - F. Issues Presented by Terminology (106): 1. Reasonable Business Judgment (107); 2. Acceptance of Risk (139); 3. Technical Feasibility (157)
  - G. Use of National Institute of Standards and Technology (NIST) Standards in Developing Future Revisions to the CIP Reliability Standards (223): 1. NOPR Proposal (223); 2. Comments (224); 3. Commission Determination (232)
  - H. Discussion of Each CIP Reliability Standard (234): 1. CIP-002-1—Critical Cyber Asset Identification (234); 2. CIP-003-1—Security Management Controls (342); 3. CIP-004-1—Personnel and Training (413); 4. CIP-005-1—Electronic Security Perimeter(s) (477); 5. CIP-006-1—Physical Security of Critical Cyber Assets (548); 6. CIP-007-1—Systems Security Management (584); 7. CIP-008-1—Incident Reporting & Response Planning (653); 8. CIP-009-1—Recovery Plans for Critical Cyber Assets (688)
  - I. Violation Risk Factors (749): 1. General Issues (754); 2. Specific Modifications to Violation Risk Factors (761)
- III. Information Collection Statement (770)
- IV. Environmental Analysis (777)
- V. Regulatory Flexibility Act (778): A. NOPR Proposal (782); B. Comments (788); C. Commission Determination (799)
- VI. Document Availability (807)
- VII. Effective Date and Congressional Notification (810)

Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.

Final Rule 1. Pursuant to section 215 of the Federal Power Act (FPA), 1 the Commission approves eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC). The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. 2 In addition, pursuant to section 215(d)(5) of the FPA, the Commission directs NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission. 1 16 U.S.C. 824o (2000 & Supp. V 2005). 2 In the context of the CIP Reliability Standards, cyber assets are programmable electronic devices and communication networks including hardware, software, and data. *See Mandatory Reliability Standards for Critical Infrastructure Protection,* Notice of Proposed Rulemaking, 72 FR 43970 (Aug. 6, 2007), FERC Stats & Regs. ¶ 32,620 at P 1 (Jul. 20, 2007) (CIP NOPR).

I. Background 2. Section 215 of the FPA requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO, subject to Commission oversight, or the Commission can independently enforce Reliability Standards. 3 3 16 U.S.C. 824o(e)(3) (2000 & Supp. V 2005). 3. Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO 4 and, subsequently, certified NERC as the ERO. 5 On April 4, 2006, as modified on August 28, 2006, NERC submitted to the Commission a petition seeking approval of 107 proposed Reliability Standards. On March 16, 2007, the Commission issued a Final Rule, Order No. 693, approving 83 of these 107 Reliability Standards and directing other related actions. 6 In addition, pursuant to section 215(d)(5) of the FPA, the Commission directed NERC to develop modifications to 56 of the 83 approved Reliability Standards. 7 4 *Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards,* Order No. 672, FERC Stats. & Regs. ¶ 31,204 (2006), *order on reh'g,* Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (2006). 5 *North American Electric Reliability Corp.,* 116 FERC ¶ 61,062 (ERO Certification Order), *order on reh'g & compliance,* 117 FERC ¶ 61,126 (ERO Rehearing Order) (2006), *appeal docket sub nom. Alcoa, Inc.* v. *FERC,* No. 06-1426 (D.C. Cir. Dec. 29, 2006). 6 *Mandatory Reliability Standards for the Bulk-Power System,* Order No. 693, FERC Stats. & Regs. ¶ 31,242 (2007); Order No. 693-A, *reh'g denied,* 120 FERC ¶ 61,053 (2007). 7 Section 215(d)(5) provides “The Commission . . . 
may order the Electric Reliability Organization to submit to the Commission a proposed reliability standard or a modification to a reliability standard that addresses a specific matter if the Commission considers such a new or modified reliability standard appropriate to carry out this section.” 4. In April 2007, the Commission approved delegation agreements between NERC and each of the eight Regional Entities. 8 Pursuant to the delegation agreements, the ERO has delegated responsibility to the Regional Entities to carry out compliance monitoring and enforcement of the mandatory Reliability Standards. 8 *See North American Electric Reliability Corp.,* 119 FERC ¶ 61,060, *order on reh'g,* 120 FERC ¶ 61,260 (2007). 5. Prior to being certified by the Commission as the ERO, NERC had developed a cyber security standard for the electric industry on a voluntary basis. This voluntary standard, Urgent Action 1200, was adopted in 2003, and remained in effect on a voluntary basis until June 1, 2006, at which time the eight CIP Reliability Standards that are the subject of the current rulemaking replaced the Urgent Action 1200 standard. 6. On August 28, 2006, NERC submitted to the Commission for approval the following eight CIP Reliability Standards: 9 9 The CIP Reliability Standards are not codified in the CFR and are not attached to the Final Rule. They are, however, available on the Commission's eLibrary document retrieval system in Docket No. RM06-22-000 and are available on the ERO's Web site, *http://www.nerc.com.*

- *CIP-002-1—Cyber Security—Critical Cyber Asset Identification:* Requires a responsible entity to identify its critical assets and critical cyber assets using a risk-based assessment methodology.
- *CIP-003-1—Cyber Security—Security Management Controls:* Requires a responsible entity to develop and implement security management controls to protect critical cyber assets identified pursuant to CIP-002-1.
- *CIP-004-1—Cyber Security—Personnel & Training:* Requires personnel with access to critical cyber assets to have identity verification and a criminal check. It also requires employee training.
- *CIP-005-1—Cyber Security—Electronic Security Perimeters:* Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology required by CIP-002-1.
- *CIP-006-1—Cyber Security—Physical Security of Critical Cyber Assets:* Requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter.
- *CIP-007-1—Cyber Security—Systems Security Management:* Requires a responsible entity to define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the non-critical cyber assets within an electronic security perimeter.
- *CIP-008-1—Cyber Security—Incident Reporting and Response Planning:* Requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets.
- *CIP-009-1—Cyber Security—Recovery Plans for Critical Cyber Assets:* Requires the establishment of recovery plans for critical cyber assets using established business continuity and disaster recovery techniques and practices.

7. NERC states that these CIP Reliability Standards provide a comprehensive set of requirements to protect the Bulk-Power System from malicious cyber attacks. They require Bulk-Power System users, owners, and operators to establish a risk-based vulnerability assessment methodology to identify and prioritize critical assets and critical cyber assets.
Once the critical cyber assets are identified, the CIP Reliability Standards require, among other things, that the responsible entities establish plans, protocols, and controls to safeguard physical and electronic access, to train personnel on security matters, to report security incidents, and to be prepared for recovery actions. Further, NERC developed an implementation plan that provides for a three-year phase-in to achieve full compliance with all requirements. 8. Each CIP Reliability Standard uses a common organizational format that includes five sections, as follows:
(A) Introduction, which includes “Purpose” and “Applicability” sub-sections;
(B) Requirements;
(C) Measures;
(D) Compliance; and
(E) Regional Differences.

In this Final Rule, these section titles are capitalized when referencing a designated provision of a Reliability Standard. 9. In a separate filing, NERC submitted 162 Violation Risk Factors that correspond to Requirements of the proposed CIP Reliability Standards. 10 Violation Risk Factors delineate the relative risk to the Bulk-Power System associated with the violation of each Requirement and are used by NERC and the Regional Entities to determine financial penalties for violating a Reliability Standard. 10 *See* NERC's March 23, 2007 filing in Docket No. RR07-10-000, Exh. A. 10. On December 11, 2006, the Commission released a “Staff Preliminary Assessment of the North American Electric Reliability Corporation's Proposed Mandatory Reliability Standards on Critical Infrastructure Protection” prepared by the Commission's staff (CIP Assessment). The CIP Assessment identified staff's preliminary observations and concerns regarding the eight proposed CIP Reliability Standards, describing issues common to a number of the proposed CIP Reliability Standards, and discussing various issues raised by individual CIP Reliability Standards. While discussing the issues, the CIP Assessment did not make specific recommendations on the appropriate action to be taken by the Commission on particular proposals. 11 11 The CIP Assessment is available on the Commission's webpage at *http://www.ferc.fed.us/industries/electric/indus-act/reliability.asp.* 11. On July 20, 2007, the Commission issued the CIP NOPR, which proposed to approve the eight CIP Reliability Standards submitted to the Commission for approval by NERC. In addition, the Commission proposed to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission. 12. In response to the CIP NOPR, comments were filed by about 70 interested persons. In the discussion below, we will address the issues raised by these comments.
Appendix A to this Final Rule lists the entities that filed comments on the CIP NOPR. Five comments were filed after the time prescribed in the CIP NOPR. Nevertheless, the Commission will consider these comments, as they will neither prejudice the other commenters, nor delay the proceeding. II. Discussion A. Overview 13. In the Final Rule, the Commission approves the eight CIP Reliability Standards, finding that they are just and reasonable, not unduly discriminatory or preferential and in the public interest. Further, the Commission approves NERC's implementation plan that sets milestones for responsible entities to achieve full compliance with the CIP Reliability Standards. The Commission also directs NERC to develop modifications to the CIP Reliability Standards through its Reliability Standards development process to address specific concerns identified by the Commission. Similar to our approach in Order No. 693, we view such directives as a separate action from approval, consistent with our authority in section 215(d)(5) of the FPA to direct the ERO to develop a modification to a Reliability Standard. As discussed below, such modification should not affect the current implementation plan. Rather, NERC is directed to develop a timetable for development of the modifications to the CIP Reliability Standards and, if warranted, to develop and file with the Commission for approval, a second implementation plan. 14. Other determinations in the Final Rule include: A directive that the ERO must develop modifications to the CIP Reliability Standards to remove the “reasonable business judgment” language. The ERO must also develop modifications to remove “acceptance of risk” exceptions from the CIP Reliability Standards. The ERO is directed to develop specific conditions that a responsible entity must satisfy to invoke the “technical feasibility” exception. 
This structure for use of the technical feasibility exception allows flexibility and customization of implementation of the CIP Reliability Standards in a controlled manner. The Commission directs the ERO to provide additional guidance regarding the development of a risk-based assessment methodology for the identification of critical assets pursuant to CIP-002-1. Further, external review of critical asset lists is required. The Commission directs the ERO to make specific revisions to its Violation Risk Factor designations. B. Approval of NERC's Proposed CIP Reliability Standards 1. NOPR Proposal 15. In the CIP NOPR, the Commission proposed to approve NERC's eight proposed CIP Reliability Standards as mandatory and enforceable. As a separate action, pursuant to section 215(d)(5) of the FPA, the Commission proposed to direct NERC to modify certain provisions of the CIP Reliability Standards. 2. Comments 16. Most commenters strongly support the Commission's proposal to approve the CIP Reliability Standards as mandatory and enforceable. 12 For example, EEI states that the CIP Reliability Standards are technically sound and well designed to achieve the specified reliability goal, namely cyber security for electric industry critical assets. EEI adds that the CIP Reliability Standards are designed to serve the interest of preserving grid reliability by seeking to prevent unauthorized access to control systems and other critical cyber assets, whether by physical or electronic means. EEI believes that the CIP Reliability Standards strike the appropriate balance in providing reasonable flexibility in an environment where systems vary greatly in architecture, technology, and risk profile. 13 12 *E.g.,* Alliant, Arizona Public Service, Bonneville, California Commission, Duke, EEI, Idaho Power, ISO/RTO Council, Juniper, KCPL, Luminant, Manitoba, NERC, New York Commission, Northeast Utilities, Ontario IESO, Ontario Power, PG&E, PSEG Companies, Progress, Puget Sound, ReliabilityFirst, SDG&E, Southern, Tampa Electric, Teltone and Xcel. 13 Alliant, KCPL, PG&E, Puget Sound, PSEG Companies and Southern support EEI's views. 17. By contrast, ABB argues that the Commission should defer action so that equipment vendors and the standard-setting organizations such as the Institute of Electrical and Electronics Engineers can coordinate electric power system cyber security initiatives. Applied Control Solutions argues that the proposals in the CIP NOPR do not go far enough, and that the Commission should go further and immediately adopt the National Institute of Standards and Technology (NIST) Security Risk Management Framework in place of the CIP Reliability Standards. 18. NIST itself argues that the Commission should adopt the NERC proposed CIP Reliability Standards, as appropriately enhanced based on the Commission's proposed directives in the CIP NOPR, as an interim measure. NIST advocates that the Commission prescribe plans for a two to three year transition to cyber security standards that are identical to, consistent with, or based on SP 800-53 and related NIST standards and guidelines. 19. WIRAB supports NERC's CIP Reliability Standards and states that they represent a significant advancement for cyber security and Bulk-Power System reliability. Yet, WIRAB recommends that the Commission remand the CIP Reliability Standards to NERC with guidance as to the types of changes the Commission would like to see, but without direction to make any specific change. WIRAB expresses concern that the CIP NOPR proposes numerous detailed directives to modify the CIP Reliability Standards and goes beyond providing guidance to NERC. WIRAB states that a remand would allow the Reliability Standards development process to work as anticipated and, in doing so, would avoid problems with different Reliability Standards or different levels of enforcement on different sides of the international border. 20. In response to our proposal to modify certain CIP Reliability Standards, some commenters maintain that the Commission's proposals were overly prescriptive. 14 Others state that any prescriptive elements of the CIP NOPR should be replaced with directions that NERC use its Commission-approved Reliability Standards development process to address any necessary changes identified by the Commission. 15 PG&E adds that the measures agreed on in the NERC stakeholder process and included in the CIP Reliability Standards represent a reasonable balance between aggressive Reliability Standards and measures that are feasible and sustainable.
EEI argues that the Commission needs to be careful when it provides guidance that it does not usurp NERC's authority as ERO by dictating a specific or exclusive outcome from this process. 14 *E.g.,* CEA, EEI, FirstEnergy, PSEG Companies, SDG&E and Tampa Electric. 15 *E.g.,* Georgia Operators, Idaho Power, Muscatine Power, NERC, Northern California, NRECA, TAPS and Xcel. 21. Commenters also express concern that the Commission might intend to sidestep the NERC stakeholder process and have NERC simply revise the CIP Reliability Standards in accordance with the Commission's proposals without providing NERC stakeholders an opportunity to participate in this process. 16 In this regard, EEI urges that the Final Rule make clear that any improvements to the CIP Reliability Standards should be considered in the NERC Reliability Standards development process before being mandated. 16 *See,* *e.g.* , Allegheny, Alliant, Arizona Public Service, Duke, EEI, Entergy, FirstEnergy, FPL Group, Iowa Municipals, KCPL, Luminant, PG&E, Progress, PSEG Companies, Tampa Electric and TAPS. 22. KCPL supports the Commission's proposal to direct NERC to develop modifications to the CIP Reliability Standards to address potential improvements using the Reliability Standards development process. KCPL believes that the Commission has authority to direct the ERO to modify the CIP Reliability Standards and to provide sufficient guidance to the direction that grid reliability should take so as to fulfill its obligations under the Energy Policy Act of 2005. However, KCPL too is concerned that several of the Commission's proposed requirement directives are overly prescriptive. 23. The New York Commission opposes the Commission placing any conditions on its approval of the CIP Reliability Standards, such as requiring NERC to rewrite them as a condition for their approval. 3. Commission Determination 24. 
The Commission approves the eight CIP Reliability Standards pursuant to section 215(d) of the FPA, as discussed below. In approving the CIP Reliability Standards, the Commission concludes that they are just, reasonable, not unduly discriminatory or preferential, and in the public interest. These CIP Reliability Standards, together, provide baseline requirements for the protection of critical cyber assets that support the nation's Bulk-Power System. Thus, the CIP Reliability Standards serve an important reliability goal. 17 Further, as discussed below, the CIP Reliability Standards clearly identify the entities to which they apply, apply throughout the interconnected Bulk-Power System, and provide a reasonable timetable for implementation. 18 17 *See* Order No. 672 at P 321. 18 *Id* . P 322-35. 25. The Commission believes that the NIST standards may provide valuable guidance when NERC develops future iterations of the CIP Reliability Standards. Thus, as discussed below, we direct NERC to address revisions to the CIP Reliability Standards CIP-002-1 through CIP-009-1 considering applicable features of the NIST framework. However, in response to Applied Control Solutions, we will not delay the effectiveness of the CIP Reliability Standards by directing the replacement of the current CIP Reliability Standards with others based on the NIST framework. 26. With regard to WIRAB's recommendation, we share the ongoing concern of promoting coordinated action on Reliability Standards on an international basis. However, in this instance, we do not believe a remand to NERC, which would result in significant delays in having mandatory and enforceable cyber security requirements in effect in the United States, is justified or would further such coordination. The implementation schedule provided by NERC, which applies continent-wide, requires applicable entities to achieve “auditable compliance” no earlier than mid-2009. 
This should provide adequate time for entities responsible for compliance with the CIP Reliability Standards in the United States, Canada and Mexico to achieve compliance on a common timetable. As discussed later, future modifications to the CIP Reliability Standards developed pursuant to the direction provided in the Final Rule would not overlap with the NERC implementation plan. Accordingly, the Commission concludes that this is not a satisfactory reason for remanding the CIP Reliability Standards. 27. In approving the CIP Reliability Standards and directing the ERO to modify them, the Commission is taking two independent actions and does not condition our approval on the ERO modifying the CIP Reliability Standards. First, we are exercising our authority to approve a proposed Reliability Standard. Second, we are directing the ERO to submit a modification of the Reliability Standards to address specific issues or concerns. 19 Accordingly, New York Commission's concerns about the Commission placing any conditions on its approval of the CIP Reliability Standards are unnecessary. 19 16 U.S.C. 824o(d)(5) (“[t]he Commission . . . may order the Electric Reliability Organization to submit to the Commission a proposed Reliability Standard or modification to a Reliability Standard that addresses a specific matter if the Commission considers such a new or modified Reliability Standard appropriate to carry out this section.”). 28. With regard to the concerns raised by some commenters about the prescriptive nature of the Commission's proposed modifications, the Commission agrees that a direction for modification should not be so overly prescriptive as to preclude the consideration of viable alternatives in the ERO's Reliability Standards development process. 
However, in identifying a specific matter to be addressed in a modification to a CIP Reliability Standard, it is important that the Commission provide sufficient guidance so that the ERO has an understanding of the Commission's concerns and an appropriate, but not necessarily exclusive, outcome to address those concerns. Without such direction and guidance, a Commission proposal to modify a CIP Reliability Standard might be so vague that the ERO would not know how to adequately respond. 20 20 *See* Order No. 693 at P 185-87. 29. Thus, in some instances, while we provide specific details regarding the Commission's expectations, we intend by doing so to provide useful guidance to assist in the Reliability Standards development process, not to impede it. We find that this is consistent with statutory language that authorizes the Commission to order the ERO to submit a modification “that addresses a specific matter” if the Commission considers it appropriate to carry out section 215 of the FPA. In the Final Rule, we have considered commenters' concerns and, where a directive for modification appears to be determinative of the outcome, the Commission provides flexibility by directing the ERO to address the underlying issue through the Reliability Standards development process without mandating a specific change to the CIP Reliability Standard. Further, the Commission clarifies that, where the Final Rule identifies a concern and offers a specific approach to address that concern, we will consider an equivalent alternative approach provided that the ERO demonstrates that the alternative will adequately address the Commission's underlying concern or goal as efficiently and effectively as the Commission's proposal. 30. Consistent with section 215 of the FPA, our regulations, and Order No. 
693, any modification to a Reliability Standard, including a modification that addresses a Commission directive, must be developed and fully vetted through NERC's Reliability Standard development process. Until the Commission approves NERC's proposed modification to a Reliability Standard, the preexisting Reliability Standard will remain in effect. C. Applicability 31. The Applicability section of each proposed CIP Reliability Standard identifies the following 11 categories of responsible entities that must comply with the CIP Reliability Standard: Reliability coordinators, balancing authorities, interchange authorities, 21 transmission service providers, transmission owners, transmission operators, generator owners, generator operators, load serving entities, NERC, and Regional Reliability Organizations. 21 *See* Docket No. RR08-3-000 wherein, on November 11, 2007, NERC filed an amendment to its Statement of Compliance Registry Criteria to add Interchange Authority to the list of functional entities that are required to comply with certain Reliability Standards. 1. NOPR Proposal 32. The CIP NOPR explained that, with regard to the applicability of the CIP Reliability Standards to the ERO, NERC has modified its Rules of Procedure to provide that the ERO will comply with each Reliability Standard that identifies the ERO as an applicable entity. 22 Further, the delegation agreements between NERC and each of the eight Regional Entities expressly state that the Regional Entity is committed to comply with approved Reliability Standards. The Commission stated its belief that, while it is likely that NERC and the Regional Entities are not directly subject to mandatory Reliability Standards as users, owners or operators of the Bulk-Power System, their adherence to the CIP Reliability Standards pursuant to the NERC Rules of Procedure and the delegation agreements suffices. 22 *See* CIP NOPR at P 21-31; NERC Rules of Procedure, section 100. 33. 
The Commission also indicated in the CIP NOPR that it would rely on the NERC registration process to determine the applicability of the CIP Reliability Standards. 23 While expressing concern about small entities becoming a gateway for cyber attacks, the Commission indicated that it was prepared to rely on the registration process based in part on the expectation that industry will use the “mutual distrust” posture. 24 The Commission also explained that it would rely on the NERC registration process to include all critical assets and associated critical cyber assets, and listed examples. Further, we noted that because, as an initial compliance step, each entity that is responsible for compliance with the CIP Reliability Standards must first identify critical assets through the application of a risk-based assessment, CIP-002-1 acts as a filter, determining a subset of entities that must comply with the remaining CIP requirements (i.e., CIP-003-1 through CIP-009-1). 23 *Id.* P 27. The CIP NOPR also affirmed the statement in Order No. 693 that the Commission intends to further examine applicability issues under section 215 of the FPA in a future proceeding. Order No. 693 at P 77. 24 *Id.* P 28. The term “mutual distrust” is used to denote how “outside world” systems are treated by those inside the control system. A mutual distrust posture requires each responsible entity that has identified critical cyber assets to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates. This concept is discussed further in the context of CIP-003-1. 34. The Commission also raised concerns regarding operation of critical cyber assets by out-sourced entities. 
25 The CIP NOPR noted that, on occasion, NERC negotiates contracts with third-party vendors, and the products developed by the vendors are then used by responsible entities that, as owners of the critical cyber assets, are ultimately responsible for their cyber security protection under the CIP Reliability Standards. The Commission solicited comment on whether and how out-sourced entities should be contractually obligated to comply with the CIP Reliability Standards while satisfying their other contractual obligations. 25 CIP NOPR at P 31. 2. Comments 35. Most commenters that address the issue support the Commission's approach to assuring NERC and Regional Entity compliance with the CIP Reliability Standards. Commenters also support the Commission's reliance on the NERC registration process to identify appropriate entities. Numerous commenters address the issue of third-party vendors, indicating that such third parties are not subject to mandatory Reliability Standards and that responsible entities need to address the matter through contractual provisions with their vendors. a. Applicability to NERC and Regional Entities 36. EEI supports the Commission's conclusion that NERC's modifications to its Rules of Procedure and the delegation agreements between NERC and each of the eight Regional Entities with respect to compliance with approved Reliability Standards is sufficient and does not require any additional measures or revisions at this time. EEI expects that the Commission will provide oversight with respect to compliance by NERC and a Regional Entity. However, unlike responsible entities, the ERO and Regional Entities are not subject to penalties under the FPA. Therefore, in considering what level of oversight to provide for these entities, EEI urges the Commission to consider that these entities do not have the same incentive as responsible entities to comply with the CIP Reliability Standards. 37. 
Progress believes that the CIP Reliability Standards must apply to the ERO and the Regional Entities since they have access to critical data of many electric systems and may be perceived as more strategic targets than other registered entities. California Commission, Northern Indiana and Northeast Utilities also assert that the CIP Reliability Standards should apply to NERC and the Regional Entities. Northern Indiana states that subjecting NERC to the CIP Reliability Standards would obviate Northern Indiana's concern with providing NERC personnel with access to information they may need when reviewing and evaluating Northern Indiana's compliance measures. 38. California Commission comments that the CIP NOPR properly recognized the ERO as an applicable entity. It also states that the delegation agreements between NERC and the Regional Entities mandate that the Regional Entities will be subject to the CIP Reliability Standards. California Commission states that, if the ERO or Regional Entities do not adhere to the CIP Reliability Standards, they could become the weak link whose failure could harm the Bulk-Power System. b. Reliance on NERC Registration Process 39. NRECA, MEAG Power and other commenters support the Commission's reliance on the NERC registration process to identify appropriate entities and also share the concern that entities not registered could become a weakness in the security of the Bulk-Power System. 26 NRECA states that the Commission's proposed approach is appropriate and consistent with the Commission's prior orders, the statute, and the ERO's Statement of Registry Criteria. EEI suggests that proper registration, combined with a strong ERO audit program, would assure that all critical assets are covered by the CIP Reliability Standards. EEI also asks the Commission to clarify that the NERC registration process would identify responsible entities, but not critical assets. 26 *E.g.* , Duke, EEI, Energy Producers, Northeast Utilities and Reliant. 
40. EEI and ISO/RTO Council agree with the statement in the CIP NOPR that demand side aggregators might also need to be included in the NERC registration process if their load shedding capacity would affect the reliability or operability of the Bulk-Power System. EEI comments that demand side aggregators do not fit into any of the current registry categories and their inclusion would likely require the development of a definition of “demand response” and “direct load control,” as well as size thresholds, which are best addressed in the NERC Reliability Standards development process. 41. California Commission comments that small entities can become a weak link whose failure could harm Bulk-Power System reliability. It is concerned that an entity that should be registered may slip through the identification process. Accordingly, California Commission suggests that any entity connected to the Bulk-Power System, regardless of size, must comply with the CIP Reliability Standards irrespective of their registration status. c. Third-Party Vendors 42. The majority of commenters contend that neither the ERO, nor the Commission, have authority to extend the applicability of the CIP Reliability Standards to third-party vendors. 27 NRECA, for example, argues that this conclusion is dictated by statute, as section 215 of the FPA only applies to users, owners and operators of the Bulk-Power System and does not confer jurisdiction over third-party vendors. Accordingly, commenters claim that the relationship between registered entities and their outsourced providers is necessarily one of contract, and the regulatory compliance obligation falls solely on the registered entity. 27 *See* , *e.g.* , Alliant, Mr. Brown, Duke, EEI, ISO/RTO Council, NRECA, PG&E, SDG&E and Tampa Electric. 43. EEI agrees with the CIP NOPR statement that responsible entities, as owners of critical assets, are ultimately accountable for their cyber security protection under the Reliability Standards. 
EEI also comments that it is reasonable that responsible entities may wish to provide their vendors with incentives to comply with CIP Reliability Standards while satisfying their other contractual obligations. 28 According to ReliabilityFirst, out-sourced products developed for the exchange of data integral to reliability must be developed in compliance with the CIP Reliability Standards. It believes the responsible entity should contractually obligate vendors of such products to comply with appropriate requirements of the CIP Reliability Standards. 28 Alliant, Mr. Brown, PG&E, SDG&E and Tampa Electric agree with EEI's position. 44. ISO/RTO Council comments that, when an application is developed and maintained by an outsourced provider, that provider manages access to the environment on which the application runs and therefore must be contractually obligated by the responsible entity to comply with the CIP Reliability Standards. While not in NERC's registry, such third parties must perform the services and operate the applications in a manner consistent with the CIP Reliability Standards. According to ISO/RTO Council, the responsible entity should be charged with incorporating contractual terms and conditions into its agreements with the third-party provider that obligates the provider to comply with the requirements of the CIP Reliability Standards. Responsibility for non-compliance by the third-party vendor should be borne by the responsible entity that made the business decision to outsource the application. 45. Other commenters contend that the CIP Reliability Standards must apply to vendors and contractors as well as responsible entities. For example, California Commission suggests that the CIP Reliability Standards should apply to every entity that has a cyber connection to the Bulk-Power System. 
However, in California Commission's view, some special rules must be developed on CIP Reliability Standards applicability for entities that are not responsible entities but that have entered contracts obligating them to comply with the CIP Reliability Standards. Consumers claims that vendors and contactors with access (remote and on-site) to the critical cyber assets should be required to comply with the CIP Reliability Standards' personnel risk assessment guidelines. Consumers also advocates that vendor companies should have a personnel risk assessment policy, i.e., background check, for all new personnel and all systems (software applications and hardware devices) should be tested for quality and reliability. 46. Northern Indiana comments that third-party vendors working for NERC must comply with the CIP Reliability Standards, e.g., background checks, just as Northern Indiana's third-party vendors must. Otherwise, NERC's vendors should not be given access to critical cyber assets. 3. Commission Determination 47. The Commission adopts the CIP NOPR approach regarding NERC and Regional Entity compliance with the CIP Reliability Standards. The Commission maintains its belief that NERC's compliance is necessary in light of its interconnectivity with other entities that own and operate critical assets. Further, we conclude that NERC's Rules of Procedure, which state that the ERO will comply with each Reliability Standard that identifies the ERO as an applicable entity, provide an adequate means to assure that NERC is obligated to comply with the CIP Reliability Standards. Likewise, the delegation agreements between NERC and each Regional Entity expressly state that the Regional Entity is committed to comply with approved Reliability Standards. 29 Based on these provisions, we find that the Commission has authority to oversee the compliance of NERC and the Regional Entities with the CIP Reliability Standards. 29 In Order No. 
693, at P 157, the Commission directed NERC to remove each reference to the Regional Reliability Organization and replace it with a reference to the Regional Entity. This directive applies to the CIP Reliability Standards as well. 48. With regard to EEI's concerns about NERC's incentives to comply with the CIP Reliability Standards, we believe that NERC's position as overseer of Bulk-Power System reliability provides a level of assurance that it will take compliance seriously. Moreover, section 215(e)(5) of the FPA provides that the Commission may take such action as is necessary or appropriate against the ERO or a Regional Entity to ensure compliance with a Reliability Standard or Commission order. 30 30 Section 39.9 of the Commission's regulations provides similar language to that of the statute. In Order No. 672, the Commission discussed its authority to take action against the ERO or a Regional Entity and the types of actions that are available. *See* Order No. 672 at P 761-62. 49. The Commission also adopts its CIP NOPR approach and concludes that reliance on the NERC registration process at this time is an appropriate means of identifying the entities that must comply with the CIP Reliability Standards. 31 We are concerned, like the California Commission, that some small entities that are not identified in the NERC registry may become gateways for cyber attacks. However, we are not prepared to adopt California Commission's suggested approach of requiring that any entity connected to the Bulk-Power System, regardless of size, must comply with the CIP Reliability Standards irrespective of the NERC registry. We believe this approach is overly-expansive and may raise jurisdictional issues. Rather, we rely on NERC and the Regional Entities to be vigilant in assuring that all appropriate entities are registered to ensure the security of the Bulk-Power System. 31 CIP NOPR at P 26-30. 50. 
With regard to EEI's request for clarification, the NERC registry process is designed to identify and register entities for compliance with Reliability Standards, and not identify lists of assets. In the CIP NOPR, the Commission explained that it would expect NERC to register the owner or operator of an important asset, such as a blackstart unit, even though the facility may be relatively small or connected at low voltage. 32 While the facility would not be registered or listed through the registration process, NERC's or a Regional Entity's awareness of the critical asset may reasonably result in the registration of the owner or operator of the facility. 32 *Id.* P 29. 51. Likewise, we believe that NERC should register demand side aggregators if the loss of their load shedding capability, for reasons such as a cyber incident, would affect the reliability or operability of the Bulk-Power System. EEI and ISO/RTO Council concur that the need for the registration of demand side aggregators may arise, but state that it is not clear whether aggregators fit any of the current registration categories defined by NERC. We agree with EEI and ISO/RTO Council that NERC should consider whether there is a current need to register demand side aggregators and, if so, to address any related issues and develop criteria for their registration. 52. The Commission agrees with the many commenters that suggest that the responsibility of a third-party vendor for compliance with the CIP Reliability Standards is a matter that should be addressed in contracts between the registered entity that is responsible for mandatory compliance with the Standards and its vendor. To the extent that the responsible entity makes a business decision to hire an outside contractor to perform services for it, the responsible entity remains responsible for compliance with the relevant Reliability Standards. 
Thus, it is incumbent upon the responsible entity to assure that its third-party vendor acts in compliance with the CIP Reliability Standards. We agree with ISO/RTO Council's characterization of the matter: . . . when an application is developed and maintained by an outsourced provider, that outsourced provider manages physical and cyber access to the environment on which the application runs and therefore must be contractually obligated to the Responsible Entity to comply with the Reliability Standards. While such providers are not registered entities subject to the Reliability Standards, they must perform the services and operate the applications in a manner consistent with the Reliability Standards . . . the Responsible Entity should be charged with incorporating contractual terms and conditions into agreements with third-party service providers that obligate the providers to comply with the requirements of the Reliability Standards. In that regard, if a Responsible Entity determines that it is necessary to outsource a service that is essential to the reliable operation of a Critical Asset, Critical Cyber Asset, or the bulk electric system, it is clear that the Responsible Entity must be held responsible and accountable for compliance with the Reliability Standards.[ 33 ] 33 ISO/RTO Council comments at 21-22. 53. Further, it is incumbent upon a responsible entity to conduct vigorous oversight of the activities and procedures followed by the vendors they employ. Thus, we expect a responsible entity to address in its security policy under CIP-003-1 its policies regarding its oversight of third-party vendors. D. Compliance Measured by Outcome 1. Performance-Based Standards a. NOPR Proposal 54. The CIP NOPR expressed concern that the lack of specificity within the proposed CIP Reliability Standards could result in inadequate implementation efforts and inconsistent results. 
34 In addressing the appropriate amount of specificity, the Commission stated that “performance-based standards may not always be appropriate, for example, in situations where the `how' may be inextricably linked to the Reliability Standard and may need to be specified to ensure the enforceability of the standard.” 35 Thus, the Commission indicated that it may be appropriate to direct NERC in specific instances to develop modifications to the CIP Reliability Standards to address the “how.” 34 CIP NOPR at P 32, citing CIP Assessment at 3. 35 *Id.* at P 33, quoting Order No. 672 at P 260. 55. The CIP NOPR also noted that the CIP Reliability Standards do not provide a mechanism to measure performance. The Commission identified three strategies for monitoring performance:
(1)Internal and external oversight of a responsible entity's activities;
(2)documenting, monitoring and revisiting a responsible entity's exercise of flexibility in a way that excepts it from a Requirement; and
(3)reporting certain wide-area information and analysis to the Commission. b. Comments 56. NERC and others comment that the CIP Reliability Standards should prescribe what outcome must be accomplished, but should not prescribe how that outcome is accomplished. 36 These commenters contend that discussion on how to implement a Requirement should be provided in a separate reference document such as guidelines or white papers, but not included in the CIP Reliability Standards themselves. This approach would allow responsible entities to retain the flexibility to implement a solution that best meets their needs. 37 According to NERC, including “how” language in the CIP Reliability Standards would dictate the only acceptable manner of implementation and thwart other acceptable, and possibly superior, methods of satisfying the Reliability Standards. In contrast, a guidance document allows more flexibility and is more easily updated as technology advances. 36 *E.g.* , EEI, Alliant, Arizona Public Service, Mr. Brown, FirstEnergy, ISO/RTO Council, Luminant, Northeast Utilities, Ontario Power, PSEG Companies, Puget Sound and Southern. 37 *E.g.* , NERC, ReliabilityFirst and Mr. Brown. 57. In addition, NERC expresses concern that including acceptable solutions as part of the CIP Reliability Standards could introduce common vulnerabilities based on all industry participants using a nearly identical solution to a given vulnerability. 38 PSEG Companies share this concern, adding that identifying the technology to be used to combat vulnerabilities creates vulnerabilities and allows hackers to focus their efforts on disrupting those systems. NERC and ReliabilityFirst also argue that guidance to address every contingency would be voluminous and difficult to write. 38 Ontario Power and ReliabilityFirst raise similar concerns. 58. A number of commenters also provide comment regarding performance measurement and the Commission's proposal for internal and external oversight. 
NERC contends that much of the proposed additional oversight is in place in the existing ERO and regional compliance and audit programs. NERC explains that these programs are being updated based on the Requirements of the CIP Reliability Standards. 59. Other commenters, such as EEI, ISO/RTO Council and Puget Sound, suggest that the determination of whether a responsible entity meets or fails to meet the requirements of a CIP Reliability Standard should be determined in an audit based on the specific facts and circumstances of its use, ownership or operation of the Bulk-Power System. EEI argues that a strong auditing requirement serves to ensure quality control, and will result in consistency in the implementation of the CIP Reliability Standards. KCPL states that the information technology associated with cyber security provides a unique challenge for the audit function and auditors must have a significant amount of experience with both the industry and the cyber security needs to ensure that the obligations to the CIP Reliability Standards are properly evaluated during an audit. SERC-CIPC adds that the distinction between mandatory requirements and non-binding guidance should be made clear to auditors, noting that these differences could be subtle. 60. With regard to external oversight, Northern Indiana believes that certain independent entities' employees “such as [those performing] the internal audit function” can provide a wide-area view. Northern Indiana requests clarification on what the Commission means by the term “external oversight.” c. Commission Determination 61. The Commission received comments on both sides of the issue of specificity. Some commenters caution against the CIP Reliability Standards being too specific, while others request more guidance to help them comply. 
In general, the Commission believes it is appropriate to provide sufficient guidance to explain Requirements so that responsible entities have a high degree of certainty that they understand what is necessary to comply with a Requirement. More guidance will allow responsible entities to implement measures adapted to their specific situations more consistently and effectively. Additional guidance need not be included in a specific Requirement, but could be in the form of examples. The Commission is not directing that the ERO establish a specific end result. Our concern is simply that responsible entities have guidance on how to achieve an appropriate result in individual cases, which can vary on a case-by-case basis. Therefore, in several instances throughout this Final Rule, the Commission gives the ERO direction to provide additional guidance. In some cases, we require that the guidance be placed in modifications to the CIP Reliability Standards. In other cases, we note that some or all of the additional guidance could be placed in a reference document separate from the CIP Reliability Standards. 62. Some of the more specific directives in this Final Rule pertain to issues that the Commission considers necessary to carry out its statutory responsibilities. Examples of this include areas of oversight, exceptions to Requirements, and reports to the Commission. In developing these directives, we have tried to strike a balance between our needs to implement the statute and the concerns expressed by commenters. 63. We agree in general with commenters who point out that compliance issues should be determined in audits and that a strong auditing process will help to ensure quality control and consistency in the implementation of the CIP Reliability Standards. However, we point out that audits are only one aspect of the ERO's compliance monitoring and enforcement process. All aspects of that process must function well. 
In addition, we note compliance audits are conducted after-the-fact and do not diminish the necessity for internal and external reviews of compliance efforts, including the identification of critical assets and critical cyber assets. 64. In response to Northern Indiana, we explain “external oversight” in our discussions and determinations of specific Requirements in the Final Rule. 2. Adequacy of Outcomes a. NOPR Proposal 65. The CIP NOPR noted that many of the Requirements of the CIP Reliability Standards consist of broad directives, with corresponding Measures and Compliance provisions focusing largely on proper documentation. 39 The Commission asserted that documentation by itself does not satisfy the Requirements of a Reliability Standard and, rather, implementation of the substance of the Requirements is most important in determining compliance. 39 CIP NOPR at P 35-41. 66. The Commission also noted that, while certain Requirements of the CIP Reliability Standards obligate a responsible entity to develop and maintain a plan, policy or procedure, the Requirements do not always explicitly require implementation of the plan, policy or procedure. The Commission proposed to interpret such provisions to include an implicit implementation requirement. b. Comments i. Documentation 67. SPP and ReliabilityFirst agree with the Commission that adequate documentation does not substitute for substantive compliance with the responsibilities set forth in the requirements of the CIP Reliability Standards. However, they express concern that not relying on objective documentation requirements to demonstrate compliance could result in subjective variations in the audit process and uneven application of the Requirements of a Reliability Standard. 
ReliabilityFirst states that, while it is reasonable to apply subjective reasoning as part of a readiness assessment, any audit that could result in financial sanctions for non-compliance must rely solely upon clearly defined objective measures. To remedy the concern that documentation may not assure compliance with a CIP Reliability Standard, SPP suggests that the Requirements and Measures prescribed in a CIP Reliability Standard be enhanced to define the minimum acceptable documentation content. 68. In the context of measuring performance, Northern Indiana states that it generally supports the Commission's desire to clarify the CIP Reliability Standards but cautions the Commission from prescribing modifications that would limit a responsible entity's discretion. Northern Indiana comments that, while in some instances (such as testing vulnerabilities on a real-time, active system basis) documentation should suffice to demonstrate compliance, in other situations documentation does not suffice. In these instances, even though the responsible entity's documentation may comply with the CIP Reliability Standards, the responsible entity must nevertheless demonstrate actual compliance. In these cases, Northern Indiana suggests that compliance can be verified in a subsequent audit. 69. Xcel notes that, in the CIP NOPR, the Commission indicated that “compliance will in all cases be measured by whether a party met or failed to meet the Requirement given the specific facts and circumstances.” 40 Xcel agrees that the Requirements contain the substantive obligations of a CIP Reliability Standard. Xcel asks the Commission to clarify whether an entity that complies with the substance of the Requirements but violates the documentation provisions of the Measures or Levels of Non-Compliance may be assessed a penalty. Xcel suggests that penalties are not warranted in this circumstance. 40 Xcel comments at 5, quoting CIP NOPR at P 39 (in turn quoting Order No. 693 at P 253). ii. 
Obligation to Implement Plans, Policies and Procedures 70. EEI, FirstEnergy, ISO/RTO Council, Northeast Utilities and PG&E agree that certain CIP requirements do not explicitly require implementation of a plan, policy or procedure that the responsible entity is required to develop and maintain. Thus, they support directing NERC, in the course of its scheduled industry Reliability Standards development process, to consider making explicit that a responsible entity must implement a plan, policy or procedure that it is required to develop. 71. Xcel asks the Commission to clarify what it means to implement a plan, policy or procedure. Specifically, Xcel asks the Commission to clarify that “this does not mean that an entity has to follow every aspect of its plans, policies or procedures to the letter or be in violation * * *.” 41 Xcel comments that following every feature of a plan in all cases would hinder the flexibility that an entity needs to respond effectively to a particular situation. Further, according to Xcel, the Commission's proposal would make each plan, policy and procedure tantamount to an enforceable Reliability Standard. Xcel claims that this would give entities an incentive to include fewer details in their plans, policies and procedures. 41 Xcel comments at 7. c. Commission Determination i. Documentation 72. While the Commission agrees with commenters that relying on an objective determination such as whether a document exists would facilitate the compliance audit process, we do not believe such a cursory approach is the best way to ensure the protection of the Bulk-Power System. We adopt our proposal in the CIP NOPR that responsible entities must comply with the substance of a Requirement. In this way we affirm the Commission's position established in Order No. 
693 that, “while Measures and Levels of Non-Compliance provide useful guidance to the industry, compliance will in all cases be measured by determining whether a party met or failed to meet the Requirement given the specific facts and circumstance of its use, ownership or operation of the Bulk-Power System.” 42 While we agree with Northern Indiana that, depending on the Requirement in question, in some instances (such as active system testing) documentation would suffice to demonstrate compliance, even in these cases auditors should look at the content of the documentation to determine if the substance of the Requirement has been met. 42 Order No. 693 at P 253. 73. Xcel seeks clarification regarding responsible entities that comply with the substance of a Requirement but violate the documentation provisions. In Order No. 693, in response to a similar request by Xcel, the Commission explained that, “[w]hile the Commission generally agrees that it is a violation of the Requirements that is subject to a penalty, we recognize that because Measures are intended to gauge or document compliance, failure to meet a Measure is almost always going to result in a violation of a Requirement.” 43 We add that a responsible entity's failure to maintain documentation (as set forth in a Measure) that obstructs the ability of the ERO, Regional Entity or Commission to determine compliance with the substance of a Requirement may warrant a penalty. 43 *Id.* P 256. ii. Obligation To Implement Plans, Policies and Procedures 74. In the CIP NOPR, the Commission also noted that, while certain Requirements of the CIP Reliability Standards obligate a responsible entity to develop and maintain a plan, policy or procedure, the Requirements do not always explicitly require implementation of the plan, policy or procedure. The Commission proposed to interpret such provisions to include an implicit implementation requirement. 75. 
Consistent with that proposal, the Commission concludes that, where the CIP Reliability Standards obligate a responsible entity to develop and maintain a plan, policy or procedure, there should be a corresponding obligation to implement the plan, policy or procedure. However, while the CIP NOPR proposed to interpret the CIP Reliability Standards as including an implicit obligation to implement plans, policies and procedures, we are persuaded by the commenters that a better approach is for the ERO to develop modifications to the CIP Reliability Standards that contain appropriate implementation language. Accordingly, we direct the ERO to develop modifications to the CIP Reliability Standards that require a responsible entity to implement the plans, policies and procedures that it must develop pursuant to the CIP Reliability Standards.

76. As to Xcel's argument that, at times, the proper course is to deviate from a plan, we agree that the details of such plans are not equivalent to Requirements of a CIP Reliability Standard. However, the responsible entity's plan should be followed unless a deliberate decision is made for good reason not to follow it. Such reason should be documented and available for compliance auditors to review. Merely ignoring plan provisions is equivalent to not having a plan. For clarity, we note that a decision not to follow a particular plan provision due to circumstances will not except a responsible entity from a related Requirement in a CIP Reliability Standard. As discussed below, we find that any exception to a CIP Reliability Standard must comply with the required conditions for a technical feasibility exception.

E. Implementation Plan

77. In the CIP NOPR, the Commission explained that, because the CIP Reliability Standards are new and require applicable entities in many cases to develop new cyber security systems and procedures, NERC developed an implementation plan based on a schedule that provides for implementation of the CIP Reliability Standards over a three-year period.[^44] The implementation plan sets out a proposed schedule for accomplishing the various tasks associated with compliance with the CIP Reliability Standards. The schedule gives a timeline by calendar quarters for completing various tasks and prescribes milestones for when a responsible entity must:

(1) “Begin work”;
(2) “be substantially compliant” with a Requirement;
(3) “be compliant” with a Requirement; and
(4) “be auditably compliant” with a Requirement.

According to the implementation plan, “auditably compliant” must be achieved in 2009 for certain Requirements by certain responsible entities, and in 2010 for others.

[^44]: CIP NOPR at P 42. *See also* NERC August 28, 2006 Filing, Exhibit B, “Implementation Plan for Cyber Security Standards” (implementation plan).

1. Commission Approval of Implementation Plan

a. NOPR Proposal

78. The Commission proposed to approve NERC's implementation plan, including the proposed timelines for achieving compliance.[^45] The Commission stated its belief that the timetable proposed by NERC sets reasonable deadlines for industry compliance, recognizing the broad industry input to its development and the tasks that many responsible entities face to purchase and install new equipment and software to achieve compliance.

[^45]: *Id.* P 47.

b. Comments

79. Numerous commenters urge the Commission to accept NERC's proposed implementation plan and the proposed timeline for achieving compliance with the CIP Reliability Standards.[^46] For example, Applied Control Solutions comments that, due to real cyber vulnerabilities to the grid, there is an urgent need to move forward with the effective dates without delay and not allow any extension of those dates. KCPL states that the implementation plan has been developed based on input from industry stakeholders and that the timetables and processes agreed upon in that process represent prudent steps toward the implementation of the CIP Reliability Standards.

[^46]: *E.g.*, NERC, Applied Control Solutions, EEI, FirstEnergy, KCPL, PG&E and Progress.

80. Many of these same commenters express concern about how the Commission's proposal in the CIP NOPR to direct that NERC develop certain modifications to the CIP Reliability Standards would affect the implementation schedule. NERC explains that the implementation plan and time frame are for the existing CIP Reliability Standards as submitted to the Commission.
NERC states that any changes to the CIP Reliability Standards resulting from the Final Rule will potentially impact the implementation plan and time frame, and a new schedule will need to be developed during the Reliability Standards development process associated with those changes.[^47]

[^47]: *See also* Allegheny, Alliant, Detroit Edison, Duke, EEI, Entergy, FPL Group, Idaho Power, KCPL, Manitoba Hydro, MidAmerican, National Grid, OGE, Ontario IESO, PG&E, PSEG Companies, Southern, Teltone and Xcel.

81. Similarly, EEI and Entergy advocate that the Final Rule make clear that modifications developed pursuant to the Reliability Standards development process should not be implemented until the conclusion of the NERC implementation plan.[^48] PSEG Companies add that responsible entities have already developed budgets and implementation plans in reliance on the existing CIP Reliability Standards. PSEG Companies indicate that, although they may ultimately support some of the changes proposed in the CIP NOPR, they cannot support modifying the current CIP Reliability Standards before the 2009 compliance deadline. EEI and Alliant claim that, if the Commission directs the NERC Reliability Standards development process to consider potential changes to the CIP Reliability Standards before the conclusion of the implementation plan, responsible entities will be significantly discouraged from performing any further work until these changes are finalized. Thus, implementation work may slow or come to a stop because responsible entities will have an incentive to wait for the final outcome of this Commission-imposed revision process.

[^48]: EEI at 6. Elsewhere, EEI states that the Commission should not direct NERC to consider changes to the CIP Reliability Standards before the conclusion of the NERC implementation plan. EEI at 7-8.

82. Manitoba Hydro comments that the Commission should reject NERC's proposed implementation schedule because it is based on the unrealistic expectation that the CIP Reliability Standards would be approved without the need for any revisions. Muscatine Power & Water argues that, if the Commission requires utilities to base their risk-based assessments on formal guidelines provided by NERC, then the implementation schedule must be extended to allow additional time for compliance.

83. APPA/LPPC suggest the implementation plan may need adjustment if the Regional Entities or some other region-wide institutions supplement a responsible entity's list of critical assets. In such cases, APPA/LPPC request that the Commission direct NERC to develop a reasonable schedule for determining the timeline for being auditably compliant with respect to the newly designated assets.

84. Entergy characterizes the CIP NOPR as proposing to “remand” CIP-002-1, which according to Entergy would leave unresolved the basic issue of which assets are subject to the CIP Reliability Standards. Entergy contends that, without knowledge of which assets the CIP Reliability Standards apply to, the proposed timeline is unworkable.

85. SPP maintains that there is no table prescribing a schedule in which an existing registered entity can bring a newly identified critical asset and its critical cyber assets into compliance. While not expected to change frequently, the critical asset list can change for any number of valid reasons, and the registered entity needs an appropriate period of time in which to achieve compliance for that asset. In the absence of a compliance schedule, no guidance is available to either the registered entity or the auditor. SPP recommends that a new table be developed defining a compliance schedule for newly identified critical assets and based upon the date of the risk-based assessment.
SPP argues that the table should include milestones for tasks already completed and milestones for tasks yet to be done that will require additional resources and time to comply.

c. Commission Determination

86. The Commission adopts its CIP NOPR proposal and approves NERC's implementation plan and time frames for responsible entities to achieve auditable compliance. Responsible entities require a reasonable period of time to purchase and install new cyber software and equipment and to develop new programs and procedures to achieve compliance. Commenters indicate that the implementation plan provides that reasonable period of time. Further, we agree with commenters that there is an urgent need to move forward without any delays. Accordingly, we approve NERC's implementation plan.

87. Commenters raise concerns regarding the impact on the implementation plan of the Commission's directives for modifications to the CIP Reliability Standards. As explained above, the Commission is not modifying the CIP Reliability Standards in this Final Rule. Rather, pursuant to section 215(d)(5) of the FPA, the Commission in the Final Rule directs the ERO to develop certain modifications to the CIP Reliability Standards pursuant to the NERC Reliability Standards development process. Even though the development of such modifications will take time, this does not present a reason for delay or revision to the NERC implementation plan for implementing the CIP Reliability Standards approved in this Final Rule.

88. The Commission believes that the modifications to the CIP Reliability Standards developed by the NERC Reliability Standards development process should not be audited prior to the conclusion of the approved implementation plan. EEI and other commenters claim that commencing the development of such modifications prior to the conclusion of the implementation plan would be discouraging to industry.
The Commission, however, finds that it is unacceptable to delay the development of the modifications directed in this Final Rule until after the conclusion of the implementation plan. Since it is uncertain how long it will take to develop revised CIP Reliability Standards, we believe it is not reasonable to wait until the 2009-2010 time period for the process to start. Features such as enhanced conditions on technical feasibility exceptions and oversight of critical asset determinations are too important to the protection of the Bulk-Power System to wait that long.

89. While we are both sympathetic to and concerned about straining industry resources, the Commission and the electric industry must do their best to protect the electric infrastructure that is essential to the health and safety of the nation. Therefore, we direct the ERO to submit a work plan for Commission approval for developing and filing for approval the modifications to the CIP Reliability Standards that we are directing in this Final Rule. As suggested by NERC, the Commission will consider a second implementation plan for achieving compliance with the forthcoming revised CIP Reliability Standards.

90. The Commission did not propose to remand CIP-002-1 as argued by Entergy. Nonetheless, Entergy raises a valid concern, since the Commission's directive, discussed below, that the ERO develop modifications to CIP-002-1 could affect a responsible entity's identification of critical assets. We share Entergy's concern that there are threshold issues regarding CIP-002-1 that must be addressed before responsible entities can have certainty regarding which assets must be protected according to the CIP Reliability Standards. We also believe that responsible entities need certainty regarding the conditions for a technical feasibility exception to inform their decisions about how to comply with the CIP Reliability Standards, even in their current form.
Therefore, we direct the ERO, in its development of a work plan, to consider developing modifications to CIP-002-1 and the provisions regarding technical feasibility exceptions as a first priority, before developing other modifications required by the Final Rule.

2. Self-Certification

a. NOPR Proposal

91. In the CIP NOPR, the Commission expressed concern over whether responsible entities will be fully prepared for compliance upon reaching the implementation deadline and will take reasonable action to protect the Bulk-Power System during the interim period.[^49] The Commission stated that NERC's plans to require self-certification during the interim period are helpful and proposed that, to allow adequate monitoring of progress, the ERO develop a self-certification process with certifications more frequent than once per year. The CIP NOPR suggested that self-certification be tied either to target dates in the schedule or perhaps to quarterly or semi-annual certifications. The Commission indicated that, while an entity should not be subject to a monetary penalty if it is unable to certify that it is on schedule, such an entity should explain to the ERO the reason it is unable to self-certify. The ERO and the Regional Entities should then work with such an entity either informally or, if appropriate, by requiring a remedial plan, to assist such an entity in achieving full compliance in a timely manner. We also stated that the ERO and the Regional Entities should provide informational guidance, upon request, to assist a responsible entity in assessing its progress in reaching “auditably compliant” status.

[^49]: CIP NOPR at P 48.

b. Comments

92. Many commenters oppose directing NERC to consider a self-certification process with more frequent self-certifications than on an annual basis.[^50] In this regard, EEI argues that a more frequent self-certification requirement is likely to impose undue burdens without commensurate benefits.
KCPL claims that there are sufficient processes already in place to evaluate and monitor CIP Reliability Standards compliance, and that additional requirements for self-certification provide no significant support or benefit to tracking a Responsible Entity's obligations under the CIP Reliability Standards and are unneeded.

[^50]: *E.g.*, Alliant, Bonneville, Entergy, EEI, ISO-NE, KCPL, National Grid, Northeast Utilities, PG&E, Portland General, Progress, Puget Sound and Southern.

93. Other commenters, such as APPA/LPPC, MidAmerican, Northern Indiana and SDG&E, either support or do not object to more frequent self-certifications. APPA/LPPC support NERC's proposed self-certification process as a reasonable means of tracking the progress made by responsible entities toward full, auditable compliance. Nor do they object to the Commission's proposal that such certification be rendered quarterly or semi-annually. Northern Indiana supports semi-annual self-certification during the transition until the implementation plan is completed. Northern Indiana contends that more frequent self-certification would be unduly burdensome.

94. METC-ITC also support quarterly or semi-annual self-certifications because the certifications will properly pressure entities to take timely steps to achieve compliance by the deadline for auditable compliance. METC-ITC are concerned, however, that having NERC monitor progress toward compliance with the CIP Reliability Standards via self-certifications may place a burden on the ERO and the Regional Entities that their current staffs may be unable to properly administer. Thus, METC-ITC propose that the Commission require the ERO to file plans addressing how it will satisfy the new requirements for providing assistance to responsible entities and further assessing CIP implementation as part of its readiness reviews.

95. SDG&E supports semi-annual certifications, but comments that quarterly certifications would be distracting to the main goal, as well as burdensome, time consuming and paper intensive. It agrees with the Commission that an entity should not be penalized if it cannot certify that it is on schedule. SDG&E does not object to the Commission's proposal that the ERO and the Regional Entities should work with such an entity in achieving full compliance, provided that the Commission clarify that this means “getting back” on schedule and not accelerating compliance.

c. Commission Determination

96. While the Commission is sensitive to concerns that more frequent self-certifications may be burdensome, it is important that the ERO and the Commission know whether industry, or segments of industry, are having difficulty implementing the CIP Reliability Standards. Therefore, we direct the ERO to require more frequent, semi-annual, self-certifications prior to the date by which full compliance is required. Such additional self-certifications may be a “stream-lined” version, but must be useful for the ERO and the Commission to assess industry's progress toward achieving compliance with the CIP Reliability Standards.

97. Further, we adopt our CIP NOPR proposals that, while an entity should not be subject to a monetary penalty if it is unable to certify that it is on schedule, such an entity should explain to the ERO the reason it is unable to self-certify. The ERO and the Regional Entities should then work with such an entity either informally or, if appropriate, by requiring a remedial plan to assist such an entity in achieving full compliance in a timely manner. Further, we expect the ERO and the Regional Entities to provide informational guidance, upon request, to assist a responsible entity in assessing its progress in reaching “auditably compliant” status.

98. With regard to METC-ITC's comment, we will not require NERC and the Regional Entities to submit plans describing how they will undertake these responsibilities. Rather, the ERO and Regional Entities can address any need for additional resources in the ERO's annual budget filing. If necessary to fulfill their statutory obligations, the ERO and Regional Entities may file a request for additional funding to supplement their Commission-approved budgets.

99. With regard to SDG&E's comment, we clarify that the goal of a Regional Entity working with a responsible entity that is unable to self-certify is to assist the entity in meeting the NERC time frames for auditable compliance, and not to accelerate compliance ahead of schedule.

3. Adding a Cyber Security Assessment to NERC's Readiness Reviews

a. NOPR Proposal

100. To further address the Commission's concerns about the period prior to when responsible entities achieve full compliance with the CIP Reliability Standards, the CIP NOPR also proposed that the ERO add a cyber security assessment to NERC's existing readiness reviews.[^51] The Commission explained that the assessment should identify best practices and deficiencies of the reviewed entities to assist them in preparing for implementation of the CIP Reliability Standards and help the Commission evaluate the potential effectiveness of the Standards before full implementation.

[^51]: CIP NOPR at P 49.

b. Comments

101. NERC and other commenters oppose the addition of a cyber security assessment to NERC's existing readiness reviews.[^52] NERC requests that the Commission allow the existing oversight framework to work without adding new or different requirements specific to the CIP Reliability Standards.
EEI points out that, because readiness reviews are not conducted on an annual basis, the review would not occur early enough in the implementation process to assist responsible entities' implementation of the CIP Reliability Standards or assist the Commission in assessing the status of compliance efforts. EEI also asserts that the most likely result of adding a cyber security assessment to NERC's readiness reviews would be to unnecessarily distract responsible entities from performing the actual implementation of the CIP Reliability Standards. Southern adds that such assessments would merely duplicate the self-certifications.

[^52]: *E.g.*, Alliant, Bonneville, EEI, ISO-NE, Luminant, Northeast Utilities, Southern and Tampa Electric.

102. Northeast Utilities asks the Commission to reconsider its proposal prior to the 2009 deadline for full compliance with the CIP Reliability Standards. According to Northeast Utilities, readiness reviews are performed by industry peer volunteers under Regional Entity guidance to identify best practices and ensure that system operators have the tools, processes and procedures in place to operate reliably. It contends that, given the limited industry experience with cyber security, the readiness review process will not produce the benefits the Commission expects.

103. In contrast, MidAmerican and SDG&E agree with the Commission that adding a cyber component to the readiness audit process would be beneficial, provided an exception is made for publication of any weaknesses found during a typical readiness audit. They submit that any areas of concern uncovered by the audit should be considered sensitive and confidential, with appropriate safeguards developed and in place to protect this information. MidAmerican also recommends that the Commission consider including a cyber security assessment within the ERO's existing readiness reviews.

104. Xcel asks the Commission to clarify that the CIP NOPR, in proposing that NERC add cyber security assessments to its existing schedule of reliability readiness reviews, did not intend for NERC to revise its schedule of reviews but, rather, to add a new element to the previously scheduled reviews.

c. Commission Determination

105. The Commission is persuaded by comments regarding the limited reach of readiness reviews and the questionable utility of such reviews prior to the date by which entities are to be compliant; thus, adding the CIP Reliability Standards to the readiness reviews at this time will delay industry's compliance efforts. Therefore, the Commission will not require that the CIP Reliability Standards be added to the readiness reviews at this time.

F. Issues Presented by Terminology

106. The CIP NOPR discussed specific terminology used in the CIP Reliability Standards that, while providing flexibility for a responsible entity in achieving compliance, also raises concerns regarding enforceability of the Standards. Specifically, the Commission raised concerns regarding the terms “reasonable business judgment,” “acceptance of risk,” and “technical feasibility.” As discussed below, the Commission adopts the CIP NOPR proposals and directs NERC to modify the CIP Reliability Standards through the Reliability Standards development process to remove the first two terms, and to develop specific conditions that a responsible entity must satisfy to invoke the “technical feasibility” exception. Moreover, in response to concerns raised by commenters, the Commission has changed certain conditions for invoking the technical feasibility exception.

1. Reasonable Business Judgment

a. NOPR Proposal

107. As we stated in the CIP NOPR,[^53] each of the proposed CIP Reliability Standards incorporates the concept of “reasonable business judgment” as a guide for determining what constitutes appropriate compliance with those Reliability Standards.
The Purpose statement of Reliability Standard CIP-002-1 provides that:

> These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed. Responsible entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.

[^53]: CIP NOPR at P 50.

108. In addition, each of the subsequent CIP Reliability Standards (*i.e.*, CIP Reliability Standards CIP-003-1 through CIP-009-1) includes a statement that “Responsible Entities should interpret and apply the Reliability Standard using reasonable business judgment.”

109. The Commission pointed out in the CIP NOPR that NERC's Glossary of Terms Used in Reliability Standards (NERC Glossary) does not define reasonable business judgment, and the CIP Reliability Standards do not otherwise suggest how the term is to be interpreted. NERC's Frequently Asked Questions (FAQ) document that accompanies the CIP Reliability Standards provides the only available guidance on the issue.[^54] It states that the phrase is meant “to reflect—and to inform—any regulatory body or ultimate judicial arbiter of disputes regarding interpretation of these Standards—that responsible entities have a significant degree of flexibility in implementing these Standards.” The FAQ document notes that there is a long history of judicial interpretation of the business judgment rule and states that “[c]ourts generally hold that the phrase indicates reviewing tribunals should not substitute their own judgment for that of the entity under review other than in extreme circumstances.”

[^54]: NERC included the FAQ document in its August 28, 2006 filing. The FAQ document is also available at *ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Revised_CIP-002-009_FAQs_06Mar06.pdf*.

110. The Commission proposed, in the CIP NOPR, to direct the ERO to modify the CIP Reliability Standards to remove references to the “reasonable business judgment” language before compliance audits start in 2009.[^55] In the CIP NOPR, the Commission discussed the history of the reasonable business judgment concept and the meaning attached to that concept by the courts in the corporate context.[^56] The Commission pointed out that, if this term is applied to the CIP Reliability Standards, it could easily be understood to have the same meaning as in the corporate context.

[^55]: CIP NOPR at P 58.

[^56]: *Id.* P 59, 61.

111. The Commission noted that flexibility and discretion are essential in implementing the CIP Reliability Standards and that implementing those Reliability Standards must be done on the basis of the specific facts and circumstances applicable in the individual case at hand. Cyber security problems do not lend themselves to one-size-fits-all solutions. In addition, the Commission acknowledged that cost can be a valid consideration in implementing the CIP Reliability Standards.
However, the Commission concluded that the traditional concept of reasonable business judgment is ill suited to the task of implementing an appropriate program of cyber security pursuant to section 215 of the FPA.

112. That concept was developed specifically to address the issue of how courts should approach business decisions made by a company's officers or directors, and the answer it provides is based on certain assumptions about how our economic system operates and who is most likely to have the knowledge and expertise needed to make appropriate business decisions. However, the concept of reasonable business judgment takes on a very different meaning when removed from its original context and applied to a different factual situation where very different assumptions apply.

113. The Commission noted in the CIP NOPR that cyber security standards are essential to protecting the Bulk-Power System against attacks by terrorists and others seeking to damage the grid. Because of the interconnected nature of the grid, an attack on one system can affect the entire grid. It is therefore unreasonable to allow each user, owner or operator to determine compliance with the CIP Reliability Standards based on its own “business interests.” Business convenience cannot excuse compliance with mandatory Reliability Standards. The Commission also noted that the explanation of reasonable business judgment found in the FAQ document closely tracks the treatment of the concept in the corporate law context.

114. The Commission stated that this test is fundamentally incompatible with Congress' decision to adopt a regime of mandatory Reliability Standards. The Commission explained that the issue under section 215 of the FPA is not whether the management of a business is acting in the interest of its own shareholders, but rather whether an entity is taking appropriate action to avert risks that could threaten the entire grid.
Finally, the Commission noted that in the corporate governance context, the business judgment rule is invoked only in extreme circumstances, generally when an officer or director is found to have acted fraudulently, in bad faith, or with gross or culpable negligence. For all these reasons, the Commission proposed in the CIP NOPR that the ERO remove references to the “reasonable business judgment” language from the CIP Reliability Standards.

b. Comments

115. NERC and numerous parties, including California Commission, Texas Commission, ISO-NE and ReliabilityFirst, agree that references to reasonable business judgment should be removed from the CIP Reliability Standards. National Grid concurs to the extent that this language adds confusion by incorporating a business law concept into the CIP Reliability Standards or could be construed to allow responsible entities to avoid liability for violations unilaterally and subjectively. APPA/LPPC state that use of reasonable business judgment overstates the appropriate amount of discretion to the extent that term was intended to incorporate a body of law developed in the corporate governance context. NRECA agrees that the term would give responsible entities too much latitude, in essence allowing them to exempt themselves from the CIP Reliability Standards. Xcel states that reasonable business judgment has developed an exculpatory meaning in corporate law that is not applicable to compliance with the CIP Reliability Standards. ISO-NE states that the term provides no measurable value to any of the Requirements and appears to be an open-ended caveat that is susceptible to abuse.

116. Texas Commission states that, in reviewing costs associated with upgrades for physical and cyber security for prudence, it applies a more rigorous criterion than reasonable business judgment.
It argues that a looser criterion in the CIP Reliability Standards could require a company to purchase more equipment or software than would later be compensated for in its rates. Texas Commission states that reasonable business judgment does not relieve an entity from showing that any expenditures it made were just and reasonable as required in Texas Commission rate cases. Texas Commission concludes that it is in the best interest of regulated entities either to remove the term or to replace it with a more narrowly focused term with a clearly defined statutory basis.

117. Numerous commenters argue that use of the term reasonable business judgment was never intended to import corporate law concepts into the CIP Reliability Standards but rather to ensure that Responsible Entities have sufficient flexibility when implementing them.[^57] EEI states that the term was intended to allow flexible but objective decision-making in determining an approach to compliance. It was not intended to provide flexibility on whether to comply, only on how to comply.

[^57]: *E.g.*, Alliant, Arizona Public Service, EEI, PSE&G, SoCal Edison and Xcel.

118. Mr. Brown states that neither the CIP Reliability Standards nor the FAQ document state that the use of reasonable business judgment would have the effects that the Commission suggests and that the Commission's description of the language and its potential effect is an effort to set up a “straw man” rather than address the clear intent of the language. He maintains that the Commission's analysis of the language is speculative and hyper-legalistic.

119. A number of commenters either oppose removal of reasonable business judgment from the CIP Reliability Standards or express serious concern about removing it. Tampa Electric argues that the term should be retained or at the very least replaced with language that ensures flexibility.
SDG&E disagrees with wholesale elimination of the business judgment rule and instead urges that parameters or guidelines be adopted that determine when and how to apply the concept. MidAmerican suggests that it can be retained if accompanied by a mitigation plan with a sunset clause. Northern Indiana supports retaining the language, explaining that the CIP Reliability Standards are new, and the development of best practices regarding them continues to evolve. Responsible entities thus must have the flexibility to exercise discretion and make the appropriate strategic decisions when implementing the Reliability Standards.

120. A number of commenters argue that use of reasonable business judgment makes it clear that cost is a relevant factor. EEI states that a responsible entity is expected to weigh cyber security options in light of the risk to reliability in the same manner as similarly situated entities. Reasonable business judgment does not imply that it is acceptable to make purely economic choices to avoid protecting a critical cyber asset and thus to jeopardize grid reliability. Evaluating whether an asset is critical requires considering the asset's role, its cost, and the impact of the asset being compromised, as well as the costs of potential protection strategies, consistent with good business practice in the electric industry. EEI states that even with the inclusion of this language, the other requirements in the CIP Reliability Standards, such as documentation of decision-making and rigorous auditing, will prevent unfettered discretion in identifying and securing critical cyber assets.

121. Ontario Power states that outright removal will render the CIP Reliability Standards too rigid and that removal could be interpreted by some to mean that compliance is required regardless of the cost, the impact on production systems, or the risk to the Bulk-Power System.
Tampa Electric argues that without the leeway afforded by reasonable business judgment, responsible entities could be forced into cost-prohibitive controls that do not add value in terms of security simply to satisfy an external requirement that is ill-fitted to the particular circumstances. SDG&E states that because the cost should not exceed the security benefit, certain security investments require business judgment. There must be latitude to develop a reasonable business case for determining the costs and benefits of investing in or implementing a security control based on key risk and investment factors specific to an entity.

122. A number of commenters defend the use of reasonable business judgment in terms that focus more on the issue of liability than on simple flexibility or economic considerations. AMP-Ohio states that the plain language of the proposed CIP Reliability Standards could create a strict liability environment if there is no exception for “good faith” or “reasonable judgment.” Mr. Brown states that the proposal to remove the reasonable business judgment language appears to hold utilities, and perhaps individual managers, officers and directors, directly responsible for any adverse impact of decisions based upon their inherently imperfect knowledge and information, regardless of whether they acted in good faith and made reasonably well-informed decisions. Entergy states that the industry must have reasonable assurance that the actions they are implementing meet the CIP Reliability Standards and Requirements if they acted in good faith, performed the proper evaluation, and took actions consistent with their evaluation.

123. Mr. Brown maintains that there are 200 years of legal precedent for determining what constitutes prudent behavior, and nothing in the legislative history of section 215 of the FPA suggests that Congress intended to depart from that precedent in this case.
He states that the Commission should proceed with great caution when it proposes to depart from this precedent for determining prudent behavior without a clear, express mandate from Congress to do so. 124. EEI and other commenters argue that if the reasonable business judgment language is removed from the CIP Reliability Standards, it should be replaced with alternative language developed in the Reliability Standards development process. 58 They argue that such language is necessary to ensure necessary flexibility. National Grid states that the Commission should allow the ERO to develop suitable replacement language to allow for the reasonable flexibility that the Commission acknowledges that the industry requires in addressing critical infrastructure protection issues. 58 *E.g.* , Arizona Public Service, Mr. Brown, Georgia Operators, KCPL, NRECA, Northern California, NIPSCO, Northeast Utilities, OGE, PG&E, SoCal Edison, Tampa Electric and Xcel. 125. APPA/LPPC suggest that phrases such as “reasonable judgment” or “judgment consistent with Good Utility Practice” as substitutes for reasonable business judgment. A number of commenters, including NIPSCO and Georgia Operators, point to the phrase “good utility practice” in the pro forma OATT as a model or starting point for alternative language. 126. A number of commenters, including Manitoba Hydro and NRECA, criticize the proposal to remove references to reasonable business judgment as overly prescriptive. Manitoba Hydro states that the proposal appears to preclude the consideration of alternative wording. These commenters stress the importance of reliance on the Reliability Standards development process. 127. Southwest TDUs state that, while the Commission correctly proposes to eliminate the so-called business judgment rule, the CIP NOPR does not address the dichotomy in application of the CIP Reliability Standards between public and private entities. 
While the Commission correctly concludes that flexibility and discretion in implementation are necessary, there is no discussion of what that means for a public body, nor is there any recognition that a public body may be governed by state requirements and possibly by local ordinances. c. Commission Determination 128. Consistent with the CIP NOPR, the Commission concludes that the concept of reasonable business judgment is inappropriate in the context of mandatory CIP Reliability Standards. Accordingly, the Commission directs the ERO to develop modifications to the CIP Reliability Standards that do not include this term. We note that many commenters, including NERC, agree that the reasonable business judgment language should be removed based largely on the rationale articulated by the Commission in the CIP NOPR. 129. While there may have been no intention to import corporate law concepts into the CIP Reliability Standards, it is difficult to draw any other conclusion on the basis of the documents provided. We note that the only guidance on reasonable business judgment that emerged from the Reliability Standards development process and that was supplied to the Commission is found in the FAQ document, and that document appears to invoke the traditional corporate law business judgment rule. The FAQ document specifically references existing court precedent on the rule, and it sets forth the elements of reasonable business judgment in what is essentially a restatement of classic formulations of the business judgment rule. 59 Moreover, the FAQ document specifically references one of the most objectionable aspects of the business judgment rule in the cyber security context, the requirement that the courts defer to the decisions of company officers and directors in all but the most extreme circumstances. 59 * See* , *e.g.* , *Cramer* v. *General Telephone and Electronics Corp.* , 582 F.2d 259 (3d Cir. 1978); *Joy* v. *North* , 692 F.2d 880 (2d Cir. 
1982); *In Re Bal Harbour Club, Inc.* , 316 F.3d 1192 (11th Cir. 2003); *Froelich* v. *Senior Campus Living LLC* , 355 F.3d 802 (4th Cir. 2004); *Poth* v. *Rassey* , 281 F. Supp. 2d (E.D. Va. 2003). 130. In short, the only explanation of reasonable business judgment in the documentation responsible entities would rely on focuses on corporate law concepts. We thus reject Mr. Brown's claim what we are being hyper-legalistic and constructing straw men rather than addressing the clear intent of the language. Mr. Brown fails to identify where some intent other than to adopt the traditional business judgment rule is clearly stated, and his references to 200 years of legal precedent only serve to reinforce our conclusion. We are unaware of any such extensive body of precedent on reasonable business judgment other than that developed in the corporate law context. 131. The most common argument raised in favor of reasonable business judgment is that it ensures flexibility. The Commission, however, acknowledged the importance of flexibility and discretion in the CIP NOPR. 60 The CIP Reliability Standards consist for the most part of quite general Requirements that must be implemented in a wide variety of circumstances. As drafted, they do not provide one-size-fits-all solutions and, rather, require responsible entities to assess their individual situations and devise solutions appropriate to their circumstances. We therefore disagree with Ontario Power that outright removal of all references to reasonable business judgment would render the CIP Reliability Standards too rigid. It will still be necessary for responsible entities to choose between available alternatives to arrive at cyber security solutions that best fit their situation. In short, the CIP Reliability Standards do not simply allow flexibility, they require it. 60 *See* CIP NOPR at P 17, 59. 132. 
Many commenters suggest that the issue is not simply flexibility, but rather the flexibility to balance costs against other factors when implementing the CIP Reliability Standards. Many of the arguments about cost have been raised in connection with the problem of technical feasibility as it relates to long-life legacy equipment. We will address that issue below and note here simply that cost is a relevant consideration for those purposes, and recourse to reasonable business judgment is unnecessary to confirm that or to address the problem appropriately. Beyond that we disagree that deleting references to reasonable business judgment will lead to overly burdensome requirements or counterproductive results. For example, we disagree with Tampa Electric that without the leeway afforded by reasonable business judgment responsible entities would be forced into cost-prohibitive controls that do not add value in terms of security. No explanation was provided as to how this might occur. The Commission acknowledged the validity of cost considerations in the CIP NOPR and reaffirms that position here. The funds available for cyber security will not be infinite and, therefore, a responsible entity will need to make careful judgments to ensure that available funds are spent effectively. We do not see how the absence of references to reasonable business judgment will prevent this from happening. 133. Finally, some commenters link the need for flexibility with the problem of liability. We are keenly aware that unlike many other aspects of Bulk-Power System operations, cyber security represents a new and rapidly developing field. In other areas, the substance of appropriate practices is well established and well understood, but there can be considerably more uncertainty in the cyber security realm. 
Responsible entities therefore quite understandably wish to have, in Entergy's words, assurances that their actions meet the CIP Reliability Standards and Requirements if they act in good faith, perform the proper evaluation, and act consistent with their evaluation. We agree that they should have such assurances, but we disagree that references to reasonable business judgment are an appropriate way to provide such assurances. The real issue is whether responsible entities take reasonable and prudent actions based on an informed understanding of the current state of cyber security practice and how it applies to their situation. The Commission, therefore, disagrees with AMP-Ohio and Mr. Brown that the absence of references to reasonable business judgment will lead to a strict liability enforcement regime. 134. We disagree with Mr. Brown's claim that removal of reasonable business judgment could lead to liability for individual managers under section 215 of the FPA. That section applies to users, owners, and operators of the Bulk-Power System, and any liability arising under section 215 applies to them, not their employees. 135. Although we disagree with National Grid and others that alternative language is necessary to ensure necessary flexibility, we agree that the ERO and the participants in the Reliability Standards development process may choose to develop alternative language to replace reasonable business judgment and propose it for Commission approval. Such language would need to be adapted to the issues involved in forming judgments on proper cyber security measures and embody an objective standard focused on conduct that promotes the interests of Bulk-Power System security and reliability. Such language would also need to take into consideration our finding discussed below that a responsible entity cannot excuse itself from compliance with a requirement of the CIP Reliability Standards. 136. 
In response to the Southwest TDUs, we note that the CIP Reliability Standards apply in the same way to both public and private users, owners, and operators of the Bulk-Power System. Any specific issues that Southwest TDUs have with the Reliability Standards should be raised in the Reliability Standards development process. 137. Finally, we reject arguments that we are being overly prescriptive in directing the ERO to remove all references to reasonable business judgment from the CIP Reliability Standards. We discuss that general issue elsewhere in this Final Rule and will not repeat that discussion here. It is, however, important to note that such objections are inapposite in this instance for an additional reason that involves the specific nature of the issue raised. The concept of reasonable business judgment speaks to a general legal standard of conduct proposed to apply under a statute that Congress has directed the Commission to administer. It does not involve matters specific to reliability but rather is bound up with the problem of legal enforceability. The Commission has a particular duty to see that the laws it administers can be enforced effectively. We are not being overly prescriptive when acting to ensure that this will be the case. 138. Based on the above discussion, as well as our lengthy analysis in the CIP NOPR, the Commission directs the ERO to modify the CIP Reliability Standards through its Reliability Standards development process to remove references to reasonable business judgment before compliance audits begin. 2. Acceptance of Risk a. NOPR Proposal 139. 
The Commission explained in the CIP NOPR that some Requirements in the CIP Reliability Standards permit an entity not to take the actions specified in the Requirement if they “document compensating measures applied to mitigate risk exposure or an acceptance of risk.” 61 The CIP NOPR explained that the CIP Reliability Standards do not provide explicit guidance on the circumstances in which it is appropriate to accept the risk of non-compliance. The Commission further explained that the phrase “acceptance of risk” essentially allows a Responsible Entity to opt out of certain provisions of a mandatory Reliability Standard at its discretion. 62 The Commission stated its belief that the acceptance of risk language does not serve any justifiable purpose and proposed to direct that the ERO remove this language from the CIP Reliability Standards.

61 *Id.* P 70. *See also* CIP-007-1, Requirements R2.3, R3.2, and R4.1.

62 *Id.* P 83.

b. Comments

140. Numerous commenters, including NERC, support the removal of acceptance of risk language, provided that this is accomplished using NERC's Reliability Standards development process. 63 Texas Commission believes that removing the term is warranted and states that one entity's acceptance of risk may have an adverse impact on the Bulk-Power System. ISO-NE argues that the term provides no measurable value to any of the Requirements and appears to be an open-ended caveat that is susceptible to abuse.

63 *See also* California Commission, CEA, Texas Commission, ISO-NE and ReliabilityFirst.

141. EEI, FirstEnergy, Manitoba Hydro and others contend that the proposal to remove the acceptance of risk language from the CIP Reliability Standards mandates a specific outcome and fails to allow for consideration of alternatives to address the Commission's concerns in the NERC Reliability Standards development process. FPL recommends directing the ERO to consider the issue and either
(1) make the appropriate modifications based on the Commission's concerns or
(2) provide justification for an acceptance of risk provision.
EEI states that the Commission's concerns regarding this language are valid, but should be reasonably tempered by the Commission's expectation that industry will use the mutual distrust posture.

142. Some commenters suggest alternate language to replace the term “acceptance of risk.” 64 SDG&E states it does not disagree with the Commission's rationale but proposes, rather than eliminating the concept entirely, to substitute the term “risk-based.” Similarly, Xcel acknowledges that acceptance of risk may be a poor choice of words, but that alternate language should be considered. Xcel explains that the phrase “acceptance of risk” recognizes that an exception may be appropriate under some circumstances. For example, Requirement R2.3 of CIP-007-1 allows an entity to determine that an unused port does not need to be disabled and accept the risk of not doing so if it determines that the port is insignificant. METC-ITC state that the Commission should consider alternate language that promotes the quantification, documentation and justification of the risk that an entity proposes to accept.

64 *E.g.*, METC-ITC, SDG&E and Xcel.

143. A number of other commenters, including Tampa Electric, note that it is not possible to eliminate all risks and state that the goal should be to minimize risks to an acceptable level that still allows business processes to function. Idaho Power states that all businesses carry and accept some level of risk, and it is not appropriate to shift the burden to the company, ratepayer or shareholder to develop systems that may remove all risk. A company can perform an analysis of risk to determine a risk level that delivers an adequate level of security for the company, neighboring utilities and consumers, while remaining manageable to the company from a cost standpoint.

144. APPA/LPPC agree that the CIP Reliability Standards cannot be ignored simply because a company deems a risk acceptable, but believe that the intent of this language was to provide a degree of discretion where compliance is perceived to pose a greater risk to critical asset availability than non-compliance. They envision situations where it is reasonable to conclude that compliance poses a significant risk in the specific instances where acceptance of risk language appears. For example, with respect to Requirement R3.2 of CIP-007-1 (security patch management), inadequately tested patches can pose a risk of system failure, and an entity must weigh the risk of using software with a known flaw against the risk that the vendor's patch will introduce even greater risk.

145. Tampa Electric maintains that the impact of risk to the grid should be weighed before disallowing acceptance of risk. References to acceptance of risk should not be removed because, when a measure is not technically feasible, an effective compensatory control or mitigation, short of replacing the system, is not always possible. In addition, acceptance of risk is not always based on cost reasons. A compensatory step could cause safety issues or some other process problem that makes it highly undesirable.

146. Mr. Brown states that acceptance of risk does not permit an entity simply to decline compliance. The intent was to require explanation, mitigation efforts, evaluation of the potential ramifications of accepting the risk, or other accountability to demonstrate how the CIP Reliability Standards are being complied with in essence. Mr. Brown states that greater transparency is welcome, but removing the language does not mean that such decisions will no longer be made. Rather it will result in such decisions being kept out of sight.

147. FPL Group states that the CIP Reliability Standards provide guidance that allows documentation of measures taken to mitigate risk exposure or an acceptance of risk. This guidance is reasonable and based on control system best practices. It allows responsible entities to evaluate the value of the mitigation with regard to operability and reliability of the Bulk-Power System in comparison to overall feasibility. Responsible entities should not have to bear unreasonable burdens for mitigation that yields only limited benefit. Responsible entities can make the determination to accept the risk based on reasonable technical judgment insofar as there is no material negative impact to the Bulk-Power System.

148. Entergy opposes eliminating acceptance of risk. It argues that acceptance of risk by senior management is a long-established practice and predates the CIP Reliability Standards. Because of legacy technology, removing this option would require expenditure of significant additional time and money to secure equipment. Associated countermeasures would in many cases be of limited relevance and effectiveness due to the vintage of these legacy controls.

149. With regard to CIP-007-1, MidAmerican supports the proposal to eliminate acceptance of risk from Requirement R2.3 but believes the term should remain in Requirement R3 if accompanied by a mitigation plan and sunset provision. MidAmerican argues that, by requiring a mitigation plan and a time frame for compliance, the CIP Reliability Standard would provide needed flexibility while maintaining the certainty of a committed end-date.

c. Commission Determination

150. The Commission continues to view the term “acceptance of risk” as representing an uncontrolled exception from compliance that creates unnecessary uncertainty about the existence of potential vulnerabilities. Responsible entities should not be able to opt out of compliance with mandatory Reliability Standards. The Commission, therefore, directs the ERO to remove acceptance of risk language from the CIP Reliability Standards.

151. In response to concerns raised by NERC, EEI and others, we agree that this action should occur through the Reliability Standards development process. In response to the concerns of many commenters who argue that it should be possible to propose alternative language, we note that this is consistent with the Reliability Standards development process. However, any alternative language that provides a similar opportunity for a responsible entity to opt out of compliance would be subject to remand. Rather, the Commission believes that alternative language that deals with such issues in terms of technical feasibility is preferable. To that end, we have adapted the concept of technical exceptions to encompass a broader range of valid justifications. Elsewhere in this Final Rule we address the criticism that our actions are overly prescriptive and those remarks apply equally here.

152. Expanding the use of the technical feasibility conditions would address the desire for flexibility expressed by some commenters while providing the control that the Commission finds to be necessary. It would provide for documentation, reporting and approval of how responsible entities have elected to comply with the CIP Reliability Standards and thus would permit the ERO and Regional Entities to assess the significance of any possible vulnerability. As to the argument by METC-ITC that a technical feasibility exception may not be possible in all cases, we note that we have found that technical feasibility should not be limited simply to whether something is technically possible but also whether it is technically safe and operationally reasonable. Thus, this approach addresses the issue of inadequately tested patches raised by APPA/LPPC, and similar general concerns raised by Tampa Electric.

153. In response to Entergy, we note that a long-established practice of risk acceptance by senior management does not mean that a continuation of this practice is appropriate under a new system of mandatory cyber security Reliability Standards. We have addressed Entergy's concerns about costs related to legacy equipment in connection with technical feasibility.

154. Many commenters defend retention of the acceptance of risk language by pointing out that it is impossible to eliminate all risk. While likely true, it is beside the point. The acceptance of risk language in the CIP Reliability Standards fails to acknowledge that the real issue is whether the nature and level of inevitable risk is acceptable from a system-wide perspective. Within a system of CIP Reliability Standards intended to protect the Bulk-Power System as a whole, that problem can be addressed by a system that documents and reports the risks in question and ultimately subjects them to approval by the ERO or Regional Entities. The Commission's concern in the CIP NOPR was with the lack of appropriate controls, and eliminating references to acceptance of risk does not imply that all risk can be eliminated.

155. We disagree with Mr. Brown that mutual distrust means that risks accepted by one entity do not affect others on an interconnected control system. A mutual distrust approach is a good security posture. However, its value depends on how well it is implemented. There will likely be a variety of levels of sophistication applied to implementing mutual distrust. It is not a basis for allowing other responsible entities to ignore their obligations under mandatory CIP Reliability Standards.

156. Accordingly, the Commission directs the ERO to develop through its Reliability Standards development process revised CIP Reliability Standards that eliminate references to acceptance of risk.

3. Technical Feasibility

a. NOPR Proposal

157.
As the Commission explained in the CIP NOPR, two proposed CIP Reliability Standards provide exceptions from compliance with Requirements based on “technical feasibility.” 65 The NERC Glossary does not define the term “technically feasible,” nor do the CIP Reliability Standards themselves specify how an entity is to determine whether an action is technically feasible. NERC's FAQ document provides the following guidance on the meaning of the phrase “where technically feasible:”

Technical feasibility refers only to engineering possibility and is expected to be a “can/cannot” determination in every circumstance. It is also intended to be determined in light of the equipment and facilities already owned by the responsible entity. The responsible entity is not required to replace any equipment in order to achieve compliance with the Cyber Security Standards. When existing equipment is replaced, however, the responsible entity is expected to use reasonable business judgment to evaluate the need to upgrade the equipment so that the new equipment can perform a particular specified technical function in order to meet the requirements of these standards. 66

65 CIP NOPR at P 68-69. The “technically feasible” phrase is found in CIP-005-1, Requirements R2.4, R2.6, R3.1, R3.2 and CIP-007-1, Requirements R4, R5.3, R6, R6.3. Additionally, CIP-007, Requirement R2.3 uses “technical limitations” to similar effect.

66 FAQ document at 1.

158. Based on these concerns, the Commission proposed in the CIP NOPR to allow, in the near term, exceptions from compliance based on the concept of “technical feasibility” in a limited set of circumstances, but also stated that responsible entities should not be permitted to invoke technical feasibility on the basis of “reasonable business judgment.” In addition, a responsible entity should not be able to except itself unilaterally from a Requirement of a mandatory CIP Reliability Standard with no oversight.

159. Thus, the Commission proposed in the CIP NOPR to direct that the ERO establish a structure to require accountability from those who rely on “technical feasibility” as the basis for an exception. The CIP NOPR described such a structure as requiring a responsible entity to:
(1) Develop and implement interim mitigation steps to address the vulnerabilities associated with each exception;
(2) develop and implement a remediation plan to eliminate the exception, including interim milestones and a reasonable completion date; and
(3) obtain written approval of these steps by the senior manager assigned with overall responsibility for leading and managing the entity's implementation of, and adherence to, the CIP Reliability Standards as provided in CIP-003-1, Requirement R2. 67

67 CIP NOPR at P 79.

160. The Commission stated in the CIP NOPR that this proposed structure should include a review by senior management of the expediency and effectiveness of the manner in which a responsible entity has addressed each of these three proposed conditions. In addition, the Commission proposed to require a responsible entity to report and justify to the ERO and the Regional Entity for approval each exception and its expected duration. In situations where any of the proposed conditions are not satisfied, the Commission proposed that the ERO or the Regional Entity would inform the responsible entity that its claim to an exception based on technical feasibility is insufficient and therefore not approved. Failure to timely rectify the deficiency would invalidate the exception for compliance purposes.

161. The Commission stated its belief that it is important that the ERO, Regional Entities and the Commission understand the circumstances and manner in which responsible entities invoke the technical feasibility provision as well as other provisions that function as exceptions to the CIP Reliability Standards. The Commission, therefore, proposed to direct the ERO to submit an annual report that would include, at a minimum, the frequency of the use of such provisions, the circumstances or justifications that prompt their use, the interim mitigation measures used to address the vulnerabilities, and the milestone schedule to eliminate them and to bring the entities into compliance to eliminate future reliance on the exception.

162. The Commission sought comment on additional categories of information that should be included in the content of this report that would be useful for the Commission, as well as the ERO and Regional Entities, in evaluating the invocation of technical feasibility and similar provisions, and the impact on protection of critical assets.

163. Finally, the Commission proposed to direct the ERO to consider making “technically feasible,” and derivative forms of that phrase as used in the CIP Reliability Standards, defined terms in the NERC Glossary, pursuant to the prior clarifications, without any reference to reasonable business judgment.

164. Below, we first address issues related to the general rationale underlying technical feasibility exceptions. We then address issues connected with documentation of exceptions and their remediation and mitigation. Finally, we address the approval of these exceptions.

b. Technical Feasibility Generally

i. Comments

165. Numerous commenters focused on the need for technical feasibility exceptions generally and their underlying rationale. Most support technical feasibility exceptions in some form.

166. Texas Commission expresses concern that technical feasibility could be used to justify inaction. It states that flexibility can be achieved by other means, but if reference to technical feasibility is retained, responsible entities should not be allowed to use it to avoid taking necessary action. Texas Commission comments that it is reasonable to develop a process under which entities with known vulnerabilities self-report to NERC and the Regional Entity and provide a timeline for correcting these deficiencies.

167. NERC states that the Commission properly recognized the appropriateness of an exception based on technical feasibility and suggests that it be designated an “exemption for reliability.” 68 NERC supports clarification of the Reliability Standards to ensure that an exemption is documented and justified in terms of its impact on Bulk-Power System reliability. ReliabilityFirst makes similar proposals.

68 NERC comments at 20-22.

168. NERC and others believe that the appropriate way to address the Commission's specific proposed directives is through the Commission-approved Reliability Standards development process. 69 Northern California supports the Commission's recommendation that the ERO re-examine and clarify the meaning of technical feasibility and provide guidance on the appropriate procedures for claiming an exemption based on it. Ontario IESO comments that, if the term reasonable business judgment is removed from the CIP Reliability Standards, industry and the ERO may find other areas where the concept of technical feasibility is applicable when revising the CIP Reliability Standards. NRECA states that technical feasibility is a matter on which the Commission should defer to the ERO's technical expertise and not adhere to a one-size-fits-all approach.

69 *E.g.*, Alliant, Manitoba Hydro, Northern California and NRECA.

169. NERC explains that the CIP Reliability Standards include references to technical feasibility to recognize that, in many cases, equipment in place in substation and generating plant environments was implemented with operational functions paramount to all other considerations, including security. This equipment is not at the end of its useful life and historically has not been designed with ready access to software updates and patches. Such software upgrades that could increase functionality without directly contributing to reliability generally have not been made. NERC states that modern replacement equipment is more readily compatible with an environment where updates and patches are more commonplace and security functionality is an understood necessity. Securable equipment will be used when equipment is replaced due to natural end-of-life or failure, but this modern equipment represents a very small percentage of the installed base of all cyber equipment in substations and generating plants.

170. Many commenters, including APPA/LPPC, Duke, Entergy, NRECA and ReliabilityFirst, concur with this explanation of rationale for the references to technical feasibility. Duke agrees that technical feasibility exceptions should be controlled, but it argues that replacing legacy equipment on an accelerated schedule could create industry-wide logistical problems and unwarranted ratepayer impacts. NRECA maintains that rapid replacement of equipment would mean costs for customers, could overwhelm the supply chain, and could lead to premature obsolescence of replacement equipment as security technology continues to improve. Consumers Energy states that technical feasibility exceptions are proposed as a last resort that is forced by the limitations of available technology, support and service limitations of existing technology, and as-built limitations.

171. Entergy maintains that the older equipment in question generally cannot be compromised through typical hacker techniques, and physical access to it is often required. This presents greater challenges for attackers and means that only local impact will result from a successful attack. Entergy recommends allowing industry three to five years to upgrade critical assets with modern cyber controls that will provide the needed operational efficiency improvements and that would be properly secured as a matter of course.

172. ReliabilityFirst notes that a very small percentage of the installed base of all cyber equipment in substations and power plants incorporates security functionality. Consumers Energy explains that older control systems can still be very reliable, but many assets identified as critical cyber assets do not have malware and virus protection, in some cases due to technology conflicts with virus and malware protection systems. In addition, managing updates on devices that are continuously online is a difficult task. Consumers Energy states that there are adequate alternate measures in such cases such as firewalls with content security functions that restrict any options for infecting systems with viruses and that implement intrusion detection for the perimeter with advanced content security services.

173. NERC states that the drafting team believed that cyber security standards should not unnecessarily impede the primary mission of maintaining reliable Bulk-Power System operations. NERC and ReliabilityFirst argue that changes must be carefully planned and tested to ensure that no unintended consequences occur. Technologies are constantly evolving, and it is impractical to think that equipment always can maintain a leading-edge cyber security posture without introducing operating issues.

174. Manitoba Hydro states that industry attempted to strike a balance for security at the various types of facilities while recognizing the large base of legacy systems at remote locations. The security framework focused on routable protocols and dial-up access. The Commission's proposals to limit technical feasibility exceptions and implement a defense-in-depth measure in front of legacy systems would have a nominal impact on control centers but a significant impact on other facilities, systems and equipment, forcing unjustified early equipment replacement or installation of technology to provide mitigating controls. Manitoba Hydro argues that modifying the Reliability Standards on this point could add considerable work for responsible entities and require modifications to the implementation period.

175. Northern Indiana, Ontario Power and SoCal Edison support retaining the term technical feasibility. Ontario Power maintains that removing references to technical feasibility could be interpreted by some to mean that mandatory compliance is required, regardless of the cost, the impact on production systems, or the risk to the Bulk-Power System. Northern Indiana concurs with the Commission's proposal to treat instances of technical infeasibility as exceptions that require reporting and certain alternative courses of action. However, it disagrees with what it describes as the Commission's restrictive interpretation of the term and urges the Commission to acknowledge that technical infeasibility may apply to future assets as well. Northern Indiana advocates that the Commission instead direct NERC to interpret technical feasibility narrowly with regard to the technical characteristics of both existing and future assets. Northern Indiana states that the Commission should not assume technical infeasibility will exist only during the transition period and not afterwards, nor should it assume only one single means will exist, on a going forward basis, to comply with the Reliability Standards.

176. Mr. Brown states that technical feasibility has less to do with whether to comply than with how to comply. Whether or not something is technically feasible is purely an engineering issue. On the other hand, whether or when to replace equipment that cannot do something due to technical feasibility with equipment that can do so is purely a managerial decision. Mr. Brown states that in light of his interpretation of reasonable business judgment, the Commission should have much less concern about the interplay between technical feasibility and reasonable business judgment.

177.
Teltone states that it is now easy to incorporate CIP-related features such as two-factor authentication (with unique user names and passwords) to both dial-up and Internet protocol devices without replacing them, upgrading their software, or taking them offline. Access and usage logging of legacy devices at substations is easily accomplished, something Teltone maintains should quell the problem of technical feasibility. ii. Commission Determination 178. The Commission adopts the CIP NOPR proposal and directs the ERO to develop a set of conditions or criteria that a responsible entity must follow when relying on the technical feasibility exception contained in specific Requirements of the CIP Reliability Standards. We will modify some of our proposed criteria for that framework of accountability further below. We are persuaded by commenters that the proposed conditions for invoking the technical feasibility exception should allow for operational considerations. In response to Northern Indiana and other commenters, we note that the Commission did not propose to eliminate references to technical feasibility from the CIP Reliability Standards, only that the term be interpreted narrowly and without reference to considerations of business judgment. 179. In response to those commenters who argue that the Commission's concerns and directives should be addressed through the Reliability Standards development process, we agree that to the degree revisions to the Reliability Standards are necessary to address our concerns, they would be made through that process. We disagree, however, with the arguments that claim we are rewriting the CIP Reliability Standards or adhering to a one-size-fits-all approach. With respect to the latter point, we note that technical feasibility issues are by their nature something that must be dealt with on a case-by-case basis, as they only arise in specific circumstances. 
Our concern here is primarily with the framework within which decisions on technical feasibility are made and ensuring that this framework promotes sound decisions that lead to effective results. The oversight provisions we describe below are essential elements of such a framework. 180. We agree with NERC and other commenters on the underlying rationale for a technical feasibility exception, i.e., that there is long-life equipment in place that is not readily compatible with a modern environment where cyber security issues are an acknowledged concern. While equipment replacement will often be appropriate to comply with the CIP Reliability Standards, such as in instances where equipment is near the end of its useful life or when alternative or supplemental security measures are not possible, we acknowledge that the possibility of being required to replace equipment before the end of its useful life is a valid concern. 181. The Commission, however, disagrees with Northern Indiana that technical feasibility should be interpreted to apply to future assets also. The justification presented for technical feasibility exceptions is rooted in the problem of long-life legacy equipment and the economic considerations involved in the replacement of such equipment before the end of its useful life. We recognize that these considerations can be valid in some cases, but Northern Indiana has not explained why technical feasibility exceptions should apply to replacement equipment. The Commission neither assumes that technical infeasibility issues will be present only during the transition period, nor does it assume that on a going forward basis there will be only one single means to comply with the CIP Reliability Standards. It does assume, however, that all responsible entities eventually will be able to achieve full compliance with the CIP Reliability Standards when the legacy equipment that creates the need for the exception is supplemented, upgraded or replaced. 182. 
The Commission agrees with various commenters that the implementation of the CIP Reliability Standards should not be permitted to have an adverse effect on reliability and that proper implementation requires that care be taken to avoid unintended consequences. We thus believe it is important to clarify that the meaning of “technical feasibility” should not be limited simply to whether something is technically possible but also whether it is technically safe and operationally reasonable. 183. We disagree with Mr. Brown's view that whether or when to replace equipment that cannot do something due to technical feasibility with equipment that can do so is purely a managerial decision, especially since he intertwines this proposition with the concept of reasonable business judgment. While we accept NERC's rationale for technical feasibility exceptions, as discussed below, an integral issue in individual cases where legacy equipment presents a technical feasibility issue is whether an alternative course of action protects the reliability of the Bulk-Power System to an equal or greater degree than compliance would. This is not a purely managerial decision involving reasonable business judgment, regardless of what meaning one imparts to that term. 184. While a number of commenters agree that it is important to clarify the meaning of technical feasibility, none appear to support defining the term in the NERC Glossary. Therefore, in light of the comments received generally and the specific guidance that we are providing to the ERO in connection with technical feasibility, we conclude that a definition of this type is unnecessary. A definition cannot substitute for a framework of conditions or criteria to provide accountability, and if those conditions or criteria are implemented, a definition is not needed. We do not agree with NERC that replacing the term technical feasibility with “exemption for reliability” would be helpful. 
We note, in particular, that an “exemption” normally is understood to be a release from an obligation whereas what is under discussion here is an exception that forms an alternative obligation. 185. While the Commission will not address the merits of any particular technology, we note that Teltone's comments raise an important general consideration when developing policy on technical feasibility. While technical limitations present real issues, and while one should not be overly optimistic that technological developments will resolve them sooner than expected, one should not be overly pessimistic either. Indeed, high standards should, if anything, encourage the development of technical solutions. 186. Based on the above considerations, the Commission adopts its proposal in the CIP NOPR that technical feasibility exceptions may be permitted if appropriate conditions are in place. The term technical feasibility should be interpreted narrowly to not include considerations of business judgment, but we agree with commenters that it should include operational and safety considerations. c. Technical Feasibility Exception Mitigation and Remediation 187. As mentioned above, in the CIP NOPR, the Commission proposed a three step structure to require accountability when a responsible entity relies on technical feasibility as the basis for an exception. This proposed structure would require a responsible entity to:
(1) Develop and implement interim mitigation steps to address the vulnerabilities associated with each exception;
(2) develop and implement a remediation plan to eliminate the exception, including interim milestones and a reasonable completion date; and
(3) obtain written approval of these steps by the senior manager assigned with overall responsibility for leading and managing the entity's implementation of, and adherence to, the CIP Reliability Standards, along with regional approval through the ERO. i. Comments 188. NERC supports clarification of the CIP Reliability Standards to ensure that the use of a technical feasibility exemption must be documented and justified in terms of its impact on Bulk-Power System reliability. Duke also agrees with the proposal to require documentation, including appropriate mitigation and a senior management-approved remediation plan. 189. National Grid states that the Commission's mitigation proposal is reasonable and appropriate, but it maintains that the Commission should clarify that acceptable mitigation for older assets entails measures short of replacement, upgrades, or retrofits. A mitigation requirement otherwise would undermine any relief associated with an exception. Mitigation measures for vulnerabilities associated with older assets will need to be in place as long as those assets remain in service. National Grid states that the Commission's references to “interim” mitigation and remediation implementation milestones could suggest that older assets must be replaced before the end of their useful lives or that the mitigation measures would not be as effective as the solutions codified in the Reliability Standards. National Grid argues that mitigation measures should be as or more effective than compliance, and in the case of minor technical or administrative requirements, replacement of certain assets before the end of their useful lives would be wasteful and inefficient. 190. SPP believes it is reasonable to treat technical feasibility as a documented exception. Such exceptions should be reviewed and approved annually, but identifying a reasonable completion date for remediation may not always be possible. 
SPP states that to require remediation of a technical feasibility exception by a date certain is contrary to the Commission's acknowledgement that cost can be a prohibiting factor. Technical limitations may prohibit compliance with a requirement. The appropriate response in such cases is to mitigate the risk by implementing compensating measures. SPP questions the need for remediation where compensating measures are equally effective in reducing risk. It recommends that responsible entities be required initially to mitigate the risk and then evaluate and document whether further remediation is required and technically feasible as part of the exception approval process. 191. Northern Indiana believes a remediation plan should seek to eliminate the exception to the extent possible, but complete elimination may not be possible in all cases. Northern Indiana states that the Commission should consider the development and implementation of a remediation plan to eliminate the exception to the extent possible. Tampa Electric submits that it is unreasonable to require a remediation plan in every case. Sometimes there is no technology that would permit compliance with the letter of the CIP Reliability Standard. ii. Commission Determination 192. With some minor refinements discussed below, the Commission adopts the CIP NOPR proposal for a three step structure to require accountability when a responsible entity relies on technical feasibility as the basis for an exception. We address mitigation and remediation in this section and direct the ERO to develop:
(1) A requirement that the responsible entity must develop, document and implement a mitigation plan that achieves a comparable level of security to the Requirement; and
(2) a requirement that use of the technical feasibility exception by a responsible entity must be accompanied by a remediation plan and timeline for eliminating the use of the technical feasibility exception. While the CIP NOPR proposed that each remediation plan contain a reasonable completion date, the Commission is persuaded by the comments of National Grid and SPP that a date certain for remediation may not be possible in some instances. While we expect remediation by a date certain to be the norm, we will not require a date certain for remediation in every instance that a responsible entity invokes the technical feasibility exception. An entity must provide an explanation when it believes that it is not possible for a remediation plan to provide a reasonable completion date. 193. We also agree with Northern Indiana that in some instances remediation can be required only to the extent possible. For example, in some cases it may never be possible to enclose certain critical cyber assets within a six-sided physical boundary as required under CIP-006-1. However, such cases need to be sufficiently justified, the mitigation strategies must be ongoing and effective, and the justification must be subject to periodic review. We also are mindful that accelerated replacement of equipment can be economically wasteful where security is not otherwise compromised. We thus agree with National Grid that where mitigation measures are as or more effective than compliance, and in the case of minor technical or administrative requirements, replacement of certain assets before the end of their useful lives can be wasteful and inefficient. We also agree with SPP that remediation might not be necessary where compensating measures are equally effective in reducing risk. However, such cases must be subject to clear criteria and periodic review and, where necessary, updates. 194. 
However, in adopting this approach, we do not intend to suggest that it would never be necessary to replace equipment before the end of its useful life to achieve cyber security goals. Where equipment is near the end of its useful life or if insufficient mitigation measures are available, the equipment should be replaced. However, such situations must be dealt with on a case-by-case basis. We emphasize that responsible entities must protect assets that are critical to the reliable operation of the Bulk-Power System. d. Approval and Control of Specific Exceptions 195. This section discusses the Commission's directions with regard to approval of a technical feasibility exception, the third component of our framework for allowing technical feasibility exceptions. As described above, the CIP NOPR proposed that NERC develop a requirement that a responsible entity relying on the technical feasibility exception must obtain written approval of a remediation plan by a senior manager. 70 The Commission also proposed that the responsible entity report and justify to the ERO and the Regional Entity for approval of each exception. In addition, the Commission proposed to direct that the ERO submit an annual report regarding industry use of the technical feasibility exception. 70 CIP NOPR at P 79. i. Comments 196. California Commission states that approval of technical feasibility exceptions by the ERO and the relevant Regional Entity is critical because it prevents attempts to manipulate the system and induces responsible action. 197. National Grid supports providing Regional Entities with notice of technical feasibility exceptions and audits of exceptions by Regional Entities. It states that a central clearinghouse that catalogs all technical feasibility exceptions would be helpful because of the interdependencies among the Bulk-Power System assets. 
This clearinghouse could verify whether reliance on exceptions (or the associated mitigation measures) adequately maintains reliability and does not create reliability issues for neighboring systems. ISO-NE states that reporting exceptions to Regional Entities would be useful in identifying CIP Reliability Standards and Requirements with frequent implementation issues that call for modifications. 198. In contrast, ISO/RTO Council, EEI and others do not believe that reporting and approval of technical feasibility exceptions is appropriate. 71 EEI states it does not believe that NERC or the Regional Entities have the technical expertise to make these types of determinations. ISO-NE states it is unlikely that either Regional Entities or the ERO will have the necessary skills to evaluate the broad spectrum of situations that the industry presents. MidAmerican states that requiring ERO and Regional Entity approval would burden those entities, create delays, and divert resources away from more urgent cyber security concerns. Tampa Electric states that the Commission should ensure that delays do not interfere with timely compliance by responsible entities. Idaho Power believes that the Commission's proposals on technical feasibility would place administrative burdens on both the company and the Regional Entities that outweigh the benefits. Idaho Power sees little value in policing the use of the technical feasibility exception with such a burdensome administrative process that may, in the end, delay the resolution of legitimate technical feasibility issues. 71 *E.g.,* FirstEnergy, ISO-NE, KCPL, SERC-CIPC and SoCal Edison. 199. ReliabilityFirst argues that a responsible entity's senior manager must already approve any exceptions, making reporting and approval unnecessary, and it will be very difficult for the ERO or Regional Entity staff to review a responsible entity's exceptions effectively and assess them realistically. 
SERC-CIPC recommends that the requirement to authorize and document exceptions remain with the entity's designated senior manager. 200. ISO/RTO Council argues that granting the Regional Entities authority to adjudicate exceptions along with the ability to apply sanctions for non-compliance creates a conflict of interest. Auditors should be independent, and an assessor should not be involved with review and approval of policy exceptions. ISO/RTO Council argues that instead of requiring that exceptions be reported and justified, the Commission should consider directing the ERO to detail the type of justifications and considerations that must be documented when invoking a technical feasibility exemption. Responsible entities would then be required to incorporate them into their analysis of possible exemptions. 201. EEI, OGE and SoCal Edison question how the ERO and Regional Entities would determine what is technically feasible for a particular model of equipment in a specific context. If there is to be external review and approval, there should be an appeals process, and that would delay implementation of future revisions to the CIP Reliability Standards. Alliant, EEI and Tampa Electric believe that NERC should require that decisions on technically feasible be subject to audits that are ultimately reported to the Commission. Duke, KCPL and SoCal Edison maintain that evaluation of technical feasibility issues should be left to compliance audits. 202. Northern Indiana seeks clarification of the information that will be needed to justify an exception. It suggests that, similar to the Commission's proposed approach regarding self-certification, a responsible entity should have the opportunity to consult with the ERO and Regional Entities. Northern Indiana also advocates the waiver of monetary penalties during this time as well as within the timeframe of any remediation plan. 203. 
APPA/LPPC state that the Commission should clarify that when a Regional Entity or the ERO rejects a technical feasibility exception request, the responsible entity may rely on the exception until it has been ruled upon. In addition, the organization should be allowed a reasonable time to come into compliance. 204. Entergy states that there is no indication that the benefits of reporting exceptions would outweigh the detriments, but if further reporting is required, it recommends a single annual report from each registered entity that includes a summary description of the exceptions and actions taken or to be taken. The ERO could use this report to satisfy its annual reporting requirement. 205. A number of other commenters emphasize the sensitivity of information about technical feasibility exceptions. SPP states that an annual report must contain information that qualifies as Critical Energy Infrastructure Information
(CEII) to be of any value. SERC-CIPC also recommends CEII treatment for this information. SPP is concerned that if the report is not treated as CEII, sensitive data could be inadvertently made public. To protect against disclosure, SPP proposes that the ERO could make exception documentation available for Commission staff inspection in the ERO offices as a possible alternative to a report. National Grid states that information about exceptions should be subject to adequate information protection controls to avoid disclosure and misuse. 206. Duke opposes an annual report by the ERO to the Commission because, even if it does not contain CEII, it will compromise security by publicly identifying problem areas for the industry and the mitigation measures being employed. If a report must be submitted, there must be stringent and enforceable confidentiality measures to prevent inadvertent or unauthorized disclosure. OGE believes reporting and approval for all exceptions is contrary to the purpose of the CIP Reliability Standards because information on exceptions sent to the ERO or Regional Entity could indicate weaknesses in security that could be compromised and exposed. These same concerns lead Xcel to urge that Regional Entities develop confidentiality protocols for such communications. 207. ISO-NE states that detailed technical descriptions of exceptions should not be passed to the Regional Entities or the ERO because the information would be potential vulnerability information that the responsible entity should protect as critical cyber asset information under CIP-003-1, Requirement R4. Tampa Electric states that, if the Commission decides to require ERO or Regional Entity review, it should also prescribe controls to ensure the confidentiality and security of the information under review. 208. 
Although not commenting specifically on reporting of technical feasibility issues, Bonneville notes that under the Freedom of Information Act (FOIA), release of information to an external party generally waives any privileges against disclosure with respect to subsequent requests to the federal agency for that same information. Bonneville is concerned that submission of critical asset information to the Regional Entity, particularly the vulnerability-related rationales for including and excluding various facilities on the critical asset list, may act as such a waiver. ii. Commission Determination 209. For the reasons discussed below, the Commission concludes that technical feasibility exceptions should be reported and justified and subject to approval by the ERO or the relevant Regional Entity. The Commission thus adopts its CIP NOPR proposal that use and implementation of technical feasibility exceptions must be governed by a clear set of criteria. However, because we are persuaded by the commenters, we have modified certain elements of our original proposal, as discussed below. 210. Most objections to the CIP NOPR proposal regarding the review and approval of technical feasibility exceptions are not objections in principle but rather focus on practical issues of implementation, such as limited ERO and Regional Entity resources and sensitivity of the information in question. To the extent that objections in principle have been raised, we disagree. Thus, we disagree with ReliabilityFirst's argument that senior manager approval of exceptions is unnecessary because of the responsibilities already assigned to the senior manager by CIP-003-1. These technical feasibility exceptions implicate matters that go beyond the purview of individual responsible entities and must be subject to review and approval by those with a wider-area view and general responsibility for system reliability. 
We also disagree with the ISO/RTO Council that the Commission should simply direct the ERO to detail the type of justifications and considerations that must be documented when invoking a technical feasibility exemption. While such guidance could be useful, it cannot substitute for reporting, review, and approval, which is necessary to address concerns that extend beyond the reach of an individual responsible entity. 211. With regard to the senior management approval, we continue to believe that internal approval is an important component of an overall framework of accountability with regard to use of the technical feasibility exception. Therefore, we adopt this aspect of our CIP NOPR proposal and direct the ERO to include approval of the mitigation and remediation steps by the senior manager (identified pursuant to CIP-003-1) in the course of developing this framework of accountability. 212. However, the practical considerations pointed out by a number of the comments have convinced us to adopt an approach to the issue of external oversight different from the one originally proposed. We agree, in particular, with those commenters who argue that pre-approval could tax ERO and Regional Entity resources, delay implementation, and possibly create undue risks that sensitive information will be disclosed. 213. The Commission agrees with National Grid that Regional Entities should, in the first instance, receive and catalogue notices of technical feasibility exceptions that are claimed. Such notices must include estimates of the degree to which mitigation measures achieve the goals set by a CIP Reliability Standard and be in sufficient detail to allow verification of whether reliance on exceptions (or the associated mitigation measures) adequately maintains reliability and does not create reliability issues for neighboring systems. 
Initial submission of notices should be provided by responsible entities at least by the “Compliant” stage of implementation in order to allow Regional Entities to plan for auditing exceptions, as described in more detail below. 214. The Commission also agrees with National Grid, EEI and others that actual evaluation and approval of technical feasibility exceptions should be performed in the first instance in the audit process. This would allow assessment of exceptions within their specific context and thus facilitate greater understanding in evaluating individual exceptions, as well as related mitigation steps and remediation plans. This also would increase the amount of sensitive information that remains on-site and reduces the risk of improper disclosure. In addition, it will allow the ERO and Regional Entities, informed by the initial notices discussed above, to include personnel in audit teams with sufficient expertise to judge the need for a technical feasibility exception and the sufficiency of preferred mitigation measures. 72 72 General reliance on the audit process does not preclude the Commission, the ERO or a Regional Entity from exercising its authority to review a claimed exception, whether resulting from a complaint, an incident or on its own initiative outside of the audit process. 215. Given the significance of technical feasibility exceptions, the Commission believes that initial audits of technical feasibility exceptions should be expedited, i.e., performed earlier than otherwise, including moving the audit to an earlier year. Also, in general, responsible entities claiming such exceptions should receive higher priority when determining which entities to audit, and the more exceptions an entity has, the higher the priority for audit should be. Further, NERC may provide an appeals process for the review of technical feasibility exceptions, if it determines that this is appropriate. 216. 
However, the Commission notes that the audit process is a Regional Entity and ERO process, and audit team findings regarding exceptions are subject to Regional Entity and ERO review. The Commission believes that the audit report should form the basis for ERO or Regional Entity approval of individual exceptions. Approval thus represents a determination on compliance with the applicable CIP Reliability Standards, and we disagree with the ISO/RTO Council that approval of technical feasibility exceptions raises any conflict of interest or due process concerns. The proposed procedures raise no special issues in this respect. 217. We agree with EEI and others that approvals and potential appeals should not be allowed to delay implementation, but we believe our revised proposal resolves this problem. We also agree with APPA/LPPC that responsible entities should be able to rely on a technical feasibility exception prior to formal approval. However, we disagree with Northern Indiana that penalties should be waived within the time when an approved remediation plan is being implemented, as proper implementation of the plan itself constitutes a necessary element of compliance. 218. In summary, on the issues pertaining to external approval of a responsible entity's use of the technical feasibility exception, rather than a pre-approval process, we direct the ERO to design and conduct an approval process through the Regional Entities and the compliance audit process. This process should require the ERO or a Regional Entity to approve any technical feasibility exception, taking into account whether the technical feasibility exception is needed and whether the mitigation and remediation steps are adequate to the circumstance. 219. We agree with comments emphasizing the importance of protecting sensitive information relating to technical feasibility exceptions. We agree with SPP and others that CEII treatment should be available for any such information. 
In response to Bonneville, we agree that a governmental entity subject to FOIA requirements should not be required to submit sensitive information about critical assets or critical cyber assets that could be deemed a waiver of FOIA protection that is otherwise available. Nonetheless, a governmental entity's decision to rely on a technical feasibility exception should also be subject to appropriate oversight and accountability. Thus, we direct NERC, in developing the accountability structure for the technical feasibility exception, to include appropriate provisions to assure that governmental entities that are subject to Reliability Standards as users, owners or operators of the Bulk-Power System can safeguard sensitive information. 220. As stated in the CIP NOPR, the Commission believes that it is important that the ERO, Regional Entities and the Commission understand the circumstances and manner in which responsible entities invoke the technical feasibility exception. 73 Accordingly, we direct the ERO to submit an annual report to the Commission that provides a wide-area analysis regarding use of the technical feasibility exception and the effect on Bulk-Power System reliability. The annual report must address, at a minimum, the frequency of the use of such provisions, the circumstances or justifications that prompt their use, the interim mitigation measures used to address vulnerabilities, and efforts to eliminate future reliance on the exception. 74 73 CIP NOPR at P 80. 74 Responsible entities must cooperate with the ERO and the Regional Entities in providing information deemed necessary for the ERO to fulfill its reporting obligation to the Commission. 221. While we agree with commenters that the compilation of data for the annual report must not compromise the security of the Bulk-Power System, we disagree that this is a reason not to require the report. 
Rather, as we indicated in the CIP NOPR, the report should not provide a level of detail that divulges CEII data. Rather, the report should contain aggregated data with sufficient detail for the Commission to understand the frequency with which specific provisions are being invoked as well as high level data regarding mitigation and remediation plans over time and by region. Further, we direct the ERO to control and protect the data analysis to the extent necessary to ensure that sensitive information is not jeopardized by the act of submitting the report to the Commission. e. Conclusion 222. In conclusion, pursuant to section 215(d)(5) of the FPA, we direct the ERO to develop a set of criteria to provide accountability when a responsible entity relies on the technical feasibility exceptions in specific Requirements of the CIP Reliability Standards. As discussed above, structural elements of this framework include mitigation steps, a remediation plan, a timeline for eliminating use of the technical feasibility exception unless appropriate justification otherwise is provided, regular review of whether it continues to be necessary to invoke the exception, internal approval by the senior manager, wide-area approval through the ERO's audit process, and cooperation with the ERO to provide the Commission with high-level, wide-area analysis regarding the effects the technical feasibility exception on the reliability of the Bulk-Power System. We direct the ERO to develop appropriate modifications, as discussed above. G. Use of National Institute of Standards and Technology
(NIST)Standards in Developing Future Revisions to the CIP Reliability Standards 1. NOPR Proposal 223. In the CIP NOPR, the Commission stated that it expects NERC to monitor the development and implementation of the NIST standards to determine if they contain provisions that will better protect the Bulk-Power System. 75 The CIP NOPR also stated that it expects the ERO to consult with federal entities that are subject to both the CIP Reliability Standards and NIST standards on the effectiveness of the latter. While the Commission declined to propose that NERC incorporate specific provisions of NIST into the CIP Reliability Standards, it indicated that it may revisit the issue in the future. 75 CIP NOPR at P 88. 2. Comments 224. Congressional Representatives filed comments expressing their support for the Commission's efforts to require NERC to develop modifications to the CIP Reliability Standards. However, they believe that Bulk-Power System reliability will be better protected by cyber security standards that incorporate the security measures set forth in NIST Special Publication
(SP)800-53 as applied to industrial control systems. Congressional Representatives state that NIST research prepared a technical report comparing the proposed CIP Reliability Standards with SP 800-53. This technical report found that an organization conforming to the baseline set of security controls in SP 800-53 will also comply with the management, operational and technical security requirements of the CIP Reliability Standards, though the converse may not be true. The technical report concluded that the CIP Reliability Standards are both “inadequate for protecting critical national infrastructure,” and “inadequate for all electric energy systems when the impact of regional and national power outages is considered.” 76 76 Congressional Representatives comments at 9, citing Marshall D. Abrams, “Addressing Industrial Control Systems in NIST Special Publication 800-53,” MITRE Technical Report (March 2007). 225. Further, Congressional Representatives point out that federal government-owned elements of the Bulk-Power System must comply with both CIP Reliability Standards and NIST SP 800-53, while privately owned elements must comply only with the former. They express concern that “inconsistent regulatory structures create weak links and potential vulnerabilities in the entire system.” 77 Congressional Representatives, therefore, urge the Commission to modify the CIP Reliability Standards to incorporate aspects of SP 800-53 and the related NIST standards. 77 *Id.* at 9. 226. NIST itself compliments the Commission for proposing a derivative of the CIP Reliability Standards that is an improvement over the original NERC CIP Reliability Standards. However, according to NIST, the CIP NOPR proposal still falls short of meeting the federal mandatory minimum security measures set forth in NIST Special Publication
(SP)800-53 as applied to industrial control systems. In NIST's view, the CIP Reliability Standards, if modified pursuant to the proposals in the CIP NOPR, will leave information systems that support private sector bulk electric power systems less protected than comparable federal information systems. NIST suggests that the Commission consider strengthening the minimum controls currently required by the CIP Reliability Standards. 227. NIST recommends that the Commission adopt the CIP Reliability Standards with the enhancements proposed by the Commission as an interim measure. Additionally, NIST advocates that the Commission prescribe plans for a two to three year transition to cyber security Reliability Standards that are identical to, consistent with, or based on SP 800-53 and related NIST standards and guidelines. NIST argues that this approach would strengthen the CIP Reliability Standards. 228. Although Entergy states that it generally disagrees with the Commission's approach of dictating specific revisions that the ERO must adopt, if the Commission determines that the CIP Reliability Standards require further development, Entergy argues that the Commission should modify its approach to the NIST Framework and require the ERO to consider it as a resource in developing revisions to the CIP Reliability Standards. Entergy argues that the industry needs immediate, clear direction and there already exists guidance that the Commission can rely on to provide such direction. Entergy notes that the NIST “Security Risk Management Framework” has been developed over many years by the U.S. Department of Commerce. The NIST Framework is devoid of conflicts of interest and has been broadly vetted, both domestically and internationally. 229. SDG&E states that, while it welcomes the use of industry standards in NERC CIP compliance, it cautions that NIST standards provide many controls that are considered best practices. 
It also explains that NIST was developed for government and some NIST standards that work well for government may be cost-prohibitive in the private sector. 230. Bonneville understands the Commission's directive that NERC consider NIST standards in the further development of the CIP Reliability Standards to apply to CIP-003-1. Bonneville suggests that existing guidelines, such as the NIST Special Publications, should be incorporated to the extent practicable. Bonneville argues that creating another set of directives describing how the standards are to be met without incorporating, or at least considering, existing guidelines could create considerable confusion and conflict. 231. Applied Control Solutions urges the immediate adoption of the NIST “Security Risk Management” framework in place of the CIP Reliability Standards. It explains that the NIST framework provides a hierarchical three-tiered set of countermeasure and controls requirement-sets for application as appropriate and related guidance documents. According to Applied Control Solutions, the NIST framework has been broadly vetted, is not onerous, provides guidance on how to address older in-service cyber assets, and allows flexibility for organizations to tune their cyber security programs for their specific operating scenarios. It also contends that NIST addresses the major concerns raised by the Commission regarding the CIP Reliability Standards, for example, by providing additional granularity and requiring compensating measures where technical feasibility becomes an issue. Applied Control Solutions also comments that the ISA-99 standards process has expertise, and NERC should be directed to work with ISA in revising the CIP Reliability Standards. 3. Commission Determination 232. As proposed in the CIP NOPR, the Commission will not at this time direct NERC to incorporate specific provisions of the NIST standards into the CIP Reliability Standards. 
While commenters provide compelling information that suggests that the NIST standards may provide superior measures for cyber security protection, the Commission is concerned that the immediate adoption of the NIST standards would result in unacceptable delays in having any mandatory and enforceable Reliability Standards that relate to cyber security. 233. The Commission continues to believe—and is further persuaded by the comments—that NERC should monitor the development and implementation of the NIST standards to determine if they contain provisions that will protect the Bulk-Power System better than the CIP Reliability Standards. Moreover, we direct the ERO to consult with federal entities that are required to comply with both CIP Reliability Standards and NIST standards on the effectiveness of the NIST standards and on implementation issues and report these findings to the Commission. Consistent with the CIP NOPR, any provisions that will better protect the Bulk-Power System should be addressed in NERC's Reliability Standards development process. The Commission may revisit this issue in future proceedings as part of an evaluation of existing Reliability Standards or the need for new CIP Reliability Standards, or as part of an assessment of NERC's performance of its responsibilities as the ERO. 78 78 *See* Order No. 672 at P 186-91. H. Discussion of Each CIP Reliability Standard 1. CIP-002-1—Critical Cyber Asset Identification 234. Reliability Standard CIP-002-1 deals with the identification of critical cyber assets. 
The NERC Glossary defines “cyber assets” as “programmable electronic devices and communication networks including hardware, software, and data.” It defines “critical cyber assets” as “cyber assets essential to the reliable operation of critical assets.” NERC defines “critical assets” as “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.” 79 The accurate identification of critical assets and critical cyber assets pursuant to CIP-002-1 is the cornerstone of the CIP Reliability Standards because it acts as a filter, determining whether a responsible entity must comply with the remaining CIP requirements in CIP-003-1 through CIP-009-1. 79 “The term ‘Reliable Operation’ means operating the elements of the Bulk-Power System within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a suddent disturbance, including a cyber security incident, or unanticipated failure of system elements.” 16 U.S.C. 824o(a)(4). 235. As the first step in identifying critical cyber assets, CIP-002-1 requires each responsible entity to develop a risk-based assessment methodology to use in identifying its critical assets. Requirement R1 specifies certain types of assets that an assessment must consider for critical asset status and also allows the consideration of additional assets that the responsible entity deems appropriate. Requirement R2 requires the responsible entity to develop a list of critical assets based on an annual application of the risk-based assessment methodology. Requirement R3 provides that the responsible entity must use the list of critical assets to develop a list of associated critical cyber assets that are essential to the operation of the critical assets. 
CIP-002-1 requires an annual re-evaluation and approval by senior management of the lists of critical assets and critical cyber assets. 236. Pursuant to section 215 of the FPA, the Commission approves Standard CIP-002-1 as mandatory and enforceable. In addition, pursuant to section 215(d)(5) of the FPA, the Commission directs the ERO to develop modifications to Standard CIP-002-1. The required modifications are discussed below in the following topics regarding CIP-002-1:
(1)Need for ERO guidance regarding the risk-based assessment methodology;
(2)scope of critical assets and critical cyber assets;
(3)internal, management, approval of the risk-based assessment;
(4)external review of critical assets identification; and
(5)interdependency analysis. a. Guidance on Risk-Based Assessment Methodology 237. Requirement R1 of CIP-002-1 requires each responsible entity to develop a risk-based assessment methodology to identify critical assets. A responsible entity must maintain documentation describing its methodology that includes procedures and evaluation criteria. Requirement R1 identifies specific assets that the methodology must “consider,” including control centers, facilities critical to system restoration and automatic load shedding, and substations and generation resources that support reliable operation of the Bulk-Power System—as well as any other assets that support reliable operations and the responsible entity deems appropriate to include in its assessment. i. NOPR Proposal 238. In the CIP NOPR, the Commission expressed concern that responsible entities have enough guidance to devise an assessment methodology that is adequate to identify the types of assets necessary to protect Bulk-Power System reliability. 80 The Commission stated that responsible entities would benefit from NERC providing some common understanding regarding the scope, purpose and basic direction of the assessment methodology. As an example, the Commission indicated that a proper methodology should examine
(1)the consequences of the loss of the asset to the Bulk-Power System and
(2)the consequences to the Bulk-Power System if an adversary gains control of the asset for intentional misuse. Accordingly, the Commission proposed to direct the ERO to develop modifications to provide additional guidance as to the features and functionality of an adequate risk-based assessment methodology. 80 *See* CIP NOPR at P 100-05. 239. The CIP NOPR also noted that smaller entities may have difficulty in determining whether a particular asset is “critical” since the impact of the asset may be dependent on their connection with a transmission owner or operator. Thus, the Commission proposed that the ERO and Regional Entities provide reasonable technical support to relatively smaller registered entities to assist them in determining whether their assets are critical to the Bulk-Power System. ii. Comments
(a)Need for Additional Guidance 240. Many commenters, including NERC, agree with the Commission that there is a need for further guidance regarding the risk-based assessment methodology. Other commenters do not oppose the development of general guidance on what would constitute an acceptable risk-based assessment methodology, provided that this guidance does not rule out other approaches. Commenters also identify specific concerns that they believe would benefit from further guidance. 241. While first reiterating that the CIP Reliability Standards contain the appropriate specificity as performance based standards, NERC agrees that it could provide further guidance in the form of a “supplemental guideline” on performing risk-based assessments to be used to determine critical assets. NERC states that its Critical Infrastructure Protection Committee's Risk Assessment Working Group has begun development of such a guideline. NERC asserts that this guideline, when completed, will address the Commission's fundamental concern by providing guidance to responsible entities on how to perform the required risk-based assessments. 242. Numerous commenters agree that additional guidance is needed regarding a risk-based assessment methodology. 81 For example, Energy Producers and California Cogeneration comment that, without such guidance, responsible entities will not know whether they are complying with the Requirement until they are audited. Arizona Public Service is also concerned that CIP-002-1 lacks sufficient detail and needs to provide further guidance so that responsible entities are not placed in the position of not knowing whether their risk-based methodologies will adequately identify all critical assets in a way that fully satisfies NERC's requirements. Arkansas Electric comments that without needed guidance, a responsible entity could invest large amounts of effort into the assessment, only to be found non-compliant later. 
Reliant comments that ERO guidance would benefit users of the Bulk-Power System, such as generators, that may not have sufficient information to properly determine whether their assets are critical. 81 *E.g.,* California Cogeneration California Commission, Congressional Representatives, Duke, Energy Producers, FirstEnergy, ISA99 Team, KCPL, MidAmerican, National Grid, ReliabilityFirst, Reliant, SDG&E and U.S. Power. 243. While EEI opposes any modification to Requirement R1 of CIP-002-1 to provide additional specificity regarding the assessment methodology, it agrees that responsible entities would benefit from “some basic guidance” provided that it is non-prescriptive. 82 EEI supports guidance regarding the common understanding of the scope, purpose and basic direction of the methodology. EEI also urges that the process for developing this guidance should be open and transparent. Similarly, APPA/LPPC comment that they do not object to the proposal that NERC provide some basic guidance on the content of the methodology, provided that it allows needed flexibility to take account of the individual circumstances of a responsible entity. 82 *See also* Alliant, Arizona Public Service, ISO/RTO Council, Luminant, Northern California, OGE, Portland General and Southern. 244. A number of commenters identify specific topics that would benefit from further guidance. For example, NRC comments that the risk-based assessment should identify transmission lines, substations and generators that are relied on to operate or shut down nuclear generating stations as critical assets. U.S. Power maintains that additional guidance is needed as to when generating facilities and their related systems will be deemed “critical” to the Bulk Electric System. U.S. 
Power explains that, given the built-in reserve margin for generation in New England, absent a known local reliability need, any generator in New England could logically assume that none of its individual generating assets would be regarded “critical.” U.S. Power states that without additional guidance as to what the Commission and NERC intend, however, there is no way of knowing if this is an appropriate assumption. Further, it seeks additional guidance regarding blackstart units, noting that a generating unit that has blackstart capability but is not part of a system restoration plan may not be deemed critical to Bulk-Power System reliability. 245. Luminant comments that significant regional differences, such as geography, climate, demographics, electric system structure and demands, affect the identification of critical cyber assets and how the particular asset would be protected. 246. Several commenters agree with the Commission's statement that a risk-based assessment methodology should examine the consequences of the loss of the asset to the Bulk-Power System as well as the consequences if an adversary gains control of the asset. For example, Applied Control Solutions states that a proper risk-based assessment methodology should examine the consequences of the loss or improper operation of the assets to the Bulk-Power System. It also comments that the methodology should define “risk” as a formula (i.e., risk=frequency multiplied by consequence). Because there is insufficient data available to determine frequency, it should be assumed that an event will occur. Luminant also states that the risk-based assessment methodology should focus on the consequences of an outage, not the likelihood of an outage. 247. ISA99 Team suggests that the guidance to be developed by NERC should be written in a manner that assures that a larger portion of critical infrastructure assets, and associated cyber assets are included within the scope of the standards. 
In this regard, ISA99 Team states that the results of the current requirements, which are based on an unspecified “risk-based” approach, and which place no limits on what constitutes an acceptable risk, may or may not include sufficient assets to provide adequate protection for the bulk power grid. Thus, ISA99 Team argues that a more definitive means of assuring adequate scope needs to be established. 248. A number of entities commented on the Commission's proposal that the ERO and Regional Entities provide reasonable technical support to relatively smaller entities that may have difficulty determining whether a particular asset is critical because, for example, the impact of the facility may be dependent on their connection with a transmission owner or operator. NERC and ReliabilityFirst oppose this proposal, stating that such a “consulting service” would place an undue burden on the ERO and Regional Entities. 83 NERC and ReliabilityFirst believe that this creates a serious conflict to impartially assess compliance with the standards and suggest that, if such an external assistance is deemed necessary, it should be the obligation of the responsible entity's reliability coordinator or regional transmission organization. According to NERC, its reliability readiness program is in an ideal position to assess the effectiveness of an entity's risk-based assessment methodology, thus, no additional consulting role by NERC is needed. 83 *See also* Entergy and ISO/RTO Council. 249. In contrast, FirstEnergy agrees that NERC should provide guidance to entities without a wide-area view, such as a generation owner or a partial generation owner, on how to approach a risk-based assessment. Likewise, Northern California suggests that NERC establish a process for informal, case-by-case consultations with responsible entities that need assistance in complying with CIP-002-1. 
In addition, as part of the re-examination of CIP-002-1, Northern California encourages the incorporation of a formalized “feedback loop” to assist the industry in developing policies and procedures. 250. Xcel seeks clarification of CIP-002-1, Requirement R1.2.4, which provides that a risk-based assessment methodology consider “systems and facilities critical to system restoration, including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration.” Xcel asks that either the Commission clarify or direct NERC to clarify the meaning of the phrase “used for initial system restoration” and specify whether it refers to facilities on the primary transmission restoration path or on all potential alternative transmission restoration paths. 251. MidAmerican seeks Commission clarification of the appropriateness of an N minus 1 criterion when applying a risk-based assessment methodology to critical assets. It states that NERC's CIP Reliability Standards require all affected entities to withstand the loss of one element without affecting the reliability of the Bulk-Power System. Yet, MidAmerican notes, the Commission's discussion uses the singular term “asset” in the first sentence when describing what a proper risk-based assessment methodology should examine. MidAmerican is concerned that this implies that a risk-based assessment methodology should be based on the loss of a single critical asset (transformer, line or generating unit) one at a time. MidAmerican submits that the term “asset” should be revised to make clear that a broad-based cyber attack should essentially be assumed to affect several of an entity's critical facilities simultaneously. 252. 
Entergy suggests, as an alternative approach to critical asset identification, that the ERO provide a Design-Basis Threat (DBT)—a profile of the type, composition, and capabilities of an adversary—that would assist the industry as a technical baseline against which to establish the proper designs, controls and processes. Entergy claims that a DBT approach would address many of the Commission's concerns regarding the risk-based methodology. For example, a DBT would focus the appropriate emphasis on the potential consequences from an outage of a critical asset. In addition, a DBT would address the Commission's concern that responsible entities will not have enough guidance in developing a risk-based methodology and not know how to identify a “critical asset.” Entergy contends that a DBT approach would provide the industry with more certainty in implementing the CIP Reliability Standards. iii. Commission Determination 253. The Commission believes that the comments affirm that responsible entities need additional guidance on the development of a risk-based assessment methodology to identify critical assets. While we adopt our CIP NOPR proposal, we recognize that the ERO has already initiated a process to develop such guidance. The CIP NOPR proposed to direct that NERC modify CIP-002-1 to incorporate the guidance. However, we are persuaded by commenters that stress the need for flexibility and the need to take account of the individual circumstances of a responsible entity. Thus, we modify our original proposal and in this Final Order leave to the ERO's discretion whether to incorporate such guidance into the CIP Reliability Standard, develop it as a separate guidance document, or some combination of the two. A responsible entity, however, remains responsible to identify the critical assets on its system. 254. 
Commenters raise a number of topics that they believe should be addressed in the NERC guidance, such as how to assess whether a generator or a blackstart unit is “critical” to Bulk-Power System reliability, the proper quantification of risk and frequency, facilities that are relied on to operate or shut down nuclear generating stations, and the consequences of asset failure and asset misuse by an adversary. We believe these are all appropriate topics to be addressed and direct the ERO to consider these commenter concerns when developing the guidance. 255. The Commission proposed in the CIP NOPR that the ERO and Regional Entities provide reasonable technical support to relatively smaller entities that may have difficulty determining whether a particular asset is critical because, for example, the impact of the facility may be dependent on their connection with a transmission owner or operator. While we believe that there is a need to assist entities that lack a wide-area view, we are mindful of the ERO's concern that it would place an undue burden on it and the Regional Entities. If the ERO believes that it and the Regional Entities do not have sufficient resources to take on this responsibility, it should designate another type of entity with a wide-area view, such as a reliability coordinator, to provide needed assistance. This approach is consistent with our determination (discussed later in this Final Rule) regarding the external review of critical asset lists. Accordingly, we direct either the ERO or its designees to provide reasonable technical support to assist entities in determining whether their assets are critical to the Bulk-Power System. 256. Regarding MidAmerican's comments on use of the N minus 1 criterion when applying a risk-based assessment methodology to the identification of critical assets, we agree with MidAmerican that an N minus 1 criterion is not an appropriate risk-based assessment methodology for identifying critical assets. 
While the N minus 1 criterion may be appropriate in transmission planning, use of an N minus 1 criterion for the risk-based assessment in CIP-002-1 would result in the nonsensical result that no substations or generating plants need to be protected from cyber events. A cyber attack can strike multiple assets simultaneously, and a cyber attack can cause damage to an asset for such a time period that other asset outages may occur before the damaged asset can be returned to service. Thus, the fact that the system was developed to withstand the loss of any single asset should not be the basis for not protecting that asset. Also, we note that the definition of “critical assets” is focused on the criticality of the asset, not the likelihood of an outage. Based on this reasoning, in response to U.S. Power, we clarify that a generator should not assume that none of its individual generating assets would be regarded “critical” to the Bulk-Power System. 84 84 Further, Requirement R.1.2.3 provides that the risk-based assessment must consider “generation resources that support the reliable operation” of the Bulk-Power System. This language indicates that certain generation facilities, and presumably some facilities within a region identified as critical, must be considered in an assessment. Beyond this, we leave it to the ERO to provide sufficient guidelines to inform generation owners and operators on how to determine whether it should identify a facility as a critical asset. As discussed later in the Final Rule, the Commission will monitor and evaluate the outcome of this endeavor—the list of critical assets. 257. With regard to Xcel's request for clarification regarding the meaning of the phrase “used for initial system restoration,” in CIP-002-1, Requirement R1.2.4, we direct the ERO to consider this clarification in its Reliability Standards development process. 258. 
As to Entergy's suggestion that the ERO provide a DBT profile of potential adversaries, the ERO should consider this issue in the Reliability Standards development process. Likewise, the ERO should consider Northern California's suggestion that the ERO establish a formal “feedback loop” to assist the industry in developing policies and procedures. 85 85 Consistent with our approach in Order No. 693, the ERO should address NOPR comments suggesting specific new improvements to the CIP Reliability Standards. The Commission, however, does not direct any outcome other than that the comments receive consideration. *See* Order No. 693 at P 188. b. Scope of Critical Assets and Critical Cyber Assets i. Data as a Critical Asset
(a) NOPR Proposal

259. In the CIP NOPR, the Commission noted that NERC's definition of “cyber assets” includes “data.” The Commission stated that “marketing or other data essential to the proper operation of a critical asset, and possibly the computer systems that produce or process the data, would be considered critical cyber assets” subject to the CIP Reliability Standards.[86] The Commission proposed to direct the ERO to develop guidance on the steps that would be required to apply the CIP Reliability Standards to such data and to include computer systems that produce the data.

[86] CIP NOPR at P 114.
(b) Comments

260. NERC agrees with the Commission that critical cyber assets include “data,” as specified in the definition. NERC then states that the “data” provision only refers to data associated with the reliable operation of the Bulk-Power System, thereby excluding “marketing and other data” as well as data market systems that support the market function. NERC suggests that the Final Rule remove references to marketing and other data and supports referring, instead, to “reliability data.” NERC adds that it is not arguing that these systems do not need protection, but merely that they are beyond the scope of the CIP Reliability Standards. NERC states that, only in cases where reliability functions and market functions are implemented within the same system, or are implemented on systems located within the electronic security perimeter, should they be protected by the CIP Reliability Standards, and then only as cyber assets located within the same electronic security perimeter as critical cyber assets.

261. Numerous other commenters contend that the Commission is mistaken to consider “marketing and other data” as a critical cyber asset. For example, NRECA comments that marketing data seldom performs a reliability-related function. Northeast Utilities states that only data pertaining to design or operating specifications necessary for the operation of cyber assets should be included in the definition of cyber assets. PG&E states that the Commission's proposal to include “marketing and other data” is unnecessary because the CIP Reliability Standards already apply to data that are housed and maintained within critical cyber assets and information about critical cyber assets. PG&E asserts that Requirement R4 of CIP-003-1 specifically protects critical cyber asset information, so no additional modifications are needed.[87]

[87] *See also* Alliant, EEI, ISO-NE, ISO/RTO Council, Luminant, National Grid, Ontario Power, ReliabilityFirst, SDG&E, SPP and WAPA.

262. Bonneville requests clarification whether the Commission's reference to marketing data and system data are intended to apply to data and systems related to power transactions to be delivered physically about which data are sent to grid operators (e.g., systems that generate E-tags) or all marketing data and systems even if the transactions are settled financially and never get to physical delivery.

263. MidAmerican agrees with the Commission on the need for additional guidance regarding the definition of “data” as critical cyber assets. It recommends deletion of the term “data” from the NERC definition of a “critical cyber asset” and, instead, its inclusion in the information protection standard. MidAmerican contends that access to data is of secondary importance when compared to access to a physical critical cyber asset and, thus, data should be protected as any other critical asset information would be protected.

264. ISO/RTO Council and Ontario Power argue that, although the computers and other devices that contain data may use a routable protocol or may be dial-up accessible, the data itself does not use a routable protocol, nor is it, in its own right, dial-up accessible. Therefore, they submit that Reliability Standard CIP-002-1 does not require that “data” be considered a critical cyber asset. In addition, ISO/RTO Council argues that, since every responsible entity's definitive list of critical cyber assets is developed pursuant to Reliability Standard CIP-002-1, Requirement R3, the “further qualified” reference in Requirement R3 applies to the use of the term “critical cyber asset” wherever the term is used in the CIP Reliability Standards. ISO/RTO Council believes that including data as a critical cyber asset would go beyond the scope and intent of any of the Reliability Standards.

265. ISO-NE and SPP agree with ISO/RTO Council that data by itself does not meet the definition of a critical cyber asset. ISO-NE states that the Commission is further viewing data as a potential critical asset. ISO-NE agrees with this view in concept, but believes that consideration of reliability data is already intrinsic to the process of evaluating assets to determine their criticality. Such reliability data are “real-time data” and are highly transient as they pass through, and are presented by, such supporting critical cyber assets. Given that protection of critical cyber assets is already addressed, the protection of the data component of a cyber asset during its instance of viability as useful reliability data is satisfied. To address a broader focus of data protection would expand the scope of the current CIP Reliability Standards. Such a focus deserves considerable review and discussion. If the Commission continues to have concern regarding data protection from a broader view, ISO-NE recommends this be considered in a future proceeding.

266. SoCalEdison is concerned that applying the CIP Reliability Standards to data that are essential to the proper operation of a critical asset and including computer systems that produce the data might greatly increase the scope of CIP-002-1 and will have a major impact on the industry's ability to meet the standards requirements schedule. SoCalEdison argues that, if the Commission directs these modifications to the standard, they should be handled through the NERC Reliability Standards development process, which should consider any impact to the implementation schedule.

267. OGE also is concerned that a definition of “critical cyber assets” that could include computer systems that produce or process such sensitive data may encompass network servers and devices. If network servers and devices are considered critical cyber assets, OGE argues that additional controls will be necessary to isolate and protect these network servers and devices. These additional controls will provide only a minor increase in protection to the bulk electric system.
268. Idaho Power supports the protection of data that defines location, network topography, device descriptions, and similar information; however, Idaho Power cannot support the position that data originating or used in an Energy Management System, for instance, should be treated as “critical” after the fact. In Idaho Power's view, the actual data, upon transfer to data historian servers, fails to meet any definition of “critical.”

269. Juniper recommends that other enterprise databases, such as human resources data, be considered part of the critical assets. Juniper states that its concern applies to any data that can enable a hacker to gain access to cyber assets. Juniper comments that any essential data that could allow an attacker to weaken or defeat any cyber or physical security must be considered a critical cyber asset.
(c) Commission Determination

270. As discussed above, commenters that address the subject uniformly oppose the CIP NOPR statement that “marketing or other data essential to the proper operation of a critical asset, and possibly the computer systems that produce or process the data, would be considered critical cyber assets” subject to the CIP Reliability Standards. These commenters contend that marketing data typically does not qualify as a critical cyber asset and the Commission's proposal is beyond the current scope of the CIP Reliability Standards. Moreover, several commenters suggest that some data and support systems may fit the definition of *critical asset* and, thus, supporting critical cyber assets must comply with CIP-002-1.

271. The Commission remains concerned that, while not all marketing data or other data may be considered a critical cyber asset essential to the proper operation of a critical asset, there may be times where it is properly classified as such. For example, if a critical asset is configured such that it cannot operate and support the reliability and operability of the Bulk-Power System without a real-time stream of data, that data fits the definition of a critical cyber asset, and should be protected. Once a particular piece of data is no longer needed by the critical asset, it is no longer a critical cyber asset. On this point, we agree with commenters that there is a temporal characteristic to data as a critical asset.

272. Based on the range of comments received on this topic, the Commission is convinced that the consideration and designation of various types of data as a critical asset or critical cyber asset pursuant to CIP-002-1 is an area that could benefit from greater clarity and guidance from the ERO. Accordingly, the Commission directs the ERO, in developing the guidance discussed above regarding the identification of critical assets, to consider the designation of various types of data as a critical asset or critical cyber asset. In doing so, the ERO should consider Juniper's comments. Further, the Commission directs the ERO to develop guidance on the steps that would be required to apply the CIP Reliability Standards to such data and to consider whether this also covers the computer systems that produce the data.

273. The Commission also agrees with ISO-NE that experience in the implementation of the CIP Reliability Standards may indicate a need to further address this topic in a future proceeding.

ii. Control Systems

274. In the CIP NOPR, the Commission expressed concern about whether sufficient rigor is applied in examining whether control systems are determined to be critical assets.[88] The Commission stated that, while it seems obvious that an evaluation of a control system for critical asset status would consider the potential loss of operability, the Commission also believes that such an evaluation should examine any misuse of the control system and the impact this misuse could have on any electric facilities that the responsible entity controls, and the combined impact of such facilities.

[88] CIP NOPR at P 115.
(a) Comments

275. NERC and ReliabilityFirst comment that the Commission appears to have incorrectly concluded that “control systems” are critical assets. They explain that, in context, the control center, substations or power plant could be a critical asset. The “control system,” however, would be a critical cyber asset.

276. SPP concurs with the Commission's assertion that consideration of misuse of control systems should be part of the risk-based assessment. Compromise and misuse of a cyber asset often pose greater risks to the reliability of the Bulk-Power System than an induced total failure of the cyber asset. SPP comments that both insider and external threats should be considered as part of the risk-based assessment. In contrast, Entergy opposes the Commission's proposal to require an evaluation of the misuse of control systems.

277. Applied Control Solutions comments that there should be a formally accepted method for identifying critical cyber assets, explaining that existing methods are often reliability-based, not cyber-based, resulting in entities reporting too few assets.

278. ISA99 Team objects to the exclusion of communications links from CIP-002-1 and non-routable protocols from critical cyber assets, arguing that both are key elements of associated control systems, essential to proper operation of the critical cyber assets, and have been shown to be vulnerable—by testing and experience. In contrast, Energy Producers notes that CIP-002-1 as proposed by NERC provides that a critical cyber asset must have either routable protocols or a dial-up connection. Energy Producers states that this is a useful, objective criterion which will assist in the unambiguous identification of such assets and therefore should be retained.
(b) Commission Determination

279. The Commission accepts the explanation of the ERO and ReliabilityFirst that a control system could be a critical cyber asset, but not a critical asset.[89]

[89] As was stated in the CIP Assessment, a “control system” is a device or set of devices to manage, command, direct or regulate the behavior of other devices or systems. It is typically a specialized computer system or programmable logic controller that manages, commands, directs or regulates the behavior of other devices or systems in a physical environment, *e.g.*, open or close switches or relays, start or stop motors, or control motor speed. In the case of the Bulk-Power System, control systems consist primarily of sophisticated computer hardware and software designed to process the mass of real-time data associated with the Bulk-Power System and enable its reliable operation by, among other things, monitoring the grid through remote sensors, sounding alarms when grid conditions warrant, and operating equipment in field locations.

280. The Commission has two concerns regarding the misuse of facilities, and clarifies those concerns here. First, Requirement R1.2.1 requires responsible entities to consider control centers and backup control centers as potential critical assets. In determining whether those control centers should be critical assets, we believe that responsible entities should examine the impact on reliability if the control centers are unavailable, due for example to power or communications failures, or denial of service attacks. Responsible entities should also examine the impact that misuse of those control centers could have on the electric facilities they control and what the combined impact of those electric facilities could be on the reliability of the Bulk-Power System. The Commission recognizes that, when these matters are taken into account, it is difficult to envision a scenario in which a reliability coordinator, transmission operator or transmission owner control center or backup control center would not properly be identified as a critical asset.

281. Second, the Commission is concerned about the misuse of a control system that controls more than one asset. The assets could be multiple generating units, multiple transmission breakers, or perhaps even multiple substations. All of the controlled assets could be taken out of service simultaneously due to a failure or misuse of the control system. Individually, perhaps none of the controlled assets would be considered as a critical asset. However, with a simultaneous outage due to the single point of control, the controlled assets might affect the reliability or operability of the Bulk-Power System and, therefore, should be considered as critical assets. In that case, the common control system should be considered a critical cyber asset.

282. Therefore, consistent with the discussion above, the Commission directs the ERO, through the Reliability Standards development process, to specifically require the consideration of misuse of control centers and control systems in the determination of critical assets. The clarification of our concern over misuse of control systems addresses Entergy's comment on this issue as well.

283. The Commission concurs with SPP that both insider and external threats should be considered as part of a risk-based assessment.

284. We share Applied Control Solutions' concern that too few assets may be identified as critical cyber assets. However, there is no evidence that will be the case, and there is no formally accepted method for identifying critical cyber assets before us at this time. Therefore, we decline to direct that such a method be incorporated into the CIP Reliability Standards at this time. The Commission may revisit this circumstance in a future proceeding.

285. As to the conflicting comments of ISA99 Team and Energy Producers, Requirement R2 of CIP-002-1 provides that a critical cyber asset must either have routable protocols or dial-up access. Energy Producers argues that Requirement R2 should be retained, while ISA99 Team argues that devices that use non-routable protocols should also be considered as possible critical cyber assets. We do not find sufficient justification to remove this provision at this time. However, we direct the ERO to consider the comment from ISA99 Team. We also do not find sufficient justification to order the inclusion of communication links in CIP-002-1 at this time.

iii. Explanation Why an Asset Chosen or Not Chosen as Critical

286. In the CIP NOPR, at P 115, the Commission expressed concern that all critical assets be identified. To further this goal, the Commission interpreted the phrase, “[t]he risk-based assessment shall consider the following assets * * *” in Requirement R1.2 to mean that a responsible entity must be able to show why, based on the risk-based methodology, specific assets were chosen or not chosen. The Commission proposed to direct that the ERO modify Requirement R1.2 to make this obligation explicit.
(a) Comments

287. Most commenters addressing the subject oppose the Commission's proposal.[90] For example, MidAmerican comments that a requirement that a responsible entity provide reasons for selecting or not selecting a particular asset as critical is unreasonably burdensome and unnecessary because this should be adequately addressed when more direction is given for the assessment methodology and selection criteria for critical assets. Likewise, EEI and Entergy oppose the Commission's proposal as unnecessary, contending that responsible entities will identify critical assets based on the risk-based assessment methodology required by CIP-002-1, which will be subject to audit. EEI questions what further explanation an entity could provide beyond the assessment methodology. Entergy notes that many entities operate hundreds of substations and thousands of pieces of field equipment, and a requirement to defend the exclusion of specific equipment would be onerous.[91]

[90] *E.g.,* Alliant, EEI, ISO/RTO Council, KCPL, MidAmerican, National Grid, OGE and Tampa Electric.

[91] *See also* ISO/RTO Council, National Grid, PG&E and Tampa Electric.
(b) Commission Determination

288. To clarify, the Commission did not propose to direct that the ERO develop a requirement for responsible entities to document why each specific asset was identified or not identified as “critical.” Rather, the Commission's intent was that a responsible entity must be able to explain such determinations, for example upon inquiry by an auditor, to confirm compliance with the Reliability Standard. Nonetheless, we are persuaded by the commenters that the documentation of a responsible entity's risk-based assessment methodology pursuant to Requirement R1.1 and the results of its annual application of the methodology pursuant to Requirement R2 should suffice to explain a responsible entity's asset determinations. Accordingly, the Commission will not direct the ERO to develop a modification to address this concern. However, if experience shows that responsible entities are failing to consider in their assessments specific types of assets that the Commission, ERO or others believe should be included in an assessment and therefore not in compliance with the Reliability Standard, there may be a need to revisit this matter in the future.

c. Internal Approval of Risk-Based Assessment

i. NOPR Proposal

289. Requirement R4 of CIP-002-1 requires that a senior manager “or delegate(s)” must approve annually the list of critical assets and critical cyber assets. In the CIP NOPR, the Commission proposed to direct that the ERO develop a modification to CIP-002-1 to include a requirement that a senior manager annually review and approve the risk-based assessment methodology.[92] The Commission stated that senior management approval of the risk-based assessment methodology helps to implement Blackout Report Recommendation 43, which calls for establishing clear authority and ownership for physical and cyber security.[93]

[92] *See* CIP NOPR at P 106-08 for the Commission's discussion and proposal on this topic.

[93] *See* U.S.-Canada Power System Blackout Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations (April 2004) (Blackout Report). The Blackout Report is available on the Internet at *http://www.ferc.gov/industries/electric/indus-act/blackout.asp.*

ii. Comments

290. Alliant, APPA/LPPC, Congressional Representatives, EEI, KCPL and Luminant agree with the Commission that it is important that there is internal oversight of the responsible entity's activities. EEI adds that, although senior manager review of the risk-based assessment methodology is implicit in the current CIP Reliability Standards, such a provision should be made explicit through the Reliability Standards development process to establish the “clear authority” recommended by the Blackout Report. Luminant adds that such a provision would provide a degree of certainty for a responsible entity's senior management to approve the risk-based assessment methodology the responsible entity adopts. KCPL also supports NERC's development of an “explicit” requirement that senior management review and approve a responsible entity's risk-based assessment methodology.

291. METC-ITC believe that the Commission can further strengthen the CIP Reliability Standards by raising the apparent level of responsibility of CIP compliance to a corporate officer level, replacing “senior manager” with “officer” in such instances throughout the CIP Reliability Standards. In contrast, Northern Indiana claims that senior management might not be the most knowledgeable about cyber security issues and urges the Commission to continue to allow a responsible entity to delegate this review to knowledgeable personnel.

292. ISO/RTO Council argues that the requirement for internal oversight already is an implicit requirement under the CIP Reliability Standards. In ISO/RTO Council's view, it is abundantly clear that the senior manager is fully accountable for both the thoroughness of the methodology used to establish the critical asset list as well as the completeness of the list itself.

293. Bonneville seeks clarification whether the intent of the Commission's proposal is to make senior managers personally accountable for a responsible entity's violation of the CIP Reliability Standards so that the senior manager is subject to civil penalties. Bonneville comments that, if this is the intended purpose or result, then the extent of such personal liability must be made clear so that affected senior managers can take necessary precautions, such as obtaining additional insurance coverage. NRECA raises similar concerns regarding a senior manager's penalty liability.

iii. Commission Determination

294. The Commission adopts its CIP NOPR proposal and directs the ERO to develop, pursuant to its Reliability Standards development process, a modification to CIP-002-1 to explicitly require that a senior manager annually review and approve the risk-based assessment methodology. This determination is consistent with the Blackout Report's recommendation to establish clear authority and ownership for physical and cyber security. Further, regardless of whether the current Requirements implicitly require senior manager review of the assessment methodology, we believe the matter is too important to rely on inference. Accordingly, the Commission directs the ERO to develop a modification to CIP-002-1 to explicitly require that a senior manager annually review and approve the risk-based assessment methodology.

295. With regard to Northern Indiana's concerns, we are not directing a revision to the current language of Requirement R4 which provides for “the senior manager or delegate(s)'s approval” of the list of critical assets and list of critical cyber assets. As we understand the provision, the senior manager still retains ultimate responsibility for the determinations of his or her delegate(s). Otherwise, senior management could avoid responsibility by ‘delegating downward.’

296. With regard to METC-ITC's comment, the ERO should consider in its Reliability Standards development process the suggestion that the CIP Reliability Standards require oversight by a corporate officer (or the equivalent, since some entities do not have corporate officers) rather than by a “senior manager.”

297. In response to comments by Bonneville and NRECA, the Commission clarifies that we do not intend that an individual employee of a user, owner or operator of the Bulk-Power System will be subject to a penalty pursuant to section 215 of the FPA because a responsible entity violates a CIP Reliability Standard. This matter is addressed in more detail in our discussion of CIP-003-1.

d. External Oversight of Critical Assets Identification To Provide Regional Perspective

i. NOPR Proposal

298. The CIP NOPR emphasized that the responsibility for identifying critical assets should be placed on the individual responsible entity as the asset owner or operator, and not shifted to Regional Entities or another organization.[94] In addition, the Commission expressed its belief that a systematic approach to external oversight of the identification of critical assets would assure a wide-area view and thereby better ensure that responsible entities are identifying appropriate assets as “critical.” The Commission explained that, without external oversight using a wide-area view, trends or deviations may not be identified prior to an incident or audit. The CIP NOPR also noted that a wide-area view would help to ensure that assets that have regional importance, such as for reactive power supply, are included as critical assets. Therefore, the Commission proposed that the ERO develop a modification to CIP-002-1 to include a mechanism for the external review and approval of critical asset lists based on a regional perspective by the Regional Entities, possibly among others. The Commission stated that, while proposing that the Regional Entities perform this review function, it did not exclude the possibility of a critical asset review process that allows for the participation of other organizations, such as transmission planners and reliability coordinators.

[94] *See* CIP NOPR at P 111-13.

ii. Comments
(a) Responsible Entity for Identifying Critical Assets

299. Several commenters, including ISO/RTO Council, EEI, FirstEnergy, National Grid and Northeast Utilities, agree with the Commission that responsibility for identifying critical assets should not be placed on the Regional Entities or any organization other than the categories of applicable entities currently identified in CIP-002-1. They believe that this responsibility rightfully rests with the asset owner or operator, and the Regional Entities would be overburdened by such a task.

300. In contrast, AMP Ohio advocates the revision of CIP-002-1 to make Regional Entities responsible for the identification of critical assets because they have an area-wide view of the grid—as opposed to small generation owners, generation operators and load serving entities that have a limited view of the Bulk-Power System. AMP Ohio also argues that making small generation owners, generation operators and load serving entities responsible for asset identification would place a burden on these small entities that they are ill-positioned to bear. AMP Ohio explains that it is not proposing that responsible entities abdicate responsibility but, rather, suggests that the Regional Entity take the first step to identify critical assets. The asset owner or operator, as a responsible entity, must then ensure that the critical cyber assets associated with the critical asset are identified and protected. AMP Ohio suggests that, if responsible entities remain responsible for identifying assets, the CIP Reliability Standard should include a safe harbor provision for good faith compliance, even if subsequent events demonstrate that critical assets may have been overlooked.

301. SPP and ReliabilityFirst suggest a modification to CIP-002-1 that would allow an entity to rely on the assessment of another entity with interest in the matter. For example, a merchant generator may through a legitimate assessment determine that its plant is not critical whereas the balancing authority's assessment indicates that it is. They suggest that in such a situation the merchant generator would accept the risk-based assessment of the balancing authority as a substitute for performing its own assessment with limited data.
(b) Need for External Review and Alternatives

302. While some commenters agree with the Commission that there is a need for external review and approval of a responsible entity's critical asset list, others believe that such a requirement is unnecessary.

303. Arkansas Electric, Juniper, MidAmerican, National Grid, Ontario IESO, and U.S. Power agree with the Commission that a process for regional review of an entity's critical asset list by either the ERO or the Regional Entity would be beneficial. According to Arkansas Electric, this would provide an entity with the opportunity for a review of its critical asset list prior to a full CIP audit. Arkansas Electric is concerned that, without such a review, entities could be subject to sanctions based on a critical asset list later deemed deficient by an auditor. MidAmerican finds that a regional perspective could add consistency to the critical asset determination. U.S. Power maintains that, in organized markets where a generator does not typically possess a “regional perspective” to objectively determine the criticality of an individual asset, external review could be helpful in assuring that a regionally consistent approach is followed; and that such determinations are based on the most relevant, available information.

304. FirstEnergy agrees with the Commission that a formal or systematic approach to external oversight of the identification of critical assets would better ensure that responsible entities are identifying similar assets. FirstEnergy comments that external review is crucial to the comprehensive application of the CIP Reliability Standards and such review should be conducted by an entity with a wide-area view.

305. National Grid comments that it would support the development of an appropriate mechanism for Regional Entities to collect documentation of each responsible entity's assessment methodology and list of critical assets. However, National Grid would not support a requirement for Regional Entity pre-approval of the methodology or list because the Regional Entity lacks the necessary expertise and resources. Similarly, Northern Indiana supports external review, particularly where lists of cyber security assets will not be shared and responsible entities must determine their asset lists based on mutual distrust. However, Northern Indiana opposes requiring approval of a responsible entity's list of critical assets by the entity conducting the external review. It also opposes granting Regional Entities or reliability coordinators the ability to supplement a critical asset list. This concern would be removed, however, if the regional entity approved the risk-based assessment methodology, rather than the list of critical assets.

306. In contrast, NERC and others oppose modifying CIP-002-1 to require external review and approval of critical asset lists.[95] NERC requests that the Commission allow the current oversight framework—which includes audits, readiness reviews and self-certification—to work without imposing new or different requirements from the current CIP Reliability Standards. Similarly, EEI comments that, while it understands the Commission's view that external oversight may have potential value by providing a wide-area view, it believes that NERC's Uniform Compliance Monitoring and Enforcement Program already provides effective tools that may provide such oversight. EEI does not, however, oppose voluntary random spot checking as a means to provide an “area-wide view” before the “auditably compliant” stage.

[95] *E.g.,* Alliant, Mr. Brown, Duke, EEI, Entergy, Idaho Power, Luminant, OGE, Ontario Power, Puget Sound, SERC-CIPC and Southern.

307. Alliant objects to external approval of a critical asset list because the ERO auditing regime provides a “wide-area view” and external approval would require an appeals process that would delay implementation without accruing reasonable benefits. Duke claims that the ERO's guidance document should result in adequate consistency in the development of critical asset lists and suggests that any external review should be optional. Southern contends that a responsible entity is generally in the best position to determine which assets are critical to the Bulk-Power System and, if needed, industry experience can be shared through existing forums and through the voluntary exchange of information. Puget Sound and others propose that industry forums could be used to promote a wide-area view in developing critical asset lists. Idaho Power insists that regional concerns should be addressed before an entity develops its critical asset list.

308. Many of the commenters that oppose an external review and approval process believe that the Commission's objectives can be accomplished through a Regional Entity audit process.[96] SERC CIPC claims that the regions, if presented with a raw list of asset names, will have no basis on which to state whether the list is sufficient or not. According to SERC CIPC, during the audit process, the audit team will review the risk-based assessment methodology.

[96] *E.g.,* Duke, EEI, Entergy, National Grid, OGE and SERC-CIPC.
(c) Appropriate Organization to Conduct External Review

309. Among the commenters that support the need for external oversight, some prefer that an organization other than a Regional Entity be made responsible for external oversight. For example, ISO/RTO Council believes that the reliability coordinator is in the best position to provide such oversight because it has a wide-area view that is focused on grid operation. ISO/RTO Council believes that Regional Entities need to remain independent to enforce the CIP Reliability Standards and should not be involved in CIP Reliability Standard implementation; likewise, it considers that transmission planners are not sufficiently focused on the operational aspects of the grid where cyber security is most critical. Further, ISO/RTO Council suggests that reliability coordinator oversight be limited to a review of the methodologies used to identify critical assets, since reliability coordinators have no special expertise in identifying critical *cyber* assets.

310. By contrast, Ontario IESO, Reliant, ReliabilityFirst and SPP advocate that reliability coordinators, not Regional Entities, should provide oversight of critical asset identification. Ontario IESO and SPP believe that the reliability coordinators are most suited for this task because they are directly involved in the daily activities of ensuring Bulk-Power System reliability. They comment that the reliability coordinators currently perform a wide-area function that includes studying power system dynamics and the interrelationship of assets as well as coordination among neighboring systems. Reliant urges that the Commission require the reliability coordinator to play a major role in the external review of critical asset lists because it possesses a broad array of operating and system data.

311. Ontario IESO comments that, because Regional Entities perform a critical CIP Reliability Standards development and compliance role, Regional Entity approval of an entity's critical asset list creates a conflict of interest in the situation where a Regional Entity is required to investigate and enforce non-compliance with a CIP Reliability Standard. The Regional Entity may have approved the critical asset list and thus may be reluctant to subsequently find a deficiency in the list discovered during the course of a compliance investigation. Ontario IESO also respectfully suggests that Regional Entities lack the technical expertise and intimate knowledge of their members' power system equipment and behaviors to provide the necessary oversight in the determination of critical asset lists.

312. Ontario IESO suggests that, in the event an asset owner and the reliability coordinator disagree as to whether an asset should be listed as critical, the latter should prevail. APPA/LPPC ask that the Commission direct NERC to develop written procedures for a responsible entity to challenge an external, third-party decision to alter a responsible entity's list of critical assets. APPA/LPPC argue that, regardless of the reviewer, an appellate process akin to the process described in Rule 410 of the NERC Rules of Procedure, providing for appeals to the Commission, is needed. EEI and Alliant also believe that an appeal process would be needed if regional oversight occurs.
(d) Confidentiality Concerns

313. Many of the commenters that oppose an external review and approval process are concerned that an external review process will create new issues regarding the protection of sensitive information that inevitably is included in the critical asset lists.[97] These commenters believe that the review of critical asset lists during on-site audits would better protect this highly sensitive information.

[97] *E.g.,* Duke, EEI, Entergy, Manitoba Hydro, National Grid and SERC-CIPC.

314. EEI and Manitoba Hydro express concern that off-site, third-party review of a critical asset list may conflict with an entity's responsibility under CIP-003-1, Requirement R4.1, to protect information such as a critical asset list. EEI urges that the Final Rule clarify that this information should only be divulged in on-the-premises audits.

315. CEA is also concerned that the Commission's proposal to include a mechanism for the external review and approval of critical asset lists would involve the submission of sensitive information. CEA and Manitoba Hydro maintain that some Canadian utilities are prohibited from sharing security information with U.S. authorities. In addition, some utilities regard sharing sensitive security information externally or with a foreign entity as a security risk. Currently, sensitive information is kept on site and shared with external audit teams during visits, and the information remains on site following the audit. The Commission's proposed changes would require sensitive material to be shared on a regular basis and stored externally, perhaps in a foreign jurisdiction. Given the impact on Canadian utilities from such changes to the CIP Reliability Standards, CEA requests that the Commission exercise caution with respect to this issue.

316. Xcel asks how, in a situation where an entity's risk-based assessment identifies a critical asset owned by another entity, this information should properly be communicated while maintaining confidentiality. Xcel recommends that the Regional Entities develop confidentiality protocols to address such situations.

317. SDG&E requests clarification that information associated with the CIP Reliability Standards will be treated with confidentiality. Tampa Electric and SoCal Edison also urge that steps be taken to protect confidentiality if information is released to accomplish external reviews. SoCal Edison is concerned with the risks associated with storing critical information in a common place.

318. Bonneville agrees with the Commission's goal of providing a mechanism for the external review and approval of responsible entities' critical asset lists based on a regional perspective; however, it is concerned that the Commission's proposal could result in FOIA concerns for Bonneville and other federal entities. Under FOIA, the release of information to an external party generally waives any privileges against disclosure with respect to subsequent requests to the federal agency for that same information. Bonneville is concerned that submission of critical asset information to the Regional Entity, particularly disclosure of the vulnerability-related rationales for including particular facilities on the critical asset list and of the documentation of why it chose to exclude others, may act as such a waiver. In addition, Bonneville notes that external reviewers of critical federal security information may need to obtain federal security clearances before federal entities can allow such review.

iii. Commission Determination
(a) Responsible Entity for Identifying Critical Assets

319. The Commission affirms its CIP NOPR determination that responsibility for identifying critical assets should not be shifted to the Regional Entity or another organization instead of the applicable responsible entities identified in the current CIP Reliability Standards. As we stated in the CIP NOPR,[98] and as confirmed by commenters, such a shift would not improve the identification of critical assets but would likely overburden the Regional Entities. While we are sympathetic to AMP Ohio's concerns regarding small generation owners, generation operators and load serving entities that have a limited view of the Bulk-Power System, we believe that NERC's development of guidance on the risk-based assessment methodology and our direction above to provide assistance to small entities should support the efforts of entities—both small and large—in performing a proper assessment. We do not believe that the lack of a wide-area view is sufficient reason to forgo an assessment or to avoid taking responsibility.

[98] CIP NOPR at P 111.

320. We will not allow a “safe harbor” for good faith compliance as requested by AMP Ohio. We do not believe that blanket waivers from an enforcement action are appropriate in this context, and we have previously denied other requests for safe harbors from enforcement.[99] Rather, we believe that demonstrable good faith compliance is a legitimate mitigating factor in an enforcement action.

[99] *See, e.g., North American Electric Reliability Council,* 119 FERC ¶ 61,060 at P 133; *order on reh'g,* 120 FERC ¶ 61,260 at P 41 (2007).

321. SPP and ReliabilityFirst suggest modifying CIP-002-1 to allow an entity to rely upon the assessment of another entity with an interest in the matter. We believe that this is a worthwhile suggestion for the ERO to pursue, and the ERO should consider this proposal in the Reliability Standards development process. We note that, even without such a provision, an entity such as a small generator operator is not foreclosed from consulting with a balancing authority or other appropriate entity with a wide-area view of the transmission system.
(b) Need for External Review and Alternatives

322. The Commission adopts its CIP NOPR proposal to direct that the ERO develop, through its Reliability Standards development process, a mechanism for external review and approval of critical asset lists. The Commission finds that an external review of critical assets by an appropriate organization is needed to assure that such lists are considered from a wide-area view (i.e., from a regional perspective) and to identify trends in critical asset identification. Further, while we recognize that individual circumstances may vary, an external review will provide an appropriate level of consistency.

323. The Commission disagrees with the suggestion of Luminant and others that external review should be voluntary. The identification of critical assets pursuant to CIP-002-1 is crucial to cyber security protection because this determination controls whether a responsible entity must comply with the remaining CIP requirements in CIP-003-1 through CIP-009-1. External review will help ensure that responsible entities have an accurate and complete list of critical assets, which will in turn allow those assets to be appropriately protected to further the security of the nation's Bulk-Power System. Allowing external review as a voluntary measure is not adequate to ensure that responsible entities are prepared to address cyber vulnerabilities and cyber threats. Based on the same reasoning, we reject the suggestion of Northern Indiana and others that the external review should only address the assessment methodology and not critical asset lists.

324. The Commission also disagrees with commenters who insist that the external review can be performed pursuant to the ERO's and Regional Entity's current compliance and enforcement programs, and the audit process in particular. While the Commission decided earlier in the Final Rule to rely on the ERO and regional audit processes to examine exceptions to compliance based on “technical feasibility,” the Commission does not believe that the audit process will provide timely feedback to a responsible entity regarding critical asset determinations. Review of critical asset lists through individual audits would span a significant period of time, measured in years, during which such lists would not undergo review and gaps in security could result. While EEI's suggestion of spot checks prior to the “auditably compliant” stage would provide more timely feedback, it would, by design, not be comprehensive. The Commission concludes that a structured program for the formal, timely review of critical asset lists is a reasonable means to provide timely, comprehensive guidance to responsible entities on the adequacy of their critical asset lists.

325. The Commission agrees with Ontario IESO that, in a dispute between a responsible entity and the external reviewer over whether to identify an additional asset as critical, the external reviewer should prevail. (However, an external reviewer's role should be limited to determining if additional assets should be added, and should not include making recommendations to remove an asset from the list of critical assets.) We recognize, however, that there may be a legitimate reason for a responsible entity to dispute such a determination, possibly through an appeal. We leave it to the ERO to determine the need for such an appeal mechanism and, if appropriate, the development of appropriate procedures (or reliance on appeal procedures currently provided in the NERC Rules of Procedure). While the ERO may determine that an appeals process is a necessary aspect of this program, we do not believe that the burden of such appeals outweighs the benefits of the external review of critical asset lists.
(c) Appropriate Organization To Conduct External Review

326. The Commission in the CIP NOPR proposed that the Regional Entities be responsible for the external review of critical asset lists, and also expressed a willingness to consider a review process that allows for the participation of other organizations such as reliability coordinators and transmission planners. As indicated above, a number of commenters question whether the Regional Entities have the expertise or resources to conduct the reviews. Rather, there was considerable support for reliability coordinators conducting the external review because of their technical expertise, their wide-area view and their role of coordinating among neighboring systems.

327. The Commission believes that the Regional Entities must have a role in the external review to assure that there is sufficient accountability in the process. Further, a Regional Entity role is necessary because the Regional Entities and ERO are ultimately responsible for ensuring compliance with Reliability Standards. For example, if the ERO determines that an appeals process is needed, this process cannot rest with an active owner or operator of the Bulk-Power System such as a reliability coordinator. Moreover, the ERO and the Commission have oversight authority over the Regional Entities' programs and procedures pursuant to section 215 of the FPA.

328. Beyond the direction that the Regional Entities maintain a role in the external review process to assure that there is sufficient accountability, we leave it to the ERO to determine whether the Regional Entities have, or can timely develop, the resources to conduct the external reviews.[100] Alternatively, the ERO may determine that another entity such as the reliability coordinators may be best equipped to conduct the reviews. While commenters have made what the Commission believes to be a strong case that reliability coordinators are the appropriate entity to perform the reviews, the ERO should decide the best approach with its understanding of the capabilities and limitations of the Regional Entities. Regardless of this determination, however, the Commission notes that the Regional Entities have the oversight responsibility.[101]

[100] The Commission does not believe that Regional Entity review creates a conflict of interest as claimed by some commenters because the Regional Entity has no pecuniary interest. The mere fact that a Regional Entity performs a development and compliance role is not a sufficient reason to find a conflict of interest.

[101] The Commission notes that general reliance on Regional Entity oversight does not preclude the Commission, the ERO or a Regional Entity from exercising its authority to review critical asset lists, whether resulting from a complaint, an incident or on its own initiative.

329. Based on the above discussion, the Commission directs the ERO, using its Reliability Standards development process, to develop a process of external review and approval of critical asset lists based on a regional perspective.

e. Confidentiality Concerns

330. The Commission agrees with commenters that critical asset lists contain sensitive information that needs to be protected from public dissemination. The Commission, however, does not believe that this concern is a persuasive rationale for not having an external review mechanism. Rather, adequate safeguards need to be developed to assure that the information contained in critical asset lists is not released during the external review process. While Requirement R4 of CIP-003-1 obligates a responsible entity to “implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets,” the Commission does not view this as inherently conflicting with an external review process that has adequate safeguards to prevent the release of sensitive information.

331. In developing an appropriate external review mechanism, the ERO should include features for the controlled delivery of critical asset lists to the entity performing the external review. Likewise, the ERO should identify minimum safeguards that the external reviewer must deploy to protect sensitive information from disclosure. We agree with commenters' concern that the external reviewer should not become a “central repository” for critical asset lists, and this information should be returned to the responsible entity once the review is complete. The ERO should develop any other safeguards that it believes to be appropriate to protect against the disclosure of sensitive information during the external review process.

332. CEA and Manitoba Hydro comment that some Canadian utilities are prohibited from sharing security information with U.S. authorities. They also note that some Canadian utilities regard sharing sensitive security information externally or with a foreign entity as a security risk. In response, the Commission's Final Rule only addresses the obligations of users, owners and operators of the Bulk-Power System in the United States (excluding Hawaii and Alaska). Accordingly, the Commission's directives regarding the development of an external review mechanism apply only to entities subject to the Commission's jurisdiction pursuant to section 215 of the FPA. Whether a similar review process is appropriate or lawful in other jurisdictions is beyond the scope of this Final Rule.

333. Bonneville comments that external review could result in FOIA concerns for Bonneville and other federal entities. It also cautions that external reviewers of critical federal security information may need federal security clearances before being allowed access to classified information. In response to Bonneville, we agree that a governmental entity subject to FOIA requirements should not be required to share sensitive information about critical asset lists where that sharing could be deemed a waiver of FOIA protection that is otherwise available. Nonetheless, a governmental entity's identification of critical assets should be subject to appropriate oversight. Thus, we direct the ERO, in developing the accountability structure for the technical feasibility exception, to include appropriate provisions to assure that governmental entities can safeguard sensitive information. The ERO should consult with governmental entities that are subject to the CIP Reliability Standards in developing such provisions, and we likewise encourage Bonneville and other governmental entities to participate in the development of such provisions.

334. Further, if a governmental entity has classified material regarding its critical assets, this information may not be disclosed except in accordance with controlling laws and regulations. The ERO's external review process must explicitly recognize this limitation.

f. Interdependency

i. NOPR Proposal

335. In the CIP NOPR, the Commission noted that, while CIP-002-1 pertains to the identification of assets critical to Bulk-Power System reliability, broader interdependency issues with other infrastructures cannot be ignored.[102] The Commission stated its intention to revisit this matter through future proceedings and in cooperation with other agencies to help inform the electric sector and itself about the need for future CIP Reliability Standards, especially when the interdependent infrastructures affect generating capabilities, such as through fuel transportation.

[102] CIP NOPR at P 118.

ii. Comments

336. APPA/LPPC and other commenters support the Commission's proposed determination that the scope of reliability regulation is properly limited to assets critical to the Bulk-Power System, and does not extend to the management of assets that may be important to the operation of other (even if presumably critical) non-electric assets. MidAmerican comments that the expansion of CIP Reliability Standards beyond Bulk-Power System reliability should be approached with caution and only after the compliance effort is complete for the current CIP Reliability Standards. Luminant agrees with the Commission that issues pertaining to system interdependency are complicated and more appropriately addressed in a separate proceeding after the Commission completes its action approving the current NERC CIP Reliability Standards.

337. By contrast, Applied Control Solutions suggests that interdependencies should be included in risk-based assessments, as they can have direct (e.g., electronic connections between electric entities and major customers) and indirect impacts (e.g., loss of major fuel sources) on Bulk-Power System reliability.

338. Likewise, the Congressional Representatives find fault with the CIP Reliability Standards for failing to address interdependencies with other critical infrastructures. The Congressional Representatives state that the Bulk-Power System is an enormous, interconnected network that is both redundant and resilient, making the sole focus on “reliability” and “operability” of the grid as a whole inappropriate. They explain that every critical infrastructure in the country is dependent on the Bulk-Power System, including chemical plants, banks, refineries and military installations. Thus, according to the Congressional Representatives, “focusing on assets relative to the functioning of the grid misses the importance of each individual asset to the functions of our society.”[103] To address the shortcoming, the Congressional Representatives suggest that every electronically connected asset be considered “critical.”

[103] Congressional Representatives comments at 7.

339. Relatedly, the Congressional Representatives are critical of NERC's definition of critical assets as “facilities, systems, and equipment that would affect the reliability and operability” of the Bulk-Power System. The Congressional Representatives explain that this definition fails to recognize the importance of individual elements of the Bulk-Power System that are essential to the delivery of power to the nation's critical infrastructure. They state that generation units serving individual communities, individual substations, telecommunication equipment and distribution assets are critical to the safety and security of the U.S., yet are excluded under CIP-002-1.

iii. Commission Determination

340. The Commission is sensitive to the concerns raised by the Congressional Representatives regarding the severe impact that a cyber attack on assets not critical to the Bulk-Power System could still have on the public. The Commission, however, believes that its authority under section 215 of the FPA does not extend to other infrastructure. Section 215 of the FPA authorizes the Commission to approve Reliability Standards that “provide for the reliable operation of the bulk-power system,” which the statute defines as the facilities and control systems necessary for operation of an interconnected electric energy transmission network and the electric energy needed to maintain transmission system reliability. In addition, section 215(a)(1) specifically excludes from the definition of Bulk-Power System “facilities used in the local distribution of electric energy.” Moreover, given the complexities surrounding this issue and the aggressive timeline that will be necessary merely to meet the more modest task of developing and implementing cyber security standards capable of protecting the reliability of the Bulk-Power System, we will follow the approach that we described in the CIP NOPR of approving CIP Reliability Standards designed to safeguard the reliability of the Bulk-Power System.

341. Although the Commission will not direct modifications to the scope of critical assets to be identified under CIP-002-1, for the reasons discussed above, the Commission agrees with commenters regarding the importance of considering interdependencies with other critical infrastructures. The Commission believes that, to meaningfully address interdependencies with other critical infrastructures, it is important to coordinate with the stakeholders of these other infrastructures as well as with other government agencies and organizations. Thus, we affirm our CIP NOPR approach that “[w]hile broader interdependency issues cannot be ignored, the Commission intends to revisit this matter through future proceedings and with other agencies. This work will help inform the electric sector and this Commission about the need for future Reliability Standards, especially when the interdependent infrastructures affect generating capabilities, such as through fuel transportation.”[104]

[104] CIP NOPR at P 118.

2. CIP-003-1—Security Management Controls

342. Reliability Standard CIP-003-1 seeks to ensure that each responsible entity has minimum security management controls in place to protect the critical cyber assets identified pursuant to CIP-002-1. To achieve this goal, a responsible entity must develop a cyber security policy that represents management's commitment and ability to secure its critical cyber assets. It also must designate a senior manager to direct the cyber security program and to approve any exception to the policy.

343. CIP-003-1, in addition, requires a responsible entity to implement an information protection program to identify, classify, and protect sensitive information concerning critical cyber assets, as well as an access control program to designate who may have access to such information. Finally, a responsible entity must establish a “change control and configuration management” program to oversee changes made to the hardware or software of critical cyber assets.

344. The Commission approves Reliability Standard CIP-003-1 as mandatory and enforceable. In addition, we direct the ERO to develop modifications to this Reliability Standard through its standards development process and to take other actions. These actions pertain to
(1) the adequacy of policy guidance;
(2) discretion to grant exceptions;
(3) leadership;
(4) access authorization;
(5) change control and configuration management; and
(6) interconnected networks.

a. Adequacy of Policy Guidance

345. Requirement R1 of Reliability Standard CIP-003-1 directs a responsible entity to “document and implement a cyber security policy that represents management's commitment and ability to secure its critical cyber assets.” The only guidance that is given with regard to the nature and scope of the cyber security policy is that it should address “the Requirements in CIP-002-1 through CIP-009-1, including the provisions for emergency situations.”

i. NOPR Proposal

346. The Commission proposed in the NOPR that the ERO modify CIP-003-1 to provide additional guidance for the topics and processes that the required cyber security policy should address to ensure that a responsible entity reasonably protects its critical cyber assets.[105] We noted that Recommendation 34 of the Blackout Report called for grid-related organizations to have a planned and documented security strategy, governance model, and architecture for energy management automation systems. The CIP NOPR provided examples of possible topics for security policy guidance, such as communication networks related to control systems; the appropriate use of a defense in depth strategy; the use of wireless communications for control systems; uninterruptible power supplies; and heating, ventilation, and air-conditioning (HVAC) equipment for critical cyber assets.

[105] *See* CIP NOPR at P 123-27.

ii. Comments

347. NERC and other commenters contend that the Commission should not direct the ERO to modify CIP-003-1 to provide additional guidance for the topics and processes that the required cyber security policy should address.[106] The Commission should instead permit and encourage the development of “how” guidelines and work papers. Ontario Power is concerned that the expectation that security policies will address issues that are not currently reflected in the CIP Reliability Standards implies that an entity could be found non-compliant for not following its own policies that are outside of the Reliability Standards. Ontario Power maintains that this would be an unfounded increase in the scope of the CIP Reliability Standards.

[106] *E.g.,* Alliant Energy, Mr. Brown, FirstEnergy, Idaho Power, ISO/RTO Council and Ontario Power.

348. ISO/RTO Council opposes the Commission proposal and expresses concern that if a responsible entity's security policies go beyond the specific Requirements of the Reliability Standards, it could be penalized for failure to implement the policies fully. ISO/RTO Council also objects to reporting any steps that exceed what the CIP Reliability Standards require to any third party. It argues that it would be wasteful to require development of one set of plans, policies and standards to meet what is explicitly required by the Reliability Standards and another that is applicable to other assets such as market systems. ISO/RTO Council requests that the Commission clarify that monitoring for non-compliance will pertain to the specific Requirements of the Reliability Standards, not to requirements expressed in corporate policies relevant to security.

349. In contrast, SoCal Edison believes that it is appropriate to include guidance in CIP-003-1 on important systems that have not yet been addressed, such as data and communications networks, but that guidance on topics such as power supplies, heating, and other equipment is too detailed for a corporate level policy. APPA/LPPC agree that security policies will address issues that are not currently reflected in the CIP Reliability Standards but that are important for control system security. Further, APPA/LPPC state that the nature and scope of a responsible entity's cyber security management policy generally should be left to the entity's discretion.

350. ReliabilityFirst and SPP comment that an entity's overall organizational security policies should address protection of supporting infrastructure and appropriately define a defense in depth posture. However, they are concerned that, by including such infrastructure in the scope of the CIP Reliability Standards, an audit could determine that the devices supporting the network throughout the entity should be considered either critical cyber assets or electronic security perimeter access points and thus become subject to all of the Requirements of the CIP Reliability Standards. Their concern is the possibility of increasing the scope of the electronic security perimeter to include the entity's entire communications network and all assets connected thereto.

351. Other commenters raise concerns about whether specific issues should be addressed in this guidance. Idaho Power disagrees with the Commission's proposal to address the protection of support systems (*e.g.*, communication and HVAC) in the CIP Reliability Standards. It states that other Commission-approved Reliability Standards are better suited for addressing these issues. For example, according to Idaho Power, communication concerns should be addressed in COM-001.

352. Tampa Electric notes that cyber assets associated with communications networks and data communication links between distinct electronic security perimeters are exempt under the CIP Reliability Standards. It urges that this exemption be maintained and that further consideration of the exemption's merit should be addressed only in the Reliability Standards development process. Likewise, National Grid and MidAmerican oppose expanding the CIP Reliability Standards to cover communications and data networks beyond those directly involved in the security of control systems.

353. APPA/LPPC agree that it is reasonable for responsible entities to be responsible for the communications systems they own and operate. However, they cannot be expected to oversee the operations of commercial communication carriers. APPA/LPPC state that the Commission should recognize that it has no authority to compel commercial communication carriers to comply with the CIP Reliability Standards and that responsible entities cannot compel them to comply.

354. ReliabilityFirst and SPP are concerned that environmental systems would become subject, at a minimum, to the requirements of CIP-006-1 (Physical Security). Environmental systems are often not fully enclosed within a physical security perimeter as defined by the Reliability Standard, and it is impractical in some instances to do so. ReliabilityFirst states that, besides expanding the scope of the Reliability Standards to encompass issues that either have no bearing on Bulk-Power System reliability or are specifically excluded from the CIP Reliability Standards, the Commission's proposal improperly deals with “how” a responsible entity is to address a Requirement.

iii. Commission Determination

355. The Commission believes that responsible entities would benefit from additional guidance regarding the topics and processes to address in the cyber security policy required pursuant to CIP-003-1. While commenters support the need for guidance, many are concerned about providing such guidance through a modification of the Reliability Standard. We are persuaded by these commenters. Accordingly, the Commission directs the ERO to provide additional guidance for the topics and processes that the required cyber security policy should address. However, we will not dictate the form of such guidance. For example, the ERO could develop a guidance document or white paper that would be referenced in the Reliability Standard. On the other hand, if it is determined in the course of the Reliability Standards development process that specific guidance is important enough to be incorporated directly into a Requirement, this option is not foreclosed. The entities remain responsible, however, for complying with the cyber security policy pursuant to CIP-003-1.

356. In response to ISO/RTO Council, Ontario Power and other commenters, the Commission's intent in the CIP NOPR—as well as in the Final Rule—is not to expand the scope of the CIP Reliability Standards. Requirement R1 of CIP-003-1 requires a responsible entity to document and implement a cyber security policy “that represents management's commitment and ability to secure its Critical Cyber Assets.” The Requirement then states that the policy, “at a minimum,” must address the Requirements in CIP-002-1 through CIP-009-1. The Commission believes that there are other topics, besides those addressed in the Requirements of the CIP Reliability Standards, which are relevant to securing critical cyber assets. The Commission identified examples of such topics in the CIP NOPR. Thus, the Commission, in directing the ERO to develop guidance on additional topics relevant to securing critical cyber assets, is not expanding the scope of the CIP Reliability Standards.

357. Nor do we believe, as suggested by Idaho Power, that the proposed topics for guidance are better addressed by revisions to other Reliability Standards.
Again, the guidance is in the context of securing critical cyber assets and is best addressed in the CIP Reliability Standards or a supporting guidance document. 358. In response to SoCal Edison, we disagree that guidance on topics such as power supplies, heating, and other equipment is too detailed for a corporate level policy. These topics are potentially relevant to securing critical cyber assets and, therefore, appropriate topics for guidance. 359. ISO/RTO Council, Ontario Power and other commenters raise concerns regarding potential civil penalty liability if a responsible entity addresses the additional guidance topics in its cyber security policy. The Commission does not believe that the inclusion of additional topics in the cyber security policy will increase a responsible entity's penalty liability. We provide our views regarding the enforcement of cyber security policies below in addressing exceptions to such policies. In particular, we state there that our concern is that a good policy exists and that it is implemented through the exercise of sound reasoning. Consistent with the discussion in the following section, we do not believe that an entity's decision to not follow its cyber security policy in a particular situation should trigger a penalty, as long as no Reliability Standard Requirement (other than Requirement R1 in CIP-003-1) is violated as a result. We do require that the reasoning be documented to ensure that the responsible entity is indeed implementing the security policy as required by Requirement R1 of CIP-003-1. 360. We agree with APPA/LPPC that responsible entities cannot be expected to oversee the operations of commercial communications carriers. However, this is an example of precisely why more guidance would be useful. Since responsible entities cannot oversee commercial communications carriers, it is important that they consider what they can do to guard against potential threats from that quarter. b. 
Discretion to Grant Exceptions 361. Requirement R3 of CIP-003-1 provides that a responsible entity must document as an exception each instance where it cannot conform to its security policy developed pursuant to Requirement R1. Exceptions need senior manager approval. The documentation must include “an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk.” An exception to the cyber security policy must be documented within 30 days of senior management approval. An authorized exception must be reviewed and approved annually to ensure that the exception is still required and valid. i. NOPR Proposal 362. The Commission expressed concern in the CIP NOPR that Requirement R2 allows a responsible entity too much latitude in excusing itself from compliance with its cyber security policy. 107 The Commission, therefore, proposed to direct the ERO to develop modifications to CIP-003-1 that require a responsible entity to submit documentation of cyber security policy exceptions periodically to the relevant Regional Entity to provide added assurance that exceptions are adequately justified. 107 *See* CIP NOPR at P 128-33. 363. Further, the Commission distinguished between situations where a responsible entity excepts itself from its cyber security policy and where it excepts itself from specific Requirements of the CIP Reliability Standards based on technical feasibility and stated that exceptions from a policy provision do not also excuse compliance with a Requirement. In that regard, the Commission proposed that the ERO develop modifications to clarify that the exceptions mentioned in Requirements R2.3 and R3 of CIP-003-1 do not except responsible entities from the Requirements of the CIP Reliability Standards. ii. Comments 364. 
While NERC and ReliabilityFirst do not comment specifically on Regional Entity review of exceptions to a responsible entity's cyber security policy, their general comment is that the Commission should rely on NERC's existing oversight structure is applicable here. 365. EEI and other commenters oppose requiring responsible entities to submit documentation of exceptions to the cyber security policy to Regional Entities. EEI disagrees with the Commission's assertion that CIP-003-1 gives a responsible entity too much latitude to excuse itself from compliance with its cyber security policy. EEI adds that it is sufficient that exceptions to a cyber security policy must be explained in writing and approved by a designated manager. According to EEI, external accountability for such decisions is a function of the audit process, and the Commission should not suggest that the Regional Entity step outside its role of enforcing the Reliability Standards and engage in enforcing a responsible entity's internal cyber security policy. PG&E submits that the proposal is burdensome. 366. Entergy disagrees that responsible entities should be required to submit documentation of exceptions periodically to their Regional Entity. Entergy believes that a proper security policy will track what the Reliability Standards require. The Commission, the ERO, and Regional Entities should not be concerned with policy exceptions but rather only with whether the Requirements of the CIP Reliability Standards are being met. Entergy also argues that requiring documentation of exceptions could cause internal policies to be written less rigorously to avoid the burden of excessive documentation. 367. CEA and Manitoba Hydro are concerned that periodic submission of documents on cyber security policy exceptions to Regional Entities may allow the release of highly sensitive information. 
Manitoba Hydro states that such documentation would contain details about existing critical cyber assets and their security weaknesses that would threaten both security and reliability if it were released inadvertently into the wrong hands. SoCal Edison suggests that it is more appropriate for responsible entities to house all justifications for policy exceptions internally and have them reviewed during an audit. Bonneville is concerned that the practice could be deemed a waiver of FOIA protections. Bonneville also is concerned that external reviewers may be required first to obtain required federal security clearances before accessing the information. 368. MidAmerican believes that the reporting of exceptions will indicate a weak spot in a responsible entity's cyber security policy and a secure method of handling these exceptions would need to be established. 369. Several commenters address the Commission's proposal to clarify that the exceptions mentioned in Requirements R2.3 and R3 of CIP-003-1 do not except responsible entities from the Requirements of the CIP Reliability Standards. EEI opposes the Commission's proposal for the same reasons described above. MidAmerican comments that it has not interpreted Requirements R2.3 and R3 as the ability to avoid compliance. 370. Related, SPP states that a responsible entity cannot exempt itself from a Requirement of a CIP Reliability Standard. Once a policy is in place to comply with these Requirements, the only recourse in cases of technical infeasibility or other valid reason is to document an exception to the security policy. SPP maintains that the Commission's proposal for reporting and approval of technical feasibility exceptions would, if adopted, extend to exceptions to the required security policy if the exception would make the responsible entity incapable of complying fully with a Requirement of the CIP Reliability Standards. 371. 
Northern Indiana requests clarification of the information that would be required to justify an exception and suggests that it match the level of information required in self-certifications. It suggests that a responsible entity would benefit from consultation when attempting to justify an exception and that monetary penalties should be waived during this time as well as within the timeframe of any remediation plan. Northern Indiana also contends that security policy exceptions which do not affect compliance with the Reliability Standards need not be documented. Some policies may be stricter than the Reliability Standards, and responsible entities should not be required to submit documentation of exceptions that are consistent with the Reliability Standards Requirements. iii. Commission Determination 372. The Commission continues to believe that it is important that there be ERO and Regional Entity oversight of exceptions from required security policies, however, the Commission agrees with commenters such as EEI and PG&E that this oversight is best accomplished through the existing Regional Entity oversight and audit process. 373. Requirement R1 of CIP-003-1 requires the development and implementation of a security policy. Requirement R3 provides that a responsible entity must document exceptions to its policy with documentation and senior management approval. The Commission is concerned that, if exceptions mount, there would come a point where the exceptions rather than the rule prevail. In such a situation, it is questionable whether the responsible entity is actually implementing a security policy. We therefore believe that the Regional Entities should perform an oversight role in providing accountability of a responsible entity that excepts itself from compliance with the provisions of its cyber security policy. 
Further, we believe that such oversight would impose a limited additional burden on a responsible entity because Requirement R3 currently requires documentation of exceptions. 374. That being said, the Commission agrees with EEI and others that Regional Entity review of exceptions to a responsible entity's cyber security policy is best accomplished pursuant to the existing Regional Entity audit process where all the relevant facts and circumstances can be considered. Further, review of exceptions to a cyber security policy in the audit process should effectively address commenter concerns regarding disclosure of sensitive information by keeping that data on site. 108 108 In the Final Rule, the Commission has directed the ERO to develop somewhat different external review processes in different contexts. As discussed immediately above, the Commission believes that exceptions to a responsible entity's cyber security policy are appropriately addressed in the course of the Regional Entity's audit process. The Commission has also directed that Regional Entities evaluate and approve a responsible entity's reliance on the technical feasibility exception as part of the audit process. In addition, to provide the Regional Entity with an “upfront” understanding regarding the extent of industry reliance on the technical feasibility exception, as well as to allow the Regional Entity to adequately prepare for an audit, the Commission also required that a responsible entity submit a “notice” to the Regional Entity when the exception is invoked. In contrast, due to the importance of timely verifying that responsible entities have developed accurate cyber asset lists pursuant to CIP-002-1, the Commission has directed the development of an external review separate from the audit process. Thus, the Commission has tailored different review processes to different situations to minimize the burden on industry yet satisfy the goal of assuring adequate oversight. 375. 
As we discuss elsewhere in the Final Rule, we agree with Bonneville regarding the need to preserve a governmental entity's FOIA protections and address security clearance concerns. The ERO should address these concerns through consultation with relevant governmental entities. 376. Further, the Commission adopts its CIP NOPR proposal and directs the ERO to clarify that the exceptions mentioned in Requirements R2.3 and R3 of CIP-003-1 do not except responsible entities from the Requirements of the CIP Reliability Standards. In response to EEI, we believe that this clarification is needed because, for example, it is important that a responsible entity understand that exceptions that individually may be acceptable must not lead cumulatively to results that undermine compliance with the Requirements themselves. 377. The Requirement to develop and implement a security policy differs from many other Requirements in that it is a means to the end of implementing those Requirements. Our concern that exceptions be documented and justified is primarily a concern that there be reasoned decision-making, consistency, and subsequent effectiveness in implementing the policy. We thus disagree with Northern Indiana that security policy exceptions which do not affect compliance with the Reliability Standards need not be documented. Further, in response to Entergy, as stated elsewhere in this Final Rule, our concern is that a good policy exists and that it is implemented through the exercise of sound reasoning. We do not believe that an entity's decision to not follow its cyber security policy in a particular situation should trigger a penalty, as long as no Reliability Standard Requirement (other than Requirement R1 in CIP-003-1) is violated as a result. We do require that the reasoning be documented to ensure that the responsible entity is indeed implementing the security policy as required by Requirement R1 of CIP-003-1. 378. 
In response to Northern Indiana's request for clarification of the information that would be required to justify an exception, we leave it to the ERO to provide guidance on the level of information that it considers appropriate, consistent with our discussion above. c. Leadership i. NOPR Proposal 379. Requirement R2 of CIP-003-1 requires that a senior manager be assigned overall responsibility for implementation of the CIP Reliability Standards. In the CIP NOPR, the Commission interpreted this Requirement to require the designation of a single manager who has direct and comprehensive responsibility and accountability for implementation and ongoing compliance with the CIP Reliability Standards. 109 The Commission noted that Recommendation 43 of the Blackout Report called for clear lines of authority and ownership for security matters, and it proposed to direct that the ERO modify CIP-003-1 to make clear the senior manager's ultimate responsibility. 109 *See* CIP NOPR at P 134-36. ii. Comments 380. Bonneville states that the Commission should clarify whether its intent is to make the senior manager personally accountable for violations of the CIP Reliability Standards, i.e., subject to civil penalties for violations, so that necessary action can be taken to protect the manager, such as acquiring additional personal insurance coverage. Similarly, NRECA asks the Commission to confirm that the senior manager responsible for CIP Reliability Standards compliance is not, by virtue of his position, subject to civil penalties pursuant to section 215 of FPA. iii. Commission Determination 381. The Commission adopts its CIP NOPR interpretation that Requirement R2 of CIP-003-1 requires the designation of a single manager who has direct and comprehensive responsibility and accountability for implementation and ongoing compliance with the CIP Reliability Standards. 
The Commission's intent is to ensure that there is a clear line of authority and that cyber security functions are given the prominence they deserve. The Commission agrees with commenters that the senior manager, by virtue of his or her position, is not a user, owner or operator of the Bulk-Power System that is personally subject to civil penalties pursuant to section 215 of FPA. d. Information Access Authorization 382. Requirement R5 of CIP-003-1 directs the responsible entity to implement a program for managing access to protected critical cyber asset information and requires, among other things, that the list of personnel responsible for authorizing access to protected information be verified at least annually. i. NOPR Proposal 383. The Commission explained in the CIP NOPR that CIP-007-1, Requirement R5 (access implementation), CIP-004-1, Requirement R4 (access revocation), and CIP-003-1, Requirement R5 (access review and approval) each contain provisions on access to information, and it took the position that these various provisions are not interlinked as clearly as they should be. The Commission noted that Recommendation 44 of the Blackout Report stresses the need to prevent inappropriate disclosure of information. Thus, the CIP NOPR proposed to direct that the ERO modify Reliability Standards CIP-003-1, CIP-004-1, and/or CIP-007-1, to ensure that when access to protected information is revoked, it is done so promptly. ii. Comments 384. CPUC agrees with the Commission's proposal on clarifying that a revocation of access to protected information should be accomplished promptly, but it maintains that that the term “promptly” is too subjective. It would be more appropriate to specify a definite time interval for revoking access. 
FirstEnergy agrees with the Commission's proposal and states that in all cases of access authorization under the CIP Reliability Standards, responsible entities should revoke an employee's access to critical cyber assets within 24 hours in cases of termination for cause and within seven days for other personnel no longer needing such access. MidAmerican takes a similar position. 385. Northern Indiana states that while a responsible entity may remove an employee's or vendor's access to its critical cyber assets and systems, it cannot eliminate all possible access to information. A responsible entity cannot enter the employee's home to remove or destroy information that the employee, particularly the vendor's employee, may have maintained in his home because in the course of his employment he wanted ready reference to such information. A responsible entity may make a reasonable request that information be returned, but immediate return may not occur. iii. Commission Determination 386. The Commission adopts its CIP NOPR proposal and directs the ERO to develop modifications to Reliability Standards CIP-003-1, CIP-004-1, and/or CIP-007-1, to ensure and make clear that, when access to protected information is revoked, it is done so promptly. In general, the Commission agrees with commenters and believes that access to protected information should cease as soon as possible but not later than 24 hours from the time of termination for cause. 387. In response to Northern Indiana, while we acknowledge that responsible entities are not authorized to enter private homes, we believe that an appropriate cyber security policy will ensure that such information is present in an employee's home only for legitimate reasons specified in the policy and should require the return of all information upon request. e. Change Control and Configuration Management 388. 
Requirement R6 of CIP-003-1 requires a responsible entity to establish a process of “change control and configuration management” for adding, modifying, replacing, or removing critical cyber asset hardware or software. i. NOPR Proposal 389. The Commission noted in the CIP NOPR that Requirement R6 does not address accidental consequences or malicious actions by individuals where commercial vendors test and certify that the electronic security patches they provide will not adversely affect other electronic systems already in place. 110 The Commission proposed to direct that the ERO develop a modification to Requirement R6 to require that authorized changes made to critical cyber assets only affect the processes they are intended to affect (to address both accidental consequences and malicious actions by individuals performing the changes). Also, the CIP NOPR proposed that the ERO develop a new requirement for responsible entities to take actions to detect unauthorized changes to critical cyber assets, whether originating from inside or outside the responsible entity. 110 *See id* . P 140-44. ii. Comments 390. Entergy, ISO/RTO Council, Northern Indiana and PG&E oppose the Commission's proposed modifications to Requirement R6 of CIP-003-1. Entergy argues that the Commission's concern will be addressed by CIP-007-1 when implemented by information security professionals and changes to CIP-003-1 are unnecessary and burdensome. Entergy and BPA also believe that the NIST Security Risk Management Framework offers further comprehensive controls. Northern Indiana points out that assets and systems targeted by the proposal include software as well as hardware. 391. MidAmerican believes that Requirement R6 is sufficient as written and clearly outlines the process of review, testing and approval, and is adequate for monitoring of change control and configuration management. 
Idaho Power is concerned about the current availability of technology to assist in detecting accidental and malicious modifications. It asks whether the Commission is concerned with unauthorized changes, unintended changes or both. Idaho Power opposes additional changes and states that it can reduce the risk of unauthorized changes significantly, but it cannot eliminate them entirely. Idaho Power believes that there will be adequate protection against unintended changes where there are appropriate test plans, trained and qualified personnel, and a regimented change management process. 392. ISO/RTO Council states that it does not understand what the Commission meant by “detection and monitoring controls” and suggests that it consider the phrase “verification that unintended changes have not been made.” ISO/RTO Council objects to testing the functionality of changes made to live production systems. It agrees that verification of manually initiated changes is appropriate, and responsible entities should also be required to monitor and determine whether unintended changes have been made to devices in the production environment and to investigate and remediate any unintended changes. According to ISO/RTO Council, it is not always possible to confirm definitively or safely that applying a tested and approved change on a production device has had the intended effect, especially where the modification is rarely triggered or where testing could adversely affect reliability. ISO/RTO Council prefers a requirement to verify that changes have been made on the intended devices, to monitor for unintended or unplanned changes, and to investigate and remediate any exceptions that are discovered. 393. Further, ISO/RTO Council states some changes are intentionally initiated automatically using pre-approved means, such as automated virus signature updates. These changes can be unpredictable and can occur multiple times per day. 
ISO/RTO Council agrees these changes need to be verified, but states it is impractical and unnecessary to verify each change as it happens and suggests periodic verification that the necessary updates, or their cumulative equivalent, have been effectuated. 394. PG&E argues that technical problems could cause downtime of critical assets if this requirement is imposed. Any requirements for detection and monitoring controls for unintended changes must allow for controls that do not require considerable downtime for the critical cyber assets. 395. Puget Sound argues that the CIP Reliability Standards should expressly recognize that change control and configuration management processes for critical cyber assets cannot ensure 100 percent integrity for those assets when making changes. The CIP Reliability Standards also should recognize that test environments can mimic portions of the production environment but cannot capture all of the actual interactions among critical cyber assets. 396. ReliabilityFirst and SPP state that changes should be properly tested prior to implementation, although it may not always be feasible to test a change in an offline environment. They believe that a strict interpretation of the Commission proposal would be impossible to implement, as it would require a comprehensive regression test, including failure testing, to be performed on the entire environment. Even that might not detect an unintended consequence of the change and could conceivably result in an expectation to report an issue of non-compliance. Regression testing is appropriately reserved for significant changes, such as version upgrades or new applications, but not all changes. They state that appropriate mitigation measures exist for reducing the risk of unintended consequences resulting from changes. iii. Commission Determination 397. 
Based upon the comments received the Commission is altering its position on how best to address the apparent deficiencies of Requirement R6 in CIP-003-1. The Commission directs the ERO to develop modifications to Requirement R6 of CIP-003-1 to provide an express acknowledgment of the need for the change control and configuration management process to consider accidental consequences and malicious actions along with intentional changes. The Commission believes that these considerations are significant aspects of change control and configuration management that deserve express acknowledgement in the Reliability Standard. While we agree with Entergy that the NIST Security Risk Management Framework offers valuable guidance on how to deal with these matters, our concern here is that the potential problems alluded to be explicitly acknowledged. Our proposal does not speak to how these problems should be addressed. We do not believe that the changes will have burdensome consequences, but we also note that addressing any unnecessary burdens can be dealt with in the Reliability Standards development process. 398. We agree with ISO/RTO Council that the phrase “verification that unintended changes have not been made” captures the core issue. Our concern is that some form of verification is performed to detect when unauthorized changes have been made and to identify those changes, as well as ensuring that the proper alerts are issued. 399. Many of the comments address practical issues involved in addressing accidental consequences and malicious actions, and we recognize that such issues exist. We, thus, agree with Puget Sound that change control and configuration management processes for critical cyber assets cannot ensure 100 percent integrity for those assets when making changes. We do not seek absolute assurances but rather are concerned that there be processes in place that permit a reasonably high level of confidence modifications do not have unintended consequence. 
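Paragraphs 392 through 399 describe the kind of verification at issue: confirm that approved changes landed on the intended devices, monitor for unintended or unplanned changes, verify pre-approved automatic updates such as signature files cumulatively rather than one at a time, and investigate the exceptions. The Python below is an added illustration of such a check; it is not code from the Commission's order, from NERC or from any CIP standard, and the device name, file paths, change record identifiers and the signature file format are all constructed.

```python
"""Verification that unintended changes have not been made to a critical
cyber asset: compare what is observed on a device with its approved
baseline and its change records, and classify every difference.
Constructed example: not code from the Commission's order, NERC or any CIP
standard; device names, paths, record ids and file formats are made up."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class ChangeRecord:
    """An approved, tested change: which device, which file, which content."""
    change_id: str
    device: str
    path: str
    approved_digest: str


# Pre-approved automatic changes (signature updates) are verified cumulatively:
# the rules map path -> lowest version that must be present at check time.
SIGNATURE_VERSION = re.compile(rb"^signatures v=(\d+)")  # constructed file format


def signature_version(content: bytes) -> Optional[int]:
    match = SIGNATURE_VERSION.match(content)
    return int(match.group(1)) if match else None


def verify_device(device: str, baseline: Dict[str, str], observed: Dict[str, bytes],
                  changes: List[ChangeRecord], auto: Dict[str, int]) -> Dict[str, Tuple[str, str]]:
    """Return path -> (status, detail) for every file in baseline or observed.
    baseline maps path -> approved digest; observed maps path -> current content."""
    here = {c.path: c for c in changes if c.device == device}
    elsewhere = {c.approved_digest: c for c in changes if c.device != device}
    result: Dict[str, Tuple[str, str]] = {}
    for path, content in observed.items():
        now = digest(content)
        if path in auto:
            version = signature_version(content)
            if version is None:
                result[path] = ("unauthorized", "auto-update file not in expected format")
            elif version < auto[path]:
                result[path] = ("auto_update_missing", f"version {version} < {auto[path]}")
            else:
                result[path] = ("pre_approved_auto", f"version {version} passes cumulative check")
        elif now == baseline.get(path):
            if path in here:  # approved for this device but never landed
                result[path] = ("authorized_not_applied", f"{here[path].change_id} not applied")
            else:
                result[path] = ("unchanged", "matches baseline")
        elif path in here and now == here[path].approved_digest:
            result[path] = ("authorized", f"matches tested content of {here[path].change_id}")
        elif path in here:  # landed, but not the content that was tested and approved
            result[path] = ("deviates_from_approved", f"{here[path].change_id} content differs")
        elif now in elsewhere:  # an approved change applied to the wrong device
            rec = elsewhere[now]
            result[path] = ("unauthorized", f"matches {rec.change_id}, approved for {rec.device}")
        else:
            result[path] = ("unauthorized", "no change record covers this content")
    for path in baseline:  # removal is a change too
        if path not in observed:
            result[path] = ("unauthorized", "baseline file is missing")
    return result


INVESTIGATE = {"unauthorized", "deviates_from_approved", "authorized_not_applied",
               "auto_update_missing"}


def exceptions(result: Dict[str, Tuple[str, str]]) -> List[str]:
    """Paths whose status must be investigated and remediated."""
    return [path for path, (status, _) in result.items() if status in INVESTIGATE]


# Constructed sample data for one device.
BASELINE = {
    "/etc/ems/app.conf": digest(b"poll_interval=2\n"),
    "/etc/ems/users.conf": digest(b"operator:role=view\n"),
    "/opt/ems/bin/scada": digest(b"scada-build-1\n"),
}
CHANGES = [
    ChangeRecord("CR-101", "EMS-APP-01", "/etc/ems/app.conf", digest(b"poll_interval=4\n")),
    ChangeRecord("CR-102", "EMS-APP-02", "/opt/ems/bin/scada", digest(b"scada-build-2\n")),
    ChangeRecord("CR-103", "EMS-APP-01", "/etc/ems/users.conf",
                 digest(b"operator:role=view\nengineer:role=edit\n")),
]
AUTO = {"/var/lib/av/signatures.dat": 120}
OBSERVED = {
    "/etc/ems/app.conf": b"poll_interval=4\n",            # CR-101 applied as tested
    "/etc/ems/users.conf": b"operator:role=view\n",       # CR-103 never landed
    "/opt/ems/bin/scada": b"scada-build-2\n",             # CR-102 landed on the wrong device
    "/var/lib/av/signatures.dat": b"signatures v=137\n",  # automatic update, checked cumulatively
    "/opt/ems/bin/helper": b"unknown\n",                  # nothing approves this file
}


def run_sample(observed: Dict[str, bytes] = OBSERVED) -> Dict[str, Tuple[str, str]]:
    return verify_device("EMS-APP-01", BASELINE, observed, CHANGES, AUTO)


if __name__ == "__main__":
    for path, (status, detail) in run_sample().items():
        print(f"{status:24} {path}: {detail}")
```

Only the three findings flagged by `exceptions` (the change that never landed, the change applied to the wrong device, and the file no record covers) need investigation; the applied-as-tested change and the cumulatively verified signature update do not.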
However, we reject Puget Sound's proposal that the Reliability Standard should expressly recognize that absolute assurances are not required. We also believe that our revised directive to the ERO on Requirement R6 addresses Puget Sound's concern about the limitations imposed by a test environment.

400. In response to ReliabilityFirst and SPP, we understand that comprehensive regression testing is not necessary for every change regardless of how insignificant. We also agree with ISO/RTO Council that it can be impractical and unnecessary to verify every intentional automatic change as it occurs. We believe that our revised directive to the ERO addresses these concerns.

f. Interconnected Networks

i. NOPR Proposal

401. The Commission proposed in the CIP NOPR to direct the ERO to modify Reliability Standard CIP-003-1 to provide direction on the issues and concerns that a mutual distrust posture must address to protect a control system from the “outside world.” 111 The Commission noted that interconnected control system networks are susceptible to infiltration by a cyber intruder and stated that responsible entities should protect themselves from whatever is outside their control systems. An architecture with a mutual distrust posture could involve various hardware or software mechanisms or manual procedures to restrict and verify access to the control system from these outside sources. Examples include: firewalls; data checking software(s); or procedures for manually implementing a connection to allow a vendor to perform maintenance work.

111 *Id.* at P 147.

ii. Comments

402. FirstEnergy agrees with the intent of the Commission's proposal that there be more direction on what constitutes a mutual distrust posture, but it argues that the need for uniform processes should be balanced against the need for flexibility in individual cases. FirstEnergy argues that each entity may have a unique architecture that requires a unique protection scheme. In addition, a common security method could cause a vulnerability of its own, in that one successful cyber attack could compromise all security systems if there are similarities across all systems.

403. ISO-NE agrees that the mutual distrust principle is a useful consideration when determining when to protect cyber assets and in designing a secure system architecture, but it disagrees that it should be used as a measurable requirement. ISO-NE thus asks the Commission to omit any direction to the ERO to address the concept of mutual distrust.

404. Northern Indiana comments that the Commission's proposal on mutual distrust is unnecessary because the issue is addressed in Reliability Standards CIP-005-1 and CIP-007-1. It argues that if the Commission's proposal on mutual distrust were applied in unqualified terms, it would have to sever the Midwest ISO's communication link to the Northern Indiana control system. Northern Indiana states that it trusts the Midwest ISO in its role as the reliability coordinator over the Northern Indiana electric system and thus argues that the Commission should exempt reliability coordinators. If the Commission does not exempt reliability coordinators, Northern Indiana respectfully requests that the Commission clarify and refine the definition of the term mutual distrust.

405. Entergy argues that the Commission needs to direct the ERO to define the term mutual distrust in CIP-003-1 to foreclose ambiguities in application and enforcement. Entergy notes that NIST has many documents in its SP800 Series that provide excellent treatment of the issues and variables involved in the concept of mutual distrust and that complement the NIST Security Risk Management Framework. The Commission could direct the ERO to consider this guidance. Entergy argues that the broad wording of the Commission's proposal extends beyond the scope of the Reliability Standards. It also argues that the Commission's proposal would direct the ERO to specify what the end result must be rather than permitting the Reliability Standards process to establish the optimum solution.

406. MidAmerican submits that the terms mutual distrust and outside world require clarification to facilitate compliance. MidAmerican recommends that the Commission ensure that the guidelines to be developed have no impact on either performance or reliability. EMS/SCADA systems are tuned for and certified by their vendor at specific communication rates. The introduction of delays due to additional security layers to communications and data exchange may impact reliability.

iii. Commission Determination

407. The Commission proposed in the CIP NOPR that the ERO provide direction, i.e., guidance, regarding the issues and concerns that a mutual distrust posture must address in order to protect a responsible entity's control system from the outside world. The Commission noted that a mutual distrust posture requires each responsible entity that has identified critical cyber assets to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates.

408. The Commission agrees with FirstEnergy on the importance of flexibility in developing a mutual distrust posture, but does not see a conflict between the need for flexibility and what it is proposing, which is simply more guidance. More guidance will allow responsible entities to implement measures adapted to their specific situations more consistently and effectively. Additional guidance need not be included in a specific Requirement, but could be in the form of examples. We will leave it to the Reliability Standards development process and the ERO to decide whether some or all of the guidance can be contained in separate guidance documents referenced in the Reliability Standard.
In response to Entergy, the Commission is not directing that the ERO establish a specific end result. Our concern is simply that responsible entities have guidance on how to achieve an appropriate result in individual cases, which can vary on a case-by-case basis. We disagree that providing useful guidance affects the scope of the Reliability Standards. 409. We agree with Entergy that NIST provides much guidance, but we disagree that it is necessary to define the term mutual distrust. Our proposal is that there be guidance on certain issues and concerns, and we therefore do not believe that a formal definition advances that goal. In response to MidAmerican, we believe that clarification of the terms mutual distrust and outside world, as well as ensuring that any guidelines developed do not harm performance or reliability, are matters that the ERO should consider in the Reliability Standards development process. 410. We disagree with Northern Indiana that Reliability Standards CIP-005-1 and CIP-007-1 address the matters of concern to us. Northern Indiana does not explain how these Reliability Standards provide guidance of the type we have described. We also disagree that the mutual distrust principle would require responsible entities to sever their communication links with their ISO or RTO or reliability coordinator. The principle could play a role in determining what precautions would need to be taken to protect those communications, but we do not see why it would lead to the specific result that Northern Indiana identifies. Mutual distrust does not imply refusal to communicate; it means the exercise of appropriate skepticism when communicating. The Commission believes additional guidance on what this means specifically in current practice would help responsible entities to avoid these misunderstandings. 411. 
We disagree with ISO-NE that guidance on mutual distrust is unnecessary because responsible entities either are compliant or they are not, mutual distrust notwithstanding. We do not see how responsible entities can fully understand the compliance issues they face without some understanding of how mutual distrust is applied in a modern security environment. Mutual distrust helps explain where an entity's responsibilities begin and end and what assumptions it can make about factors outside its control when it performs its risk-based assessment. 412. The Commission therefore directs the ERO to provide guidance regarding the issues and concerns that a mutual distrust posture must address in order to protect a responsible entity's control system from the outside world. 3. CIP-004-1—Personnel and Training 413. Standard CIP-004-1 requires that personnel having authorized cyber access or unescorted physical access to critical cyber assets must have an appropriate level of personnel risk assessment, training and security awareness. Responsible entities must develop and implement a security awareness program that addresses concerns related to cyber security; a cyber security training program for affected personnel that addresses policies, access controls, procedures for the proper use of critical cyber assets, physical and electronic access to critical cyber assets, proper handling of asset information, and recovery methods after a cyber security incident; and a personnel risk assessment program for all personnel having access to critical cyber assets. 414. As discussed further below, the Commission approves Standard CIP-004-1 as mandatory and enforceable. In addition, we direct the ERO to develop modifications to this CIP Reliability Standard. The Commission also requires the ERO to clarify and provide guidance on other matters. The required modifications are discussed below in the following topic areas of concern regarding CIP-004-1:
(1) Training;
(2) personnel risk assessments;
(3) cyber and physical access; and
(4) jointly owned facilities.
a. Training 415. The requirements for ongoing awareness reinforcement in sound security practices specified in Requirement R1 and for training specified in Requirement R2 apply to all personnel, contractors, and service vendors who have authorized cyber access or unescorted physical access to critical cyber assets. Requirement R2.1 allows such personnel to have access to critical cyber assets for up to 90 days prior to receiving any cyber security training. i. NOPR Proposal 416. In the CIP NOPR, 112 the Commission stated that training is integral to the protection of critical cyber assets, and that allowing personnel access to critical cyber assets prior to receiving training increases the vulnerability of and risk to such assets. The Commission proposed to direct the ERO to modify CIP-004-1 to require affected personnel to receive the required training before obtaining access to critical cyber assets (rather than within 90 days of access authorization), but to limit exceptions to circumstances such as emergencies, subject to documentation and mitigation. To facilitate communications in emergency situations, the Commission proposed to direct the ERO to require responsible entities to identify “core training” elements to ensure that essential training elements will not go unheeded in an emergency and in other contingency situations where full training prior to access will not best serve the reliability of the Bulk-Power System. We also proposed that the ERO consider what, if any, modifications to CIP-004-1 should be made to assure that security trainers are adequately trained themselves. 112 *See Id.* at P 151-61. 417. 
In addition, the Commission proposed to direct the ERO to modify CIP-004-1 to clarify that the cyber security training programs required by Requirement R2 are intended to encompass training on the networking hardware and software and other issues of electronic interconnectivity supporting the operation and control of the critical cyber assets. The CIP NOPR stated that CIP-004-1 should clearly state that cyber security training concerning a critical cyber asset should encompass the electronic environment in which the asset is situated and the attendant vulnerabilities. To clarify that point, we proposed that the ERO consider adding a provision similar to that in Requirement R1.4 of CIP-005-1, which specifically subjects any non-critical cyber asset within a defined electronic security perimeter to the CIP Reliability Standard. 418. Further, the Commission proposed to direct that the ERO increase the guidance in the CIP Reliability Standard as to the scope and quality of training, including examples of areas where the inclusion of guidance can be considered, as follows: control of electronic devices (such as laptop computers); the appropriate audiences for the training; delivery methods; and updates of training materials. The CIP NOPR stated that the awareness and training programs, addressed separately by Requirements R1 and R2, complement each other and work in tandem. The Commission also stated its expectation that the ERO consider relevant aspects of certain NIST Special Publications, as well as other relevant models, to improve CIP-004-1 and prevent a lowest common denominator result. ii. Comments 419. Entergy recommends that the Commission modify its direction to the ERO regarding access to critical cyber assets for newly-hired personnel to provide access to critical cyber assets for newly-hired personnel if they are accompanied by qualified escorts. 
Entergy insists that individuals without training should be allowed to be escorted by a trained individual to access a critical cyber asset and, if similar required training has been received by an unescorted individual at another industry facility, that training should be allowed to be credited at the current facility. SDG&E recommends that new employees be allowed escorted access to critical cyber assets, even in non-emergency situations, since training is not always coincident with a hiring date. 420. Entergy disagrees with the proposal to direct the ERO to require responsible entities to identify core training elements. On the other hand, FirstEnergy and SoCal Edison agree with the Commission's proposal that NERC should require the development of core training elements. They state that additional guidance in this area would be helpful preparation for responsible entities to operate in emergency and other contingency situations. FirstEnergy proposes that CIP-004-1 be revised to further specify what situations should be considered emergency and contingency for the purpose of granting access prior to completion of full training. Northern Indiana agrees with the common sense approach in the CIP NOPR on how responsible entities should be allowed to handle emergency conditions, but would retain the 90-day transition period for conducting training. Northern Indiana requests clarification of what is intended by the term “core training” and requests additional guidance in the Final Rule with respect to training. 421. Entergy contends that specific discussion of the many forms of training needed is beyond the current scope of the CIP Reliability Standards. Entergy argues that, if specificity is needed, the Commission should refer to materials issued by other federal agencies, including the Defense Information Systems Agency. Mr. 
Brown argues that the level of detail the Commission is proposing to be added to the training portion of the CIP Reliability Standards would be more appropriately and efficiently developed through some process other than that of Reliability Standards development process. 422. MidAmerican believes that CIP-004-1, Requirement R2 is adequate as proposed and that specific job-related training requirements are more properly managed by the entity performing or contracting the work. MidAmerican submits that the entity performing the work is best suited to determine the scope and delivery method of job-specific training. MidAmerican believes additional clarification of acceptable awareness and training programs is necessary for compliance purposes, should the Commission's call for increased guidance be adopted. 423. In response to the Commission's proposal that training encompass network and interconnectivity aspects, many commenters suggest that training should be tailored to match up with the trainee's duties, experience, or “need to know.” FirstEnergy suggests that CIP-004-1 should include a provision that would direct a responsible entity to establish access categories based on security roles because access categories based on job responsibilities would ensure that the level or frequency of exposure to critical cyber assets will be considered. For example, a systems analyst would need access to certain critical cyber assets on a frequent basis and at a level that allows file manipulation, while a system user would need access to the data output of the systems during working hours and not necessarily file manipulation access. Those with access to critical cyber assets should have training specific to the critical cyber asset and those without such access should have general awareness training. 424. 
Likewise, National Grid argues that, while a general understanding of networking hardware and software and interconnectivity is important, the focus of the training should be geared toward understanding cyber security policies and each trainee's role in response and recovery plans. National Grid believes that not every employee requires IT training and that training should match an employee's required skill set. 425. FirstEnergy agrees that CIP-004-1 should address training regarding access to the cyber assets themselves and the networking hardware and software linking them, but it also asks the Commission to clarify that only those personnel that have access to both the critical cyber assets and the networking hardware and software should have training on both. FirstEnergy argues that it would be overly burdensome and serve no purpose to do otherwise and, conversely, it serves no purpose to train personnel on the networking hardware and software security methods, if those personnel have access only to the critical cyber asset itself. Training personnel on security measures of equipment for which they have no access can create a potential weakness in the security measures for such equipment. 426. ISO-NE argues that requirements for training relating to networking hardware and software and other issues of electronic interconnectivity supporting the operation and control of the critical cyber assets are a business management decision and should be omitted from the Final Rule. ISO-NE argues that the decision to determine the level of skill training necessary for an individual, based on that employee's functional task requirements and coordinated career goals, is a business decision beyond the scope of security training for access controls, monitoring, and incident response. 427. Similarly, Northern Indiana contends that CIP-004-1 should not specify who should be trained, what the training should include, or how frequently training should occur. 
Northern Indiana argues that the responsible entity must be given flexibility to differentiate between those aspects of networked systems potentially affecting critical control systems and those that should be included in critical cyber asset training. Northern Indiana argues that the focus should be on the applications, policies and procedures that relate to the critical control systems and other critical cyber assets. 428. ISO/RTO Council and ISO-NE argue that training that addresses vulnerabilities is not appropriate for all individuals with access to critical cyber assets and, therefore, they disagree with the statement in the CIP NOPR that “CIP-004-1 should leave no doubt that cyber security training concerning a critical cyber asset should encompass the electronic environment in which the asset is situated and the attendant vulnerabilities.” Information about vulnerabilities associated with critical cyber assets and/or their security perimeters is highly sensitive. Such information should be known only to those with direct responsibility to administer the secure operation of the critical cyber assets and their security perimeters. 429. ReliabilityFirst is concerned that the ERO not lose sight of the fact that Requirement R2.2 requires specific training “appropriate to personnel roles and responsibilities” as it develops the additional guidance proposed by the Commission. ReliabilityFirst argues that it is inappropriate, for example, to train an operator in the dispatch operations center on firewalls and networking devices. Training for personnel with electronic or unescorted physical access to systems within the electronic security perimeter should be appropriate to the trainee's scope of access. The goal of the training is not to make operational personnel into network specialists, but to train them on the policies and procedures implemented by the responsible entity to protect their critical cyber assets. 430. 
In response to the Commission's question regarding what, if any, modifications to CIP-004-1 should be made to address the concern that security trainers be adequately trained themselves, SoCal Edison believes that the Commission should require the ERO to have a program to have qualified trainers in order to determine the adequacy of training. To ensure quality and consistency, this implies that all trainers would have to be qualified by the ERO prior to training. Any vendor training tools (*e.g.*, online training courses) would similarly need to be approved by the ERO. iii. Commission Determination 431. The Commission adopts the CIP NOPR's proposal and directs the ERO to develop a modification to CIP-004-1 that would require affected personnel to receive required training before obtaining access to critical cyber assets (rather than within 90 days of access authorization), but allowing limited exceptions, such as during emergencies, subject to documentation and mitigation. 432. The Commission notes that commenters did not provide specific reasons why employees should be granted access prior to training, but focused on the nature and scope of our proposed exceptions. Entergy and SDG&E recommend that newly-hired employees be allowed access to critical cyber assets if they are accompanied by qualified escorts. We note that a qualified escort would have to possess enough expertise regarding the critical cyber asset to ensure that the actions of the newly-hired employee or vendor did not harm the integrity of the critical cyber asset or the reliability of the Bulk-Power System. However, if the escort is sufficiently qualified, we believe such escorted access could be permitted before a newly-hired employee is trained. 433. Based on the concerns of commenters, the Commission modifies its CIP NOPR proposal that the ERO identify core training elements to ensure that essential training elements will not go unheeded in emergencies and in other compelling situations. 
While the Commission continues to believe that the identification of core training elements is useful, this issue would benefit from further vetting within the Reliability Standards development process. Thus, we direct the ERO to consider, in developing modifications to CIP-004-1, whether identification of core training elements would be beneficial and, if so, develop an appropriate modification to the Reliability Standard. If the Reliability Standard development process determines not to identify core requirements, the ERO should provide an explanation of this decision. In reply to commenters, we clarify that by using the term core training our concern is for a responsible entity to pre-plan what information and training is necessary for personnel temporarily called in to help in an emergency—not that the actual scope of such training needs to be articulated in the Reliability Standard and applicable to all responsible entities in all circumstances. It is important that responsible entities have plans for introducing the personnel called in to assist in such situations. We expect that core training would be different for different responsible entities. 434. The Commission adopts the CIP NOPR's proposal to direct the ERO to modify Requirement R2 of CIP-004-1 to clarify that cyber security training programs are intended to encompass training on the networking hardware and software and other issues of electronic interconnectivity supporting the operation and control of critical cyber assets. CIP-004-1 should leave no doubt that cyber security training concerning a critical cyber asset should encompass the electronic environment in which the asset is situated and the attendant vulnerabilities. We note that, according to Requirement R1.4 of CIP-005-1, all cyber assets within an electronic security perimeter are to be protected, not just the critical cyber assets. 
In reply to commenters, we clarify that our proposal discussion on this topic was not intended to suggest that personnel have training that is not appropriate for an employee's duties, functions, experience, or access level. We agree with commenters that information concerning vulnerabilities should be revealed on a need to know basis and not universally. However, any employee with access to an area where his or her actions, or carelessness, could put critical assets at risk, should receive the necessary training to assure that the employee understands how his or her actions or inactions could, even inadvertently, affect cyber security. 435. Consistent with the CIP NOPR, the Commission directs the ERO to determine what, if any, modifications to CIP-004-1 should be made to assure that security trainers are adequately trained themselves. Commenters provided minimal input on this proposal and, consistent with the CIP NOPR, we believe that whether a modification is appropriate to address this issue is better determined in the first instance through the ERO's Reliability Standards development process. The ERO should consider the comments of SoCal Edison with regard to what role and steps should be taken by the ERO to ensure quality and consistency of trainers. b. Personnel Risk Assessment 436. Requirement R3 of CIP-004-1 requires each responsible entity to have a documented personnel risk assessment program. It also requires that a personnel risk assessment, including a criminal background check, be conducted within 30 days after a person receives cyber access or unescorted physical access to critical cyber assets. The wording of Requirement R3 would allow access to critical cyber assets while an investigation is still underway, and even before an investigation has started. i. NOPR Proposal 437. 
In the CIP NOPR, the Commission stated that allowing applicable personnel, including vendors, to access critical cyber assets prior to the completion of their personnel risk assessment increases the vulnerability of, and risk to, these assets. 113 We also observed that Recommendation 41 of the Blackout Report emphasizes the need for guidance on implementing background checks. 114 At the same time, the Commission indicated that commenters had raised a valid concern regarding the disruptions that would result if current employees and vendors with established involvement were denied access to critical cyber assets for a 30-day period. Accordingly, the Commission proposed to direct the ERO to develop modifications to Requirement R2 to provide that newly-hired personnel and vendors should not have access to critical cyber assets, except in specified circumstances, such as an emergency. To avoid transition disruptions, the Commission proposed that the 30-day window allowing access before completion of the personnel risk assessment remain in effect for current employees and vendors with existing contractual relationships with the responsible entity as of the effective date of the Reliability Standard. The Commission proposed that the ERO include, in developing modifications to CIP-004-1, criteria that address circumstances in which current personnel can continue access to critical cyber assets during the 30-day investigative period during initial compliance with CIP-004-1. 113 *See id.* P 162-66. 114 *See* Blackout Report at 167-68, Recommendation 41 (recommending that NERC provide guidance on background checks to be completed on contractor and sub-contractor employees in advance of allowing access to secure facilities). ii. Comments 438. California Commission and MidAmerican support the Commission's proposal to require that a personnel risk assessment be performed before access is granted except in emergency situations for the reasons articulated in the CIP NOPR. 
California Commission stresses that the personnel risk assessment must be conducted before a person obtains access to critical cyber assets, because, if access is granted before a person clears a risk assessment, Requirement R3 is rendered useless. California Commission states that the point is to keep unwanted persons away from critical cyber assets, not to grant them access for a brief period of time and then bar them from access if they do not pass the risk assessment. 439. ReliabilityFirst and SPP do not believe that the CIP Reliability Standards should attempt to define an all encompassing set of emergency contingencies for which unescorted access could be granted in the absence of a background check, because there is a risk that a valid emergency exists for which the guidance is unsuited. They suggest that a more appropriate way to handle the emergency access is to allow a short-term exception to the security policy, appropriately justified and approved as any other exception to the policies implementing the provisions of the CIP Reliability Standards. 440. FirstEnergy agrees with the Commission that newly hired employees or vendors with no previous relationship to the responsible entity should not have access to critical equipment while undergoing the personnel risk assessment. The 30-day window may be appropriate for employees and vendors with which the responsible entity has had a working relationship, such as employees transferring to another position or contractors that are returning from a reassignment. In contrast, SoCal Edison maintains that 30 days is not adequate time to update personnel risk assessments during initial implementation on all current personnel that would require an updated personnel risk assessment. It believes that the 30 days would be adequate if such a timeframe begins when personnel risk assessment certification paperwork is provided for each individual. 441. 
APPA/LPPC note that they do not object to the requirement in CIP-004-1 R3.1 that “[t]he responsible entity shall ensure that each assessment conducted include, at least, [a] seven-year criminal check” on employees with access to critical cyber assets. However, they seek clarification that responsible entities have discretion in reviewing the results of criminal background checks to determine, on a case-by-case basis, whether any crime identified in the background check would disqualify an individual from obtaining access to critical cyber assets. 442. SDG&E comments that Requirement R3 may require refinement on various issues regarding the personnel risk assessment requirements, including whether state and local law should be pre-empted to permit industry-wide protocols for periodic background and criminal checks on existing employees. SDG&E asks the Commission to clarify that an entity may comply with Requirement R3 by using its existing pre-employment background check procedures for current employees, at seven year intervals, provided that such procedures encompass the required social security verification and criminal background checks. SDG&E argues that, otherwise, applicable state and local laws could prohibit an entity from conducting such periodic checks. iii. Commission Determination 443. The Commission adopts with modifications the proposal to direct the ERO to modify Requirement R3 of CIP-004-1 to provide that newly-hired personnel and vendors should not have access to critical cyber assets prior to the satisfactory completion of a personnel risk assessment, except in specified circumstances such as an emergency. We also direct the ERO to identify the parameters of such exceptional circumstances through the Reliability Standards development process. FirstEnergy and California Commission agree with the Commission's proposals. 444. 
ReliabilityFirst and SPP believe that it would be appropriate to handle emergency access via a short-term exception to the security policy. We note that such access would not be only an exception to the security policy, but an exception to a CIP Reliability Standard Requirement. Therefore, such exceptions would have to comply with the conditions of a technical feasibility exception that we have specified elsewhere in this Final Rule. The Commission believes that a workable solution is for the Reliability Standards development process to identify emergency circumstances that would warrant allowing access to critical cyber assets. However, if a responsible entity experienced a situation outside of those circumstances that it believed warranted access to critical cyber assets, the responsible entity could treat the situation as a technical feasibility exception and follow the conditions set out by the Commission. With this approach, we believe that in most cases it will be unnecessary to go through the administrative burden of a technical feasibility exception. 445. SoCal Edison expresses concern that the 30 days allowed in CIP-004-1 for completion of the personnel risk assessment may not be enough time to process all existing employees with access. We note that there is no reason why such assessments cannot be completed well before responsible entities are to be auditably compliant with this provision. The ERO should consider SoCal Edison's issue in the Reliability Standards development process. 446. APPA/LPPC seek clarification regarding discretion in reviewing results of personnel risk assessments and in coming to conclusions regarding the subject employees. SDG&E seeks refinements on various issues, including an industry-wide protocol for periodic background and criminal checks, and the use of pre-employment background check procedures for current employees. 
The ERO should consider these issues when developing modifications to CIP-004-1 pursuant to the Reliability Standards development process. c. Cyber and Physical Access 447. Requirement R4 of CIP-004-1 directs the responsible entity to maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets. The lists do not serve to deny personnel access from critical cyber assets prior to completion of a personnel risk assessment, although Requirement R4.2 requires that both cyber and physical access to critical cyber assets be revoked within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access. i. NOPR Proposal 448. The Commission stated in the CIP NOPR that timely system updates to access rights are important because access to critical cyber assets by employees, contractors, or vendors represents a gap in security when such access is no longer needed. We proposed to direct the ERO to develop modifications to CIP-004-1 to require immediate revocation of access privileges when an employee, contractor, or vendor no longer performs a function that requires authorized physical or electronic access to a critical cyber asset for any reason (including disciplinary action, transfer, retirement or termination). Further, we proposed to direct the ERO to modify Requirement R4 to make clear that unescorted physical access should be denied to individuals that are not identified on the authorization list. 115 115 *See* CIP NOPR at P 167-69. ii. Comments 449. Numerous commenters responded to the CIP NOPR proposal to require immediate revocation of access to critical cyber assets when an employee, contractor or vendor no longer performs a function that required authorized physical or electronic access to a critical cyber asset for any reason. 
California Commission agrees with the requirements of CIP-004-1, and states that access controls should be updated upon termination or transfer of personnel. However, as with its recommendation regarding CIP-003-1, California Commission suggests that CIP-004-1 should provide a specific time limit for revoking access, rather than requiring access to be revoked promptly. 450. MidAmerican supports the proposal, but believes that the timelines provided in Requirement R4.2 are clearly defined and appropriate for the risk associated with removal of access. ReliabilityFirst and SPP agree with the Commission that access should be revoked as quickly as possible upon termination or reassignment, but believe the use of the term “immediate” is subjective and could lead to conflicting interpretations. According to ReliabilityFirst, one entity might interpret the requirement as allowing a reasonable amount of time, perhaps an hour, to revoke access once the termination or reassignment has occurred and notifications made, while another entity might interpret it as needing to terminate access prior to the moment of termination or reassignment, perhaps coincident with the employee being notified of his or her termination. 451. SoCal Edison and Entergy believe that it will be difficult to comply with the immediate revocation of access requirement. For example, SoCal Edison states that meeting the proposed change would be dependent upon direct communication from a manager initiating the termination actions, and SoCal Edison believes it is appropriate to allow 24 hours to revoke access privileges. FirstEnergy similarly argues that an organization will not be aware in advance of personnel that are transferred in short order to address an immediate need or personnel that are dismissed or fired on the spot for misconduct. 
Entergy asserts that the systems and equipment currently in use across the industry simply cannot operate in the type of networked computing environment necessary to revoke all access immediately. For example, a responsible entity may have a magnetic strip physical access control at a substation perimeter, but if the controller is not networked back to a central access control system, meeting the immediacy requirement would not be possible. The industry will need time and adequate grounds to justify modernization of capabilities for rate relief in order to implement such a proposal.

452. FirstEnergy and Idaho Power suggest that the Commission should soften its position on immediate revocation and propose that the Commission require access to critical cyber assets to be revoked as soon as practicable. They suggest allowing either 24 hours or one business day for revocations. Ontario Power notes that some activities can be performed quickly, but others will take time.

453. ReliabilityFirst argues that, from a risk perspective, it is more time-critical to terminate access when an employee is involuntarily terminated or reassigned due to disciplinary action. ReliabilityFirst argues that an employee who voluntarily terminates or changes positions normally does so on good terms with the employer. In addition, both ReliabilityFirst and SPP maintain that, while an entity should be cognizant of planned terminations and reassignments within the company, the entity has no such insight into a vendor or contractor. The entity must rely upon a timely notification from the vendor or contractor, especially when the services are provided remotely as opposed to on-site. In addition, ReliabilityFirst reasons that primary access needs to be terminated as quickly as possible, with secondary access not as time-critical.
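As an added example (not code from the order, NERC or any utility), the audit check below applies the CIP-004-1 Requirement R4.2 timelines quoted in paragraph 447 (24 hours for personnel terminated for cause, seven calendar days for personnel who no longer require access) to constructed HR-event and access-list records, and ranks findings using ReliabilityFirst's distinction in paragraph 453 between primary access (physical, VPN, domain account) and the remaining secondary access. The person names, record layout, access-type labels and the audit time are all assumptions; the deadline constants are the R4.2 figures as written and can be tightened to match the Commission's "immediate" direction.

```python
"""Audit access revocation against the CIP-004-1 R4.2 timelines.

Constructed example: the HR events and access-list records below are made
up, and the primary/secondary split follows the ReliabilityFirst comment in
paragraph 453. Not code from FERC, NERC or any responsible entity.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

# Timelines stated in CIP-004-1 Requirement R4.2 (paragraph 447).
DEADLINE_FOR_CAUSE = timedelta(hours=24)
DEADLINE_NO_LONGER_REQUIRED = timedelta(days=7)

# Access types ReliabilityFirst calls "primary": revoking these effectively
# quarantines the person while the remaining access is cleaned up.
PRIMARY_ACCESS = {"physical", "vpn", "domain"}


@dataclass(frozen=True)
class PersonnelEvent:
    person: str
    kind: str            # "terminated_for_cause" or "no_longer_required"
    effective: datetime  # when the personnel action took effect


@dataclass(frozen=True)
class AccessRecord:
    person: str
    access_type: str                 # e.g. "physical", "vpn", "domain", "ems_app"
    revoked_at: Optional[datetime]   # None means the right is still active


def deadline_for(event: PersonnelEvent) -> datetime:
    """Latest permissible revocation time under R4.2 for this event."""
    if event.kind == "terminated_for_cause":
        return event.effective + DEADLINE_FOR_CAUSE
    if event.kind == "no_longer_required":
        return event.effective + DEADLINE_NO_LONGER_REQUIRED
    raise ValueError(f"unknown personnel action: {event.kind!r}")


Finding = Tuple[str, str, str, str]  # (person, access_type, severity, detail)


def audit(events: Sequence[PersonnelEvent],
          access_records: Sequence[AccessRecord],
          now: datetime) -> List[Finding]:
    """Return one finding per access right that missed its R4.2 deadline.

    Rights still active past the deadline are reported as 'open'; rights
    revoked after the deadline as 'late'. Primary access is 'high' severity
    because it is the quarantine boundary; other access is 'medium'.
    """
    findings: List[Finding] = []
    by_person: Dict[str, PersonnelEvent] = {e.person: e for e in events}
    for rec in access_records:
        event = by_person.get(rec.person)
        if event is None:
            continue  # no personnel action on file, nothing to revoke
        due = deadline_for(event)
        severity = "high" if rec.access_type in PRIMARY_ACCESS else "medium"
        if rec.revoked_at is None:
            if now > due:
                findings.append((rec.person, rec.access_type, severity,
                                 f"open: still active {now - due} past deadline"))
        elif rec.revoked_at > due:
            findings.append((rec.person, rec.access_type, severity,
                             f"late: revoked {rec.revoked_at - due} past deadline"))
    return findings


# Constructed sample data (not real personnel or systems).
T0 = datetime(2008, 2, 7, 9, 0)
SAMPLE_EVENTS = [
    PersonnelEvent("alice", "terminated_for_cause", T0),
    PersonnelEvent("bob", "no_longer_required", T0),  # transferred out of the role
]
SAMPLE_ACCESS = [
    AccessRecord("alice", "physical", T0 + timedelta(hours=1)),   # on time
    AccessRecord("alice", "vpn", T0 + timedelta(hours=30)),       # 6 h late
    AccessRecord("alice", "ems_app", None),                       # never revoked
    AccessRecord("bob", "domain", T0 + timedelta(days=3)),        # on time
    AccessRecord("bob", "vpn", T0 + timedelta(days=8)),           # 1 day late
    AccessRecord("carol", "vpn", None),                           # no event: fine
]


def sample_findings() -> List[Finding]:
    """Run the audit over the constructed records ten days after the events."""
    return audit(SAMPLE_EVENTS, SAMPLE_ACCESS, now=T0 + timedelta(days=10))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The design point is that the audit runs over the access list, not over the HR system: a right that was never revoked only shows up because it is still on the list, which is the "gap in security" the NOPR describes. Feeding the script real badge-system and directory exports in place of `SAMPLE_ACCESS` turns it into the evidence an auditor would ask for.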
Primary access would include the physical access, VPN access, and domain account, and terminating that access will effectively quarantine the terminated employee while remaining access is disabled. ReliabilityFirst and SPP recommend that, in lieu of the term “immediate,” a reasonable and measurable time frame already exists and has been defined within the CIP Reliability Standard itself. 454. Similarly, ISO-NE argues that personnel transfers can at times require a protracted, transitional process, where there is good business reason for the individual to retain access privileges after the formal transfer date. Most often this would be where continued back-up support is appropriate while the individual's replacement is being identified, or a personal risk assessment is conducted, and/or is trained and becomes familiar with new job responsibilities. 455. ISO-NE and Northern Indiana oppose requiring revocation of access when an employee is facing disciplinary action. ISO-NE argues that not all disciplinary action should arbitrarily warrant revocation of access privileges. Northern Indiana argues that, notwithstanding the disciplinary action, such an employee might still be responsible for performing tasks that require access. Northern Indiana argues that Requirement R4.2 should be left intact and the timeline for revocation should remain 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require access to critical control systems and other critical cyber assets. ISO-NE requests management discretionary power in determining when revocation is warranted. 456. Various commenters raise concerns about the timelines associated with the Commission's proposal to deny unescorted physical access to individuals not identified on the authorization list. For example, Northern Indiana is concerned that absolute compliance with this requirement would be very difficult to achieve and record within the time specified. 457. 
EEI objects to the immediate revocation of access privileges proposal if the Commission is proposing to require responsible entities to perform immediate updating of their authorization lists. EEI argues that these changes are not needed, because, at the time any individual is terminated for any reason, the manager collects items such as badges, keys, tokens used for electronic entrance and other methods of access, thus denying the individual access to facilities where critical cyber assets are kept. Access control systems are updated using an efficient overnight batch process. EEI asserts that converting to immediate updates for all situations (including low-risk situations such as individuals transferring or retiring) would require significant expense with minimal improvement in security. 458. Duke and others 116 argue that some flexibility in the promptness of access revocation is warranted, but raise many of the same points as EEI. Duke concedes that immediate updates of access authorization control systems can be performed outside of a batch process, but argues that this would involve additional cost and should be reserved for situations involving a tangible threat, such as when an employee is being terminated for cause. 116 *See also* PG&E and Tampa Electric. 459. PG&E argues that CIP-004-1 already provides sufficient controls and need not be revised. PG&E argues that CIP-004-1 ensures that individuals who are terminated or who no longer require such access lose their access in a timely manner, but argues that there should be no requirement for immediate updating of authorization lists. 
In this regard, PG&E argues that, although having the means to identify individuals with valid access rights is important, if the individual has been disabled from access to relevant systems and physical areas, a slight delay in updating the list would not significantly compromise security and thus there is no need to require the impractical task of immediately updating authorization lists. iii. Commission Determination 460. The Commission adopts the CIP NOPR proposal to direct the ERO to develop modifications to CIP-004-1 to require immediate revocation of access privileges when an employee, contractor or vendor no longer performs a function that requires physical or electronic access to a critical cyber asset for any reason (including disciplinary action, transfer, retirement, or termination). 461. As a general matter, the Commission believes that revoking access when an employee no longer needs it, either because of a change in job or the end of employment, must be immediate. As noted in the CIP NOPR, most organizations will know in advance the timing of personnel actions and can arrange ahead of time for access revocation to be concurrent with any disciplinary action, transfer, retirement or termination. Revocation of access is usually a matter of assuring that a particular employee's credentials no longer permit physical or electronic access. We understand that outlying elements may require some brief lag before denial of access is effective, in which case, the circumstances justifying such lag must be documented for audit purposes. 462. FirstEnergy comments that the term “immediate” should be clarified and be interpreted as “as soon as possible” but not later than 24 hours to take care of on-the-spot dismissals. Others also comment about various circumstances where advance or coincident preparations for revocation to access cannot be made. 
We continue to believe that most dismissals can be anticipated in advance and believe that revocation should be immediate upon the employee's notification of any personnel action requiring revocation of access. However, the ERO may define what circumstances justify an exception that is other than immediate and determine what is the fastest revocation possible. 463. We acknowledge that not all disciplinary actions warrant revocation of access privileges. In addition, certain personnel transfers can require a protracted transitional process that warrants retention of access privileges after the formal transfer date. There may be operational reasons that justify retention of access privileges after an employee transfers, but the default procedure should be to cancel access privileges at transfer and to document any exceptions to that policy for audit purposes. 464. We also adopt our proposal to direct the ERO to modify Requirement R4 to make clear that unescorted physical access should be denied to individuals that are not identified on the authorization list, with clarification. Our concern, in calling for this adjustment, is that the current language in the CIP Reliability Standard does not describe the purpose of the required list of personnel with authorized access; rather, it merely states that such a list must be made, reviewed, and updated. Similar to our expectations expressed earlier regarding implementation of required plans and policies, we believe that the expectation that access not be granted to personnel not on the authorized list should be made clear in the Reliability Standard. 117 However, while a responsible entity should not allow access to any personnel not included on the list, the Commission believes commenters misunderstood the CIP NOPR and inappropriately linked the Commission's proposal with respect to the immediate revocation of access with its proposal with respect to denying access to personnel not on the list. 
We clarify that we are not requiring the list to be updated simultaneously with the revocation of an employee's access. 117 As we stated in our discussion above, we are directing the ERO to revise the CIP Reliability Standards to explicitly add a requirement for responsible entities to implement any plans they are required to develop as part of these Standards. d. Jointly-Owned Facilities 465. In the CIP NOPR, the Commission addressed concerns raised with regard to the application of and compliance responsibility for the CIP Reliability Standards, especially on access issues, when facilities governed by existing joint use or joint ownership agreements are involved. i. NOPR Proposal 466. In the CIP NOPR, the Commission stated that joint owners of critical cyber assets are equally as subject to the CIP Reliability Standards as are other responsible entities. 118 We further stated that, if an asset is designated as a critical cyber asset by one joint owner, it must be treated likewise by the other owner(s) and, therefore, each owner would be responsible to develop a list of its authorized personnel and to respect each other joint owner's corresponding list. 118 *See* CIP NOPR at P 170-73. 467. With regard to joint use arrangements, the Commission stated the principle that the owner of a critical cyber asset is responsible under the CIP Reliability Standards for ensuring that all persons having access to the critical cyber asset meet the requirements of the CIP Reliability Standards, much as the owner is responsible to ensure that vendor personnel have the required levels of security training, awareness and background checks. 468. The Commission proposed to require the ERO to consider further clarifying CIP-004-1 to address the “joint use” concerns expressed by APPA/LPPC while developing any modifications to the CIP Reliability Standards. ii. Comments 469. APPA/LPPC support the Commission's proposal to direct the ERO to address the joint use concerns. 470. 
Northern Indiana is concerned that the Commission's proposal means that a responsible entity must perform risk assessments of the other owner's personnel so that such personnel may access a facility that the responsible entity has identified as a critical cyber asset. Northern Indiana argues that such a broad application of the CIP Reliability Standards was never intended and requests that the Commission clarify this point. Northern Indiana sees a conflict with respect to sharing information with other entities that jointly own or jointly use transmission facilities if it is required to maintain a mutual distrust posture. Northern Indiana urges the Commission to provide for flexibility when applying the CIP Reliability Standards to such jointly owned facilities. 471. SPP believes that jointly operated assets may require contractual agreements to assign responsibility and liability for compliance with the CIP Reliability Standards, similar to the Commission's concern with respect to out-sourced service providers in the CIP NOPR. It is unclear to SPP whether the Commission's recommendations adequately cover the situation where each party is uniquely responsible for a subset of the requirements of the CIP Reliability Standards. For example, one entity may place critical cyber assets within a facility managed by a second entity. The second entity would be fully responsible for the physical security requirements of CIP-006-1, while the first entity would be fully responsible for the system management requirements of CIP-007-1 only for their own assets. A contractual agreement between the two entities should be in place to codify the second entity's physical security responsibilities and, as with out-sourced services, to absolve the first entity of any responsibility for CIP-006-1 beyond ensuring that the cyber assets are within the second entity's physical security perimeter. 
SPP recommends that the Commission direct the ERO to include recognition of such contractual agreements in its auditing and sanctioning processes. 472. NRECA is concerned that the Commission's joint use proposal would cause problems for small entities. NRECA also raises concerns about how disputes regarding joint use facilities will be addressed. iii. Commission Determination 473. The Commission adopts its proposals in the CIP NOPR with a clarification. As a general matter, all joint owners of a critical cyber asset are responsible to protect that asset under the CIP Reliability Standards. The owners of joint use facilities which have been designated as critical cyber assets are responsible to see that contractual obligations include provisions that allow the responsible entity to comply with the CIP Reliability Standards. This is similar to a responsible entity's obligations regarding vendors with access to critical cyber assets. 474. Regarding Northern Indiana's comments, we do not believe that this Requirement obligates one joint owner of a critical cyber asset to perform risk assessments of another owner's personnel. Each such owner is responsible for performing assessments of its own personnel. 475. The ERO should consider the suggestions raised by Northern Indiana, SPP and NRECA in the Reliability Standards development process. 476. Therefore, we direct the ERO to modify CIP-004-1, and other CIP Reliability Standards as appropriate, through the Reliability Standards development process to address critical cyber assets that are jointly owned or jointly used, consistent with the Commission's determinations above. 4. CIP-005-1—Electronic Security Perimeter(s) 477. NERC's proposed Standard CIP-005-1 requires identification and protection of the electronic security perimeters inside which all critical cyber assets are located, as well as all access points. 
The electronic security perimeters are to encompass all the critical cyber assets that are identified using the methodology required by Standard CIP-002-1. Multiple electronic security perimeters may be required; for example, one may be needed around a control room while another may be established around a substation. For any electronic security perimeter established, the responsible entity must develop mechanisms to control and monitor electronic access to all electronic access points and, further, it must assess the electronic security perimeter's cyber vulnerability and test every electronic access point at least annually. 119 119 CIP-005-1 only pertains to electronic security. Physical security is addressed in CIP-006-1. 478. The Commission approves Standard CIP-005-1 as mandatory and enforceable. In addition, we direct the ERO to develop modifications to this CIP Reliability Standard. The Commission also requires the ERO to clarify and provide guidance on other matters. The required modifications are discussed below in the following topic areas of concern regarding CIP-005-1:
(1) Adequacy of electronic security perimeters;
(2) protecting access points and controls;
(3) monitoring access logs; and
(4) vulnerability assessments.

a. Adequacy of Electronic Security Perimeters

479. Requirement R1 of CIP-005-1 requires each responsible entity to identify electronic security perimeters and ensure that every critical cyber asset resides within one.

i. NOPR Proposal

480. In the CIP NOPR, the Commission stated that, while the electronic security perimeter constitutes a first line of defense, the effectiveness of any one defensive measure is often dependent on the quality of active human maintenance, and that there is no one perfect defensive measure that will guarantee the protection of the Bulk-Power System. The Commission proposed to direct the ERO to develop a requirement that a responsible entity implement a defensive security approach including two or more defensive measures in a defense in depth posture when constructing an electronic security perimeter. 120

120 *See* CIP NOPR at P 178-81.

ii. Comments

481. Many commenters, including Manitoba, NERC, NRECA, Ontario Power and ReliabilityFirst, maintain that CIP-005-1 is adequate as drafted and they oppose the Commission's proposal to require a defense in depth strategy. 121 In contrast, Juniper and ISA99 Team support the Commission's proposal. Although Idaho Power expresses support for the defense in depth concept, it questions the Commission's proposal to require two distinct security measures when developing an electronic security perimeter. MidAmerican supports the proposal to require implementation of a defensive security approach including two or more defensive measures in a defense in depth posture, but submits that the term “defensive measure” requires clarification to facilitate compliance.

121 *See also* Arkansas Electric, APPA/LPPC, Alliant, Arizona Public Service, California Commission, Duke, Entergy, FPL Group and Northern Indiana.

482.
NERC and ReliabilityFirst argue that the defense in depth provisions recommended by the Commission make sense in a control center environment, because additional layers of electronic security and physical security can be readily implemented, and they are prudent due to the centralized function performed at a control center. However, they question the direct impact to the reliability of the Bulk-Power System from implementing multiple defensive actions in a substation or generating plant environment. NRECA believes that the CIP NOPR contemplates imposing excessive defense in depth requirements, particularly in environments where the additional depth will not yield a significant benefit, but will impose costs. NRECA states that a better course would be for the Commission to defer to the ERO's technical expertise as to the application of defense in depth, rather than dictate a specific outcome. 483. NERC, Idaho Power and ReliabilityFirst further explain that the use of multiple electronic security perimeter devices (i.e., firewalls) obtained from different vendors, creating rings of protection using different methods, is an accepted mainstream information technology approach. The expected result is that a failure of one device only appears on one of the two perimeters, thereby allowing the other perimeter to provide the desired protection. For small numbers of zones, which protect relatively large numbers of assets (e.g., a single zone containing all of the corporate servers), this makes implementation and economic sense. 484. However, NERC states that the use of multiple electronic security perimeter devices comes at a cost to performance and reliability. According to NERC, each “hop” through a perimeter device introduces a delay in the transmission of the data. In a traditional information technology environment, this may be tolerable, or may be mitigated through the use of higher-speed networks. 
In a control system environment, NERC states that neither option may be acceptable or available. Additional equipment takes up space in equipment racks, and uses additional power and cooling, which in some cases, may be at a premium, or may introduce equipment reliability problems. Certified equipment from different vendors may not be available for all protocols and toolsets used in the control system environment. Additionally, there would be more equipment which must be functional in order to maintain reliable operations. Any time there is an increase in the number of components that must be running in series, the availability of the entire system decreases. In this case, this results in an overall decrease in the reliability of the system. Last, but not least, is the impact of having more equipment at a substation or generating plant to install, service, maintain, and for which to provide instruction and training. 485. Ontario Power argues, similarly, that while the multiple layers of security required by a defense in depth strategy may be feasible in some situations, it is impractical or impossible in others and should be excluded from the Final Rule. 486. APPA/LPPC and Northern Indiana state that CIP-005-1 provides the needed degree of flexibility to accommodate very diverse physical and electronic situations. 487. Arkansas Electric, Duke and Northern Indiana state that there is a point at which having multiple defense layers would not be cost-effective. Arkansas Electric and Duke maintain that the CIP Reliability Standards as a whole prescribe a sufficient defense-in-depth strategy. In addition to electronic security controls, Arkansas Electric notes that the Reliability Standards also require physical security controls, access-control, authentication, and intrusion detection at the perimeter. The CIP Reliability Standard also requires a general “hardening” of the security of the critical cyber assets. Furthermore, policy and procedural controls are required. 
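NERC's series-availability argument in paragraph 484 and the Commission's fail-safe answer in paragraph 500 can be worked through with numbers. The model below is an added example (not from the order, NERC or any vendor): it assumes independent device failures, uses constructed per-device availability figures, and treats a failed in-line device as either blocking traffic (fail-closed) or passing it uninspected (fail-open, the "fail-safe mode that still allows operation"). It also carries the "failure of one device only appears on one of the two perimeters" point from paragraph 483 through to the exposure a defender actually cares about: the fraction of time traffic flows with no layer inspecting it.

```python
"""Availability and exposure of a layered electronic security perimeter.

Added example, not from the order or any utility or vendor. Independent-
failure model with constructed availability figures; common-mode failures
(same vendor, same misconfiguration) are deliberately not modelled.
"""
from itertools import product
from typing import Dict, Sequence

HOURS_PER_YEAR = 8760.0


def perimeter_metrics(availabilities: Sequence[float],
                      fail_open: Sequence[bool]) -> Dict[str, float]:
    """Enumerate every up/down combination of the in-line devices.

    availabilities[i] is the probability device i is up; fail_open[i] says
    whether device i passes traffic when it is down. Returns probabilities that
      traffic        -- operational traffic gets through at all,
      all_filtering  -- it gets through with every layer inspecting it,
      unfiltered     -- it gets through with no layer inspecting it,
    plus the expected hours per year the path is blocked outright.
    """
    if len(availabilities) != len(fail_open):
        raise ValueError("one fail-mode flag per device")
    traffic = all_filtering = unfiltered = 0.0
    for states in product((True, False), repeat=len(availabilities)):
        p = 1.0
        for up, a in zip(states, availabilities):
            p *= a if up else (1.0 - a)
        # A failed fail-closed device stops the path entirely (NERC's point).
        if any((not up) and (not fo) for up, fo in zip(states, fail_open)):
            continue
        traffic += p
        n_up = sum(states)
        if n_up == len(states):
            all_filtering += p
        if n_up == 0:
            unfiltered += p  # every layer failed open: nothing is inspecting
    return {
        "traffic": traffic,
        "all_filtering": all_filtering,
        "unfiltered": unfiltered,
        "blocked_hours_per_year": (1.0 - traffic) * HOURS_PER_YEAR,
    }


def compare(device_availability: float = 0.999) -> Dict[str, Dict[str, float]]:
    """One device versus two in series, fail-closed versus fail-open.

    The 0.999 default is a constructed figure, not a measured one.
    """
    a = device_availability
    return {
        "one_fail_closed": perimeter_metrics([a], [False]),
        "one_fail_open": perimeter_metrics([a], [True]),
        "two_fail_closed": perimeter_metrics([a, a], [False, False]),
        "two_fail_open": perimeter_metrics([a, a], [True, True]),
    }


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:16s} traffic={m['traffic']:.6f} "
              f"all_filtering={m['all_filtering']:.6f} "
              f"unfiltered={m['unfiltered']:.2e} "
              f"blocked_h/yr={m['blocked_hours_per_year']:.2f}")
```

Reading the four rows at 0.999 per device: two fail-closed devices raise expected blocked time from about 8.8 to about 17.5 hours a year, which is NERC's series argument; two fail-open devices keep the path up all the time, which is the Commission's point, and they also cut the fully uninspected exposure from 0.1% for a single fail-open device to one part in a million, because a single failure leaves the other layer inspecting. What the model cannot show is a correlated failure of both layers, which is why the vendor diversity commenters mention in paragraph 483 matters as much as the device count.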
Adding security controls for the sake of redundancy adds unnecessary cost, complexity and administrative burden to the system. Further, Duke argues that responsible entities must establish sufficient electronic and physical security perimeters, which in some situations could require multiple layers that other situations do not warrant. 488. Manitoba maintains that providing one monitored and alarmed electronic security measure provides a sufficient and balanced security measure when implemented in conjunction with required physical security measures. The proposed additional security measure may require other security installations within the proposed implementation timeframe for CIP Reliability Standards that could delay implementation of the more important requirement to establish an electronic perimeter for all critical cyber assets. 489. SDG&E and Entergy raise concerns with the Commission's comments regarding the placement of security measures in front of systems. SDG&E cautions against giving such “in front” measures a high priority over those placed inside the system. SDG&E comments that consideration of both measures is necessary to make informed defense in depth decisions. Alternatively, it agrees with NERC that the Commission should omit the requirements for a defense in depth approach in the Final Rule. Entergy also disagrees with the Commission's proposal to place measures “in front of” systems as opposed to “inside” systems. It argues that data/control centers and field sites are two very different matters and that two-factor authentication is more challenging in the field, where most equipment being remotely accessed simply cannot be upgraded or retro-fitted to affect this technological approach. 490. APPA/LPPC argue that, if the Commission continues to direct the ERO to require two or more defensive measures, then it should clarify whether or not the second security measure must be on a par with the first security measure. 
NERC and APPA/LPPC maintain that an inflexible rule calling for redundant electronic security in all cases poses some very practical problems in a variety of settings. APPA/LPPC believe that, given sufficient flexibility by the Commission, these issues can be worked out in the Reliability Standards development process. 491. In FPL Group's view, the NERC approach of allowing responsible entities to develop strategies appropriate for their environment to protect their critical cyber assets is preferable to the CIP NOPR proposal. FPL Group characterizes the CIP NOPR proposal as a “one size fits all” approach that could fail to take into account site-specific realities. It is concerned that the CIP NOPR approach mandates form over function and logic by placing too much emphasis on uniformity and ignoring a site's specific environment. 492. In contrast, Juniper and ISA99 Team argue that multiple layers are essential for defense in depth and that the Reliability Standard must provide guidance on devices that may be considered to be a layer of defense. ISA99 Team argues that single peripheral layers of defense are not adequate to protect control networks. More significantly, ISA99 Team argues, the very nature of the CIP Reliability Standards provides defense in depth for many of the control system components. For example, not only are perimeters identified and established, and defended with access controls, but anti-virus and other defensive measures are applied to components within the perimeters. ISA99 Team argues that this defense in depth is consistent with guidance provided in most references and standards today. 122 122 *See* ISA99 TEAM at 4, citing NERC Control Systems Security Working Group's, Top 10 Vulnerabilities of Control Systems and Their Associated Mitigations—2006. The inner layer device may disallow certain protocols on port 520, or only allow read commands from certain networks. 493. 
In addition, ISA99 Team disagrees that legacy control systems can be excused from defense in depth requirements. ISA99 Team argues that it is unacceptable to leave critical control systems components, like distributed control systems controllers, remote terminal units for supervisory control and data acquisition systems, programmable logic controllers and intelligent electronic devices, without additional protection similar to that commonly used for basic personal computers used in business system networks every day. And this protection can be provided by various means, including further segmentation and isolation of those components from the other parts of the control networks. It does mean additional hardware and does require great caution, but it can be done effectively and should be required for our critical power infrastructure. 494. Juniper comments that, unless wireless access can be limited to a physical boundary, any wireless enabled device must be considered as outside the perimeter and must authenticate to gain access and encrypt its communications. Jamming of RF signals even with spread-spectrum is a real concern. An attack does not have to jam all transmission. It can cause disruption by corrupting data. If this can cause loss of data for even a short duration, that might be enough to perpetrate other incursions without raising alarms. 495. Northern Indiana and Xcel ask the Commission to clarify or direct the ERO to clarify the phrase “single access point at the dial up device” in CIP-005-1, Requirement R1.2. Xcel asks whether this refers to the initiating device, the device at the point of termination, or both. Northern Indiana would not modify CIP-005-1, but urges that any modifications to Requirement R2 should allow continued reliance on legacy systems. iii. Commission Determination 496. 
The Commission adopts the CIP NOPR's proposal to direct the ERO to develop a requirement that each responsible entity must implement a defensive security approach including two or more defensive measures in a defense in depth posture when constructing an electronic security perimeter. However, in light of the comments received, the Commission understands that there may be instances in which certain facilities cannot implement defense in depth or where such an approach would harm reliability rather than enhance it. For that reason, the Commission believes that it is appropriate to allow the ERO and the Regional Entities to grant exceptions based on the technical feasibility of implementing defense in depth, consistent with the Commission's determination on technical feasibility above. However, the responsible entity should implement electronic defense in depth measures or justify why it is not doing so pursuant to our discussion of technical feasibility exceptions. 497. As stated in the CIP NOPR, the Commission recognizes that there is a point at which having multiple defense layers would not be cost effective. However, we continue to believe that the effectiveness of any one defense measure is often dependent on the quality of active human maintenance, and there is no one perfect defense measure that will guarantee the protection of the Bulk-Power System. The Commission does not agree with Manitoba that providing one monitored and alarmed electronic security measure provides a sufficient and balanced security measure when implemented in conjunction with required physical security measures. A single electronic device is too easy to bypass and a physical security measure cannot thwart an electronic cyber attack. Therefore, we believe it is in the public interest to require that a responsible entity must implement two or more distinct security measures when constructing an electronic security perimeter. 498. 
Many of the commenters' concerns with regard to the impact on performance and reliability will be alleviated by allowing Regional Entities to grant justified exceptions based on technical feasibility. For example, an exception might be granted if an entity can demonstrate that implementing any defense in depth mechanism would create a delay in the transmission of the data that is not tolerable on the system and cannot be mitigated. In addition, the Commission does not think that there will be a problem with respect to a delay in data transmission. If this is a problem for older or distant equipment, the responsible entity can claim a technical feasibility exception. Newer equipment should operate at sufficiently high speeds that multiple hops will not affect data transmission. In fact, some vendor companies claim that their devices will actually increase transmission speeds due to compression and other techniques.[123]

123 *See, e.g.*, http://aegistech.us/?page_id=73; http://www.teltone.com/products/security/features.htm.

499. Further, an exception might be granted until equipment is available for a given protocol or toolset used in a specific control system environment. However, the fact that additional equipment may take up space or use additional power and cooling alone does not warrant reversing the Commission proposal.

500. The Commission agrees with the ERO that requiring two or more defensive measures may increase the chance of equipment failure. But, the ERO has not provided the Commission with an adequate explanation of why the availability of the entire system would decrease with two or more defensive measures. Defensive measures can often be formatted so that if they fail, they do so in a fail-safe mode that still allows operation. Therefore, system availability would not decrease.

501.
In response to SDG&E and Entergy, in stating that the placement of security measures in front of systems provides a layer of protection for those systems, the Commission was not giving priority to “in front” measures. In fact, the Commission acknowledged in the CIP NOPR that defense in depth measures are generally integrated within and constitute part of a system or program. In commenting that defense in depth measures may also be effectively placed in front of a system, the Commission intended only to acknowledge that there are multiple ways to implement a defense in depth strategy. The Commission is not mandating any specific mechanism to be the second security measure. We are also not requiring uniformity of security measures, only that each responsible entity have at least two security measures unless it is not technically feasible to do so. The revised CIP Reliability Standard should allow enough flexibility for a responsible entity to take into account each site's specific environment. The Commission believes that this, in conjunction with the allowance of technical feasibility exceptions, alleviates FPL Group's concern that the Commission's proposal is a “one size fits all” approach.

502. In response to APPA/LPPC, the Commission clarifies that it does not intend to create an inflexible rule calling for redundant electronic security in all cases. While the Commission directs that a responsible entity must implement two or more distinct security measures when constructing an electronic security perimeter, the specific requirements should be developed in the Reliability Standards development process. This would include whether or not the second security measure must be “on par” with the first. The Commission also directs the ERO to consider, based on the content of the modified CIP-005-1, whether further guidance on this defense in depth topic should be developed in a reference document outside of the Reliability Standards.

503.
In response to Manitoba's concern that the proposed additional security measure could delay implementation of the more important requirement of an electronic perimeter for all critical cyber assets, the Commission notes that this Final Rule approves the Reliability Standard as filed by the ERO. The Commission is directing the ERO to revise the Reliability Standard to require two or more defensive measures. Until that Reliability Standard is developed by the ERO and approved by the Commission, responsible entities in the United States will not be required to implement two or more defensive measures.

504. The ERO should consider in the Reliability Standards development process Northern Indiana's and Xcel's concerns regarding the phrase “single access point at the dial up device.”

b. Protecting Access Points and Controls

505. Requirement R2 of CIP-005-1 requires a responsible entity to implement organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter. Requirement R2.4 requires “strong procedural and technical controls” at enabled external access points “to ensure authenticity of the accessing party, where technically feasible.”

i. NOPR Proposal

506. The Commission indicated that requiring “strong” controls does not provide sufficient guidance toward ensuring authenticity of the accessing party, and proposed to direct the ERO to modify Requirement R2.4 of CIP-005-1 to provide greater clarity regarding the expectation for adequate compliance by identifying examples of specific verification technologies that would satisfy the Requirement, while also allowing compliance pursuant to other technically equivalent measures or technologies.[124] The Commission acknowledged that strong verification includes technologies such as digital certificates and two-factor authentication.
We also noted that Recommendation 32 of the Blackout Report emphasizes the need “to ensure access is granted only to users who have corresponding job responsibilities.”[125]

124 *See* CIP NOPR at P 182-91.

125 *See* Blackout Report at 164-65, Recommendation 32.

507. Consistent with our discussion of technical feasibility, we did not propose to direct the ERO to remove the technical feasibility language from Requirement R2.4 of CIP-005-1. However, we proposed that Regional Entities review the application of “technical feasibility” as the basis for allowing a responsible entity an exception to full compliance with a Requirement.

508. The Commission also clarified the specific conditions and accountability measures needed to be granted an exception based on technical feasibility.

ii. Comments

509. SoCal Edison and MidAmerican agree with the Commission that Requirement R2.4 needs to be clarified. ISO-NE raises a concern regarding the phrasing of “‘strong controls’ * * * such as digital certificates and two-factor authentication.” ISO-NE asks that the Commission ensure that “use of either digital certificates or two-factor authentication” constitutes an acceptable example for strong authentication. Entergy generally agrees with the Commission's proposal to direct the ERO to modify this CIP Reliability Standard in accordance with the Blackout Report. In Entergy's view, well-constructed passwords should be satisfactory as long as password management best practices are employed, such as configuring equipment to ‘drop calls’ after presentation of three successive incorrect passwords.

510. Juniper also argues that several CIP Reliability Standards require the use of encryption. Juniper recommends that specific NIST or Federal Information Processing Standards (FIPS) encryption standards be mentioned as minimum requirements for compliance as weak encryption mechanisms can be easily reverse engineered.

iii. Commission Determination

511. The Commission adopts the CIP NOPR's proposal to direct the ERO to identify examples of specific verification technologies that would satisfy Requirement R2.4, while also allowing compliance pursuant to other technically equivalent measures or technologies. In response to commenters, in discussing digital certificates and two-factor authentication, the Commission was providing examples of strong authentication, not limiting authentication to those options. The Commission is not prescribing the specific methods as an exclusive solution pursuant to Requirement R2.4. The ERO can propose an alternative solution that it believes is equally effective and efficient. If the ERO believes it would be helpful to responsible entities, additional guidance beyond the examples that are eventually included in Requirement R2 can be given in a separate reference document. Since we are directing the ERO to provide guidance on what constitutes strong authentication, it is not necessary for the Commission to respond to ISO-NE's request that digital certifications or two-factor authentication are acceptable methods of authentication. In identifying examples or categories of specific verification technologies that would satisfy Requirement R2.4, the ERO should take into account the specific comments raised in this proceeding. Similarly, while encryption is one method to accomplish two-factor authentication, and is an effective process for ensuring authenticity of the accessing party, for some facilities, we leave it to the ERO in the Reliability Standards development process to evaluate whether and how to address the use of encryption. In the alternative, the ERO may identify verification technologies or categories of verification technologies in a reference document.

c. Monitoring Access Logs

512.
Requirement R3 of CIP-005-1 requires responsible entities to implement electronic or manual processes for monitoring and logging access at access points to the electronic security perimeter at all times. Further, where technically feasible, the security monitoring process must detect and alert for attempts at or actual unauthorized access. Where such alerts are not technically feasible, Requirement R3.2 requires a responsible entity to review access logs at least every 90 calendar days.

i. NOPR Proposal

513. The Commission stated that regular manual review of logs is beneficial because, while automated review systems provide a reasonable daily check and a convenient screening for obvious system breaches, periodic manual review provides the opportunity to recognize an unanticipated form of malicious activity and improve automated detection settings. The Commission stated that frequent reviews of access logs are necessary to detect breaches that automated alerts do not detect and, moreover, where automated alerts are not used, frequent monitoring takes on even greater importance.

514. The Commission recognized that accessibility of an access log may affect the review interval. We stated, for instance, that readily available logs, such as those from within a control room setting, should be reviewed at least weekly. Those logs that are not readily available, such as those located at a remote substation, are less accessible and therefore can be read less frequently. We stressed, however, that any attempt to differentiate the required frequency of review of these logs must be balanced against the criticality of the facilities; it is not acceptable to dismiss a critical facility from timely review simply because it is remote.

515. The Commission proposed to direct the ERO to develop a bifurcated review requirement of access logs at electronic access points in which readily available logs are reviewed more frequently than every 90 days.
The Commission stated that such review should be performed at least weekly. As part of developing this bifurcated review requirement, the Commission proposed to direct the ERO to include in the Reliability Standard guidance on how a responsible entity should designate individual assets as “readily accessible” or “not readily accessible,” consistent with our discussion above.

ii. Comments

516. EEI and Tampa Electric maintain that the proposal to revise the log review requirements in CIP-005-1 is overly prescriptive.

517. Entergy, MidAmerican, Northern Indiana, PG&E, ReliabilityFirst, SPP and Tampa Electric do not agree with the Commission that a weekly review of access logs at electronic access points is necessary. A weekly review would place an undue burden on the industry without a clear direct benefit to improved security given the proposed level of increased frequency. Entergy argues that the Commission should recognize that the other access controls contemplated by the CIP Reliability Standards, as well as the 90-day review, should be sufficient to initially identify any unanticipated form of malicious activity. More frequent reviews should only be required where additional efforts are justified based on site specific or industry information.

518. Tampa Electric argues that weekly manual reviews of substantial data are too burdensome especially when an entity is capable of performing electronic reviews. Along the same lines, Idaho Power argues that the proposed bifurcated review process may be extremely difficult to perform without technological advances in products. Idaho Power agrees that a review must occur; however, without technology to assist, it argues that implementation will be difficult.

519.
ISO-NE comments that automated log monitoring to detect and alert on any unauthorized or suspicious events is sufficient, and that manual review of logs should only be required in situations where automated monitoring and alerting tools are not technically feasible. However, ISO-NE does suggest that review of automated alerts should be frequent. ISO-NE maintains that its perspective is supported by evaluations that it conducted against a subset of cyber assets similar to those that would be used to maintain an electronic security perimeter and those that would be found inside an electronic security perimeter. ISO-NE found that the logs generated by its testing were voluminous and any effort to routinely manually review logs would be futile and burdensome. In ISO-NE's view, other than during a forensic investigation in response to an automated alert, any expectation of useful manual review on a routine basis is not reasonable.

520. ReliabilityFirst and SPP disagree that a regular manual review of logs is always beneficial. For example, a weekly manual review of logs in a control room setting may be impossible. In a control center environment, the electronic security perimeter firewalls may log several million events per day. The outer network perimeter firewalls will typically log an even greater number of events per day. Servers and workstations may record hundreds to thousands of events per day across the system, security, and wide variety of application logs. The only way to monitor and analyze the logs is through the use of automation.

521. While MidAmerican supports frequent review, it maintains that the review intervals should be designed to accomplish the detection and improvement objectives discussed in the CIP NOPR. MidAmerican submits that basing review intervals on accessibility of records will not optimally achieve this objective and would be unduly burdensome for responsible entities and should be reconsidered.
MidAmerican would support a frequency of 30 days for electronically generated access logs and a 45-day review frequency for manually generated logs.

522. SPP believes that a periodic review of the log correlation and analysis engine's rules should be conducted to ensure the automated analysis is properly alerting on pertinent events. This may require a manual examination of the raw log files. A weekly review is excessive—a quarterly review may be more appropriate, as would a review upon a significant change to the access controls.

523. By contrast, Juniper argues that logs should be reviewed daily, stating that there are correlation tools that can prioritize events automatically and reduce the effort required to go through all logs manually. Juniper argues that the requirement for reporting within an hour of an incident seems to be at odds with not requiring frequent review of the logs.

524. MidAmerican maintains that the term “bifurcated review” is inadequately defined. MidAmerican recommends that the Commission add specific language addressing the use of a combination of automated and manual review of logs to satisfy this requirement. Likewise, the terms applying to whether the logs are “readily available,” “readily accessible” and “not readily accessible” need clarification to facilitate compliance. Northern Indiana also requests that the Commission clarify the scope of the reviews and what is meant by the term “readily accessible.”

iii. Commission Determination

525. The Commission adopts the CIP NOPR proposal to require the ERO to modify CIP-005-1 to require logs to be reviewed more frequently than 90 days, but clarifies its direction in several respects. At this time, the Commission does not believe that it is necessary to require responsible entities to review logs daily, as requested by Juniper.

526.
The Commission agrees with MidAmerican that the review intervals should be designed to accomplish the detection and improvement objectives discussed in the CIP NOPR. Requirement R3 of CIP-005-1 does not currently require a responsible entity to manually review logs if it has alerts. However, the Commission continues to believe that, while automated review systems provide a reasonable day-to-day check of the system and a convenient screening for obvious system breaches, periodic manual review provides the opportunity to recognize an unanticipated form of malicious activity and improve automated detection settings. Further, manual review is beneficial to judge the effectiveness of protection measures, such as firewall settings. If a firewall setting is incorrect or ineffective, an automated review system may not identify a cyber security intrusion. For those entities without automated log review and alerts, it is even more important to perform a manual review because this will be the only review of the logs. The Commission believes allowing 90 days to pass without a log review is unacceptable. In that time, an incident could have occurred undetected or an attacker could have gained access to a critical system and extended that access throughout the enterprise with the targeted entity being unaware that the security of their systems had been compromised. For this reason, the Commission directs the ERO to modify CIP-005-1 through the Reliability Standards development process to require manual review of those logs without alerts in shorter than 90-day increments. The Commission continues to believe that, in general, logs should be reviewed at least weekly, but leaves it to the Reliability Standards development process to determine the appropriate frequency. 
In addition, the Commission directs the ERO to modify CIP-005-1 to require some manual review of logs, consistent with our discussion of log sampling below, to improve automated detection settings, even if alerts are employed on the logs.

527. In response to MidAmerican's concern about the term “bifurcated review,” the Commission intent was that certain assets, deemed readily accessible, would be reviewed at least weekly while other assets would continue to be reviewed every 90 days. However, the Commission will not adopt this direction from the CIP NOPR. We leave it to the Reliability Standards development process to decide whether different timeframes are appropriate for logs that are readily accessible and not readily accessible. If different review timeframes are adopted, the ERO should provide guidance as to what constitutes a readily accessible log and a log that is not readily accessible. The ERO may also delineate different timeframes for manual review for other reasons, but must clearly define how to determine in what timeframe a specific log must be reviewed. However, we reiterate that any attempt to differentiate the required frequency of review of these logs must be balanced against the criticality of the facilities; it is not acceptable to dismiss a critical facility from timely review simply because it is remote.

528. Finally, the Commission also agrees with commenters that a full review of logs could be burdensome. Therefore, the Commission clarifies its direction with regard to reviewing logs. In directing manual log review, the Commission does not require that every log be reviewed in its entirety. Instead, the ERO could provide, through the Reliability Standards development process, clarification that a responsible entity should perform the manual review of a sampling of log entries or sorted or filtered logs.
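As an added illustration of the “sampling of log entries or sorted or filtered logs” approach described in this paragraph (example code written for this research copy, not text from the Order, from NERC, or from any CIP Reliability Standard), the following Python script takes constructed access-point firewall log lines, filters them down to the entries a manual reviewer should see, sorts them by source, and draws a reproducible random sample whose seed and method are recorded so that an auditor can regenerate the same sample. The log format, the field names, the internal address range and the selection rules are assumptions made for the example; the Order leaves the actual sampling method to the responsible entity's cyber security policy.

```python
"""Sampled and filtered manual review of electronic access point logs.

Illustrative example only: the log format, field names, the internal
address range and the selection rules are assumptions made for this
example, not requirements taken from CIP-005-1 or the Order.
"""
from collections import Counter
from datetime import datetime
import ipaddress
import random
import re

# Constructed sample: ten syslog-like lines from a hypothetical access point
# firewall ("fw-esp1"). A real access point logs far more than this.
SAMPLE_LOG = """\
2008-01-14T02:11:05 fw-esp1 action=deny src=203.0.113.7 dst=10.1.1.20 dport=23 proto=tcp user=-
2008-01-14T02:11:06 fw-esp1 action=deny src=203.0.113.7 dst=10.1.1.21 dport=23 proto=tcp user=-
2008-01-14T02:11:07 fw-esp1 action=deny src=203.0.113.7 dst=10.1.1.22 dport=23 proto=tcp user=-
2008-01-14T03:00:00 fw-esp1 action=allow src=10.1.1.50 dst=10.1.1.20 dport=502 proto=tcp user=-
2008-01-14T08:15:42 fw-esp1 action=auth-fail src=198.51.100.9 dst=10.1.1.1 dport=22 proto=tcp user=operator
2008-01-14T08:15:50 fw-esp1 action=auth-fail src=198.51.100.9 dst=10.1.1.1 dport=22 proto=tcp user=operator
2008-01-14T08:16:01 fw-esp1 action=auth-ok src=198.51.100.9 dst=10.1.1.1 dport=22 proto=tcp user=operator
2008-01-14T09:00:00 fw-esp1 action=allow src=10.1.1.50 dst=10.1.1.21 dport=502 proto=tcp user=-
2008-01-14T09:00:30 fw-esp1 action=allow src=10.1.1.50 dst=10.1.1.22 dport=502 proto=tcp user=-
2008-01-14T22:47:13 fw-esp1 action=auth-ok src=192.0.2.33 dst=10.1.1.1 dport=22 proto=tcp user=vendor
"""

# Actions a reviewer should always see (assumed action names).
REVIEW_ACTIONS = {"deny", "auth-fail"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse(text):
    """Parse lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"]}
        ev.update(field.split("=", 1) for field in m["kv"].split())
        events.append(ev)
    return events


def select_for_review(events, internal_net="10.0.0.0/8"):
    """Filter step: keep every deny and failed authentication, plus every
    successful authentication from outside the assumed internal network.
    Routine allowed traffic between internal hosts is left out of the manual
    review set. The result is sorted by source, then time, so a reviewer
    sees each source's activity together."""
    net = ipaddress.ip_network(internal_net)
    keep = []
    for ev in events:
        external = ipaddress.ip_address(ev["src"]) not in net
        if ev["action"] in REVIEW_ACTIONS or (ev["action"] == "auth-ok" and external):
            keep.append(ev)
    return sorted(keep, key=lambda e: (e["src"], e["ts"]))


def source_summary(events):
    """Sort step: sources ranked by event count (ties broken by address)."""
    counts = Counter(e["src"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def sample_for_review(events, k, seed):
    """Sampling step: draw k entries with a recorded seed so the same sample
    can be regenerated for an auditor; the manifest documents the method."""
    rng = random.Random(seed)
    chosen = rng.sample(events, min(k, len(events)))
    chosen.sort(key=lambda e: e["ts"])
    manifest = {
        "seed": seed,
        "requested": k,
        "population": len(events),
        "selected": len(chosen),
        "method": "uniform random sample of filtered entries (seeded)",
    }
    return chosen, manifest


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    review_set = select_for_review(events)
    print(f"{len(events)} events, {len(review_set)} selected for review")
    for src, n in source_summary(review_set):
        print(f"  {src:<15} {n}")
    sample, manifest = sample_for_review(review_set, k=4, seed=20080207)
    print("manifest:", manifest)
    for e in sample:
        print(f"  {e['ts'].isoformat()} {e['action']:<9} {e['src']} -> {e['dst']}:{e['dport']} user={e['user']}")
```

Running the block prints the per-source summary and the four sampled entries. The manifest (seed, population size, selection method) is the piece a responsible entity would keep with its cyber security policy, since it is what lets an auditor regenerate the exact sample that was reviewed; the filter itself is where the entity encodes which events matter at a given site, which is why the Order does not prescribe a single method.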
The Commission recognizes that the manner in which a responsible entity determines what sample to review may not be the same for all locations. Therefore, the revised Reliability Standard does not need to prescribe a single method for producing the log sampling. However, any requirements for creating this sample review could be detailed in its cyber security policy so that it can be audited. The Reliability Standards development process should decide the degree to which the revised CIP-005-1 describes acceptable log sampling. The ERO could also provide additional guidance on creating the sampling of log entries, which could be in a reference document. The final review process, however, must be rigorous enough to enable the responsible entity to detect intrusions by attackers.

d. Vulnerability Assessments

529. Requirement R4 of CIP-005-1 requires a responsible entity to “perform a cyber vulnerability assessment of the electronic access points to [an] electronic security perimeter at least annually.” The minimum criteria provided do not specify whether a live vulnerability assessment is required, as opposed to a paper assessment.

i. NOPR Proposal

530. In the CIP NOPR, the Commission stated that annual vulnerability assessments are sufficient when no modifications are made, but that when the electronic security perimeter or another measure in a defense in depth strategy is modified, it is not acceptable to wait a year to test modifications.[126] The Commission proposed to direct the ERO to revise the Reliability Standard to require a vulnerability assessment of the electronic access points as part of, or contemporaneously with, any modifications to the electronic security perimeter or defense in depth strategy.

126 *See* CIP NOPR at P 198-202.

531. The Commission also proposed to direct the ERO to modify Requirement R4 to require live vulnerability assessments at least once every three years, with annual paper assessments allowable in the intervening years.
The Commission stated that, if such live vulnerability assessments are not “technically feasible,” then a responsible entity may apply to be excused from full compliance to the Regional Entity, fully documenting the necessary interim actions, milestone schedule, and mitigation plan.

ii. Comments

532. Northern California and PG&E support live, not paper, vulnerability assessments of the electronic security perimeter, subject to exceptions where necessary. PG&E qualifies its support, explaining that technical infeasibility is not the only valid reason for not performing a live vulnerability assessment.

533. NERC, ReliabilityFirst, Northern Indiana, SDG&E and Ontario Power address their concerns about live testing issues generally, across Requirements that span several of the CIP Reliability Standards. They argue that the Commission should omit the requirements to include “live vulnerability testing” requirements in the Final Rule.[127] NERC and ReliabilityFirst argue that implementing such a requirement would be ill-advised because of the potential for disruption of operations resulting from an improperly run test, or the activation of an unknown or unforeseen vulnerability. NERC and ReliabilityFirst agree that performing such tests in a test environment is extremely useful and desirable, but performing such tests *in situ* in almost all cases would directly lead to significantly degraded reliability at that critical asset. FirstEnergy agrees that the risks of certain forms of live assessments are greater than their benefits. Similarly, NRECA maintains that the Bulk-Power System was not designed to facilitate live testing and is concerned that live testing, where inappropriate, could negatively impact reliability and service to consumers.[128]

127 Live vulnerability testing is discussed in several of the CIP Reliability Standards. Where commenters generally discuss live vulnerability testing, those comments are discussed in this section.
Comments about specific Reliability Standards are discussed in the section concerning that Reliability Standard.

128 One example cited by NRECA is software “patches” in other industries that failed to work as intended and instead disrupted service.

534. NERC and ReliabilityFirst believe that “active” vulnerability assessments of test systems are beneficial to understanding potential attacks. However, NERC finds it problematic to require test environments for all possible instances of electronic security perimeters and critical cyber assets. While most modern control centers contain such environments, they are rare for substation and generating plant environments, and the required resources could not be justified simply to perform active vulnerability tests once every three years.

535. NERC and ReliabilityFirst argue that, while test systems are required for testing of patches and software updates, these are not required to exactly match or mirror the operational system. For example, if a substation consists of many intelligent electronic devices, but only a few different models of intelligent electronic devices, then the test environment for patches and updates need only have one of each model in order to test updates. Depending on the vendor implementation, a single intelligent electronic device representative of all of the intelligent electronic devices may be sufficient for this purpose. This environment is suitable to test for software vulnerabilities, even though it is not a “full” or “complete” replication of the real environment, because it represents the essential equipment to perform the test. NERC states that it could support performing active tests in such an environment, provided the responsible entity could document and demonstrate that the test environment and the tests performed do, in fact, map to all the implemented components of the live environment.

536.
NERC therefore requests that the Commission decline to include its proposed requirements for live vulnerability testing in the Final Rule. Rather, NERC proposes replacing live vulnerability testing with “active vulnerability assessments of test systems.”[129] NERC believes that the active nature of the NERC proposed language addresses the concerns of the Commission, while ensuring reliable operations of the Bulk-Power System. These modifications also must be effectuated through the Commission-approved Reliability Standards development process.

129 Alliant, Arizona Public Service and ReliabilityFirst support these wording changes.

537. Northern Indiana argues that the current Reliability Standard allows the flexibility of performing live or paper vulnerability assessments as appropriate.

538. Juniper argues that, in addition to the paper assessment, creation of a “sandbox” environment that is fairly representative of the physical plant must be mandatory. Semi-annual penetration test of such a sandbox is essential.

539. MidAmerican believes that conducting a vulnerability assessment of the electronic access points as part of, or contemporaneously with, any modifications to the electronic security perimeter or defense in depth strategy on a three-year cycle would be an extremely burdensome task. It suggests the following:
(1) A baseline audit;
(2) an assessment during the change control process of the vulnerability implications; and
(3) a periodic review based upon the assessment.

540. Several commenters state that the Commission's proposal to require a vulnerability assessment when any “modification” of the electronic security perimeter or defense in depth strategy is made is too broad.[130] Commenters generally state that the Commission's use of the modifier “any” suggests that the Commission believes that all modifications of the electronic security perimeter, no matter how nominal, must result in a live vulnerability assessment of the entire perimeter. Northern California maintains that, as a result, the contemporaneous testing requirement could be a perverse disincentive that prevents upgrades to increase security when an entity's existing electronic security perimeter is “good enough.” An entity with “good enough” security may delay upgrades to security in order to minimize testing. Several commenters offer specific examples of modifications which they believe would not warrant a vulnerability assessment. Northern California believes that an appropriate Reliability Standard should require live vulnerability testing within 90 to 180 days of an electronic security perimeter modification.

130 *See, e.g.*, Northern California, FirstEnergy, FPL Group, PG&E and SPP.

iii. Commission Determination

541. The Commission notes that the concern expressed by some commenters of triggering an unknown vulnerability during a live test is one reason why some form of live or active testing is necessary. A responsible entity cannot protect its system from exploitation of vulnerabilities that it does not know about. However, in light of the comments received, the Commission will not adopt its proposal as set out in the CIP NOPR regarding live vulnerability assessments in Requirement R4 of CIP-005-1. Instead, we adopt the ERO's proposal to provide for active vulnerability assessments rather than full live vulnerability assessments.
Further, as discussed below, we clarify that an interim vulnerability assessment will only need to be performed if a responsible entity makes a significant modification to the electronic security perimeter.

542. The Commission's goal in proposing live vulnerability testing is to provide a level of confidence that the Bulk-Power System has a certain level of resistance to attack. We understand the concerns raised by commenters that live vulnerability testing could, at this time, diminish reliability. While the Commission's goal is to require full live vulnerability testing on the entire Bulk-Power System at some point, we understand that this may not be possible at this time. As suggested by FirstEnergy, industry may need time to gain experience in this area before it can conduct full live vulnerability testing. Therefore, the Commission adopts the ERO's recommendation of requiring active vulnerability assessments of test systems.[131]

131 The Commission approaches the live testing issues in CIP-007-1, CIP-008-1 and CIP-009-1 from this same perspective.

543. The Commission agrees with the ERO that test systems do not need to exactly match or mirror the operational system. However, to perform active vulnerability assessments, the responsible entities should be required to create a representative system, i.e., one that replicates the actual system as closely as possible. The active vulnerability assessment should be carried out on this representative system. In doing so, a responsible entity must document the differences between the operational and representative system for the auditors. As part of this documentation, the responsible entity should also document how test results on the representative system might differ from the operational system, and how the responsible entity accounts for such differences in operating the system.
Our goal is to ensure that each responsible entity understands the differences between its representative system and the operational system and how those differences might affect its test results. The entities remain responsible, however, to ensure that the testing systems are adequate to model the production systems and to document and account for the differences between the two.

544. Further, the Commission agrees with commenters that requiring each responsible entity to perform a vulnerability assessment of the electronic access points when any modification is made to the electronic security perimeter or defense in depth strategy is too broad. Instead, the Commission directs the ERO to revise the Reliability Standard so that annual vulnerability assessments are sufficient, unless a significant change is made to the electronic security perimeter or defense in depth measure, rather than with every modification. To be clear, the Commission is not requiring the Reliability Standard to use the terminology that a “significant change” is made to the electronic security perimeter or defense in depth strategy. Rather, we are directing the ERO to determine, through the Reliability Standards development process, what would constitute a modification that would require an active vulnerability assessment. For example, we would anticipate that updating an attack signature file on the electronic access point would not require an active vulnerability assessment, but replacing the devices that comprise the electronic access point would require an active vulnerability assessment.

545. Given our changes to the Commission proposal, and based upon the comments, the Commission does not believe performing an active vulnerability assessment once every three years will pose too great a burden on company personnel. The burden above that is required by the Reliability Standard as proposed by the ERO is justified by the insights that will be gained from the active assessments.

546.
At this time, the Commission does not believe it is necessary to require twice a year penetration tests by responsible entities, as requested by Juniper. We believe that the combination of annual testing and active vulnerability assessments is sufficient for the Reliable Operation of the Bulk-Power System. 547. In sum, we direct the ERO to modify Requirement R4 to require these representative active vulnerability assessments at least once every three years, with subsequent annual paper assessments in the intervening years. The ERO should develop the details of how to determine what constitutes a representative system and what modifications require an active vulnerability assessment in the Reliability Standards development process. The revised Reliability Standard should contain the essential requirement that an active assessment must be performed at least once every three years. Based on the amount of guidance contained in the modified Reliability Standard, the ERO should consider at that time whether additional guidance should be provided in a reference document. 5. CIP-006-1—Physical Security of Critical Cyber Assets 548. Reliability Standard CIP-006-1 addresses the physical security of the critical cyber assets identified in Reliability Standard CIP-002-1. In particular, CIP-006-1 requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. 132 The physical security plan must be approved by senior management and must contain processes for identifying, controlling, and monitoring all access points and authorization requests. 
132 As defined in the NERC Glossary, an “Electronic Security Perimeter” means, “[t]he logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled * * *” and a Physical Security Perimeter is “the physical, completely enclosed (“six-wall”) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets means are housed and for which access is controlled * * *.” 549. Reliability Standard CIP-006-1 also addresses operational and procedural controls to manage physical access at all access points to the physical security perimeter at all times by the use of alarm systems and/or human observation or video monitoring. The Reliability Standard also requires that the logging of physical access must occur at all times, and the information logged must be sufficient to uniquely identify individuals crossing the perimeter. Finally, the Reliability Standard requires responsible entities to test and maintain all physical security mechanisms on a three-year cycle. 550. In the CIP NOPR, the Commission proposed to approve Reliability Standard CIP-006-1 as mandatory and enforceable. In addition, we proposed to direct the ERO to develop modifications to this Reliability Standard. Further, the Commission also proposed to require the ERO to consider various other matters of clarification, guidance, and modification. In our discussion below, we address the following topic areas regarding CIP-006-1:
(1) Physical security plan;
(2) physical access controls and monitoring physical access; and
(3) maintenance and testing.[133]

[133] In the NOPR, the Commission also addressed the issue of physical security breaches, and proposed no modification to CIP-006-1. We stated that our concerns would be resolved with modifications proposed to CIP-008-1, pertaining to the term “reportable incident.” We affirm that position here.

a. Physical Security Plan

551. Requirement R1.1 of CIP-006-1 addresses processes that a responsible entity must include in its physical security plan to ensure that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. The CIP Assessment noted that Requirement R1.1 anticipates that there may be instances where a completely enclosed border cannot be established and that, in such instances, the responsible entity shall deploy and document “alternative measures” to control physical access to the critical cyber assets. It cautioned, however, that Requirement R1.1 does not provide guidance on how an alternative measure should be identified or determined to be adequate.

552. In the CIP NOPR, the Commission stated that the phrase “alternative measures” as referenced in Requirement R1.1 should be interpreted to be an exception to the Requirement, and that our discussion of technical feasibility exceptions should apply to Requirement R1.1. We noted that, under this Requirement, the responsible entity is required to deploy and document alternative measures if a completely enclosed six-wall border cannot be established to control physical access to the critical cyber assets. However, we observed that the Requirements did not provide guidance on how an alternative measure should be identified or determined to be adequate. Therefore, the Commission proposed to direct the ERO to treat the allowance of alternative measures as interim actions developed and implemented as part of a mitigation plan under a technical feasibility exception.

i. Comments

553. NERC, APPA/LPPC, OGE, SoCal Edison and SDG&E disagree with the Commission's proposal to treat the allowance of alternative measures as interim actions developed and implemented as part of a mitigation plan under a technical feasibility exception.

554. MidAmerican generally supports the proposal to treat an alternative measure to a six-walled perimeter as an exception to be mitigated under a technical feasibility exception, for the reasons articulated in the CIP NOPR. However, MidAmerican recommends that the Commission consider the alternative measures to be implemented when a six-wall border cannot be established, where appropriately equivalent, as the mitigation solution and not an interim action. The merits of the alternative measures can be evaluated at the time of an audit.

555. NERC, APPA/LPPC, Arizona Public Service, and Consumers maintain that, where the equipment cannot be contained within a six-wall border, alternative measures should be permitted on a permanent basis. NERC argues that the Commission's proposal implies that by treating these alternative measures as interim actions with required mitigation plans, the responsible entity could overcome the physical or safety-related obstacles to achieving the completely enclosed physical boundary. NERC believes this is impractical, if not impossible. APPA/LPPC assert that the configuration or layout of a specific cyber asset simply may not lend itself to a complete physical perimeter, and alternative means of protection (including electronic protections) may be entirely adequate, given the level of security risk posed by the asset and the nature of the alternative form of protection. In some cases, NERC states that there is no possibility of mitigation. The responsible entity does not choose not to completely enclose the asset—it is a physical limitation which cannot be overcome.
In cases where the physical or safety limitations do not exist, the responsible entity is expected to comply with the Requirements, and not use alternative measures. In cases where the physical limitations cannot be overcome, NERC argues that the responsible entity cannot ignore the Requirement, but must implement an alternative. NERC also argues that this alternative is expected to be a permanent solution, not an interim measure.

556. Arizona Public Service agrees with NERC that the Commission should omit this proposal from the Final Rule and supports remanding this provision to NERC to modify R1.1 to permit the use of alternative measures on a permanent basis under requirements, developed through the NERC Reliability Standards development process, which could include documenting and justifying the need for the alternative measure and describing the alternative measures implemented.

557. Georgia Operators states that the industry will continue to struggle for years to agree on a clear definition of what comprises six walls for a physical security perimeter: not every wall need necessarily be bunker-strength concrete, but neither should every wall be paper-thin.

558. While APPA/LPPC maintain that alternative measures should be documented by the Regional Entity, Northern Indiana argues that, if a responsible entity establishes or has established adequate alternative measures, then the responsible entity should not need to document or otherwise justify the alternative measure. Northern Indiana requests that, if the Commission does require NERC to modify Requirement R1 in the Final Rule, it clarify what is meant by alternative measures.

ii. Commission Determination

559. We are persuaded by commenters that there may be instances in which the physical or safety-related obstacles to achieving a completely enclosed physical boundary cannot be overcome. In such instances, we agree with commenters that it would be inappropriate to treat the alternative measures under this CIP Reliability Standard as interim actions under the technical feasibility exception, as the exception was proposed in the CIP NOPR. However, the Commission has revised its determination with respect to the technical feasibility exception to address concerns such as those raised by commenters on Requirement R1.1 of CIP-006-1. The Commission believes that allowing a technical feasibility exception to Requirement R1.1 of CIP-006-1, with the changes discussed in the Technical Feasibility section of this Final Rule, should address commenters' concerns. Specifically, the Commission acknowledges that some circumstances merit reliance on mitigation strategies that are ongoing and effective, so long as they are justified and reviewed periodically. This should alleviate the concern of commenters that the Commission is not allowing exceptions to Requirement R1.1 on a long-term basis.

560. Therefore, the Commission directs the ERO to treat any alternative measures for Requirement R1.1 of CIP-006-1 as a technical feasibility exception to Requirement R1.1, subject to the conditions on technical feasibility exceptions.[134] In evaluating the requests for a technical feasibility exception to Requirement R1.1, we expect the ERO to work with the responsible entities to ensure consideration of any emerging technologies that may allow the responsible entity to satisfy Requirement R1.1.

[134] In section II.F.3 of this Final Rule, we explain the circumstances under which technical feasibility exceptions can be claimed and direct the ERO, through the Reliability Standards development process, to revise the Reliability Standards accordingly.

b. Physical Access Controls and Monitoring Physical Access

561. Requirement R2 of the CIP Reliability Standard requires the use of at least one of four listed physical access control methods, but does not require or suggest that the method(s) employed to control physical access consider the characteristics of the access point at issue and the criticality of the asset being protected. Requirement R3 requires monitoring at each access point to the physical security perimeter, including alarm systems and/or human monitoring. For both Requirement R2 and Requirement R3, a responsible entity can choose whether to implement single or multiple access control methods and monitoring devices.

562. The CIP NOPR suggested that a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter. It stated that use of a minimum of two different security procedures would, for example, enable continuous security protection when one of the security protection measures is undergoing maintenance and provide redundant security protection in the event that one of the measures is breached. Therefore, while the Commission recognized that there is a point at which implementing multiple layers of defense becomes an unreasonable burden to responsible entities, the Commission nevertheless proposed to direct the ERO to modify this CIP Reliability Standard to state that a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter around critical cyber assets.

i. Comments

563. While California Commission finds the Requirements of CIP-006-1 to be sound and succinct, it also finds the proposal in the CIP NOPR to require two or more security procedures to be sound policy. It adds that defense in depth strategy should be used in such situations, because multiple security procedures make it harder for a potential attacker to penetrate the system.
FirstEnergy finds the Commission's proposal to require a minimum of two different security procedures is appropriate where technically feasible. However, it notes that a variety of different security procedures could satisfy this requirement. For example, the minimum of two different security procedures could be met by having two doors each with one security device or one door with two security devices.

564. Within a substation, NERC and ReliabilityFirst argue that there is no practical way to implement a second physical perimeter without jeopardizing the reliability of the substation itself. If the “outer” perimeter is outside the building, NERC and ReliabilityFirst see space problems with adding the mandated physical security perimeter (e.g., monitoring, logging, access control, personnel management, and training) on the border fence, noting that, in most substations, physical space around the control building is at a premium, and implementing an additional perimeter is problematic.

565. NERC and ReliabilityFirst raise similar concerns with requiring two physical security controls as they do with respect to electronic security controls in CIP-005-1. They further argue that, if the control building structure is still expected to be the inner perimeter, then, by necessity, a new perimeter (most likely an additional fence) will need to be built. In space-restricted substations this will likely be impossible. Similarly, if the control building structure is expected to be the outer perimeter, additional construction—whether solid walls or fence-like caging—will need to be constructed inside the control building. In this regard, NERC objects to a requirement to retrofit existing installed equipment with additional construction or cabinet installation necessitated by the distributed nature of the equipment. NERC considers it counterintuitive to require that these new constructions be built as “cabinets within cabinets” or “rooms within rooms,” contending that this kind of construction or implementation is burdensome without real benefit.

566. APPA/LPPC, Idaho Power, Northern Indiana, OGE and Tampa Electric do not believe that it is appropriate to categorically require two different security procedures when establishing a physical security perimeter. APPA/LPPC are concerned that the Commission's proposal to do so could necessitate needless and expensive redundancy. Since Requirements R2 and R3 are already designed to be redundant (controlled access is backed up by monitoring), APPA/LPPC assert the Commission's proposal would appear to require a total of four measures. If the Commission meant that four separate and distinct security measures are necessary to comply with Requirements R2 and R3, then APPA/LPPC disagree with the proposed change.

567. Entergy argues that the term “security procedures” in CIP-006-1 is confusing and that the Commission should direct NERC to define the term. Entergy argues that the terms physical security “measures” or “barriers” in the context of perimeters would improve clarity, whereas the term “procedures” better applies to access control management (R2) and monitoring (R3).

568. Several commenters seek clarification of what the Commission intended in requiring two or more security procedures. For example, SPP interprets the Commission's comment as requiring two independent security procedures at the physical security perimeter access point, as opposed to complementary security controls such as closed-circuit television observation of a secured door. SPP recommends that the Commission clarify that this is its intent, and offers that if a proper defense in depth strategy is used that provides for progressively restricted access or other obstructions to access as one approaches the physical security perimeter, multiple access controls at the physical security perimeter access point are excessive. SPP recommends that a progressive security scheme be acceptable in lieu of implementing multiple access controls at the physical security perimeter access point. SPP further recommends that the Commission clarify its intent as to whether an asset perimeter fence would constitute an acceptable obstruction and achieve the goal of the Commission's proposal. Similarly, MidAmerican requests that the Commission clarify whether the security procedures must be completely independent or may rely on a common component.

569. Arkansas Electric states it is uncertain if the Commission intends the term security procedures to apply to actual methods of implementing physical security (e.g., locks, gates, fences) or to procedural methods (e.g., logging). Arkansas Electric argues that adequate security fencing with a special lock should suffice for a secondary physical security procedure.

570. Idaho Power states that, for example, special locks and key cards would meet the Commission's recommended security procedures; however, they are significantly the same control measure and do nothing to provide defense in depth. While they afford back-up during maintenance, they fall short on defense since one can override the other.
If the Commission truly wants to promote defense in depth, Idaho Power states that the chosen options should be required to support one another (e.g., key cards and closed circuit television), and not be just two of the provided four options.

571. Northern Indiana argues that it is unreasonable to put in place two different security measures in remote or field locations. National Grid also argues that two or more different security procedures may not always be needed to accomplish defense in depth.

ii. Commission Determination

572. The Commission adopts the CIP NOPR proposal to direct the ERO to modify this CIP Reliability Standard to state that a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter around critical cyber assets. However, similar to our determination in CIP-005-1 regarding defense in depth for electronic security perimeters, in light of the comments received, the Commission understands that there may be instances in which certain facilities cannot implement defense in depth or where such an approach would harm reliability rather than enhance it. For that reason, the Commission believes that it is appropriate to allow the ERO and the Regional Entities to grant exceptions based on the technical feasibility of implementing defense in depth, consistent with the Commission's determination on technical feasibility above. However, the responsible entity should implement physical security perimeter defense in depth measures or justify why it is not doing so pursuant to our discussion of technical feasibility exceptions.

573. As stated in the CIP NOPR, the Commission recognizes that there is a point at which implementing multiple layers of defense becomes an unreasonable burden to responsible entities. However, as more fully detailed in our discussion of defense in depth in CIP-005-1, we continue to believe that the effectiveness of any one defense measure is often dependent on the quality of active human maintenance, and there is no one perfect defense measure that will guarantee the protection of the Bulk-Power System.[135] Therefore, we continue to require the use of layered and complementary security procedures that a defense in depth approach embodies.

[135] *See* discussion of CIP-005-1, section II.F.4.a, *supra.*

574. In response to APPA/LPPC's comments, the Commission does not require two or more different monitoring methods under Requirement R3. We did not propose to modify Requirement R3 and are not doing so in this Final Rule. Further, the Commission did not intend to require two or more physical perimeters, as suggested by NERC and ReliabilityFirst. Rather, the Commission intended only to require the ERO to modify R2 to provide for two or more different and complementary physical access controls at a physical access point of the perimeter. The Commission believes that this should clarify what it meant by the term “procedures” and sees no need to direct the ERO to define the term, as requested by Entergy.

575. In response to commenters' questions regarding specific physical access controls, the Commission clarifies that it does not intend to create an inflexible rule calling for redundant physical security. While the Commission continues to believe that a responsible entity must implement two or more distinct and complementary physical access controls at a physical access point of the perimeter, the specific requirements should be developed in the Reliability Standards development process when the ERO develops its modifications in response to this Final Rule.[136] The Commission also directs the ERO to consider, based on the content of the modified CIP-006-1, whether further guidance on this defense in depth topic should be developed in a reference document outside of the Reliability Standards.

[136] The Commission notes that the requirements in Standard CIP-005-1 are not alone sufficient to address the Commission's goal. CIP-005-1 concerns electronic security perimeters. A single physical security measure is too easy to bypass and an electronic security measure could not thwart a physical attack. Therefore, we believe it is in the public interest to require that a responsible entity must implement two or more distinct physical security measures at a physical access point of the perimeter.

576. Northern Indiana raises a concern about security measures in remote or field locations, but did not provide specific information. The Commission believes that, if it is not possible to implement two or more distinct physical security measures in a remote or field location, a Regional Entity could grant justified exceptions based on technical feasibility.

c. Maintenance and Testing

577. Requirement R6 of CIP-006-1 requires responsible entities to implement maintenance and testing programs of physical security systems on a cycle no longer than three years and retain testing and maintenance records for the same timeframe. In addition, Requirement R6 requires retention of outage records of certain physical security systems for a minimum of one year. In the CIP NOPR, the Commission stated that maintenance and testing of physical security systems should occur more frequently than once every three years. However, the Commission also stated that testing at remote substations should be allowed less frequently. Therefore, the Commission proposed to direct the ERO to modify this Reliability Standard to require that:
(1) A readily accessible critical cyber asset be tested every year with a one-year record requirement for the retention of testing, maintenance, and outage records; and
(2) a non-readily accessible critical cyber asset be tested in a three-year cycle with a three-year record retention requirement.

The Commission stated that this approach provides an appropriate assurance that security measures for geographically dispersed physical assets are functioning properly.

i. Comments

578. FirstEnergy agrees with the Commission that the frequency of the maintenance and testing programs should be a function of the accessibility of critical cyber assets. The Requirement should specify the form of testing and the frequency of such testing that will be considered adequate. For example, testing the functionality of a system that is part of the work environment and used every day may be excessive, while a more extreme form of testing, such as simulated break-ins, may be appropriately applied biennially or triennially. In addition, the CIP Reliability Standards should clarify what is considered readily accessible and what is not. Any testing requirements should consider the specific facilities being tested and allow entities to use their discretion until more experience is gained in this area. Finally, changes to the frequency of the maintenance and testing program cycles should be considered in the Reliability Standards development process.

579. National Grid argues that the testing of critical cyber assets (as opposed to testing of physical security measures for such critical cyber assets) is beyond the scope of the physical security requirements in Reliability Standard CIP-006-1. Thus, it requests that the Commission clarify that the CIP NOPR's reference to the testing of critical cyber assets was inadvertent, and that the Commission was merely proposing testing intervals for physical security measures.

580. Northern Indiana requests that the Final Rule clarify what is intended by a “test.” A test of a card access system, for example, can be the normal operation with the card and the operation with a non-programmed card to determine whether the lock is working. The protocol for physical security system tests is dictated more by the type of equipment to be tested as well as the equipment's application. Northern Indiana states that, like the Commission, it believes in a strong maintenance and testing program. However, Northern Indiana also believes the focus of the Final Rule should be on whether an unauthorized person accesses the physical security system, and not the administrative nature of testing the system. Clarification of what is intended by, or what makes up, an acceptable test will in effect strengthen the Requirement.

ii. Commission Determination

581. The Commission adopts the CIP NOPR proposal and directs the ERO to develop a modification to CIP-006-1 to require a responsible entity to test the physical security measures on critical cyber assets more frequently than every three years, but clarifies our direction in several respects. Similar to our action with respect to reviewing logs in CIP-005-1, the Commission will not adopt the proposal to require different testing periods for physical security measures on critical cyber assets that are readily accessible or not readily accessible. Instead, we leave it to the Reliability Standards development process to decide whether different timeframes are appropriate for physical security measures on critical cyber assets that are readily accessible and not readily accessible. Similar to our direction in CIP-005-1, if different review timeframes are adopted, the ERO should provide guidance as to what constitutes a readily accessible facility and a facility that is not readily accessible. The ERO may also delineate different timeframes for testing for other reasons, but must clearly define how to determine in what timeframe the physical security measures on a specific critical cyber asset must be reviewed.

582. In response to Northern Indiana, the Commission does not believe it is necessary at this time to specify what would constitute a test, because each test may be different based on the type of physical security measure employed. Northern Indiana may ask the ERO to provide guidance on this matter.

583. In response to National Grid, we clarify that the CIP NOPR's reference to the testing of critical cyber assets was inadvertent, and that we proposed testing intervals for physical security measures.

6. CIP-007-1—Systems Security Management

584. The Purpose statement in CIP-007-1 states that it requires responsible entities to define methods, processes and procedures for securing those systems determined to be critical cyber assets, as well as the non-critical cyber assets within the electronic security perimeter(s). This Reliability Standard deals primarily with changes made to the operating production systems and verification that such changes will not inadvertently have adverse effects.[137]

[137] *See* CIP NOPR at P 224-25 and CIP Assessment at 31.

585. The Commission approves Reliability Standard CIP-007-1 as mandatory and enforceable. In addition, we direct the ERO to develop modifications to this Reliability Standard. The required modifications are discussed below in the following topic areas of concern regarding CIP-007-1:
(1) Acceptance of risk and technical feasibility;
(2) test procedures;
(3) malicious software prevention;
(4) security status monitoring;
(5) disposal or redeployment;
(6) cyber vulnerability assessment; and
(7) documentation review and maintenance.

a. General Issues Regarding Acceptance of Risk and Technical Feasibility in CIP-007-1

586. In the CIP NOPR, the Commission expressed various concerns regarding acceptance of risk and technical feasibility language in CIP-007-1. For example, Requirement R2.3 allows a responsible entity to accept risk rather than take mitigating action where unused ports and services cannot be disabled due to “technical limitations” and Requirement R3.2 allows an acceptance of risk in lieu of mitigating risk exposure through a patching program. Requirement R4 requires the responsible entity to use antivirus software and malicious software prevention tools where technically feasible. Requirement R6 of CIP-007-1 requires responsible entities to ensure that all cyber assets within the electronic security perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.

587. Requirement R3 of CIP-007-1 requires a responsible entity to establish and document a security patch management program for tracking, evaluating, testing and installing applicable cyber security software patches for all cyber assets within an electronic security perimeter. Among other things, a responsible entity must document the implementation of security patches. Where a patch is not installed, the responsible entity must document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.

588. The Commission proposed to direct the ERO to eliminate the acceptance of risk language from Requirement R3.2.[138] We stated that patch management choices must be weighed in light of the risks involved, with senior management involved in the decision. We noted that this provision is a component of implementing Recommendation 33 of the Blackout Report,[139] which states that using up-to-date patches that deal specifically with security vulnerabilities is of the utmost importance, provided it does not degrade the system and the patch does not create more vulnerability than the problem it is intended to fix.

[138] *See id.* P 235-39.

[139] *See* Blackout Report at 164, Recommendation 33.

589. The Commission also proposed to direct the ERO to eliminate the acceptance of risk language from Requirement R2.3. At the same time, the Commission proposed to leave intact the exception for technical limitations in Requirement R2.3. However, the Commission stated that the technical limitations language of Requirement R2.3 raised the same concerns as raised concerning the technical feasibility language. While the Commission acknowledged that an exception for technical limitations might be appropriate, it stated that the language must include the same conditions as discussed in the context of technical feasibility. Accordingly, we proposed that the same conditions and reporting requirements should apply here. Thus, the Commission proposed to direct the ERO to revise Requirement R2 and its subparts to remove the acceptance of risk language and to impose the same conditions and reporting requirements here for “technical limitations” as imposed elsewhere in the CIP NOPR regarding “technical feasibility.”

i. Comments

590. The California Commission agrees with the proposal to remove the phrase “acceptance of risk” from the Reliability Standard. The California Commission also finds the existence of the term “technically feasible” in this Reliability Standard acceptable with the burden of proof on the individual organization to prove the exception.
MidAmerican supports the Commission's proposal to eliminate acceptance of risk from Requirement R2.3 and agrees that exceptions for technical limitation may be appropriate but must be treated as an exception in the same way as technical feasibility issues. However, MidAmerican cautions that the terms “technical limitations” and “technical feasibility” need clarification to facilitate compliance.

591. Juniper maintains that it is not technically feasible to turn off ports. It states that, if a device cannot turn off unused ports, it must be protected with a firewall in front of it. Unused open ports are the most common form of attack since devices can fail in unplanned ways when they receive unexpected traffic. Ideally, device providers must be mandated to provide the list of ports they require to be opened, with a description of the protocol expected on each open port.

592. Commenters also raise concerns about the Commission's treatment of security patches. According to APPA/LPPC, the Commission's proposal to eliminate the acceptance of risk language from CIP-007-1, Requirement R3.2 would appear to prevent responsible entities from exercising any discretion to determine not to implement a security patch on the ground that it posed more risk than justified. Limiting the use of acceptance of risk to instances where adoption of a specific compliance measure is determined by the responsible entity to pose more risk than alternative compliance measures is appropriate, but eliminating all discretion in this area undermines necessary flexibility. In the alternative, APPA/LPPC argue that the Commission should give responsible entities the discretion to determine whether specific security patches create more vulnerability to the Bulk Power System than they solve. In this regard, APPA/LPPC note that the Commission itself stated in the CIP NOPR that the most up-to-date patches should be used, provided this does not “degrade the system and the patch does not create more vulnerability than the problem it is intended to fix.” Thus, APPA/LPPC argue that, if the Commission proceeds to delete the acceptance of risk language, it should specifically include the disclaimer on patches referenced above.

593. MidAmerican opposes the Commission's proposal to direct NERC to revise the Reliability Standard to remove acceptance of risk from the provisions for security patch management in Requirement R3. MidAmerican believes that the acceptance of risk should remain in the Reliability Standard if accompanied by a mitigation plan and sunset provisions for the exception. By requiring a mitigation plan to reduce the risk and a time frame to come into compliance, the standard provides needed flexibility while maintaining the certainty of a committed end-date.

594. Northern Indiana does not support the Commission's proposal that senior management be involved in each and every case because it is not necessary. The Commission should refine its proposal and provide that senior management should be consulted when mitigation is needed, but not in situations not requiring mitigation. Such situations can be appropriately addressed by senior management's delegate.

595. FPL Group states that the Commission's statement that patch management must be weighed in light of the risks involved, with senior management involved in the decision, acknowledges that a certain level of risk associated with patch management must be taken into account. However, FPL Group states that this analysis is no different from the acceptance of risk language that the Commission rejects.
The Commission is essentially stating that by using technical judgment, a responsible entity's senior management can accept the risk associated with not applying security patches in instances where the patches would degrade performance after performing a risk assessment. Therefore, FPL Group recommends directing the ERO Reliability Standards development process to consider the issue related to acceptance of risk and make appropriate modifications, if any, to the Reliability Standards.

596. Juniper states that an inline intrusion prevention system or intrusion detection system that is able to automatically identify and understand the protocols being used on a control network provides a mitigation for conditions where applying patches against known vulnerabilities is not feasible. Hence, in locations where patches cannot be applied such a network device must be required.

ii. Commission Determination

597. The Commission affirms its proposals with respect to technical feasibility and acceptance of risk. Therefore, the Commission directs the ERO to eliminate the acceptance of risk language from Requirements R2.3 and R3.2. However, as discussed in the CIP NOPR, this leaves intact the exception for technical limitations in Requirement R2.3, so long as the treatment of Requirement R2.3 conforms to our findings regarding the technical feasibility exceptions.

598. MidAmerican's concerns about clarifying the terms technical limitations and technical feasibility through the Reliability Standards development process are addressed in our findings regarding technical feasibility elsewhere in the Final Rule.

599. In response to Juniper, the Commission does not believe that applying the technical feasibility exception in lieu of acceptance of risk means that a responsible entity would not have to mitigate the risk of not being able to turn off ports. The Commission believes that our discussion of the technical feasibility exception in the Technical Feasibility Exception Remediation and Mitigation section above supplies the obligation to mitigate that Juniper is seeking.

600. With respect to security patch management, the Commission continues to believe that the acceptance of risk language is unacceptable. However, in doing so we do not seek to prevent responsible entities from exercising some level of discretion. The Commission therefore directs the ERO to revise Requirement R3 to remove the acceptance of risk language and to impose the same conditions and reporting requirements as imposed elsewhere in the Final Rule regarding technical feasibility. The Commission believes that this will allow responsible entities the discretion APPA/LPPC seek. Further, this essentially accomplishes the outcome sought by MidAmerican. With respect to the disclaimer requested by APPA/LPPC, the Commission is not convinced to direct such a modification to the Reliability Standard at this time. However, this issue should be examined in the Reliability Standards development process. Given that we are modifying our direction, we do not believe that it is necessary to mandate senior management involvement in these decisions here. While we direct the ERO to modify Requirement R3 of CIP-007-1 to remove the acceptance of risk language, the ERO, through the Reliability Standards development process, may choose to allow exceptions to this requirement for technical infeasibility, consistent with the Commission's determination on technical feasibility above. However, the responsible entity should implement the requirements for software patches for all cyber assets within an electronic security perimeter or justify why it is not doing so pursuant to our discussion of technical feasibility exceptions.

b. Test Procedures

601.
Requirement R1 of CIP-007-1 requires a responsible entity to ensure that new cyber assets and significant changes to existing cyber assets within the electronic security perimeter do not adversely affect existing cyber security controls. Responsible entities must create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system and its operation. They must document that testing is performed in a manner that reflects the production environment and must document test results.

602. The CIP Assessment suggested that Requirement R1.2 should require the responsible entity to document how each significant difference between the production and testing environments is considered and addressed.[140]

[140] CIP Assessment at 32.

603. In the CIP NOPR, the Commission stated that, if a testing environment does not accurately reflect the production environment, testing of systems may not be adequate to judge impacts on reliability. While, ideally, testing should be conducted on a precise duplicate of the production system, the Commission acknowledged that this is not always possible. When it is not, any differences between the test environment and the production system should be documented. Therefore, the Commission proposed to direct the ERO to modify Requirement R1 and its subparts to require documentation of each significant difference between the testing and the production environments, and how each such difference is mitigated or otherwise addressed.

i. Comments

604. FirstEnergy argues that, while it is reasonable for the Commission to require documentation of significant differences between the testing and production environments, the Commission should clarify that it is not expecting that the differences themselves would be mitigated in the test—other than to simply get the test environment as close as possible to the production environment. The Commission should ensure that the documentation required to document the differences will not be burdensome.

605. MidAmerican supports the proposal to document differences between the testing and production environments, but suggests that these differences not be reported for every test version, but only when the production and test environments are established.

606. Northern Indiana maintains that the existence of any significant difference means the test will not reflect the production environment, which would violate Requirement R1.3. Further, Northern Indiana maintains that differences in testing and production environments may be difficult to eliminate or to mitigate. In a simulated test, differences will exist. Northern Indiana maintains that small differences should not require mitigation.

607. Northern Indiana argues that documenting vulnerability test results or the existence of any mitigation or remediation plans would reveal any vulnerability on its system. Tampa Electric contends that this would produce an unnecessary administrative burden. It explains that there are instances when the production system is too large and complex to practically reproduce in a test environment. In this circumstance, according to Tampa Electric, documenting every detail would expend additional resources without producing useful information.

608. ISO-NE and Northern Indiana ask for clarification of the term “significant difference” in the CIP-007-1 proposal. ISO-NE states that the term significant difference is highly subjective and potentially burdensome without actually enhancing an entity's security posture.

ii. Commission Determination

609. The Commission has discussed issues related to testing environments in CIP-005-1.[141] In that context, the Commission clarifies the CIP NOPR proposal to require differences between the test environment and the production system to be documented. As stated with respect to CIP-005-1, the Commission understands that test systems do not need to exactly match or mirror the production system in order to provide useful test results. However, to perform active testing, the responsible entities should be required at a minimum to create a “representative system”—one that includes the essential equipment and adequately represents the functioning of the production system. We therefore direct the ERO to develop requirements addressing what constitutes a “representative system” and to modify CIP-007-1 accordingly. The Commission directs the ERO to consider providing further guidance on testing systems in a reference document.

[141] Section II.H.4.d, *supra*.

610. Consistent with our action in CIP-005-1, the Commission will not at this time require documentation of each difference between the testing and the production environments and how each such difference is mitigated or otherwise addressed. In using the term mitigation, our goal was to ensure that each responsible entity understands the differences between its representative system and the production system and how those differences might affect its test results. The Commission believes that, as a part of this documentation, the responsible entity should also document how any test results might differ from the testing system to the production system and how the responsible entity accounts for such differences in operating the system. Therefore, we direct the ERO to revise the Reliability Standard to require each responsible entity to document differences between testing and production environments in a manner consistent with the discussion above. Such revision should address what types of differences must be documented. The entities remain responsible, however, to ensure that the testing systems are adequate to model the production systems and to document and account for the differences between the two.

611.
With respect to MidAmerican's proposal that the differences between the testing and production environments only be reported when the production and test environments are established, the ERO should consider this matter in the Reliability Standards development process. However, the Commission cautions that certain changes to a production or test environment might make the differences between the two greater and directs the ERO to take this into account when developing guidance on when to require updated documentation to ensure that there are no significant gaps between what is tested and what is in production.

612. The Commission understands Northern Indiana's concern that documenting vulnerability test results or any mitigation or remediation plans may reveal system vulnerabilities. The ERO should alleviate this concern by providing for such reports to be reviewed under the confidentiality provisions of its Rules of Procedure.

c. Malicious Software Prevention

613. Requirement R4 of CIP-007-1 requires responsible entities to use antivirus and other malicious software prevention tools where technically feasible, and allows an acceptance of risk option. The Requirement and its subparts do not provide direction on how to implement this type of protection, where it should be deployed, or what care must be taken to implement and test malicious code protection in order to avoid harm to the production system.

614. The Commission proposed to direct the ERO to eliminate the acceptance of risk language from Requirement R4.2, and also attach the same documentation and reporting requirements to the use of technical feasibility in Requirement R4, pertaining to malicious software prevention, as elsewhere. The Commission discussed the issues of defense in depth, technical feasibility, and risk acceptance elsewhere in the CIP NOPR and applied those conclusions here. The Commission further proposed to direct the ERO to modify Requirement R4 to include safeguards against personnel introducing, either maliciously or unintentionally, viruses or malicious software into a cyber asset within the electronic security perimeter through remote access, electronic media, or other means.[142]

[142] *See* CIP NOPR at P 240-44.

i. Comments

615. Consumers argues that requiring antivirus software on every system in the electronic security perimeter that uses a routable protocol would not be warranted. In Consumers' view, requiring such software on a blanket basis would itself lead to reliability problems. Thus, Consumers argues that only those systems that are vulnerable to this type of threat should require protection under this guideline.

616. In this regard, Consumers argues that many operating systems, like the UNIX operating server systems, switches and bridges, may be critical cyber assets. But they are not directly vulnerable to virus attacks and need not be protected by antivirus applications. In corporate environments, UNIX servers do require antivirus and malware protection, since they use hypertext transfer protocol and e-mail services which can make them infected carriers. However, there are no instances in control system environments requiring any such protection.

617. Consumers concedes that network infrastructure devices that are not directly targeted can be affected as collateral damage. But, it argues, some of the critical cyber assets do not have any mechanism for antivirus installation. Finally, Consumers argues that the Commission should promote the idea of perimeter defense, using firewall based content vulnerability security devices to protect the control systems' electronic security perimeter rather than application of antivirus software to every critical cyber asset.

618.
MidAmerican asks the Commission to clarify the intent of the proposal that Requirement R4 be modified to include safeguards against personnel introducing, maliciously or unintentionally, viruses or malicious software to a cyber asset. Northern Indiana believes that systems and protections are in place to prevent unintentional actions affecting a cyber asset. It states that there are no safeguards that protect against all malicious or unintentional acts. Juniper recommends that network-based antivirus and intrusion prevention devices be mentioned as a minimum requirement for such safeguards against unintentional introduction of malware by authorized personnel.

ii. Commission Determination

619. The Commission adopts the CIP NOPR proposal with regard to CIP-007-1, Requirement R4. Issues concerning technical feasibility and acceptance of risk are discussed above.

620. The Commission will not adopt Consumers' recommendation that not every system in an electronic security perimeter needs antivirus software. Critical cyber assets must be protected, regardless of the operating system being used. Consumers has not provided convincing evidence that any specific operating system is not directly vulnerable to virus attacks. Virus technology changes every day. Therefore we believe it is in the public interest to protect all cyber assets within an electronic security perimeter, regardless of the operating system being used. Further, as Consumers admits, any network infrastructure devices that are not directly targeted can be affected as collateral damage.

621. While we agree that no safeguard will protect against all malicious or unintentional acts, this does not mean that systems should not be protected against such acts. In response to MidAmerican, the Commission believes that details regarding how to safeguard systems against personnel introducing, maliciously or unintentionally, viruses or malicious software to a cyber asset are best developed in the Reliability Standards development process. The revised Reliability Standard does not need to prescribe a single method for protecting against the introduction of viruses or malicious software to a cyber asset by personnel. However, how a responsible entity does this should be detailed in its cyber security policy so that it can be audited for compliance with the Reliability Standard. The Reliability Standards development process should decide the degree to which the revised CIP-007-1 describes how an entity should protect against personnel introducing viruses or malicious software to a cyber asset. The ERO could also provide additional guidance in a reference document.

622. Therefore, the Commission directs the ERO to eliminate the acceptance of risk language from Requirement R4.2, and also attach the same documentation and reporting requirements to the use of technical feasibility in Requirement R4, pertaining to malicious software prevention, as elsewhere. The Commission also directs the ERO to modify Requirement R4 to include safeguards against personnel introducing, either maliciously or unintentionally, viruses or malicious software to a cyber asset within the electronic security perimeter through remote access, electronic media, or other means, consistent with our discussion above.[143]

[143] *See id.*

d. Security Status Monitoring

623. Requirement R6 of CIP-007-1 requires responsible entities to ensure that all cyber assets within the electronic security perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
Among other things, a responsible entity must maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Reliability Standard CIP-008-1. Logs must be retained for 90 calendar days, and the responsible entity must review logs of system events related to cyber security and maintain records documenting review of logs.

624. In the CIP NOPR, the Commission stated that logs should be reviewed with the frequency necessary to ensure timely identification of a cyber security incident. We noted that this issue of log review touches on Blackout Report Recommendation 35, which addresses network monitoring, and Recommendation 37, which addresses diagnostic capabilities.[144] The Commission therefore proposed to direct the ERO to revise Requirement R6 to include a requirement that logs be reviewed on a weekly basis for readily accessible critical assets and reviewed within the retention period for assets that are not readily accessible. We stated that this direction should be completed consistent with our discussion above regarding “readily accessible” assets.[145] The CIP NOPR stated that accessibility should take into account both physical remoteness and available communications channels. We stated that we would expect control centers to fall within the “readily accessible” category.

[144] *See* Blackout Report at 165-66, Recommendations 35 and 37.
[145] *See* section II.B.4.c (Monitoring Access Logs) in the CIP NOPR.

625. The Commission also proposed to direct the ERO to revise Requirement R6.4 to clarify that while the retention period for all logs specified in Requirement R6 is 90 days, the retention period for logs mentioned in Requirement R6.3 for the support of incident response as required in CIP-008-1 is the retention period required by CIP-008-1, *i.e.*, three years. The Commission maintained that Requirement R6.4 is somewhat unclear and could be read to suggest that the 90 day period also applies to logs kept for purposes of CIP-008-1, and such an interpretation would conflict with the Requirements of that Reliability Standard.

i. Comments

626. Similar to the concerns raised with regard to the log review requirement in CIP-005-1, commenters generally oppose the Commission's proposal to include a requirement that logs be reviewed on a weekly basis for readily accessible critical assets and reviewed within the retention period for assets that are not readily accessible. Northern Indiana, FPL Group, Idaho Power, MidAmerican, Entergy and SPP raise the same concerns as they did with respect to CIP-005-1. MidAmerican and Northern Indiana request clarification of the term “readily accessible” to facilitate compliance. Northern Indiana also requests clarification of what is meant by the reference to forensics and how data would be used in forensic investigations.

627. Juniper argues that it is crucial that logs be maintained for at least three years to allow analysis to detect behavioral anomalies and perform forensics in case of a successful attack. It argues that any device that is network enabled in the broadest sense must be considered readily accessible, and its logs ought to be checked at least daily.

ii. Commission Determination

628. Requirement R6 of CIP-007-1 does not address the frequency with which logs should be reviewed. Requirement R6.4 requires logs to be retained for 90 calendar days. This allows a situation where logs would only be reviewed 90 days after they are created. The Commission continues to believe that, in general, logs should be reviewed at least weekly and therefore adopts the CIP NOPR proposal to require the ERO to modify CIP-007-1 to require logs to be reviewed more frequently than 90 days, but leaves it to the Reliability Standards development process to determine the appropriate frequency, given our clarification below, similar to our action with respect to CIP-005-1.[146] Also, at this time, the Commission does not believe that it is necessary to require responsible entities to maintain all logs for at least three years, as requested by Juniper.

[146] In our findings on CIP-005-1, we directed the ERO to modify CIP-005-1 through the Reliability Standards development process to require manual review of logs without alerts in shorter than 90 day increments. In addition, the Commission directed the ERO to modify CIP-005-1 to require some manual review of logs even if alerts are employed on the logs.

629. For the reasons discussed in CIP-005-1, in directing manual log review, the Commission does not require that every log be reviewed in its entirety. Instead, the Commission will allow a manual review of a sampling of log entries or sorted or filtered logs. The Commission recognizes that how a responsible entity determines what sample to review may not be the same for all locations. Therefore, the revised Reliability Standard does not need to prescribe a single method for producing the log sampling. However, how a responsible entity performs this sample review should be detailed in its cyber security policy so that it can be audited to determine compliance with the Reliability Standards. The Reliability Standards development process should decide the degree to which the revised CIP-007-1 describes acceptable log sampling. The ERO could also provide additional guidance on how to create the sampling of log entries, which could be in a reference document.
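As an added illustration (not from the Order, NERC, or any commenter), the following Python sketch shows one way a responsible entity might operationalize the sampling approach described in paragraphs 628 and 629: it builds a sorted and filtered review sample from constructed log entries, checks whether an asset's review is due under a weekly or within-retention cadence, separates the 90-day retention of ordinary security logs from the CIP-008-1 period for logs supporting incident response, and produces an auditable review record. The asset names, event types, priority ordering, anomaly threshold and review cadences are assumptions for the example.

```python
"""Added example, not from the Order or any NERC standard: a sketch of a CIP-007 R6
style log review helper. Assumptions: weekly review for readily accessible assets,
review within the 90-day retention window for others, a three-year retention for
logs kept to support incident response under CIP-008-1, and the constructed log
entries, asset names and event types below."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

RETENTION_DAYS = 90                 # CIP-007-1 R6.4 retention for security event logs
INCIDENT_RETENTION_DAYS = 3 * 365   # CIP-008-1 period for incident-support logs (assumed 3 x 365)
WEEKLY_REVIEW_DAYS = 7              # Commission's stated preference for readily accessible assets
# Event types the sample surfaces first (assumed ordering; tune per cyber security policy)
PRIORITY_EVENTS = ("auth_failure", "config_change", "service_start")


@dataclass
class Asset:
    name: str
    readily_accessible: bool   # control centres yes; a remote, poorly connected substation no


@dataclass
class LogEntry:
    asset: str
    when: date
    event: str                 # e.g. "auth_failure", "config_change", "heartbeat"
    detail: str
    incident_support: bool = False  # True if kept to support CIP-008-1 incident response


def review_due(asset: Asset, last_review: Optional[date], today: date) -> bool:
    """Weekly for readily accessible assets; otherwise at least once within the retention window."""
    window = WEEKLY_REVIEW_DAYS if asset.readily_accessible else RETENTION_DAYS
    return last_review is None or (today - last_review).days >= window


def retention_deadline(entry: LogEntry) -> date:
    """90 days for ordinary security logs; CIP-008-1's longer period for incident-support logs."""
    days = INCIDENT_RETENTION_DAYS if entry.incident_support else RETENTION_DAYS
    return entry.when + timedelta(days=days)


def _rank(entry: LogEntry) -> int:
    return PRIORITY_EVENTS.index(entry.event) if entry.event in PRIORITY_EVENTS else len(PRIORITY_EVENTS)


def review_sample(entries: Sequence[LogEntry]) -> List[Tuple[str, str, int, str]]:
    """Sorted/filtered sample: one row per (asset, event type), priority events first,
    with a count of how many raw entries the row stands for, so repeats are not re-read."""
    counts = Counter((e.asset, e.event) for e in entries)
    seen = set()
    sample = []
    for e in sorted(entries, key=lambda e: (_rank(e), e.when)):
        key = (e.asset, e.event)
        if key in seen:
            continue
        seen.add(key)
        sample.append((e.asset, e.event, counts[key], e.detail))
    return sample


def flag_anomalies(entries: Sequence[LogEntry], threshold: int) -> Dict[str, int]:
    """Simple rigour check for the reviewer: assets whose authentication failures exceed threshold."""
    failures = Counter(e.asset for e in entries if e.event == "auth_failure")
    return {asset: n for asset, n in failures.items() if n > threshold}


def review_record(asset: Asset, entries: Sequence[LogEntry], today: date) -> Dict[str, object]:
    """Auditable record that a review happened, what was sampled and what was flagged."""
    mine = [e for e in entries if e.asset == asset.name]
    return {
        "asset": asset.name,
        "reviewed_on": today.isoformat(),
        "raw_entries": len(mine),
        "sample_rows": len(review_sample(mine)),
        "method": "sorted by event priority, filtered to one row per event type",
        "flagged": flag_anomalies(mine, threshold=3),
    }


# Constructed sample data (not from any real system).
TODAY = date(2008, 2, 7)
ASSETS = {
    "cc-hmi-01": Asset("cc-hmi-01", readily_accessible=True),
    "sub-rtu-17": Asset("sub-rtu-17", readily_accessible=False),
}
LAST_REVIEW = {"cc-hmi-01": date(2008, 1, 29), "sub-rtu-17": date(2007, 12, 1)}
SAMPLE_LOG = [
    LogEntry("cc-hmi-01", date(2008, 2, 1), "auth_failure", "bad password for operator"),
    LogEntry("cc-hmi-01", date(2008, 2, 1), "auth_failure", "bad password for operator"),
    LogEntry("cc-hmi-01", date(2008, 2, 1), "auth_failure", "bad password for operator"),
    LogEntry("cc-hmi-01", date(2008, 2, 2), "auth_failure", "bad password for admin"),
    LogEntry("cc-hmi-01", date(2008, 2, 3), "config_change", "alarm threshold edited"),
    LogEntry("cc-hmi-01", date(2008, 2, 3), "heartbeat", "ok"),
    LogEntry("sub-rtu-17", date(2007, 12, 20), "heartbeat", "ok"),
    LogEntry("sub-rtu-17", date(2008, 1, 15), "service_start", "telnet daemon started",
             incident_support=True),
]

if __name__ == "__main__":
    for row in review_sample(SAMPLE_LOG):
        print(row)
    for name, asset in ASSETS.items():
        print(name, "review due:", review_due(asset, LAST_REVIEW[name], TODAY))
    print(review_record(ASSETS["cc-hmi-01"], SAMPLE_LOG, TODAY))
```

The eight raw entries collapse to five sample rows, and the control-centre asset is flagged for four authentication failures while the remote RTU, reviewed 68 days ago, is not yet due under the within-retention cadence.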
The final review process, however, must be rigorous enough to enable the entity to detect intrusions by attackers.

630. In response to Northern Indiana, the Commission discusses our use of the term forensics in our discussion of CIP-009-1.[147]

[147] *See* section II.H.8.b, *infra*.

e. Disposal or Redeployment

631. Requirement R7 of CIP-007-1 requires the responsible entity to establish formal methods, processes and procedures for disposal or redeployment of cyber assets. In the CIP NOPR, the Commission addressed the concern that solely to “erase the data,” as stated several times in Requirement R7, may not be adequate because technology exists that allows retrieval of “erased” data from storage devices, and that effective protection requires discarded or redeployed assets to undergo high quality degaussing.[148] We noted that erasure is as much a method as it is a goal, and that the requirement ultimately needs to assure that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying it. Degaussing is not the sole means for achieving this goal. The Commission therefore proposed to direct the ERO to modify Requirement R7 to clarify this point.[149]

[148] *See* CIP Assessment at 34-35. To degauss is to demagnetize. Degaussing a magnetic storage medium removes all data stored on it.
[149] *See* CIP NOPR at P 253-56.

i. Comments

632. Northern Indiana states that the CIP NOPR is unclear what needs to be clarified in Requirement R7. Northern Indiana believes the only way to allow “no opportunity” to access data on storage media is to destroy the media. Northern Indiana states that it takes costly measures to erase data storage tapes and other storage media and follows the requirements of the United States Department of Defense, performing a seven-layer wipe of its storage media. Northern Indiana maintains that, if the clarification sought by the Commission is intended to direct NERC to be more prescriptive about erasure, its cost of compliance will rise because failed disk devices could no longer be returned to manufacturers for replacement without destruction of the drive. Manufacturer warranties will no longer be effective after the storage media is destroyed. Requirement R7 as written is sufficiently broad and can apply to numerous media types. In addition, adherence to Department of Defense requirements should be adequate.

ii. Commission Determination

633. The Commission adopts the CIP NOPR proposal to direct the ERO to clarify what it means to prevent unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying it. The Commission notes that there is a difference between redeploying an asset and discarding it. Redeploying an asset within the same responsible entity allows that responsible entity to maintain control over the asset, whereas disposing of an asset places it out of the control of the responsible entity. The Commission believes that, while the seven layer wipe described by Northern Indiana may be sufficient for redeployment because the responsible entity maintains control over the cyber asset, it is not sufficient for disposing of an asset.

634. The Commission disagrees with Northern Indiana that the only way to allow no opportunity to access data on storage media is to destroy the media. As stated in the CIP NOPR, high quality degaussing can adequately protect media from unauthorized access. Northern Indiana has not provided information that convinces the Commission that a cyber asset would have to be destroyed in order to prevent access.

635. Therefore, the Commission directs the ERO to revise Requirement R7 of CIP-007-1 to clarify, consistent with this discussion, what it means to prevent unauthorized retrieval of data.

f. Cyber Vulnerability Assessment

636.
Requirement R8 of CIP-007-1 requires a responsible entity to perform a cyber vulnerability assessment of all cyber assets within the electronic security perimeter at least annually. Requirement R8.4 requires development of an action plan to remediate or mitigate vulnerabilities identified in the assessment, but it does not provide a timeframe for completion of the action plan.

637. In the CIP NOPR, the Commission stated its belief that vulnerability testing is a valuable tool in determining whether actions that were taken to shore up the security posture of the electronic security perimeter and other areas of responsibility are in fact adequate.[150] We noted that the Blackout Report recognized the importance of vulnerability assessments in Recommendation 38, which called for vulnerability assessment activities to identify weaknesses and mitigating actions.[151] Because a poorly chosen vulnerability assessment process could result in a false sense of security, the direction provided by this Requirement is important. The Commission noted that monitoring execution status is a good means to keep the action plan on track. Therefore, the Commission proposed to direct the ERO to provide more direction on what features, functionality, and vulnerabilities the responsible entities should address when conducting the vulnerability assessments, and to revise Requirement R8.4 to require an entity-imposed timeline for completion of the already-required action plan.

[150] *See id.* P 257-60.
[151] *See* Blackout Report at 167, Recommendation 38.

i. Comments

638. MidAmerican supports the proposal to require the ERO to provide additional direction surrounding the vulnerability assessments conducted by the responsible entities, and to revise Requirement R8.4 to require an entity-imposed timeline for completion of an action plan, for the reasons articulated in the CIP NOPR.

639. ISO-NE proposes that the Final Rule omit the Commission's proposal because, given the diversity of hardware and software implementation throughout the industry, providing more meaningful direction on “features, functionality, and vulnerabilities” is not feasible. In the view of ISO-NE, no Reliability Standard can evolve fast enough to keep up with emerging and diverse technologies and newly discovered vulnerabilities. Therefore, ISO-NE requests that the Commission omit this proposal from the Final Rule.

640. FPL Group and NRECA raise the same concerns about cyber vulnerability assessments as they did under CIP-005-1. Further, FPL Group states that, while specific directions may be appropriate with regard to certain Reliability Standards, the intent of this Reliability Standard is to determine whether there are vulnerabilities with regard to a specific system. In FPL Group's view, overly rigid guidance or requirements by the ERO could result in responsible entities failing to properly test for vulnerabilities specific to the entities' environments and systems, thus undermining the intent of the Reliability Standard.

641. SDG&E agrees that a vulnerability assessment should look for and prioritize specific types of vulnerabilities, and provides specific suggestions on such prioritization.[152] SDG&E comments that it should be recommended, but not required, that more than one tool should be used to find vulnerabilities.

[152] SDG&E identifies:
(1)As unacceptable risk, vulnerabilities that can be exploited remotely without a user's cooperation to obtain access to the victim host;
(2)as highly critical, vulnerabilities that can be exploited remotely but require the victim to take some action, such as open an attachment, to obtain access;
(3)as medium critical, vulnerabilities that unnecessarily increase the attack surface of the victim host such as installed applications and unneeded running services; and
(4) as low priority, vulnerabilities that provide potential attackers with reconnaissance information.

642. Northern Indiana states that the responsible entity should maintain the makeup and depth of any vulnerability or penetration tests it undertakes, and control the associated mitigation timeline it establishes to address the results of the tests. Northern Indiana raises the same concerns about revealing its vulnerability test results as it did with respect to CIP-005-1.

ii. Commission Determination

643. The Commission adopts its proposal to direct the ERO to provide more direction on what features, functionality, and vulnerabilities the responsible entities should address when conducting the vulnerability assessments, and to revise Requirement R8.4 to require an entity-imposed timeline for completion of the already-required action plan.

644. The Commission agrees with ISO-NE that hardware and software are implemented in diverse ways throughout the industry, but does not believe that this renders providing guidance infeasible. We also agree that overly rigid guidance could result in responsible entities failing to properly test for vulnerabilities specific to the entities' environments and systems. The Commission does not believe that the revised Reliability Standard should be inflexible. It should encourage responsible entities to take into account emerging and diverse technologies and newly discovered vulnerabilities as they emerge. The Commission believes that it is appropriate to leave such guidance to the Reliability Standards development process. Further, we leave it to the ERO's discretion whether to put guidance in the revised Reliability Standard or a reference document.

645. The Commission addressed Northern Indiana's concerns about revealing vulnerability test results in our discussion of CIP-005-1. We believe that the ERO's confidentiality provisions should adequately protect against unwanted disclosure of vulnerability test results.

g.
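SDG&E's four-tier prioritization and the entity-imposed Requirement R8.4 action plan timeline discussed above, worked as an added Python example; this is illustrative code written for this page, not part of the order, the Reliability Standard, or any commenter's filing. The tier names and criteria follow SDG&E's comment as summarized in the footnote; the remediation windows, asset names and findings are constructed assumptions.

```python
"""Added example: triage cyber vulnerability assessment findings into the four
tiers SDG&E proposed for CIP-007-1 Requirement R8, then build and monitor the
R8.4 action plan against an entity-imposed completion timeline.  Tier names and
criteria are SDG&E's; day counts, asset names and findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

UNACCEPTABLE = "unacceptable risk"  # remote, no user cooperation needed, yields host access
HIGH = "highly critical"            # remote, but the victim must act (e.g. open an attachment)
MEDIUM = "medium critical"          # unnecessary attack surface: unneeded applications/services
LOW = "low priority"                # only hands an attacker reconnaissance information
TIER_ORDER = [UNACCEPTABLE, HIGH, MEDIUM, LOW]

# Entity-imposed completion windows in calendar days.  The Reliability Standard
# leaves the timeline to the responsible entity; these values are assumptions.
REMEDIATION_DAYS: Dict[str, int] = {UNACCEPTABLE: 7, HIGH: 30, MEDIUM: 90, LOW: 180}


@dataclass(frozen=True)
class Finding:
    asset: str               # cyber asset inside the electronic security perimeter
    title: str
    remote: bool             # exploitable over the network
    user_action: bool        # exploitation needs the victim to do something first
    grants_access: bool      # successful exploitation gives access to the host
    attack_surface: bool     # unneeded installed application or running service
    recon_only: bool         # discloses information about the host, nothing more


def classify(f: Finding) -> Optional[str]:
    """Map a finding to SDG&E's tiers, most severe test first.  Returns None
    when no tier fits (e.g. a purely local issue) so the plan routes it to
    manual review instead of silently dropping it."""
    if f.remote and f.grants_access:
        return HIGH if f.user_action else UNACCEPTABLE
    if f.attack_surface:
        return MEDIUM
    if f.recon_only:
        return LOW
    return None


@dataclass
class ActionItem:
    finding: Finding
    tier: Optional[str]
    due: Optional[date]             # None: manual review, no automatic deadline
    completed: Optional[date] = None


def build_action_plan(findings: List[Finding], assessed_on: date) -> List[ActionItem]:
    """R8.4 action plan: one item per finding, most severe first, each with the
    entity-imposed due date counted from the assessment date."""
    plan = []
    for f in findings:
        tier = classify(f)
        due = assessed_on + timedelta(days=REMEDIATION_DAYS[tier]) if tier else None
        plan.append(ActionItem(f, tier, due))
    # Stable sort: tiers in severity order, unclassified items last.
    plan.sort(key=lambda i: TIER_ORDER.index(i.tier) if i.tier else len(TIER_ORDER))
    return plan


def execution_status(plan: List[ActionItem], today: date) -> Dict[str, List[str]]:
    """Execution-status monitoring, which the Commission notes keeps the plan on
    track: bucket finding titles as done / open / overdue / manual review."""
    status: Dict[str, List[str]] = {"done": [], "open": [], "overdue": [], "manual_review": []}
    for item in plan:
        if item.tier is None:
            status["manual_review"].append(item.finding.title)
        elif item.completed is not None:
            status["done"].append(item.finding.title)
        elif today > item.due:
            status["overdue"].append(item.finding.title)
        else:
            status["open"].append(item.finding.title)
    return status


# Constructed sample assessment of three hypothetical assets; names and findings
# are made up for this example.
ASSESSED_ON = date(2008, 3, 1)
REVIEW_DATE = date(2008, 3, 15)
SAMPLE_FINDINGS = [
    Finding("eng-ws-03", "SNMP default community discloses sysDescr", True, False, False, False, True),
    Finding("hmi-01", "unauthenticated remote service allows command execution", True, False, True, False, False),
    Finding("eng-ws-03", "local-only privilege escalation", False, False, True, False, False),
    Finding("rtu-gw-02", "unused web administration service running", False, False, False, True, False),
    Finding("hmi-01", "mail client executes crafted attachment", True, True, True, False, False),
]

if __name__ == "__main__":
    plan = build_action_plan(SAMPLE_FINDINGS, ASSESSED_ON)
    for item in plan:
        print(f"{item.tier or 'manual review':18} due {item.due}  {item.finding.asset}: {item.finding.title}")
    print(execution_status(plan, REVIEW_DATE))
```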
Documentation Review and Maintenance

646. Requirement R9 of CIP-007-1 requires the responsible entity to review, update and maintain all documentation needed to support compliance with the Requirements of CIP-007-1 at least annually. Changes resulting from modifications to the systems or controls must be documented within 90 calendar days of the change.

647. The Commission addressed concerns that the 90-day timeframe for updating documentation appears excessively long, especially given the context that this Reliability Standard establishes a significant line of defense for protecting critical cyber assets and that up-to-date documentation is essential in case of an emergency. The Commission proposed to direct the ERO to modify Requirement R9 to state that the changes resulting from modifications to the system or controls shall be documented within a 30-day time period. We stated our belief that the planning and engineering of system and control modifications require sufficient lead time to enable the documentation of such modifications to take place within a 30-calendar-day timeframe. 153

153 *See* CIP NOPR at P 261-63.

i. Comments

648. Northern Indiana, Mr. Brown and MidAmerican object to shortening the time allowed for documentation of modifications to the system or controls from 90 to 30 days. Northern Indiana argues that a 90-day period provides flexibility in finalizing such documentation given the nature and type of facilities and their locations, particularly in light of the potential need for internal reviews and approvals by a number of people or groups of people before a documentation change can be effected. MidAmerican agrees that the proposed time line for required documentation may not be sufficient in all instances, particularly for remote locations that are relatively resource constrained.

649. Mr. Brown objects to the proposal to reduce the filing period from 90 to 30 days for documenting changes resulting from modifications to the system or controls. He argues that, in many organizations, that will be impossible, or at least extremely costly in staff time. He argues that this will simply lead to unnecessary, trivial instances of technical noncompliance. Thus, Mr. Brown argues that, while 90 days may be too long, a more appropriate, practical and achievable period would be 60 days.

650. ISO-NE and SDG&E ask when the 30-day period begins. They request that the Final Rule direct the ERO to clarify for both CIP-007-1 and CIP-009-1 that changes resulting from modifications to the systems, controls, and procedures shall be documented within 30 days of final implementation of the modifications. Juniper agrees that the 30-day period should begin after the modifications are in place, i.e., accepted, tested, in production and running.

ii. Commission Determination

651. The Commission adopts a modified version of the CIP NOPR proposal. We direct the ERO to revise Requirement R9 to state that the changes resulting from modifications to the system or controls shall be documented in fewer than 90 calendar days. The Commission believes that 30 days should provide sufficient time to update any necessary documentation, with exceptions granted by the Regional Entity for extraordinary circumstances. The Commission believes that having correct documentation of methods, processes and procedures for securing a responsible entity's system is necessary because, if an event occurred before documentation was updated, an operator may not know of a change and could operate the system using out-of-date information. This puts reliability at risk by not informing operators of a method, process or procedure to secure the system against a known risk. Therefore, the Commission believes that 90 days is too long to allow a responsible entity to have incorrect documentation.
Thirty days should be sufficient time to update any necessary documentation.

652. The Commission clarifies that the shorter period should begin upon final implementation of the modifications. The Commission believes that providing that the shorter period begins when the modifications are implemented satisfies Northern Indiana's concern about finalizing documentation and the potential need for internal reviews and approvals. By the time any modification is made, such approvals should already have been granted. Similarly, the Commission believes that MidAmerican's concern about resource constraints relates more to the implementation of a modification, not the documentation of that implementation. Once a modification is developed and implemented, documenting it should not consume significant time or resources.

7. CIP-008-1—Incident Reporting & Response Planning

653. Proposed Reliability Standard CIP-008-1 requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets. Specifically, Requirement R1 of CIP-008-1 requires responsible entities to develop and maintain an incident response plan that addresses responses to a cyber security incident. The plan should characterize and classify pertinent events as reportable cyber security incidents and provide corresponding response actions. The response actions should include:
(1) The roles and responsibilities of the incident response teams;
(2) procedures for handling incidents; and
(3) associated communication plans.

In addition, cyber security incidents must be reported to the Electricity Sector Information Sharing and Analysis Center (ESISAC) either directly or through an intermediary. The incident response plan should be reviewed and tested at least annually. Changes to the incident response plan are to be documented within 90 days. Responsible entities must retain documentation related to reportable cyber security incidents for a period of three years.

654. The Commission approves Reliability Standard CIP-008-1 as mandatory and enforceable. In addition, we direct the ERO to develop modifications to this Reliability Standard. The required modifications are discussed below in the following topic areas of concern regarding CIP-008-1:
(1) Definition of a reportable incident;
(2) reporting; and
(3) full operational exercises and lessons learned.

a. Definition of a Reportable Incident

655. Requirement R1 of CIP-008-1 makes reference to reportable cyber security incidents, but it does not provide a definition of a “reportable incident.”

656. In the CIP NOPR, the Commission recognized the risk that cyber security incidents may go unreported depending upon a responsible entity's interpretation of a reportable incident. 154 We noted that the Blackout Report also pointed out the need for “uniform standards for the reporting and sharing of physical and cyber security incident information” in Recommendation 42. 155 We recognized that the definition of a reportable incident is currently undergoing extensive industry debate, and stated that it could be a catalyst for developing an appropriate level of guidance. We concluded that it is possible to provide guidance regarding what should be included in the term reportable incident and proposed to direct the ERO to:
(1) Develop and include in CIP-008-1 language that takes into account a breach that may occur through cyber or physical means; 156
(2) harmonize, but not necessarily limit, the meaning of the term reportable incident with other reporting mechanisms, such as DOE Form OE 417;
(3) recognize that the term should not be triggered by ineffectual and untargeted attacks that proliferate on the internet; and
(4) ensure that the guidance language that is developed results in a Reliability Standard that can be audited and enforced. 157

154 NERC's FAQ document answers the question of “what is a reportable incident?” by referencing definitions in the ESISAC Indications, Analysis, and Warnings Program guidelines document entitled “Indications, Analysis and Warnings Program Standard Operating Procedure” and the Department of Energy Form OE 417 Report entitled “Electric Emergency Incident and Disturbance Report.” However, since these materials are not incorporated into the proposed CIP Reliability Standards, CIP-008-1 remains ambiguous in this regard. North American Electric Reliability Council, Frequently Asked Questions (FAQs) Cybersecurity Standards CIP-002-1 through CIP-009-1, March 6, 2006, page 27, question 1.

155 *See* Blackout Report at 168, Recommendation 42.

156 The Commission emphasized in the CIP NOPR that a cyber security incident that does not result in a material loss of physical assets should not prevent the incident from being reported.

157 *See* CIP NOPR at P 267-70.

i. Comments

657. FirstEnergy, MidAmerican, Northern Indiana, ReliabilityFirst and SPP support the Commission's proposal that the ERO should provide guidance on the definition of reportable incident. Each also provides the Commission with input on how the term should be defined.

658. ReliabilityFirst and SPP recommend that NERC, as the operator of the ESISAC, be directed to publish the reporting criteria and thresholds separately from the CIP Reliability Standards and to provide appropriate reporting mechanisms for that purpose. They maintain that this approach would allow the ERO to maintain maximum flexibility in times of emergency. They state that Reliability Standard CIP-008-1 should then be modified to require entities to report incidents, both physical and cyber, that meet the criteria published by the ESISAC. For audit purposes, both SPP and ReliabilityFirst maintain that NERC should be required to maintain a three-year minimum change history for the published criteria and demonstrate that changes to the criteria were proactively announced and disseminated to all entities in a timely manner. By placing the reporting criteria in the CIP Reliability Standard itself, any changes would have to undergo the defined, lengthy Reliability Standards revision process and could impact the timely collection of information essential to the protection of North America's critical infrastructure.

659. MidAmerican supports the proposal to further define and clarify the definition and reporting requirements for an incident and including a breach that may occur through cyber or physical means in an incident report, when the breach meets the other requirements outlined for an electronic incident. FirstEnergy states that the Commission should require reportable incident to be defined as an incident report for a security breach that may occur through physical means. According to FirstEnergy, a reportable incident determination should consider the totality of circumstances surrounding a physical breach. 158

158 For example, FirstEnergy states that, if it is apparent from an internal assessment of the breach that the intent of the perpetrator was not to gain access to cyber assets, then an incident report should not be required.

ii. Commission Determination

660. The Commission adopts the CIP NOPR proposal to direct the ERO to provide guidance regarding what should be included in the term reportable incident. In developing the guidance, the ERO should consider the specific examples provided by commenters, described above. However, we direct the ERO to develop and provide guidance on the term reportable incident. The Commission is not opposed to the suggestion that the ERO create a reference document containing the reporting criteria and thresholds and requiring responsible entities to comply with the reference document in the revised Reliability Standard CIP-008-1, but will allow the ERO to determine the best method to accomplish the goal of better defining reportable incident.

661. Therefore, the Commission directs the ERO to develop a modification to CIP-008-1 to:
(1) Include language that takes into account a breach that may occur through cyber or physical means;
(2) harmonize, but not necessarily limit, the meaning of the term reportable incident with other reporting mechanisms, such as DOE Form OE 417;
(3) recognize that the term should not be triggered by ineffectual and untargeted attacks that proliferate on the internet; and
(4) ensure that the guidance language that is developed results in a Reliability Standard that can be audited and enforced. 159

159 *See* CIP NOPR at P 267-70.

b. Reporting

662. CIP-008-1, Requirement R1.3, requires each responsible entity to establish a process for reporting cyber security incidents to the ESISAC. The responsible entity must ensure that all reportable cyber security incidents are reported to the ESISAC either directly or through an intermediary. ESISAC procedures require the reporting of a cyber incident within one hour of a suspected malicious incident. However, compliance with ESISAC's Indications, Analysis and Warnings Program Standard Operating Procedure is voluntary.

663. In the CIP NOPR, the Commission addressed concerns regarding the importance of responsible entities receiving timely information about other entities' reportable cyber security incidents. 160 Depending on the nature of the incident, the timeliness of incident reporting may be critical, which raised concern as to whether CIP-008-1 should incorporate ESISAC's one-hour reporting limit or another reporting interval that would provide adequate time for another responsible entity to take meaningful precautions. The Commission concluded that the ESISAC one-hour reporting limit is reasonable and proposed that it be incorporated into CIP-008-1.

160 *See id.* P 271-80.

664. The Commission proposed to direct the ERO to modify CIP-008-1 to require each responsible entity to contact appropriate government authorities and industry participants in the event of a cyber security incident as soon as possible, but, in any event, within one hour of the event, even if it is a preliminary report. We left development of the details to the ERO, but stated our view that the reporting timeframe should run from the discovery of the incident by the responsible entity, and not the occurrence of the incident.

i. Comments

665. The Texas PUC states that the Commission's proposal for a one-hour reporting limit is reasonable if there is a uniform reporting form. The Texas PUC states that, if a cyber security attack affects several facilities, the one-hour reporting requirement would provide necessary information to other responsible entities that would allow them to take precautionary measures to protect their systems. Further, a uniform reporting form could be easily submitted to multiple agencies.

666. FirstEnergy maintains that it would be appropriate to include the one-hour time frame for reporting cyber security incidents, but the Reliability Standard should specify that the one-hour time period applies from the time of the discovery of the event, which may include at least a preliminary investigation of the incident by the reporting entity. SDG&E asks for clarification that the one-hour time frame would commence when the responsible entity is made aware of the event, which could be later than actual occurrence.

667. Northern California supports the Commission's recommendation that NERC modify Requirement R1.3 of CIP-008-1 to include a requirement that a cyber security incident be reported after the discovery of the incident. However, both NRECA and ReliabilityFirst state that the appropriate time for response should be addressed through the Reliability Standard development process.

668. In contrast, Entergy, MidAmerican and Northern Indiana object to the one-hour reporting limit. Given the potential penalties involved for non-compliance, Entergy argues that the Commission should require reporting within one hour of discovery of the incident, whether or not the reason or cause is known, unless system restoration takes priority to ensure reliability. If system restoration is a priority, reporting should be performed within four to eight hours depending on the measures required for system restoration.
Northern California agrees that the reporting requirement should contain exceptions to ensure entities that are focused on recovery are not punished. According to Northern California, these exceptions should be more than technical feasibility and should allow for the fact that, in a crisis, human beings tend to focus on solving the crisis.

669. Entergy asks the ERO to clarify the relationship between CIP-001-1, which requires the reporting of sabotage events, and CIP-008-1, which requires the reporting of cyber security incidents. Entergy notes that many responsible entities will be required to report an actual or suspected cyber or communication attack that causes major interruptions of electrical systems events to the U.S. Department of Energy on DOE Form OE 417. This report must be submitted within one hour after discovery of an actual attack or six hours after a suspected attack. It is not clear why this report, which may satisfy certain CIP-001-1 requirements, would be submitted under a different timeline than any report required under CIP-008-1. Entergy believes that reporting for cyber security incidents should be coordinated as much as possible. Entergy suggests consideration of consolidating the requirements of CIP-001-1 and CIP-008-1.

670. MidAmerican disagrees with the Commission's contention that a one-hour notification from discovery provides such probative value as to justify the burden involved. On the contrary, MidAmerican submits the more likely result will be to cause far too many false positives from preliminary reports. MidAmerican recommends that the Commission strike a more balanced approach—either extend the window to six to twelve hours from discovery or make it one hour from when it is classified.

671. The California Commission maintains that the term appropriate government authorities should specify the exact authorities in each state. For example, it states that in California, power plants are subject to California Commission jurisdiction. Accordingly, the California Commission argues that, for California, the term appropriate government authority should include the California Commission. Similarly, the Texas PUC states that, in Texas, the reports should be sent to NERC, the Texas PUC, the Texas Regional Entity and ERCOT. According to the Texas PUC, this would not be unduly burdensome because only minimal changes would be needed to existing cyber security plans.

672. FirstEnergy agrees that there is a need for uniformity for reporting and sharing of physical and cyber security incident information. In this regard, FirstEnergy argues that NERC should adopt the DOE reporting mechanism, DOE Form OE 417, rather than create a new mechanism. On this same topic, Applied Control Solutions comments that NIST, FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, should be used to make this report.

ii. Commission Determination

673. The Commission adopts the CIP NOPR proposal to direct the ERO to modify CIP-008-1 to require each responsible entity to contact appropriate government authorities and industry participants in the event of a cyber security incident as soon as possible, but, in any event, within one hour of the event, even if it is a preliminary report. As stated in the CIP NOPR, the reporting timeframe should run from the discovery of the incident by the responsible entity, and not the occurrence of the incident. 161

161 *Id.* P 280.

674. Most commenters are concerned with the burden placed on a responsible entity to report an incident when system restoration should take precedence. As stated in the CIP NOPR, while the Commission agrees that, in the aftermath of a cyber attack, restoring the system is the utmost priority, we do not believe that sending this short report would be a time consuming distraction, and we judge that its probative value would justify the minimal time spent in making this report. In this respect, the Commission now clarifies that the responsible entity does not need to initially send a full report of the incident. Rather, to report to appropriate government authorities and industry participants within one hour, it would be sufficient to simply communicate a preliminary report, including the time and nature of the incident and whatever useful preliminary information is available at the time. This could be accomplished by a phone call or another method. The responsible entity could then follow up with a full report once the system is restored.

675. With respect to the arguments by the California Commission and the Texas PUC concerning the term appropriate government authorities, we believe this determination should be made through the Reliability Standards development process.

676. Thus, the Commission directs the ERO to modify CIP-008-1 to require a responsible entity to, at a minimum, notify the ESISAC and appropriate government authorities of a cyber security incident as soon as possible, but, in any event, within one hour of the event, even if it is a preliminary report. The Reliability Standard development process should consider whether the ESISAC could act as an intermediary to promptly notify government authorities for responsible entities. While we expect the modified Reliability Standard to be consistent with our discussion above, we leave development of the details of how to report incidents while not burdening the recovery process to the Reliability Standards development process.

677. With respect to Entergy's question about the relationship between CIP-001-1 and CIP-008-1, the ERO should consider Entergy's concerns in the Reliability Standards development process. However, the Commission notes that, while CIP-001-1 requires the reporting of sabotage events, CIP-008-1 requires the reporting of all cyber security incidents. Not all cyber security incidents will be caused by sabotage, so not all incidents required to be reported under CIP-008-1 will be required to be reported under CIP-001-1.

c. Full Operational Exercises and Lessons Learned

678. Requirement R1.5 of CIP-008-1 requires the responsible entity to maintain a process to ensure that the cyber security incident response plan is reviewed at least annually. Requirement R1.6 requires a process to ensure that the response plan is tested at least annually, and that such tests can range from a paper drill, a full operational exercise, or the response to an actual incident. CIP-008-1 does not require documentation or reassessment of a plan's adequacy as a result of lessons learned from testing or in response to specific issues.

679. In the CIP NOPR, the Commission addressed questions of whether the annual testing of the incident response plan should require full operational exercises due to the potential for such exercises to uncover unforeseen complications, and whether prospective benefits would balance attendant costs. 162

162 *See id.* P 281-87.

680. We recognized that annual testing may be costly and disruptive, but also that periodic operational drills are important because they may reveal weaknesses, vulnerabilities, and opportunity for improvement that a paper drill alone would not identify. The Commission stated its view that a full operational exercise should be performed at least once every three years, and that tabletop exercises are sufficient for the other two years, believing that this arrangement strikes an appropriate balance between the benefits of executing an operational exercise and the associated costs and potential risks of disruptions. Therefore, the Commission proposed to direct the ERO to revise the Reliability Standard to require responsible entities to perform a “full operational exercise” at least once every three years, or to fully document its reason for not conducting an exercise in full operational mode pursuant to the parameters used elsewhere for technical feasibility exceptions. Further, the Commission proposed to direct the ERO to provide guidance on the meaning of the term “full operational exercise.” 163

163 The meaning of the term “full operational exercise” is addressed below.

681. The Commission stated that industry will benefit from a requirement to document and implement lessons learned from testing or responses to actual cyber security incidents. While such information may be included in the “update” language of Requirement R1.4, we believe that CIP-008-1 would be improved by making a “lessons learned” requirement explicit. Therefore, the Commission proposed to direct the ERO to refine CIP-008-1, Requirement R2 to require responsible entities to maintain documentation of paper drills, full operational drills, and responses to actual incidents, all of which must include lessons learned. The Commission also proposed to direct the ERO to include language to require revisions to the incident response plan to address these lessons learned.

i. Comments

682. MidAmerican supports the Commission's change to a three-year testing cycle, as long as a full operational exercise doesn't require the asset be taken out of service. MidAmerican argues that the risk to reliability by performing a full operational exercise on a live system seems to outweigh the benefits. MidAmerican states that, while many EMS/SCADA systems are implemented with redundant failover systems that facilitate recovery exercises, this may not be the case for all equipment/systems at control centers, substations and/or plants. MidAmerican argues that taking equipment out of service during these exercises could result in an unexpected impact to reliability. MidAmerican also supports the proposal to refine the Reliability Standard to require complete documentation and a lessons learned section for the reasons articulated in the CIP NOPR.

683. Idaho Power requests that the Commission not include the proposed requirements for full operational exercises in the Final Rule. Idaho Power believes that testing should only be performed on a test platform. The risk to the reliable operation of the Bulk-Power System outweighs the perceived benefit of this type of testing. With adequate test plans, trained and qualified personnel, and a regimented change management process, Idaho Power believes adequate protection is in place without additional modifications to the standard.

684. Entergy also disagrees with the proposed requirement to perform a full operational cyber exercise involving operational systems. This is a formula for unnecessary risk to reliability of the control systems used to operate the grid. There is a wide and permuted range of potential incident types that would need to be simulated in a full exercise, and the response to different incidents can literally mean disconnecting control system elements from the network to which they are attached—while in production operation. This is perhaps the most challenging of all the CIP Reliability Standards to address in practice, and in the absence of a representative identical parallel test suite of equipment upon which to conduct the exercises, the reasonableness of such testing is questionable. Entergy believes that the industry should not be required to perform tests in a real time production command and control system—the potential risks outweigh the potential value.

685. SoCal Edison states that it conducts numerous operational tests and drills and requests clarification that drills conducted under CIP-008-1 can be coordinated with other operational tests currently in place.

ii. Commission Determination

686. The Commission adopts the CIP NOPR proposal to direct the ERO to modify CIP-008-1, Requirement R2 to require responsible entities to maintain documentation of paper drills, full operational drills, and responses to actual incidents, all of which must include lessons learned. The Commission further directs the ERO to include language in CIP-008-1 to require revisions to the incident response plan to address these lessons learned.

687. In light of the comments received, the Commission clarifies that, with respect to full operational testing under CIP-008-1, such testing need not require a responsible entity to remove any systems from service. The Commission understands that use of the term full operational exercise in this context can be confusing. We interpret the priority of the testing required by this provision to be that planned response actions are exercised in reference to a presumed or hypothetical incident contemplated by the cyber security response plan, and not necessarily that the presumed incident is performed on the live system. A responsible entity should assume a certain type of incident had occurred, and then ensure that its employees take what action would be required under the response plan, given the hypothetical incident.
A responsible entity must ensure that it is properly identifying potential incidents as physical or cyber and contacting the appropriate government, law enforcement or industry authorities. CIP-008-1 should require a responsible entity to verify the list of entities that must be called pursuant to its cyber security incident response plan and that the contact numbers at those agencies are correct. The ERO should clarify this in the revised Reliability Standard and may use a term different than full operational exercise. 164

164 Because the use of the term full operational exercise in CIP-009-1 appears to have different implications for the testing environment, we encourage the development of a different term here in CIP-008-1.

8. CIP-009-1—Recovery Plans for Critical Cyber Assets

688. The purpose of proposed Reliability Standard CIP-009-1 is to ensure that recovery plans for critical cyber assets are in place and follow established business continuity and disaster recovery techniques and practices. This Reliability Standard requires the development, updating, and testing of recovery plans, as well as storage and testing of associated backup data and backup media.

689. The Commission approves Reliability Standard CIP-009-1 as mandatory and enforceable. In addition, we direct the ERO to develop modifications to CIP-009-1 through the Reliability Standards development process. Further, the Commission requires the ERO to consider various other matters of clarification, guidance, and modification. The required modifications are discussed below in the following topic areas of concern regarding CIP-009-1:
(1) Recovery plans;
(2) forensic data collection;
(3) operational exercises;
(4) updating recovery plans;
(5) backup and storage of restoration data; and
(6) testing of backup media.

a. Recovery Plans

690. Requirement R1 of CIP-009-1 requires the responsible entity to create and annually review recovery plans for critical cyber assets. Requirement R1.1 requires specification of response to “events or conditions of varying duration and severity that would activate the recovery plan(s).”

691. In the CIP NOPR, the Commission recognized that the Requirement R1.1 language is very general and does not provide or require a definition of what constitutes a precipitating event or triggering condition necessary for recovery plan implementation. We stated our concern that precipitating events should be readily recognized by responsible entities so that recovery plans are promptly implemented, but declined to propose modifications of the events and conditions language at this time. 165

165 *See* CIP NOPR at P 291-93.

692. We also noted that Requirement R1 does not specifically require implementation of a recovery plan because it requires that recovery plans must be created and reviewed but does not explicitly require actual implementation when the events or conditions occur. The Commission proposed to direct the ERO to modify CIP-009-1 to include this requirement. We stated that, in the interim period, the Commission will infer that implementation is embodied in this Requirement when enforcing it, i.e., if an entity has the required recovery plan but does not implement it when the anticipated event or conditions occur, the entity will not be in compliance with this Reliability Standard.

i. Comments

693. MidAmerican supports the proposal to explicitly require the implementation of plans required in this Reliability Standard for the reasons articulated in the CIP NOPR. This issue also has arisen with regard to other Reliability Standards.

ii. Commission Determination

694. For the reasons discussed in the CIP NOPR, the Commission adopts the proposal to direct the ERO to modify CIP-009-1 to include a specific requirement to implement a recovery plan. We further adopt the proposal to enforce this Reliability Standard such that, if an entity has the required recovery plan but does not implement it when the anticipated event or conditions occur, the entity will not be in compliance with this Reliability Standard.

b. Forensic Data Collection

695. Requirement R1 of CIP-009-1, in requiring recovery plans, does not require the collection of forensics data and does not address how such collection activities relate to restoration of service efforts.

696. In the CIP NOPR, the Commission stated that concern for the reliability of the Bulk-Power System requires attention to forensics data collection, and noted that the Blackout Report also emphasized the need to improve forensics and diagnostic capabilities in Recommendation 37. 166 We explained that obtaining forensic data will benefit the long-term reliability of the Bulk-Power System because the lessons learned from one event assist in eliminating or dealing with a repeat or similar event. We noted that forensic data collection procedures could be as minimal as preserving a corrupted drive, making a data mirror of the system before proceeding with recovery, or taking the important assessment steps necessary to avoid reintroducing the precipitating or corrupted data. The Commission proposed to direct the ERO to modify CIP-009-1 to incorporate use of good forensic data collection practices and procedures into this Reliability Standard.

166 *See* Blackout Report at 166, Recommendation 37.

697.
We acknowledged that recovery of critical cyber assets and the Bulk-Power System is of short-term critical importance, and information collection efforts should not impede or restrict system restoration, but emphasized that it is also important to long-term reliability interests that responsible entities make solid forensic efforts in a given situation, such as collecting the data immediately after system restoration or the recovery of critical cyber assets, if that is what can be done. We recognize that collecting forensic data may not be technically feasible for all situations due to equipment limitations, such as some legacy systems or older substation installations with little electronic monitoring. Therefore, the Commission suggested that it may be appropriate to allow a technical feasibility exception for forensic data collection where, if invoked, the responsible entity would be required to propose interim actions, milestone schedules, and a mitigation plan, the same as required by other instances of the clause. Also, we proposed to direct the ERO, when incorporating the use of good forensic data collection practices into this Reliability Standard, to make clear that such practices should not impede or restrict system restoration and to consider whether it is necessary to include a technical feasibility provision. 167 167 *See* CIP NOPR at P 294-98. i. Comments 698. NERC, SPP, ReliabilityFirst, Alliant, Arizona Public Service, Entergy, Idaho Power and Manitoba argue that the term forensics in other arenas conveys concepts of scientific rigor and chain of custody to assure that data are not tampered with in a legal proceeding. None of these are conducive to rapidly restoring service, or to maintaining or enhancing reliable operations of an already failed component. 
Thus, NERC, ReliabilityFirst and Idaho Power argue that this term should be removed from the Final Rule and replaced with the phrase “data collection for post-event analysis, where technically feasible.” Alliant agrees with NERC. 699. NERC believes that the Commission's intent would be better served through the development of a guideline concerning how data collection and analysis should be performed to determine causes of failures. NERC, the Commission and the responsible entities could then work together to engage control system vendors and manufacturers to develop and implement changes to their products to more readily allow the collection of high quality cyber event data, that can be used together with operational data to better understand the specific events which caused the outage or failure leading up to the need to invoke the incident response plan. NERC argues that the vendor community is in the best position to develop these toolsets, because, in most cases, both hardware and software modifications would be required to allow the rapid and efficient collection of quality data. Further, NERC argues that technical criteria will need to be developed to allow different manufacturers to generate such event log data in a common format for analysis. Equipment vendors need to be involved in these technical criteria and product development efforts, not the ERO-jurisdictional responsible entities. Idaho Power recommends that the ERO or Regional Entities develop and support work groups to address the latest technologies and methods to alleviate and address the Commission's concerns. Alliant agrees with NERC that these modifications should be effectuated through the Commission-approved Reliability Standards development process. 700. ISO-NE agrees in part with NERC's comments on the proposal to include a reference and requirements regarding the collection of forensic data. 
Further, forensic analysis is a skill used in the analysis of security incident data, the retention of which for three years is already addressed in CIP-008-1 for incident response. Also, ISO-NE states that CIP-005-1, CIP-006-1 and CIP-007-1 already require the retention of log data to support initial monitoring, analysis, and alerting of identified security incidents. 701. ISO-NE asserts that the broad-brush use of the term forensic data in the Blackout Report included all reliability incident data for post incident analysis. The scope is clear that these Reliability Standards are limited to cyber security incidents, and not all operational incidents impacting reliability. Therefore, ISO-NE believes the Reliability Standards already address this topic adequately, and it is therefore not appropriate to include in CIP-009-1. ISO-NE requests that any direction to the ERO regarding further collection of forensic data, or other operational reliability incident data, be omitted. 702. Entergy argues that forensic procedures can be quite complicated and situation dependent. Entergy argues that, if this CIP Reliability Standard is to be rewritten, it should be limited to the statement that “use of good forensic data collection practices should be employed.” Separate guidance could be included in ancillary advisory documents, such as those already available from NIST and various law enforcement authorities. 703. SoCal Edison and Northern Indiana are concerned that forensic data collection practices may hinder efforts to restore Bulk-Power System functionality. SoCal Edison believes that there may be impacts to restoration timeliness as well as additional personnel and hardware required if collection of forensics data are mandated. 704. NRECA believes that restoring service and reliability after an outage or other event must be the primary concern, and the need to preserve evidence should not compromise that objective. 
In some cases, both objectives can be achieved, and in other cases they cannot. Operating personnel should have the flexibility to make appropriate determinations as long as they can provide a reasonable explanation for their actions, without being exposed to penalties. In any event, it is difficult to reconcile the Commission's statutory authority to approve or remand Reliability Standards with a forensics requirement, which is not itself a Reliability Standard. The ERO, through its Reliability Standards development process, should be allowed to revisit the issue of what priority should be afforded to forensics without having a specific outcome dictated by the Commission. 705. MidAmerican suggests that the Commission substitute a reference to the National Institute of Justice's Forensic Data guideline, in lieu of the reference to “good forensic data collection.” ii. Commission Determination 706. The Commission adopts, with clarification, the CIP NOPR proposal to direct the ERO to modify CIP-009-1 to incorporate use of good forensic data collection practices and procedures into this CIP Reliability Standard. The Commission continues to believe that it is important to long-term reliability interests that responsible entities collect data in certain situations, such as immediately after system restoration or the recovery of critical cyber assets. In response to ISO-NE, the Commission does not believe that the requirement to keep log data contained in other CIP Reliability Standards is sufficient. As we stated in the CIP NOPR, the data collection procedures could include preserving a corrupted drive, making a data mirror of the system before proceeding with recovery, or taking the important assessment steps necessary to avoid reintroducing the precipitating or corrupted data. None of this is required in the Reliability Standards cited by ISO-NE. 707. The Commission used the term forensic because that is the term used in the Blackout Report. 
However, the Commission clarifies that it does not intend, as suggested by commenters, that the Reliability Standard impose the extent of scientific rigor or chain of custody required in criminal procedure. Rather, the Commission is concerned with responsible entities preserving the data necessary to determine the cause of any problem with the system. 708. In response to Entergy, NRECA, SoCal Edison and Northern Indiana, recovery of critical cyber assets and the Bulk-Power System is of immediate critical importance, and information collection efforts should not impede or restrict system restoration, as stated in the CIP NOPR. We agree that preserving evidence should not hinder system restoration. 709. We do not object to the alternate proposal developed by the ERO, including use of the phrase “data collection for post-event analysis, where technically feasible,” to describe what should be required under the revised Reliability Standard. The ERO may also consider the methods proposed by Entergy and MidAmerican. We also recognize that collecting forensic data may not be technically feasible for all situations due to equipment limitations, such as older substation installations with little electronic monitoring. Therefore, when revising the Reliability Standard, the ERO may incorporate a technical feasibility exception, subject to the same conditions for exercising the exception as described elsewhere in this Final Rule. 710. Therefore, we direct the ERO to revise CIP-009-1 to require data collection, as provided in the Blackout Report. The modification should focus on responsible entities preserving the data necessary to determine the cause of any problem with the system and may include a technical feasibility exception. c. Operational Exercises 711. 
Requirement R2 of CIP-009-1 requires the responsible entity to exercise recovery plans at least annually, and that such exercise can range from a paper drill, to a full operational exercise, or to recovery from an actual incident. 712. In the CIP NOPR, the Commission addressed the question of whether full operational exercises should be required to aid in identifying potential problems and to realize improvements, and concluded that some potential problems that could significantly impair reliability will not be found without them. 168 The Commission stated its belief that table-top exercises alone, on an ongoing basis, will not suffice, given the increasing complexity and interconnection of control systems. We also cautioned that technical feasibility and suitability of risk must be carefully weighed with the possible benefits of conducting the full operational exercises, and therefore opted for a limited approach. We concluded that benefits from operational exercises are sufficient that the industry as a whole should develop suitable operational exercises in the course of evolving good cyber security practices. 168 *See id.* P 299-304. 713. Accordingly, the Commission proposed to direct the ERO to develop modifications to CIP-009-1 to require a full operational exercise once every three years (unless an actual incident occurs), but to permit reliance on table-top exercises annually in other years. In conjunction, we proposed to direct the ERO to consider the appropriateness of a technical feasibility option, in the limited fashion proposed earlier. 169 As an example, we noted that CIP-009-1 could be modified to allow for partial operational exercises, reduced from full operational exercises, only to the extent a responsible entity explains and documents, for a particular substation or a particular generating plant, technical infeasibility. 169 *See id.* P 77-86 and section II.F.2-3, *supra* (Technical Feasibility and Acceptance of Risk). 714. 
The Commission noted the lack of clarity of the term full operational exercise and therefore also proposed to direct the ERO to either define in its glossary the term full operational exercise or provide more direction directly in the Reliability Standard as to the parameters of the term for use therein. We acknowledged that many operational exercise practices include table-top components in significant proportions. i. Comments 715. With the changes included in the CIP NOPR, the California Commission and Texas PUC view this Reliability Standard as acceptable. Consistent with its comments regarding Standard CIP-008-1, MidAmerican supports the Commission's change to a three-year testing cycle, as long as a full operational exercise does not require the asset to be taken out of service. 716. NERC raises similar concerns with the Commission's use of full operational exercises to test recovery plans as it raised with respect to full operational exercises of electronic security perimeters in CIP-005-1. 170 For example, NERC is concerned that the use of the term will require that a substation control environment will need to be completely reconstructed from scratch to ensure that it may be recovered following an incident. In the case of an information technology-only system (such as components of an energy management system), or for high-value centralized systems with limited specialized components (such as a SCADA system with its communications requirements), it may be practical to hold dedicated exercises through the use of dedicated equipment. NERC believes that requiring such full exercises in a substation or generating plant environment wastes resources without providing a significant reliability benefit. Even if such exercises were to be performed, each substation or generating plant implementation is different. 
Full exercises might imply that each specific substation and generating plant (or even each generating unit at a generating plant) would need to be exercised separately to ensure that the specific nuances of each implementation are exercised. 170 *See* section II.H.4.d.ii, *supra.* 717. NERC also argues that, when significant damage or failure occurs, responsible entities must take such action as necessary to ensure that their equipment meets the operational and cyber security requirements and expectations. It may not be possible to exactly replicate the damage or failure in a live operations context. NERC maintains that the phrase full operational exercises should be replaced by “demonstrated restoration of critical cyber assets in a test environment.” NERC goes on to explain that its comments on representative test environments in CIP-005-1 also apply here. 718. APPA/LPPC support the Commission's proposal. APPA/LPPC also agree with the Commission's determination that NERC should either define full operational exercise in its glossary or provide more direction directly in the Reliability Standard as to the parameters of the term. 719. APPA/LPPC, Arkansas Electric, Idaho Power, FPL Group, SPP and Consumers oppose including a live vulnerability test in a full operational exercise. APPA/LPPC state that, as noted by the Commission, the benefits of operational exercises must be weighed against the technical feasibility and operational risks of such exercises. 171 The commenters state that live vulnerability tests would pose operational risks that would outweigh any benefits such tests would produce. Consumers maintains that, because the activities involved in a live vulnerability/penetration test are intrusive and can result in major vulnerability exploitation beyond control, they can result in unintended damage to the system. 171 CIP NOPR at P 302. 720. 
FirstEnergy also opposes full operational exercises, on the grounds that they often require entire systems to be shut down, would require a large number of company personnel to be diverted from regular duties, and would provide little value until the industry gains more experience in this area. Until that time, FirstEnergy argues that paper drills and/or table top exercises should be adequate. 721. Northern Indiana requests clarification of what actual incident would excuse a full operational exercise. For instance, an incident (the nature of which may not be known) may occur that compels the responsible entity to stop the full operational exercise, which cannot be rescheduled for several months. The delay in operational testing should reset the clock such that the next paper drill of the tested system is performed one year from completion of the full operational exercise. 722. Idaho Power also argues that, with adequate test plans, trained and qualified personnel, and a regimented change management process, adequate protection is in place without additional changes to the Reliability Standard. ISO-NE asserts that clarification is needed of what constitutes a full operational exercise. ISO-NE thus supports the CIP NOPR's directive to direct the ERO to provide greater clarity as to the meaning of this term. As to whether to provide a definition of full operational exercise in the NERC Glossary, it needs to be understood that what may qualify as such an exercise with regards to readiness of Bulk-Power System operations would be somewhat different from such an exercise with respect to a cyber security incident response plan, or for IT back-up and recovery plans. Therefore, ISO-NE reserves further judgment of requirements for full operational exercises until additional clarity is provided. 723. Arkansas Electric opposes full operational exercises and suggests requiring a “functional exercise” be performed at least every three years. 
Arkansas Electric states that functional exercises are well defined in the emergency management and disaster recovery disciplines. Arkansas Electric notes that the National Incident Management System defines a functional exercise as one that “simulates the reality of operations in a functional area by presenting complex and realistic problems that require rapid and effective responses by trained personnel in a highly stressful environment.” Arkansas Electric argues that these exercises are more rigorous than tabletop exercises, yet they do not require the same system disruption as a full scale exercise. 724. Texas PUC maintains that the Commission's proposal to allow some entities to conduct partially operational exercises every three years appropriately recognizes the constraints faced by some entities. However, it states that this exception should not excuse entities from conducting more complex drills. ii. Commission Determination 725. The Commission adopts, with modifications, the CIP NOPR proposal to develop modifications to CIP-009-1 through the Reliability Standards development process to require an operational exercise once every three years (unless an actual incident occurs, in which case it may suffice), but to permit reliance on table-top exercises annually in other years. Consistent with our goals and discussion of CIP-005-1, the Commission will not at this time require responsible entities to perform full operational exercises. Instead, the Reliability Standard should require the demonstrated recovery of critical cyber assets in a test environment, with the requirements for representative test environments and for addressing differences between the test environment and the production environment, similar to the conditions discussed for live testing in CIP-005-1. 
Given the range of views presented in comments regarding live testing, as the Reliability Standard development process forms the details of this “demonstrated recovery” concept, it should consider offering guidance beyond the actual Requirements of the Reliability Standard in separate reference documents. The Commission believes this alleviates commenters' concerns about the risks associated with such testing. 726. The Commission notes ISO-NE's concerns about providing a definition of full operational exercise in the NERC Glossary are addressed since we are not requiring the use of that term in the Reliability Standards. d. Updating Recovery Plans 727. Requirement R3 of CIP-009-1 requires the responsible entity to update the recovery plans to reflect any changes or lessons learned from an exercise or the recovery from an actual incident. It requires plan updates to be communicated to the personnel responsible for activating or implementing the recovery plan within 90 days of the change. 728. The Commission stated its concern that individuals responsible for activating and implementing a recovery plan must have the most current information available, and its belief that a 90-day time lag between when a weakness in a recovery plan is discovered and when it is corrected and communicated to such responsible personnel is too long. 172 We noted that failure for the responsible personnel to have current information about a recovery plan could cause unnecessary delay in restoring critical cyber assets to service and thereby jeopardize the reliability of the Bulk-Power System. Therefore, the Commission proposed to direct the ERO to modify Requirement R3 of CIP-009-1 to shorten the timeline for updating recovery plans to 30 days, while continuing to allow up to 90 days for completing the communications of that update to responsible personnel. 
We stated our belief that a 30 day requirement for updating the recovery plans will promote timely incorporation of lessons learned during exercises and actual events, while acknowledging that 90 days is reasonable for the completion of personnel training sessions, due to varied shift schedules and other feasibility issues with regard to facility and organization. 172 *See id.* P 305-08. i. Comments 729. MidAmerican supports this proposal for the reasons articulated in the CIP NOPR. Northern Indiana supports retaining the Requirement as is, that is, to allow a 90-day period to both update and communicate recovery plans to responsible personnel. 730. ISO-NE is concerned that there is no clear indication of when the 30 day clock would start and asks that changes resulting from modifications to the systems, controls, and procedure shall be documented within 30 days of final implementation of said modifications, similar to its concerns with respect to CIP-007-1. ii. Commission Determination 731. The Commission adopts the CIP NOPR proposal to direct the ERO to modify Requirement R3 of CIP-009-1 to shorten the timeline for updating recovery plans. We believe that allowing 30 days to update a recovery plan is more appropriate, while continuing to allow up to 90 days for completing the communications of that update to responsible personnel. However, the Reliability Standards development process may propose a time period other than 30 days, with justification that it is equally efficient and effective. As we stated with respect to change made pursuant to CIP-007-1, the Commission believes that having correct documentation is necessary because if an event occurred before documentation was updated, an operator may not know of a change and could attempt to operate the system using out of date information. This puts reliability at risk by not informing operators of a method, process or procedure to secure the system against a known risk. 
Therefore, the Commission believes that 90 days is too long to allow a responsible entity to have incorrect documentation. Thirty days should be sufficient time to update any necessary documentation. Northern Indiana has not provided us sufficient reason to change the CIP NOPR proposal. Finally, as stated with respect to the documentation requirements in CIP-007-1, the 30 day period should begin upon final implementation of the modifications. e. Backup and Storage of Restoration Data 732. Requirement R4 of CIP-009-1 requires that a recovery plan include processes and procedures for the backup and storage of information necessary to successfully restore critical cyber assets. 733. We addressed whether the required backups should be tested as part of the system change before they are stored and assumed to be operational. 173 The Commission proposed to direct the ERO to modify CIP-009-1 to incorporate guidance that the backup and restoration processes and procedures required by Requirement R4 should include, at least with regard to significant changes made to the operational control system, verification that they are operational before the backups are stored or relied upon for recovery purposes. 173 *See id.* P 309-13. 734. The Commission stated that it understood that preserving multiple generations of restoration backups is common practice, and that competent implementation of the CIP Reliability Standards would tend to include the good and efficient practice of testing recovery backups as they are created. However, the Commission did not find that direction toward these good practices was contained in, implied by, or readily understood from either this or other Requirements among the CIP Reliability Standards, such as Requirement R6 of CIP-003-1. 
The Commission reiterated its position, stated with regard to the change control processes required by Requirement R6 of CIP-003-1, where no backups of any kind are mentioned, that there is a need for enhanced direction in issues related to proper change control, and that the CIP Reliability Standards should specifically state that a change control process should include procedures for a tested backup. We noted that adding clarification language here to Requirement R4 of CIP-009-1, such as “these procedures are to include practices to test and verify the operability of the backup before it is stored and relied upon for recovery,” would eliminate this ambiguity. i. Comments 735. MidAmerican supports the proposal to modify the Reliability Standard to require the ERO to provide directions on best practices for the back up and restore process for the reasons articulated in the CIP NOPR. 736. FirstEnergy and Northern Indiana disagree with the Commission's proposal to require verification and detection after adding, modifying, replacing or removing critical cyber asset hardware or software, arguing that this requirement is essentially the same as requiring continuous assessment. Northern Indiana argues that verification that backup tapes are operational is merely the assessment that the tapes are functional; verification does not assure the content may be used for restoration purposes. In the Final Rule, the Commission should clarify what is intended by backup and verify in the context of backup and restoration media. MidAmerican requests clarification of what constitutes a significant change that would require verification because it contends that this process could be extremely onerous if required outside of a planned plant shutdown. 737. 
SPP suggests that testing backups prior to storage is only one mitigation strategy that should be considered along with other available mitigations to assure the ability to recover from a system failure following any event, not just a significant upgrade. SPP suggests that in a properly managed data center environment, a combination of image and incremental backups should be regularly performed, or inter-site disk-to-disk replication should be implemented, regardless of significant system modifications. Periodic recovery testing, coupled with sound system backup/replication management processes, is adequate to assure recovery and restoration of failed cyber assets; special pre-modification backups are not necessary. It is impractical and unnecessary to test every backup media prior to storing it. Other mitigation strategies that may provide equivalent assurance of recovery include reconstitution of the asset from installation media with recovery of data from either backup files or redundant systems, and complete reconstitution of the asset from a redundant system. 738. Moreover, SPP states that some systems cannot be backed up due to their design architecture. In this instance, complete, up-to-date system configuration and recovery/or reconstitution documentation must be maintained. In addition, given the nature of certain deployed cyber assets, it is not possible to perform a restoration test without placing the asset and the facility it serves at risk. All of this must be weighed when developing the business continuity plan. ii. Commission Determination 739. The Commission adopts the CIP NOPR proposal to direct the ERO to modify CIP-009-1 to incorporate guidance that the backup and restoration processes and procedures required by Requirement R4 should include, at least with regard to significant changes made to the operational control system, verification that they are operational before the backups are stored or relied upon for recovery purposes. 
Our intent in doing so is to require responsible entities to have a procedure in place that gives them a high confidence level that their backups will actually restore the system as needed. Auditors should be able to determine compliance by reviewing a responsible entity's policies, procedures and records to determine how the testing is done and what recent tests have been performed. In response to commenters' suggestions on how to verify the backup and restoration processes, the ERO should determine appropriate methods to accomplish the Commission's objectives in the Reliability Standards development process.

740. The Commission does not agree with FirstEnergy and Northern Indiana that requiring verification of backup and restoration processes and procedures when a significant change is made to the operational control system requires continuous assessment. The Commission does not believe that every change will necessitate verification of the backup and restoration processes. Rather, it is sufficient to verify a process if a significant change, such as adding new hardware or installing new software to the control system, is made. The Commission does not believe that responsible entities will be making significant changes to their backup and restoration processes continuously. Similar to our determination with respect to Requirement R4 of CIP-005-1, the ERO should determine, through the Reliability Standards development process, what would constitute a modification that would require verification of the backup and restoration processes.

f. Testing of Backup Media

741. Requirement R5 requires annual testing of information stored on backup media to ensure information essential to recovery is available.

742. The CIP Assessment noted that it is critical that such information be accessible in the event of an actual incident, and that the Reliability Standard does not specify any actions to be taken in the event of a failure in testing, and asked whether such testing should also be conducted on a more frequent basis.

743. In the CIP NOPR, the Commission addressed whether such testing should also be conducted on a more frequent basis and what action should be taken in the event of a failure in testing. We understood that, if these CIP Reliability Standards were implemented in a full and competent manner, then adequate backup verification measures would probably be in place. However, we stated that Reliability Standards demand a higher degree of certainty and should provide the guidance that responsible entities need to have procedures to verify backups are successfully completed every cycle and to have recovery procedures in place for when the backup fails.

744. The Commission proposed to direct the ERO to modify CIP-009-1 to provide direction that backup practices include regular procedures to ensure verification that backups are successful and backup failures are addressed, thus guaranteeing that backups are available for future use. 174 We stated that insertion of language such as, “backup procedures are to include regular verification of successful completion and procedures to address backup failures” would satisfy this goal. We stated our view that inability to recognize the failure of a backup process poses a great risk, and that the annual restoration testing required here is adequate frequency as long as the backup process is properly managed.

174 *See id.* P 314-19.

i. Comments

745. ISO-NE agrees with the Commission proposal if the intent is to review the backup process.
However, ISO-NE states that testing the actual backup data is not realistic in most instances, because the environment would literally have to be shut down and be restarted with the data in order to test it. ISO-NE asserts that, in an emergency, the restored data are a good starting point for recovery, but for a test process, such activity would not be acceptable due to the impact on reliability and market systems. Therefore, ISO-NE requests that the Commission omit directing the ERO to make any changes to CIP-009-1 Requirements R4 and R5.

746. FirstEnergy states that the requirement to ensure that backups are successful and available for future use should be limited to spot test restorations, such as restoration of a log file, because the ultimate verification of a backup—a complete restoration itself—is not practical.

747. Northern California agrees with the Commission that NERC should expand Requirement R5 of CIP-009-1 to include verification of backups.

ii. Commission Determination

748. The Commission adopts the CIP NOPR proposal to direct the ERO to modify CIP-009-1 to provide direction that backup practices include regular procedures to ensure verification that backups are successful and backup failures are addressed, so that backups are available for future use. However, the Commission agrees with ISO-NE that it is impractical to require the system to be shut down and be restarted with the data in order to test it. As stated above with respect to verifying backups after a significant change, our intent is to give responsible entities a high confidence level that their backups will actually restore the system as needed. Auditors should be able to look at a responsible entity's policies, procedures and records to determine how the testing is done and what recent tests have been performed. The ERO should determine appropriate methods to accomplish the Commission's objectives in the Reliability Standards development process.

I. Violation Risk Factors

749. Violation Risk Factors delineate the relative risk to the Bulk-Power System associated with the violation of each Requirement and are used by the ERO and the Regional Entities to determine financial penalties for violating a Reliability Standard. The ERO assigns a lower, medium or high Violation Risk Factor for each mandatory Reliability Standard Requirement. 175 The Commission has established guidelines for evaluating the validity of each Violation Risk Factor assignment. 176

175 The specific definitions of high, medium and lower are provided in *North American Electric Reliability Corp.,* 119 FERC ¶ 61,145 at P 9 (*Violation Risk Factor Order*), *order on reh'g,* 120 FERC ¶ 61,145 (2007) (*Violation Risk Factor Rehearing*).

176 The guidelines are:
(1) Consistency with the conclusions of the Blackout Report;
(2) Consistency within a Reliability Standard;
(3) Consistency among Reliability Standards;
(4) Consistency with NERC's Definition of the Violation Risk Factor Level; and
(5) Treatment of Requirements that Co-mingle More Than One Obligation.
The Commission also explained that this list was not necessarily all-inclusive and that it retained the flexibility to consider additional guidelines in the future. A detailed explanation is provided in *Violation Risk Factor Rehearing,* 120 FERC ¶ 61,145 at P 8-13.

750. In a separate filing, the ERO submitted 162 Violation Risk Factors that correspond to Requirements of the proposed CIP Reliability Standards. 177 While the Commission has addressed the Violation Risk Factors that correspond to the Requirements of the Reliability Standards it has already approved, NERC requested that going forward the Commission approve the Violation Risk Factors when it takes action on the associated Reliability Standards. 178 Accordingly, the Commission addresses the Violation Risk Factors that correspond to the CIP Reliability Standards in this proceeding.

177 *See* NERC's March 23, 2007 filing in Docket No. RR07-10-000, Exh. A.

178 *See North American Electric Reliability Corporation,* 119 FERC ¶ 61,145 (2007) (May 18 Order) (approving and modifying Violation Risk Factors).

751. In the CIP NOPR, the Commission proposed to approve the 162 proposed Violation Risk Factor assignments that correspond to the Requirements of the CIP Reliability Standards and direct the ERO to revise 43 of them. In addition, the Commission noted that the ERO did not assign Violation Risk Factors to nine Requirements and proposed to direct the ERO to make these Violation Risk Factor assignments and file them for Commission approval.

752. The Commission noted that NERC assigned a “lower” designation to almost 85 percent of the Violation Risk Factors corresponding to the Requirements of the CIP Reliability Standards. No Requirements received a “high” Violation Risk Factor assignment. The Commission stated that it believed the ERO mischaracterized many of the Requirements as administrative, resulting in a lower Violation Risk Factor assignment, where in fact a medium or high designation was more appropriate.

753. We proposed to direct the ERO to submit a filing containing revised Violation Risk Factors within 60 days of the date of the Final Rule. We also proposed to direct the ERO to include in its filing a complete Violation Risk Factor matrix.

1. General Issues

a. Comments

754. NERC argues that the Commission should not establish a 60-day compliance deadline for NERC to modify the Violation Risk Factors. Instead, it suggests that the Commission should find that Violation Risk Factors may be addressed in the NERC Reliability Standards development process, so long as this produces timely results. 179 Alliant, Arizona Public Service, CEA, Progress and PSEG Companies agree. PSEG Companies point out the numerous procedural hurdles that would make modification of the 43 Violation Risk Factors within a sixty-day window extremely difficult.
Similarly, while Ontario Power disagrees with the Commission that Violation Risk Factors are not a part of the Reliability Standards, it does not oppose revisiting the Violation Risk Factors through NERC's Reliability Standards development process.

179 NERC cites *North American Electric Reliability Corp.,* 119 FERC ¶ 61,046 (2007) in support of this position.

755. While the Commission has elsewhere determined that Violation Risk Factors can be changed outside of the full ERO Reliability Standards development process, NRECA supports and continues to assert that it is preferable for all concerned for such changes to be made within the context of that process. It asserts that institutional bifurcation of the development of the Reliability Standards from the consequences of violation of the Reliability Standards is not a desirable practice and should be minimized. The ERO, through its Reliability Standards development process, should be allowed to revisit the CIP Violation Risk Factors without having a specific outcome dictated by the Commission.

756. Progress maintains that unnecessarily increasing Violation Risk Factors for planning Reliability Standards may have unintended consequences. According to Progress, assigning overly conservative Violation Risk Factors will cause senior managers responsible for CIP Reliability Standard compliance to focus more time and resources on satisfying those Reliability Standards, potentially to the detriment of other Reliability Standards. It maintains that the level of the Violation Risk Factor is intended to communicate the importance of the Reliability Standards and, consequently, the resources that should be devoted to its implementation and the magnitude of the penalty associated with its violation.

b. Commission Determination

757. NERC and other commenters ask the Commission to defer to NERC on the determination of Violation Risk Factors and allow NERC to reconsider the designations using the Reliability Standards development process. The Commission has previously determined that Violation Risk Factors are not a part of the Reliability Standards. 180 In developing its Violation Risk Factor filing, NERC has had an opportunity to fully vet the CIP Violation Risk Factors through the Reliability Standards development process.
The Commission believes that, for those Violation Risk Factors that do not comport with the Commission's previously-articulated guidelines for analyzing Violation Risk Factor designations, there is little benefit in once again allowing the Reliability Standards development process to reconsider a designation based on the Commission's concerns. Therefore, we will not allow NERC to reconsider the Violation Risk Factor designations in this instance but, rather, direct below that NERC make specific modifications to its designations. NERC must submit a compliance filing with the revised Violation Risk Factors no later than 90 days before the date the relevant Reliability Standard becomes enforceable.

180 *Violation Risk Factor Rehearing,* 120 FERC ¶ 61,145 at P 11-16 (2007), *citing North American Electric Reliability Corp.,* 118 FERC ¶ 61,030 at P 91, *order on clarification and reh'g,* 119 FERC ¶ 61,046 (2007).

758. That being said, NERC may choose the procedural vehicle to change the Violation Risk Factors consistent with the Commission's directives. NERC may use the Reliability Standards development process, so long as it meets Commission-imposed deadlines. 181 In this instance, the Commission sees no vital reason to direct the ERO to use section 1403 of its Rules of Procedure to revise the Violation Risk Factors below, so long as the revised Violation Risk Factors address the Commission's concerns and are filed no less than 90 days before the effective date of the relevant Reliability Standard. 182 The Commission also notes that NERC should file Violation Severity Levels before the auditably compliant stage.

181 *See North American Electric Reliability Corp.,* 118 FERC ¶ 61,030 at P 91, *order on compliance,* 119 FERC ¶ 61,046 at P 33 (2007).

182 The Commission notes that this is a change from the CIP NOPR proposal, which proposed to direct the ERO to submit a filing containing these modifications within 60 days of the date of the Final Rule.

759. Consistent with the *Violation Risk Factor Order,* the Commission directs NERC to submit a complete Violation Risk Factor matrix encompassing each Commission-approved CIP Reliability Standard.

760. The Commission disagrees with Progress that the Commission's concerns with respect to the CIP Violation Risk Factors will result in overly conservative Violation Risk Factor assignments. We also disagree with the characterization that a Violation Risk Factor delineates the importance of the Reliability Standard. Rather, the Violation Risk Factors delineate the relative risk to the Bulk-Power System associated with the violation of each Requirement. The Commission believes that the analysis below appropriately takes into account the risk of violating each Requirement in the CIP Reliability Standards.

2. Specific Modifications to Violation Risk Factors

761. The Commission proposed to require NERC to assign several Requirements in the CIP Reliability Standards a high Violation Risk Factor. For example, CIP-002-1 Requirement R2, which requires the identification of assets that are critical to the Bulk-Power System, is assigned a lower Violation Risk Factor. While the product of the Requirement is a list of critical assets, the Commission stated that this is clearly not an administrative Requirement. In fact, the failure to properly identify critical assets could place the Bulk-Power System at an unacceptable risk or restoration efforts could be hindered. Further, this Requirement has a controlling effect over all of the CIP Reliability Standards that follow. The Commission stated that, if an asset is critical and is not identified as such, the remaining CIP Reliability Standards will not be applied to that asset. Depending on the asset that is overlooked, and consequently not protected by the Reliability Standards, a higher level of Bulk-Power System failure is possible. Thus, by NERC's definition, this Requirement should have a high Violation Risk Factor assignment.
In addition, the recommendations related to physical and cyber security contained in the Blackout Report, 183 while largely addressed by the proposed CIP Reliability Standards, would essentially be thwarted if a responsible entity does not effectively comply with Requirements R2 and R3 of CIP-002-1. Accordingly, we proposed to direct the ERO to modify Requirement R2 to denote a high Violation Risk Factor assignment.

183 Blackout Report at 163-69, Recommendations 32-44.

762. Similarly, CIP-002-1 Requirement R3, which requires the identification of cyber assets that are essential to the operation of critical Bulk-Power System assets, has a medium Violation Risk Factor assignment. By definition, a medium Violation Risk Factor assignment means that the Requirement is unlikely, under emergency, abnormal, or restoration conditions to lead to Bulk-Power System instability, separation, or cascading failures, or to hinder restoration to a normal condition. However, if this Requirement is violated, the Bulk-Power System could in fact be at an unacceptable risk of failure or restoration efforts could be hindered. Further, this Requirement has a controlling effect over all of the CIP Reliability Standards that follow. As with CIP-002-1 Requirement R2, depending on the asset that is overlooked, and consequently not protected by the Reliability Standards, a higher level of Bulk-Power System failure is possible. Also, we stated that proper compliance with CIP-002-1, Requirement R3 is essential to the ability of the proposed CIP Reliability Standards to satisfy the recommendations of the Blackout Report. 184 Accordingly, we proposed to direct the ERO to modify this Requirement to denote a high Violation Risk Factor assignment.

184 *Id.*

763. The Commission also proposed to direct the ERO to change the Violation Risk Factor assignments for several Reliability Standards from a lower to a medium assignment.
The Commission's primary reason for proposing to direct these changes was to promote implementation of the recommendations contained in the Blackout Report; to establish consistency within a Reliability Standard, i.e., among sub- and main Requirements of the same Reliability Standard; and consistency across Reliability Standards.

a. Comments

764. Northern California agrees that many requirements inappropriately have a Violation Risk Factor of lower and that NERC should re-evaluate the Violation Risk Factors of the Requirements identified by the Commission in Appendix B of the CIP NOPR, and urges NERC to adopt the Commission's recommended assessment.

765. While APPA and the LPPC members state that they are committed to complying with all of the CIP Reliability Standards, APPA/LPPC believe that the Commission's proposal to elevate the violation risk factor for CIP-002-1, Requirement R2 from low to high and the violation risk factor for CIP-002-1, Requirement R3 from medium to high should be reexamined. While overlooked assets could result in Bulk-Power System failure, the oversight process now contemplated by Regional Entities over asset designation, and the overwhelming incentive responsible entities have to proceed cautiously, make it difficult to see a substantial potential for assets to be overlooked.

766. EEI states that the proposal to direct the ERO to modify CIP-002-1 to denote a high Violation Risk Factor assignment mandates a particular outcome and does not allow for consideration of any alternative.

b. Commission Determination

767. The Commission adopts the CIP NOPR proposal to direct the ERO to revise 43 Violation Risk Factors. While the Commission hopes that APPA/LPPC are correct that there is not a substantial potential for assets to be overlooked, this is not a reason not to modify the Violation Risk Factors. As we stated in Order No. 672, the fundamental goal of mandatory, enforceable Reliability Standards and related enforcement programs is to promote behavior that supports and improves Bulk-Power System reliability. 185 It is not imposing penalties. However, as APPA/LPPC recognize, overlooked assets could result in Bulk-Power System failure. This comports with the definition of a high Violation Risk Factor as a requirement that, if violated, could directly cause or contribute to Bulk-Power System instability, separation, or a cascading sequence of failures, or could place the Bulk-Power System at an unacceptable risk of instability, separation, or cascading failures. APPA/LPPC have not provided a persuasive reason for the Commission to change its proposal to direct the ERO to modify the Violation Risk Factors.

185 Order No. 672 at P 455.

768. Further, the Commission is not persuaded by the argument that the Violation Risk Factor should not be high because there is an incentive for responsible entities to proceed cautiously. The Violation Risk Factor should consider the risk to the system of non-compliance, regardless of other incentives that users, owners and operators of the Bulk-Power System have to comply.

769. Finally, the regional oversight over asset designation discussed by APPA/LPPC is not in place yet. Therefore, the Commission cannot rule on what it might be.

III. Information Collection Statement

770. The Office of Management and Budget (OMB) regulations require that OMB approve certain reporting and recordkeeping (collections of information) imposed by an agency. 186 The information collection requirements proposed in the CIP NOPR were identified under the Commission data collection, FERC-725B “Mandatory Reliability Standards for Critical Infrastructure Protection.” These proposed information collections will be submitted to OMB for review under section 3507(d) of the Paperwork Reduction Act of 1995. 187 In addition, OMB regulations require OMB to approve certain reporting and recordkeeping requirements imposed by agency rule. 188

186 5 CFR 1320.11.
187 44 U.S.C. 3507(d).
188 5 CFR 1320.11.

771. The “public protection” provisions of the Paperwork Reduction Act of 1995 require each agency to display a currently valid control number and inform respondents that a response is not required unless the information collection displays a valid OMB control number on each information collection or provides a justification as to why the information collection control number cannot be displayed. In the case of information collections published in regulations, the control number is to be published in the **Federal Register**.

772. *Public Reporting Burden:* The Commission developed its estimate of burden based upon the CIP Reliability Standards as proposed by NERC. The CIP Reliability Standards include only one actual reporting requirement. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to ESISAC. In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs and procedures. 189

189 *See* CIP NOPR at P 334.

773. The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities the various policies, plans, programs and procedures.
However, the documentation of the policies, plans, programs and procedures must be available to demonstrate compliance with the CIP Reliability Standards. The Commission has included the cost of developing the required documentation for the required policies, plans, programs and procedures in its burden estimate. The Commission, however, did not include in our burden estimate the cost of substantive compliance with the CIP Reliability Standards, separate from the requirements to develop specific documentation.

774. In formulating our estimate of the reporting burden, the Commission has been guided by several factors.

*Number of Entities:* As of April 2007, NERC identified 1,266 registered entities in the United States. The Applicability section of each CIP Reliability Standard specifies nine categories of users, owners and operators of the Bulk-Power System (as well as NERC and the Regional Entities) that must comply with the CIP Reliability Standards. The nine categories of users, owners and operators are based on the categories of functions identified in the NERC Functional Model. Based on a review of NERC's registration list, the Commission estimates that approximately 1,000 entities will be required to comply with the CIP Reliability Standards.

*Variations in Compliance Burden:* The Commission's estimate is based on all 1,000 entities documenting an assessment methodology to identify critical assets and critical cyber assets pursuant to CIP-002-1. As explained above, only those entities that identify critical cyber assets pursuant to CIP-002-1 are responsible to comply with the requirements of CIP-003-1 through CIP-009-1. Accordingly, the cost burden estimate differs for those entities that identify critical cyber assets and those that do not. Further, the reporting burden would vary with the number of critical cyber assets identified pursuant to CIP-002-1. An entity that identifies numerous critical cyber assets, including assets located at remote locations, will likely require more resources to develop its policies, plans, programs and procedures compared to an entity that identifies one or two critical cyber assets, housed at a single location. Based on this distinction, the Commission has developed separate estimates for large investor-owned utilities and other responsible entities such as municipals, generators and cooperatives.

*Customary Practices:* Prior to the development of CIP-002-1 through CIP-009-1, NERC approved through its urgent action process a cyber security Reliability Standard known as “UA-1200,” which applied to entities “such as control areas, transmission owners and operators, and generation owners and operators.” UA-1200 addressed a number of the same reporting burdens as the CIP Reliability Standards at issue in this proceeding. For example, UA-1200 required the creation and maintenance of a cyber security policy, the identification of “critical cyber assets,” and the development of a cyber security training program. Thus, entities that voluntarily complied with UA-1200 will continue these practices when the mandatory CIP Reliability Standards are in effect. Further, many entities, including those that did not comply with UA-1200, typically have followed certain practices specified in the CIP Reliability Standards. The Commission believes that practices such as conducting cyber security training, having procedures for whom to contact in case of a cyber security incident, and developing a plan for how to restore a computerized control system should it fail are usual and customary practices in the electric industry and others. The Commission has taken such customary practices into account when estimating the reporting burden.
*Time Period:* The proposed CIP Reliability Standards were approved as voluntary reliability standards by the NERC board in May 2006, with a designated effective date of June 1, 2006. 190 The proposed implementation schedule submitted with the CIP Reliability Standards plans for responsible entities to be “auditably compliant” with most requirements by mid-2010 or later. Mid-2010 is four years after NERC's voluntary reliability standards went into effect. Therefore, the Commission developed an annual burden estimate by dividing total costs by 4 years.

190 Although NERC designated an effective date of June 1, 2006, the CIP Reliability Standards are not mandatory and enforceable, *i.e.*, subject to penalties for non-compliance, until they are approved by the Commission.

| Data collection (FERC-725B) | Number of respondents | Number of responses | Hours per response | Total annual hours |
|---|---|---|---|---|
| Large investor-owned utility | 155 | 1 | 2,080 | 322,400 |
| Others, including munis and coops | 795 | 1 | 1,000 | 795,000 |
| Entities that have not identified critical cyber assets | 50 | 1 | 160 | 8,000 |
| Totals | | | | 1,125,400 |

*Information Collection Costs:* The Commission estimates the costs to be:

Large investor-owned utility = 322,400 hours @ $88 = $28,371,200.
Others, including munis and coops = 795,000 hours @ $88 = $69,960,000.
Entities that have not identified critical cyber assets = 8,000 hours @ $88 = $704,000.

Because auditably compliant status is not required for many requirements until mid-2010, the Commission has projected the costs over a four-year period. On an annual basis the costs will be ($28,371,200 + $69,960,000 + $704,000)/4 years = $24,758,800 per year. The hourly rate of $88 is a composite figure of the average cost of legal services ($200 per hour), technical employees ($39.99 per hour) and administrative support ($25 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS).
Using the May 2006 OES Industry-Specific Occupational Employment and Wage Estimates, the median hourly wage estimate for a computer software engineer is $39.99. 191

191 *See* *http://www.bls.gov/oes/current/naics2_22.htm*.

*Title:* Mandatory Reliability Standards for Critical Infrastructure Protection.

*Action:* Proposed collection.

*OMB Control Number:* 1902-0248.

*Frequency of responses:* On occasion.

*Necessity for information:* As discussed above, EPAct 2005 adds a new section 215 to the FPA, which requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO subject to Commission oversight, or the Commission can independently enforce Reliability Standards. Pursuant to section 215 of the FPA, the Commission approves eight CIP Reliability Standards submitted to the Commission for approval by NERC. The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. The information collections in the Final Rule are needed to protect the electric industry's Bulk-Power System against malicious cyber attacks that could threaten the reliability of the Bulk-Power System.

1. Comments

775. MidAmerican states that the Commission's information collection assessment warrants revision for significantly underestimating the cost of compliance, even after controlling for variation in the number of critical cyber security assets identified by the responsible entity. MidAmerican alone estimates its total compliance costs as a substantial fraction of the burden amount estimated by the Commission, based upon compliance with the originally proposed CIP Reliability Standards. That cost should be expected to increase by ten percent based upon the more stringent Reliability Standards and rising labor rates.
Based on this actual experience to date, MidAmerican submits that the CIP NOPR burden underestimates implementation difficulties by inadequately accounting for both the replacement costs associated with upgrading existing antiquated cyber infrastructure as well as the host of employer recruiting, hiring and training challenges responsible entities will face to demonstrate compliance. The skilled computer software personnel necessary to achieve substantive compliance are in much demand (but short supply), nationally, and accordingly command compensation levels considerably higher than the CIP NOPR assumptions. To remedy these shortcomings, MidAmerican requests that the Commission revisit this issue by sampling the 1,000 or so entities expected to be required to comply with the CIP Reliability Standards and revising the burden estimate accordingly.

2. Commission Determination

776. MidAmerican seems to misunderstand the purpose of the information collection statement. The OMB regulations require agencies to submit a burden estimate for collections of information contained in proposed rules, not for the entire cost of compliance. As stated in the CIP NOPR, the Commission only included the cost of developing the required documentation for the required policies, plans, programs and procedures in its burden estimate, but did not include in our burden estimate the cost of substantive compliance with the CIP Reliability Standards. MidAmerican raises concerns regarding the total cost of compliance with the Reliability Standards, rather than the burden associated with reporting requirements in the Reliability Standards. Therefore, the Commission does not believe it is necessary to revise the burden estimate based on MidAmerican's comments.

IV. Environmental Analysis

777. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment. 192 The Commission has categorically excluded certain actions from these requirements as not having a significant effect on the human environment. 193 The actions proposed here fall within categorical exclusions in the Commission's regulations for rules that are clarifying, corrective, or procedural, for information gathering, analysis, and dissemination, and for sales, exchange, and transportation of electric power that requires no construction of facilities. 194 Therefore, an environmental assessment is unnecessary and has not been prepared in this Final Rule.

192 Order No. 486, Regulations Implementing the National Environmental Policy Act, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs., Regulations Preambles 1986-1990 ¶ 30,783 (1987).
193 18 CFR 380.4.
194 *See* 18 CFR 380.4(a)(2)(ii), 380.4(a)(5), 380.4(a)(27).

V. Regulatory Flexibility Act

778. The Regulatory Flexibility Act of 1980 (RFA) 195 generally requires a description and analysis of any final rule that will have significant economic impact on a substantial number of small entities. The RFA does not mandate any particular outcome in a rulemaking. It only requires consideration of alternatives that are less burdensome to small entities and an agency explanation of why alternatives were rejected.

195 5 U.S.C. 601-612.

779. In drafting a rule, an agency is required to:
(1) Assess the effect that its regulation will have on small entities;
(2) analyze effective alternatives that may minimize a regulation's impact and
(3) make the analyses available for public comment. 196
In its NOPR, the agency must either include an initial regulatory flexibility analysis (initial RFA) 197 or certify that the proposed rule will not have a “significant impact on a substantial number of small entities.” 198

196 5 U.S.C. 601-604.
197 5 U.S.C. 603(a).
198 5 U.S.C. 605(b).

780. If in preparing the NOPR an agency determines that the proposal could have a significant impact on a substantial number of small entities, the agency shall ensure that small entities will have an opportunity to participate in the rulemaking procedure. 199

199 5 U.S.C. 609(a).

781. In its Final Rule, the agency must also either prepare a Final Regulatory Flexibility Analysis (Final RFA) or make the requisite certification. Based on the comments the agency receives on the NOPR, it can alter its original position as expressed in the NOPR but it is not required to make any substantive changes to the proposed regulation.

A. NOPR Proposal

782. In the CIP NOPR, the Commission analyzed the effect of the proposed rule on small entities. 200 The Commission's analysis found that the DOE's Energy Information Administration (EIA) reports that there were 3,284 electric utility companies in the United States in 2005, 201 and 3,029 of these electric utilities qualify as small entities under the Small Business Administration (SBA) definition. Of these 3,284 electric utility companies, the EIA subdivides them as follows:
(1) 883 cooperatives of which 852 are small entity cooperatives;
(2) 1,862 municipal utilities, of which 1,842 are small entity municipal utilities;
(3) 127 political subdivisions, of which 114 are small entity political subdivisions;
(4) 159 power marketers, of which 97 individually could be considered small entity power marketers; 202
(5) 219 privately owned utilities, of which 104 could be considered small entity private utilities;
(6)25 state organizations, of which 16 are small entity state organizations; and
(7)nine federal organizations of which four are small entity federal organizations. 200 CIP NOPR at P 342. 201 *See* Energy Information Administration Database, Form EIA-861, Dept. of Energy (2005), available at *http://www.eia.doe.gov/cneaf/electricity/page/eia861.html* . 202 Most of these small entity power marketers and private utilities are affiliated with others and, therefore, do not qualify as small entities under the SBA definition. 783. In addition, the Commission's analysis relied on NERC's compliance registry, applying the NERC Statement of Registry Criteria, to identify entities that must comply with the CIP Reliability Standards. For an entity to be included in the compliance registry, the ERO will have made a determination that a specific small entity has a material impact on the Bulk-Power System. Consequently, the compliance of such small entities is justifiable as necessary for Bulk-Power System reliability. Based on NERC's compliance registry as of June 2007, the Commission estimated that approximately 1,000 registered entities will be responsible for compliance with the CIP Reliability Standards. Of these, the Commission estimated that the CIP Reliability Standards would apply to approximately 632 small entities, consisting of 12 small investor-owned utilities and 620 small municipal and cooperatives. 784. The Commission's analysis concluded that the CIP Reliability Standards would not have a significant economic impact on a substantial number of small entities. The majority of small entities would not be required to comply with mandatory Reliability Standards based on the application of the NERC Registry Criteria. Moreover, the Commission explained that a small entity that is registered but does not identify critical cyber assets pursuant to CIP-002-1 will not have compliance obligations pursuant to CIP-003-1 through CIP-009-1. 
While a small entity that identifies only a few critical cyber assets must comply with CIP-003-1 through CIP-009-1, the Commission stated that the economic impact of such compliance would not be significant. Likewise, the housing of a limited number of critical cyber assets in a single location will lessen the economic impact of compliance. 785. The Commission also noted that, while not required or proposed by the CIP NOPR, small entities could choose to collectively select a single consultant to develop model software and programs to comply with the CIP Reliability Standards on their behalf. Such an approach could significantly reduce the costs that would be incurred if each company would address these issues independently. 786. The Commission further explained that, while there would be some portion of small entities that would have to expend significant amounts of resources on labor and technology to comply with the CIP Reliability Standards, the Commission believed that this would be a minority. Further, in such circumstances, the economic impact would be justified as necessary to protect cyber security assets that support Bulk-Power System reliability. 787. The Commission also investigated possible alternatives. These included the Commission's adoption in Order No. 693 of the NERC definition of bulk electric system, which reduces significantly the number of small entities responsible for compliance with mandatory Reliability Standards. 203 The Commission also noted that small entities could join a joint action agency or similar organization, which could accept responsibility for compliance with mandatory Reliability Standards on behalf of its members and also may divide the responsibility for compliance with its members. Based on that analysis, the Commission certified that the proposed rulemaking would not have a significant impact on a substantial number of small entities. 203 CIP NOPR at P 347. B. Comments 788. 
NRECA states that, for the most part, the CIP NOPR treats small entities in an appropriate manner. NRECA maintains that the approach of having the CIP and other Reliability Standards apply to small entities only if they have a material impact on the reliability of the Bulk-Power System is appropriate and consistent with the Commission's prior orders, the statute, and the ERO's Statement of Registry Criteria, and NRECA supports it fully, with the exception of the Commission's discussion of jointly-owned facilities, which is discussed with respect to CIP-004-1. 204 204 We discuss issues concerning jointly-owned facilities in section II.F.3.d above. 789. APPA/LPPC state that application of the NERC Statement of Compliance Registry Criteria has reduced the total number of public power utilities potentially subject to NERC's Reliability Standards from nearly 2,000 to approximately 326 discrete public power utilities, and APPA/LPPC agree with the Commission that NERC's compliance registry goes a long way toward mitigating the economic impact of the proposed rules on small entities. Nonetheless, APPA/LPPC disagree with the Commission's categorical statement that “the CIP Reliability Standards will not have a significant economic impact on a substantial number of small entities.” 790. According to APPA/LPPC, approximately 293 of the 326 public power systems included on the NERC compliance registry meet the SBA definition of a small electric utility. 205 Therefore, APPA/LPPC argue that the proposed regulations will have an impact on a substantial number of small entities. They maintain that the question is how significant that impact will in fact be. APPA/LPPC believe that some of these small entities will incur significant economic costs to comply with the CIP Reliability Standards. 
206 205 The APPA/LPPC estimate is based on a comparison of public power systems listed on the NERC compliance registry as of September 2007 with Energy Information Administration Form 861 data for 2005 MWh sales to ultimate customers and sales for resale. The Commission estimates that “the CIP Reliability Standards will apply to approximately 632 small entities, consisting of 12 small investor-owned utilities and 620 small municipals and cooperatives.” 206 For example, APPA/LPPC state that many small distribution utilities with fewer than 50 employees may nonetheless own and operate 20 MVA generators. Many of these generators were constructed prior to the industry's adoption of a modern information technology infrastructure. A rigid implementation of the “technical feasibility” exception discussed above may lead to directives to adopt remediation plans that bring these units up to current industry standards. However, the costs required to retrofit such facilities to meet new cyber-security requirements may well force the owners to retire many of these units instead. APPA/LPPC at 30. 791. Despite these reservations, APPA/ LPPC believe that the broad contour of the rule contemplated by the CIP NOPR, subject to the changes they request in comments, satisfies the requirements of the RFA. APPA/LPPC state that they recognize that CIP Reliability Standards are necessary to ensure the reliable operation of the Bulk-Power System. While NERC's proposed standards will place the burden on many small entities to identify critical assets and critical cyber assets, this approach is far superior to a top-down approach to asset classification. Assuming small entities do have critical assets and critical cyber assets, they will have to take on significant burdens and incur significant costs to protect their critical cyber assets. However, APPA/LPPC state that NERC's proposed timeline for the implementation plan appears feasible. 
Moreover, they state that joint action agencies and other similar organizations may form joint registration organizations that accept compliance responsibilities for their members or provide compliance services to their members. 792. Arkansas Electric fully supports the comments submitted in this docket by NRECA. Arkansas Electric argues that, throughout the CIP NOPR, the Commission proposes significant changes to the Reliability Standards which will increase the amount of effort and expense required to comply. Arkansas Electric is concerned that the costs of these additional resources will be especially high for small entities, when viewed in a relative sense. Arkansas Electric is concerned that, even with the friendly tone that some state regulators have taken toward rate recovery for cyber security-related expenses, these dollars would still come from its members. Arkansas Electric respectfully asks the Commission to keep cooperatives and small entities in mind as it proposes changes to the CIP Reliability Standards. The resources available within such organizations to comply with the Reliability Standards are often quite limited. 793. California Cogeneration and Energy Producers argue that the eight cyber security Reliability Standards will impose significant new compliance costs on registered entities to the extent they identify critical cyber assets, under CIP-002-1. They suggest that the Commission should direct the ERO to develop pro forma models of protocols and methodologies to be used by entities to facilitate compliance. California Cogeneration submits that pro forma protocols could help mitigate the costs of compliance with the requirements of Reliability Standards CIP-003-1 through CIP-009-1. California Cogeneration points out that the CIP NOPR suggested that groups of entities could collaborate to reduce compliance costs; California Cogeneration argues that this approach could be expanded to include a formal role for NERC. 794. 
To maximize the effectiveness and the focus of the Reliability Standards, Energy Producers argues that NERC should revisit the NERC Functional Model to include a qualifying facility
(QF)category so that Reliability Standards specific to QFs can be developed to account for their unique operating characteristics. To ensure that the regulations effectively promote reliability while not imposing unreasonable costs, Energy Producers argues that the regulations should provide a rigorous definition of critical cyber assets. Such rigor would be provided, first, by retaining the definitions contained in the current draft of the regulations, and second, by providing greater specificity to the risk-based assessment required in CIP-002-1. 795. Iowa Municipals is concerned about the impact that the CIP Reliability Standards will have on smaller entities. While it is true that smaller entities can provide a cyber gateway to larger entities, and many smaller entities will be excluded through the identification of critical cyber assets, it is equally true that some smaller entities will, nonetheless, be subjected to the CIP Reliability Standards. The CIP NOPR pays insufficient attention to supporting compliance by smaller entities. Iowa Municipals makes some suggestions that will assist the Commission to enable smaller entities to comply with the Reliability Standards. 796. One area in which smaller entities' compliance efforts can be supported is through the self-certification process. Iowa Municipals supports the comments filed by MidAmerican that support a semi-annual certification process. As an enhancement to this process, Iowa Municipals recommends that the Commission require NERC to provide a “lessons learned” report to entities within 30 days of the certification deadline. This report has the potential of providing invaluable guidance and assistance to smaller entities. 797. Iowa Municipals also urges the Commission to support smaller entities' compliance efforts by providing either a longer compliance timetable, or providing temporary waivers upon an adequate showing of work to attain compliance. 
Further, Iowa Municipals suggests that compliance by smaller entities can be promoted by allowing smaller entities to walk in the footsteps of larger entities and reach compliance more quickly by taking advantage of lessons learned by others. Iowa Municipals also argues that following such a better path to compliance by smaller entities should ultimately provide a higher level of system protection. 798. The Southwest TDUs state that the CIP NOPR seems to be of two minds on how the impact of the CIP Reliability Standards might be addressed for smaller entities. On the one hand, the Commission proposes that NERC and the Regional Entities help the small entities by providing technical support to identify critical assets. On the other, the Commission acknowledges that these Reliability Standards could be made applicable down to the smallest entity, which appears to discount the economic impact on these entities required to be analyzed by the RFA because cyber security operations may actually be managed by a control area operator or other larger entity. Southwest TDUs argue that just because a larger entity is performing compliance does not mean the costs of compliance are not being passed on to the small entities. Indeed, there is every likelihood that that will be the case. Southwest TDUs maintain that it does not know how onerous a burden small entities face. The Commission must be ready to adjust the CIP requirements, if experience shows that the burden on small entities proves to be onerous. C. Commission Determination 799. As of October 2007, there are 1,772 registered entities, of which the Commission estimates that approximately 1,400 will be responsible for compliance with the CIP Reliability Standards. Of these, the Commission estimates that the CIP Reliability Standards would apply to approximately 632 small entities, consisting of 12 small investor-owned utilities and 620 small municipal and cooperatives. 800. 
Arkansas Electric raises concerns with the cost to small entities of the modifications directed by the Commission. These modifications will be made by the ERO through the Reliability Standards development process. Until NERC files any revised Reliability Standards, the Commission cannot estimate their burden on any user, owner or operator of the Bulk-Power System, including small entities. The Commission therefore does not believe it is appropriate to speculate on the cost of compliance with any modified Reliability Standard at this time. 801. The Commission does not believe it is appropriate to grant California Cogeneration's request that NERC develop pro forma models of protocols and methodologies to be used by entities to facilitate compliance. As discussed in the section regarding guidance, that level of detail could potentially introduce common vulnerabilities resulting from all small entities implementing the Reliability Standards using a nearly identical solution. With respect to California Cogeneration's suggestion that NERC should have a formal role in collaborating to reduce compliance costs, the Commission will not direct that at this time. However, NERC should consider providing information to such groups. Further, the Commission believes that requiring the ERO to develop guidance on how to comply with the Reliability Standards should facilitate compliance by small entities. 802. The Commission also declines to direct the ERO to include a QF category in the Functional Model, as requested by Energy Producers. The Commission believes that this request is outside the scope of this rulemaking, which only concerns the CIP Reliability Standards proposed by NERC. 803. The Commission does not believe it is necessary to allow small entities a longer compliance timetable or to provide temporary waivers upon an adequate showing of work to attain compliance. 
As we stated in the CIP NOPR, the burden to small entities is not great, but the economic impact is justified as necessary to protect cyber security assets that support Bulk-Power System reliability. Further, the Commission believes that allowing small entities to collectively select a single consultant to develop model software and programs to comply with the CIP Reliability Standard will allow the small entities to take advantage of any information known by larger entities or their consultants. 804. While Southwest TDUs are correct that the Commission acknowledges that the Reliability Standards could be made applicable down to the smallest entity, the Commission disagrees that this discounts the economic impact on these entities. As we stated in the CIP NOPR, to be included in the compliance registry, the ERO will have made a determination that a specific small entity has a material impact on the Bulk-Power System. A small entity placed on the compliance registry could then appeal the determination to the ERO and the Commission. 805. Further, Southwest TDUs argue that just because a larger entity is performing compliance does not mean the costs of compliance are not being passed on to the small entities. We agree; however, in allowing small entities to pool their resources and select a single consultant to develop model software and programs, each entity need not separately fund model software and programs development. Rather, that cost can be spread over several entities. 806. For the reasons stated in the CIP NOPR and above, the Commission certifies that this rule will not have a significant economic impact on a substantial number of small entities. Accordingly, no regulatory flexibility analysis is required. VI. Document Availability 807. 
In addition to publishing the full text of this document in the **Federal Register** , the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through FERC's Home Page ( *http://www.ferc.gov* ) and in FERC's Public Reference Room during normal business hours (8:30 a.m. to 5 p.m. Eastern time) at 888 First Street, NE., Room 2A, Washington, DC 20426. 808. From FERC's Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field. 809. User assistance is available for eLibrary and the FERC's Web site during normal business hours from FERC's Online Support at 202-502-6652 (toll free at 1-866-208-3676) or e-mail at *ferconlinesupport@ferc.gov* , or the Public Reference Room at
(202)502-8371, TTY
(202)502-8659. E-mail the Public Reference Room at *public.referenceroom@ferc.gov* . VII. Effective Date and Congressional Notification 810. This Final Rule is effective April 7, 2008. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is a “major rule” as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. 207 The Commission will submit the Final Rule to both houses of Congress and to the General Accountability Office. 207 *See* 5 U.S.C. 804(2) (2007). List of Subjects in 18 CFR Part 40 Administrative practice and procedure, Electric power, Penalties, Reporting and recordkeeping requirements. By the Commission. Nathaniel J. Davis, Sr., Deputy Secretary. [FR Doc. E8-1317 Filed 2-6-08; 8:45 am] BILLING CODE 6717-01-P 73 26 Thursday, February 7, 2008 Proposed Rules Part III Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 249 Internal Control Over Financial Reporting in Exchange Act Periodic Reports of Non-Accelerated Filers; Proposed Rule SECURITIES AND EXCHANGE COMMISSION 17 CFR Parts 210, 228, 229 and 249 [Release Nos. 33-8889; 34-57258; File No. S7-06-03] RIN 3235-AJ64 Internal Control Over Financial Reporting in Exchange Act Periodic Reports of Non-Accelerated Filers AGENCY: Securities and Exchange Commission. ACTION: Proposed amendments of temporary rules. SUMMARY: We are proposing to amend temporary rules that were published on December 21, 2006, in Release No. 33-8760 [71 FR 76580]. These temporary rules require companies that are non-accelerated filers to include in their annual reports, pursuant to rules implementing Section 404(b) of the Sarbanes-Oxley Act of 2002, an attestation report of their independent auditor on internal control over financial reporting for fiscal years ending on or after December 15, 2008. 
Under the proposed amendments, a non-accelerated filer would be required to provide the auditor's attestation report on internal control over financial reporting in an annual report filed for fiscal years ending on or after December 15, 2009. DATES: Comments should be received on or before March 10, 2008. ADDRESSES: Comments may be submitted by any of the following methods: Electronic Comments • Use the Commission's Internet comment form ( *http://www.sec.gov/rules/other.shtml* ); • Send an e-mail to *rule-comments@sec.gov* . Please include File Number S7-06-03 on the subject line; or • Use the Federal Rulemaking Portal ( *http://www.regulations.gov* ). Follow the instructions for submitting comments. Paper Comments • Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090. All submissions should refer to File Number S7-06-03. This file number should be included on the subject line if e-mail is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site ( *http://www.sec.gov/rules/other.shtml* ). Comments are also available for public inspection and copying in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. FOR FURTHER INFORMATION CONTACT: Sean Harrison, Special Counsel, Office of Rulemaking, Division of Corporation Finance, at
(202)551-3430, U.S. Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-3628. SUPPLEMENTARY INFORMATION: We are proposing to amend the following forms and temporary rules: Rule 2-02T of Regulation S-X, 1 Item 308T of Regulation S-K, 2 and S-B, 3 Item 4T of Form 10-Q, 4 Item 3A(T) of Form 10-QSB, 5 Item 9A(T) of Form 10-K, 6 Item 8A(T) of Form 10-KSB, 7 Item 15T of Form 20-F, 8 and Instruction 3T of General Instruction B.(6) of Form 40-F. 9 1 17 CFR 210-2.02T. 2 17 CFR 229.308T. 3 17 CFR 228.310T. 4 17 CFR 249.308a. 5 17 CFR 249.308b. 6 17 CFR 249.310. 7 17 CFR 249.310(b). 8 17 CFR 249.220f. 9 17 CFR.249.240f. I. Background On December 15, 2006, 10 we extended the dates by which non-accelerated filers 11 must begin to comply with the internal control over financial reporting (“ICFR”) requirements mandated by Section 404 of the Sarbanes-Oxley Act of 2002. 12 Specifically, we postponed for five months, from fiscal years ending on or after July 15, 2007 to fiscal years ending on or after December 15, 2007, the date by which non-accelerated filers must begin to comply with the management report requirement in Item 308(a) of Regulation S-K. 13 We also postponed to fiscal years ending on or after December 15, 2008 the date by which non-accelerated filers must begin to comply with the auditor attestation report requirement in Item 308(b) of Regulation S-K. 14 We indicated that we would consider further postponing the auditor attestation report compliance date after considering the anticipated revisions to the Public Company Accounting Oversight Board's (“PCAOB”) Auditing Standard No. 2 (“AS No. 2”). 10 See Release No. 33-8760 (December 15, 2006) [71 FR 76580] (the “2006 Release”). 
11 Although the term “non-accelerated filer” is not defined in our rules, we use it throughout this release to refer to an Exchange Act reporting company that does not meet the Rule 12b-2 definition of either an “accelerated filer” or a “large accelerated filer.” 12 15 U.S.C. 7262. 13 17 CFR 229.308(a). We effected the postponement, in part, by adding temporary Item 308T to Regulation S-K. We similarly added temporary Item 308T to Regulation S-B, but the Commission recently adopted amendments that will eliminate Regulation S-B effective March 15, 2009. See Release No. 33-8876 (December 19, 2007) [73 FR 934]. 14 17 CFR 229.308(b). In the 2006 Release, we cited two primary reasons for deferring implementation of the auditor attestation report requirement for an additional year after implementation of the management report requirement. First, we stated that the deferred implementation would afford non-accelerated filers and their auditors the benefit of anticipated changes by the PCAOB to AS No. 2, subject to Commission approval, as well as any implementation guidance that the PCAOB issued for auditors of smaller public companies. Second, we expected a deferred implementation of the auditor attestation requirement to save non-accelerated filers the full potential costs associated with the auditor's initial attestation to, and report on, management's assessment of ICFR during the period that changes to AS No. 2 were being considered and implemented, and the PCAOB was formulating guidance specifically for auditors of smaller public companies. Public commenters previously have asserted that the ICFR compliance costs are likely to be disproportionately higher for smaller public companies than larger ones, and that the auditor's fee represents a large percentage of those costs. 
15 15 See, for example, letters of American Electronics Association, International Association of Small Broker-Dealers and Advisers, Small Business Entrepreneurship Council, and the Silicon Valley Leadership Group, Committee on Capital Markets Regulation on Release No. 33-8762 (December 20, 2006) [71 FR 77635], File No. S7-24-06. Furthermore, we have learned from commenters, including those participating in our roundtables on implementation of the ICFR requirements, that while companies incur increased internal costs in the first year of compliance, some of which are due to “deferred maintenance” items (for example, documentation, remediation, etc.), these costs may decrease in the second year. 16 Therefore, we anticipated that postponing the costs resulting from the auditor's attestation report until the second year would help non-accelerated filers to smooth the cost spike that many accelerated filers experienced in their first year of compliance with the Section 404 requirements. 16 Materials related to the Commission's 2005 Roundtable Discussion on Implementation of Internal Control Reporting Provisions and 2006 Roundtable on Second-Year Experiences with Internal Control Reporting and Auditing Provisions, including the archived roundtable broadcasts, are available at *http://www.sec.gov/spotlight/soxcomp.htm.* The compliance date extensions that we granted in 2006 were part of a series of actions that the Commission and PCAOB each announced that they intended to take to improve implementation of the internal control over financial reporting requirements. 
17 These actions included: 17 See SEC Press Release 2006-75 (May 17, 2006), “SEC Announces Next Steps for Sarbanes-Oxley Implementation” and PCAOB Press Release (May 17, 2006), “Board Announces Four-Point Plan to Improve Implementation of Internal Control Reporting Requirements.” • Issuance by the Commission of interpretive guidance for management to assist management in complying with the ICFR evaluation and disclosure requirements; • Consideration of efforts by COSO to provide more guidance on how the COSO framework on internal control can be applied to smaller public companies; • The PCAOB's issuance, with Commission approval, of Auditing Standard No. 5 (“AS No. 5”), which replaced AS No. 2; • Reinforcement of auditor efficiency through PCAOB inspections and Commission oversight of the PCAOB's audit firm inspection program; • Development, or facilitation of development, of implementation guidance for auditors of smaller public companies; and • Continuation of PCAOB forums on auditing in the small business environment. On June 20, 2007, we approved the issuance of interpretive guidance 18 and adopted rule amendments 19 to help public companies strengthen their ICFR evaluations while reducing unnecessary costs. The interpretive release provided guidance for management on how to conduct an evaluation of the effectiveness of a company's ICFR. The guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of ICFR. 18 Release No. 33-8810 (Jun. 20, 2007) [72 FR 35324]. 19 Release No. 33-8809 (Jun. 20, 2007) [72 FR 35310]. The rule amendments, among other things, provided that an evaluation that complies with our interpretive guidance is one way to satisfy the annual ICFR evaluation requirement in Exchange Act Rules 13a-15(c) and 15d-15(c) [17 CFR 240.13a-15(c) and 240.15d-15(c)]. As discussed above, on July 25, 2007, we approved the PCAOB's AS No. 5, which replaced AS No. 2. 
The new standard sets forth the professional standards and related performance guidance for independent auditors to attest to, and report on, management's assessment of the effectiveness of ICFR. Our management guidance, in combination with AS No. 5, was intended to make ICFR audits and management evaluations of ICFR more cost-effective by being risk-based and scalable to a company's size and complexity. Although the PCAOB issued AS No. 5, and we approved it, according to our planned timetables, there still are some additional actions that the Commission and PCAOB intend to take that give us reason to propose a further extension of the auditor attestation report compliance date for non-accelerated filers. One of these actions is the PCAOB's issuance of final staff guidance on auditing ICFR of smaller public companies. On October 17, 2007, the PCAOB published preliminary staff guidance that demonstrates how auditors can apply the principles described in AS No. 5 and provides examples of approaches to particular issues that might arise in the audits of smaller, less complex public companies. 20 Topics discussed in the PCAOB's guidance include: Entity-level controls, risk of management override, segregation of duties and alternative controls, information technology controls, financial reporting competencies, and testing controls with less formal documentation. The PCAOB sought public comment on this guidance, and the comment period ended on December 17, 2007. 21 20 See “An Audit of Internal Control that is Integrated with an Audit of the Financial Statements: Guidance for Auditors of Smaller Companies,” (October 17, 2007), available at *www.pcaobus.org.* 21 The PCAOB has not announced when it plans to finalize this guidance. Another action involves a study that we are undertaking to determine whether the Section 404(b) auditor attestation requirement of the Sarbanes-Oxley Act is being implemented in a manner that will be cost-effective for smaller reporting companies. 
The study will pay special attention to those small companies that are complying with the ICFR requirements for the first time. This study of costs and benefits will include a Web-based survey of companies that are subject to the ICFR requirements as well as in-depth interviews with a subset of these companies. Our plan is to gather data from a large cross-section of companies about the costs and benefits of compliance with the ICFR requirements and to evaluate whether the new management guidance and AS No. 5 are having the intended effect of facilitating more cost-effective ICFR evaluations and audits. Because we intend to collect data based on companies' experiences, this study will be taking place in the coming months as companies for the first time prepare their financial statements and undergo external audits under the new AS No. 5 and/or conduct their internal ICFR evaluations with the aid of the new management guidance. We anticipate that the study and analysis of the results will be completed no earlier than the summer of 2008. We also note that others have expressed concerns about the orderly and efficient implementation of the ICFR requirements. 22 22 See, for example, the May 8, 2007, letter to Chairman Christopher Cox and Chairman Mark Olson from Senator John Kerry, Chairman, Senate Committee on Small Business and Entrepreneurship, and Senator Olympia Snowe, Ranking Member, Senate Committee on Small Business and Entrepreneurship, available at *http://sbc.senate.gov/lettersout/070508-SEC-PCAOB-HearingFollowUp.pdf* ; hearing on “Sarbanes-Oxley Section 404: New Evidence on the Costs for Small Businesses,” House Committee on Small Business (December 12, 2007); and the July 12, 2007, letter from Sharon Haeger, America's Community Bankers, on Release No. 34-55876 [72 FR 32340], File No. 
PCAOB 2007-02, available at *http://www.sec.gov/comments/pcaob-2007-02/pcaob200702.shtml.* If we do not adopt the proposed amendments, non-accelerated filers will have to begin complying with the auditor attestation requirement for fiscal years ending on or after December 15, 2008. To accomplish this, in 2008, many non-accelerated filers would need to engage their independent auditors to perform integrated audits of their financial statements and ICFR. Without an extension, these companies may begin to incur costs before we have an opportunity to observe whether further action to improve the effectiveness and efficiency of Section 404 implementation is warranted. Therefore, we believe that an additional one-year deferral of the auditor attestation requirement would be appropriate so that these companies do not incur unnecessary compliance costs before we have the benefit of the study. An additional one-year deferral will allow the PCAOB additional time during 2008 to promulgate its guidance for ICFR audits of smaller public companies, as well as additional time for the auditors of non-accelerated filers to incorporate such guidance in their planning and conduct of their ICFR audits during 2009. II. Proposed Extension of Auditor Attestation Compliance Date for Non-Accelerated Filers We propose to amend Item 308T of Regulation S-K, Rule 2-02T of Regulation S-X, and Forms 10-Q, 10-K, 20-F and 40-F to require non-accelerated filers to provide their auditor's attestation in their annual reports filed for fiscal years ending on or after December 15, 2009. If we adopt the proposed amendments, a non-accelerated filer would continue to be required to state in its management report on ICFR that the company's annual report does not include an auditor attestation report. 23 23 See Item 308T(a)(4) of Regulation S-K, Item 15T(b)(4) of Form 20-F and General Instruction B.(6)(3T) of Form 40-F. 
In the 2006 Release, we also adopted a temporary amendment that provided that the management report included in a non-accelerated filer's annual report that did not contain the auditor's attestation report would be deemed “furnished” rather than “filed” and not be subject to liability under Section 18 of the Exchange Act. 24 We acknowledged in that release non-accelerated filers filing only a management report during their first year of compliance with the Section 404(a) requirements may become subject to more second-guessing as a result of separating the management report from the auditor's attestation. As proposed, the amendments would maintain this distinction. 24 Section 18 of the Exchange Act [15 U.S.C. 78r] imposes liability on any person who makes or causes to be made in any application or report or document filed under the Act, or any rule thereunder, any statement that “was at the time and in the light of the circumstances under which it was made false or misleading with respect to any material fact.” As a result of the temporary Item 308T of Regulation S-K and S-B and the temporary amendments to Forms 20-F and 40-F, however, during the applicable periods, management's report would be subject to liability under this section only in the event that a non-accelerated filer specifically states that the report is to be considered “filed” under the Exchange Act or incorporates it by reference into a filing under the Securities Act or the Exchange Act. Request for Comment We request and encourage any interested person to submit comments regarding the proposed amendments to extend the auditor attestation report compliance date described above. In particular, we solicit comment on the following questions: • Is it appropriate to provide a further extension of the auditor attestation requirement for non-accelerated filers as proposed? 
If so, should we postpone this requirement for an additional year as proposed, or would a longer or shorter timeframe be more appropriate? • How would the proposed extension affect investors in non-accelerated filers? • Would the proposed additional deferral of the auditor's attestation report requirement make the application of the Section 404 requirements more or less efficient and effective for non-accelerated filers? • Should management's report on ICFR be “filed” rather than “furnished” during the second year of the non-accelerated filer's compliance with the ICFR requirements under Section 404(a) if we adopt the proposed extension? III. Paperwork Reduction Act In connection with our original proposal and adoption of the rules and amendments implementing the Section 404 requirements, we submitted cost and burden estimates of the collection of information requirements of the amendments to the Office of Management and Budget (“OMB”). We published a notice requesting comment on the collection of information requirements in the proposing release for the rule amendments. We submitted these requirements to the OMB for review in accordance with the Paperwork Reduction Act of 1995 (“PRA”) 25 and received approval of these estimates. We do not believe that the proposed extension will result in any change in the collection of information requirements of the amendments implementing Section 404. Therefore, we are not revising our PRA burden and cost estimates submitted to the OMB. 25 44 U.S.C. 3501 *et seq.* and 5 CFR 1320.11. IV. Cost-Benefit Analysis A. Benefits The proposed amendments would postpone for one year the date by which a non-accelerated filer would be required to include in its annual report an auditor attestation report on management's assessment of internal control over financial reporting. 
As a result, all non-accelerated filers would be required to complete only management's assessment in their first and second year of their compliance with the Section 404 requirements. We plan to conduct a study to assess whether the Section 404(b) auditor attestation requirement of the Sarbanes-Oxley Act is being implemented in a manner that will be cost-effective for smaller reporting companies. Our management guidance and the new auditing standard were designed to make management evaluations and ICFR audits more cost-effective. We believe that an additional one-year deferral of the auditor attestation report requirement would benefit non-accelerated filers by helping smaller companies avoid incurring unnecessary compliance costs as we determine whether further action to improve the effectiveness and efficiency of Section 404 implementation is warranted. In addition, we believe that non-accelerated filers may experience the following additional benefits from the proposed extension: • Auditors of non-accelerated filers would have significantly more time to conform their ICFR audit approach to meet the requirements of AS No. 5, and to consider the PCAOB's guidance for auditors of smaller public companies; and • Non-accelerated filers would have additional time to focus on their approach for evaluating and reporting on the effectiveness of ICFR. This may facilitate their efforts to develop best practices and efficiencies in preparing the management report prior to becoming subject to the auditor attestation report requirement. B. Costs If we adopt the proposed amendments, investors in non-accelerated filers will have to wait longer than they would in the absence of the proposed extension for the assurances provided by the attestation report by the companies' auditor on management's report on ICFR and the added investor confidence that could result. 
The proposed amendments may increase the risk that, without the auditor's attestation, some non-accelerated filers may erroneously conclude that the company's ICFR is effective, when an ICFR audit might reveal that it is not. In addition, some companies may conduct an assessment that is not as thorough, careful and as appropriate to the company's circumstances as they would perform if the auditor were also conducting an audit of ICFR. The proposed amendments may also increase the risk that weaknesses in a company's ICFR will go undetected for a longer period of time. We request data to quantify the potential costs and benefits described above. We seek estimates of these costs and benefits, as well as any costs and benefits that we have not identified that may result from the adoption of these proposed amendments. We also request qualitative feedback on the nature of the potential benefits and costs described above and any benefits and costs we may have overlooked. V. Consideration of Impact on the Economy, Burden on Competition and Promotion of Efficiency, Competition and Capital Formation For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, or “SBREFA,” 26 we solicit data to determine whether the proposals constitute a “major” rule. Under SBREFA, a rule is considered “major” where, if adopted, it results or is likely to result in: 26 5 U.S.C. 603. • An annual effect on the economy of $100 million or more (either in the form of an increase or a decrease); • A major increase in costs or prices for consumers or individual industries; or • Significant adverse effects on competition, investment or innovation. We request comment on the potential impact of the proposals on the economy on an annual basis. Commenters are requested to provide empirical data and other factual support for their views if possible. 
Section 23(a)(2) of the Exchange Act 27 also requires us, when adopting rules under the Exchange Act, to consider the impact that any new rule would have on competition. Section 23(a)(2) prohibits us from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act. In addition, Section 2(b) 28 of the Securities Act and Section 3(f) 29 of the Exchange Act require us, when engaging in rulemaking where we are required to consider or determine whether an action is necessary or appropriate in the public interest, to also consider whether the action will promote efficiency, competition, and capital formation. 27 15 U.S.C. 78w(a). 28 15 U.S.C. 77b(b). 29 15 U.S.C. 78c(f). We believe that taking additional time to evaluate how efficiently the Section 404(b) process is being implemented reduces the possibilities of needless inefficiencies and transition costs for non-accelerated filers. Further, if the costs incurred by companies are unnecessarily high, companies may find it difficult to grow and may experience barriers to capital formation. We expect that this additional one-year delay of the auditor attestation report requirement will make the implementation process more efficient and less costly for non-accelerated filers, which should promote efficiency and capital formation. It is possible that a competitive impact could result from the differing treatment of non-accelerated filers and larger companies that already have been complying with the Section 404 requirements, but we do not expect that the extension will have any measurable effect on competition. We solicit public comment that will assist us in assessing the impact that the proposed amendments could have on competition, efficiency and capital formation. VI. Initial Regulatory Flexibility Analysis This Initial Regulatory Flexibility Analysis (“IRFA”) has been prepared in accordance with the Regulatory Flexibility Act. 
30 This IRFA involves proposed amendments to temporary rules Item 308T of Regulation S-K and S-B, Rule 2-02T of Regulation S-X, Item 4T of Form 10-Q, Item 3A(T) of Form 10-QSB, Item 9A(T) of Form 10-K, Item 8A(T) of Form 10-KSB, Item 15T of Form 20-F, and Instruction 3T of General Instruction B.(6) of Form 40-F. A non-accelerated filer is currently required to start providing its auditor's attestation report on ICFR in its annual report for fiscal years ending on or after December 15, 2008. We propose to amend these forms and temporary rules to require a non-accelerated filer to start providing its auditor's attestation report on ICFR in annual reports for fiscal years ending on or after December 15, 2009. 30 5 U.S.C. 601. A. Reasons for the Proposed Amendments The Commission plans to complete a study of the costs and benefits of companies' Section 404 implementation. We are proposing to defer the implementation of the auditor attestation report requirement for non-accelerated filers for an additional year for the following reasons, among others discussed above: • To enable non-accelerated filers more time to prepare and gain efficiencies in the review and evaluation of the effectiveness of internal control over financial reporting; • To provide the Commission with time to review the findings of its study and to consider whether further action to improve the effectiveness and efficiency of Section 404 implementation is warranted; • To provide the PCAOB additional time to promulgate its guidance for ICFR audits of smaller public companies; and • To provide the auditors of non-accelerated filers additional time to consider such guidance. B. Objectives The proposed amendments aim to further the goals of the Sarbanes-Oxley Act to enhance the quality of public company disclosure concerning the company's internal control over financial reporting and increase investor confidence in the financial markets. C. 
Legal Basis We are issuing the proposals under the authority set forth in Section 19 of the Securities Act, Sections 3, 12, 13, 15, 23 and 36 of the Exchange Act, and Sections 3(a) and 404 of the Sarbanes-Oxley Act. D. Small Entities Subject to the Proposed Amendments The proposed changes would affect some issuers that are small entities. Exchange Act Rule 0-10(a) 31 defines an issuer, other than an investment company, to be a “small business” or “small organization” if it had total assets of $5 million or less on the last day of its most recent fiscal year. We estimate that there are approximately 1,100 issuers, other than registered investment companies, that may be considered small entities. The proposed amendments would apply to any small entity that is subject to reporting under either Section 13(a) or 15(d) of the Exchange Act. 31 17 CFR 240.0-10(a). E. Reporting, Recordkeeping, and Other Compliance Requirements The proposed amendments would alleviate reporting and compliance burdens by postponing by an additional year the date by which non-accelerated filers must begin to comply with the auditor attestation report on ICFR in their annual reports. F. Duplicative, Overlapping, or Conflicting Federal Rules The ICFR requirements do not duplicate, overlap, or conflict with other federal rules. G. Significant Alternatives The Regulatory Flexibility Act directs us to consider alternatives that would accomplish our stated objectives, while minimizing any significant adverse impact on small entities. In connection with the proposed amendments, we considered the following alternatives: • Establishing different compliance or reporting requirements or timetables that take into account the resources available to small entities; • Clarifying, consolidating or simplifying compliance and reporting requirements under the rules for small entities; • Using performance rather than design standards; and • Exempting small entities from all or part of the requirements. 
The proposed amendments would establish a different compliance and reporting timetable for small entities. We believe that the proposed amendments would promote the primary goal of enhancing the quality of reporting and increasing investor confidence in the fairness and integrity of the securities markets. Therefore we do not believe exempting small entities from the proposed amendments would be appropriate. H. Solicitation of Comments We encourage the submission of comments with respect to any aspect of this Initial Regulatory Flexibility Analysis. In particular, we request comments regarding: • The number of small entity issuers that may be affected by the proposed amendments; • The existence or nature of the potential impact of the proposed amendments on small entity issuers discussed in the analysis; and • How to quantify the impact of the proposed amendments. Commenters are asked to describe the nature of any impact and provide empirical data supporting the extent of the impact. Such comments will be considered in the preparation of the Final Regulatory Flexibility Analysis, if we adopt the proposed amendments, and will be placed in the same public file as comments on the proposed amendments themselves. VII. Statutory Authority and Text of the Proposed Amendments The amendments described in this release are being proposed under the authority set forth in Section 19 of the Securities Act, Sections 3, 12, 13, 15, 23 and 36 of the Exchange Act, and Sections 3(a) and 404 of the Sarbanes-Oxley Act. List of Subjects 17 CFR Part 210 Accountants, Accounting, Reporting and recordkeeping requirements, Securities. 17 CFR Part 228 Reporting and recordkeeping requirements, Securities, Small businesses. 17 CFR Parts 229 and 249 Reporting and recordkeeping requirements, Securities. 
Text of Proposed Amendments

For the reasons set out in the preamble, the Commission proposes to amend title 17, chapter II, of the Code of Federal Regulations as follows:

PART 210—FORM AND CONTENT OF AND REQUIREMENTS FOR FINANCIAL STATEMENTS, SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934, PUBLIC UTILITY HOLDING COMPANY ACT OF 1935, INVESTMENT COMPANY ACT OF 1940, INVESTMENT ADVISERS ACT OF 1940, AND ENERGY POLICY AND CONSERVATION ACT OF 1975

1. The authority citation for part 210 continues to read as follows: Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 78c, 78j-1, 78*l*, 78m, 78n, 78o(d), 78q, 78u-5, 78w(a), 78*ll*, 78mm, 80a-8, 80a-20, 80a-29, 80a-30, 80a-31, 80a-37(a), 80b-3, 80b-11, 7202, 7218 and 7262, unless otherwise noted.

2. Section 210.2-02T is amended by: a. Removing paragraphs (a) and (b), and redesignating paragraphs (c) and (d) as paragraphs (a) and (b); b. Revising the date “December 15, 2008” in newly redesignated paragraph (a) to read “December 15, 2009”; and c. Revising newly redesignated paragraph (b). The revision reads as follows:

§ 210.2-02T Accountants' reports and attestation reports on internal control over financial reporting.

(b) This section expires on June 30, 2010.

PART 228—INTEGRATED DISCLOSURE SYSTEM FOR SMALL BUSINESS ISSUERS

2. The authority citation for part 228 continues to read, in part, as follows: Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77jjj, 77nnn, 77sss, 78*l*, 78m, 78n, 78o, 78u-5, 78w, 78*ll*, 78mm, 80a-8, 80a-29, 80a-30, 80a-37, 80b-11, and 7201 *et seq.*, and 18 U.S.C. 1350.

§ 228.308T [Amended]

3. Section 228.308T is amended by revising the date “December 15, 2008” in the “Note to Item 308T” to read “March 15, 2009”.

PART 229—STANDARD INSTRUCTIONS FOR FILING FORMS UNDER SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934 AND ENERGY POLICY AND CONSERVATION ACT OF 1975—REGULATION S-K

4. The authority citation for part 229 continues to read, in part, as follows: Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77iii, 77jjj, 77nnn, 77sss, 78c, 78i, 78j, 78*l*, 78m, 78n, 78o, 78u-5, 78w, 78*ll*, 78mm, 80a-8, 80a-9, 80a-20, 80a-29, 80a-30, 80a-31(c), 80a-37, 80a-38(a), 80a-39, 80b-11, and 7201 *et seq.*; and 18 U.S.C. 1350, unless otherwise noted.

§ 229.308T [Amended]

5. Section 229.308T is amended by: a. Revising the date “December 15, 2008” in the “Note to Item 308T” to read “December 15, 2009”; and b. Revising the date “June 30, 2009” in paragraph (c) to read “June 30, 2010”.

PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934

6. The general authority citation for part 249 is revised to read as follows: Authority: 15 U.S.C. 78a *et seq.* and 7201 *et seq.*; and 18 U.S.C. 1350, unless otherwise noted.

7. Form 20-F (referenced in § 249.220f), Part II, Item 15T is amended by: a. Revising the date “December 15, 2008” in paragraph (2) to the “Note to Item 15T” to read “December 15, 2009”; and b. Revising the date “June 30, 2009” in paragraph (d) to read “June 30, 2010”. Note: The text of Form 20-F does not, and this amendment will not, appear in the Code of Federal Regulations.

8. Form 40-F (referenced in § 249.240f) is amended by: a. Revising the date “December 15, 2008” in “Instruction 3T(2)” to the “Instructions to paragraphs (b), (c), (d) and (e) of General Instruction B.(6)” to read “December 15, 2009”; and b. Revising the date “June 30, 2009” in the paragraph following “Instruction 3T” to the “Instructions to paragraphs (b), (c), (d) and (e) of General Instruction B.(6)” to read “June 30, 2010”. Note: The text of Form 40-F does not, and this amendment will not, appear in the Code of Federal Regulations.

9. Form 10-Q (referenced in § 249.308a) is amended by revising Item 4T to Part I to read as follows: Note: The text of Form 10-Q does not, and this amendment will not, appear in the Code of Federal Regulations.

Form 10-Q, Part I—Financial Information, Item 4T. Controls and Procedures

(a) If the registrant is neither a large accelerated filer nor an accelerated filer as those terms are defined in § 240.12b-2 of this chapter, furnish the information required by Items 307 and 308T(b) of Regulation S-K (17 CFR 229.307 and 229.308T(b)) with respect to a quarterly report that the registrant is required to file for a fiscal year ending on or after December 15, 2007 but before December 15, 2009.

(b) This temporary Item 4T will expire on June 30, 2010.

10. Form 10-QSB (referenced in § 249.308b) is amended by revising Item 3A(T) to Part I to read as follows: Note: The text of Form 10-QSB does not, and this amendment will not, appear in the Code of Federal Regulations.

Form 10-QSB, Part I—Financial Information, Item 3A(T). Controls and Procedures

(a) Furnish the information required by Items 307 and 308T(b) of Regulation S-B (17 CFR 228.307 and 228.308T(b)) with respect to a quarterly report that the small business issuer is required to file for a fiscal year ending on or after December 15, 2007 but before October 31, 2008.

11. Form 10-K (referenced in § 249.310) is amended by: a. Revising the date “December 15, 2008” in paragraph (a) to Item 9A(T) to Part II to read “December 15, 2009”; and b. Revising the date “June 30, 2009” in paragraph (b) to Item 9A(T) to Part II to read “June 30, 2010”. Note: The text of Form 10-K does not, and this amendment will not, appear in the Code of Federal Regulations.

12. Form 10-KSB (referenced in § 249.310b) is amended by revising the date “December 15, 2008” in paragraph (a) to Item 8A(T) to Part II to read “March 15, 2009”. Note: The text of Form 10-KSB does not, and this amendment will not, appear in the Code of Federal Regulations.

By the Commission. Dated: February 1, 2008. Nancy M. Morris, Secretary. [FR Doc. E8-2211 Filed 2-6-08; 8:45 am] BILLING CODE 8011-01-P

Federal Register Vol. 73, No. 26, Thursday, February 7, 2008, Presidential Documents, Part IV: The President, Notice of February 6, 2008—Continuation of the National Emergency Relating to Cuba and of the Emergency Authority Relating to the Regulation of the Anchorage and Movement of Vessels

Title 3—The President. Notice of February 6, 2008. Continuation of the National Emergency Relating to Cuba and of the Emergency Authority Relating to the Regulation of the Anchorage and Movement of Vessels

On March 1, 1996, by Proclamation 6867, a national emergency was declared to address the disturbance or threatened disturbance of international relations caused by the February 24, 1996, destruction by the Cuban government of two unarmed U.S.-registered civilian aircraft in international airspace north of Cuba. In July 1996 and on subsequent occasions, the Cuban government stated its intent to forcefully defend its sovereignty against any U.S.-registered vessels or aircraft that might enter Cuban territorial waters or airspace while involved in a flotilla or peaceful protest. Since these events, the Cuban government has not demonstrated that it will refrain from the future use of reckless and excessive force against U.S. vessels or aircraft that may engage in memorial activities or peaceful protest north of Cuba. On February 26, 2004, by Proclamation 7757, the scope of the national emergency was expanded in order to deny monetary and material support to the repressive Cuban government, which had taken a series of steps to destabilize relations with the United States, including threatening to abrogate the Migration Accords with the United States and to close the United States Interests Section. 
Further, Cuba's most senior officials repeatedly asserted that the United States intended to invade Cuba, despite explicit denials from the U.S. Secretaries of State and Defense that such action is planned. Therefore, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), I am continuing the national emergency with respect to Cuba and the emergency authority relating to the regulation of the anchorage and movement of vessels set out in Proclamation 6867 as amended and expanded by Proclamation 7757. This notice shall be published in the **Federal Register** and transmitted to the Congress. THE WHITE HOUSE, February 6, 2008. [FR Doc. 08-595 Filed 2-6-08; 11:19 am]