Update 2/25/2016: On Feb. 25, 2016, FERC approved the trade associations’ motion to delay CIP Version 5 enforcement from Apr. 1, 2016 to July 1, 2016, effectively retiring the V5 Standards before they ever go into effect, being replaced by the Standards approved in Order 822. The impact of this ruling on Responsible Entities with scheduled audits between April 1 and July 1 isn’t known at this time, but we expect those audits to happen as scheduled, with the focus of those audits to be determined since the Standards will not be enforceable until July 1.
Additionally and not directly related to the motion for delay, two additional motions were filed under Docket RM15-14-000, Order 822 approval, requesting a rehearing on the approval of Order 822. The motions were not filed by Registered Entities or any of their associations, but parties interested in the security and reliability of the Bulk Electric System. The main contention of these parties is FERC hasn’t fulfilled their obligations under Federal Power Act of 2005 “to provide for reliable operation of the bulk power system.” FERC will respond to the filings, but we don’t expect them to grant the requests.
There’s been a lot of movement on the recently approved modifications to the Critical Infrastructure Protection (CIP) Version 5 Standards and the subsequent motion to delay. Here’s a quick look at what’s unfolded over the past few days.
Responses to the Motion to Delay
One day after trade associations filed a motion to delay implementing the V5 Standards until July 1, 2016, NERC filed comments stating that a delay was unnecessary given that the most significant impact of the CIP V5 modifications enforceable on July 1 would be removing the “Identify, Access, and Correct” language. NERC also disputed the associations’ assertion that two sets of documents would need to be made and maintained since NERC had previously said it wouldn’t enforce the “Identify, Access and Correct” language between April 1 and July 1.
By the close of the comment period on Feb. 12, three additional comments had been filed, including additional comments from the trade associations, in response to NERC’s comments. All of the comments — except NERC’s — support the motion for a delay and indicate there would be additional burdens to the industry caused by having two implementation dates within a three-month window.
A Note on Initial Performance
One of the original items thought to increase the burden of having two versions becoming enforceable within three months was related to the “initial performance of periodic requirements.” The “initial performance” timers would initially start on April 1 for the Order 791 Standards, and then again on July 1 for the Order 822 Standards. After a careful review of the Implementation Plan in Exhibit B in the NERC filing, it was determined that the Standard Drafting Team (SDT) had worded the Implementation Plan so the “initial performance” items would not have to be repeated if the modifications did not become enforceable on Apr. 1, 2016.
If the “initial performance” items were to be repeated due to multiple enforcement dates, it would be reasonable to expect additional administrative burden, which would justify a request for a delay. Because the “initial performance” items require repeating, one of the original reasons we believed a delay was beneficial to the industry is no longer valid.
The question now is who benefits most from delaying implementation until July 1, 2016? The non-NERC filings indicate it would be for all Responsible Entities due to the two sets of processes and their associated documentation. It would also benefit Responsible Entities behind in their V5 implementation, since an enforcement date of April 1 would mean that for any requirement(s) not in compliance, the Responsible Entity would have to file Self-Reports, which could create a significant burden depending on the number to be filed.
Meeting the April 1 Deadline
There has been a lot of discussion regarding the ambiguity in the Standards delaying implementations, making the April 1 date difficult. But we’ve found that with a practical, common sense approach to those areas in question, it’s possible to meet the requirements in the provided time frame. Our team has worked with many Responsible Entities on their implementations and has encountered many unique situations that weren’t specifically addressed in the Standards. Working with the Responsible Entity and its Regional Entity, we believe we reached a defensible approach in the application of Standards, making them ready for April 1, 2016.
What will be the outcome in the motion for delay? With the majority of the comments in favor of a delay, and FERC putting into Order 822 that it would be willing to “consider a request to align the implementation dates of certain CIP Reliability Standards or another reasonable alternative approach to addressing potential implementation issues,” it appears FERC was already leaning in the direction of granting a delay if there was support for such a motion. Determining how FERC will rule on the motion is never an exact science, but we do believe the motion for delay will be granted. Even if a delay is approved, Burns & McDonnell will continue to advise clients to complete their programs by April 1, and then use the additional three months to prove and adjust their programs before July 1.
There’s sure to be many more developments in the coming weeks on this issue, so stay tuned to the blog for updates when FERC issues its ruling on the motion for a delay. And, as always, feel free to reach out with any questions.
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.