Implementing new statutory authority, FERC proposes revised regulations to secure and share Critical Electric Infrastructure Information and penalize its unauthorized disclosure.
On June 16, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR)[1] proposing to amend its regulations that pertain to the designation, sharing, and protection of Critical Energy Infrastructure Information. The Commission’s proposed revisions aim to comply with the directives in the Fixing America’s Surface Transportation Act (FAST Act), which added Section 215A to the Federal Power Act and directed the Commission to revise its regulations to protect “Critical Electric Infrastructure Information.” If approved, the proposed rule would amend the Commission’s regulations to make Critical Energy Infrastructure Information a subset of Critical Electric Infrastructure Information (referred to collectively as “Critical Energy/Electric Infrastructure Information” or “CEII”). The regulations would also establish a process for designating and sharing CEII and enable the Commission to impose sanctions for any unauthorized CEII disclosures by Commission personnel.
Comments on the NOPR are due 45 days following its publication in the Federal Register.
Background
Critical Energy Infrastructure Information includes certain engineering, vulnerability, or design information that, if available to bad actors, could be used to threaten the reliability of critical infrastructure. Although FERC has existing rules and regulations pertaining to Critical Energy Infrastructure Information, those protections are often maligned as ineffective. Accordingly, Section 61003 of the FAST Act directs the Commission to provide criteria and procedures for designating information as CEII, to prohibit the “unauthorized” disclosure of CEII, and to develop sanctions for Commission personnel who “knowingly and willfully” engage in an unauthorized CEII disclosure. The law also requires the Commission to implement rules for the voluntary sharing of CEII in the event of a grid emergency. We discuss the NOPR’s proposals to implement those directives below.
Revised CEII Definition
The Commission proposed to modify the definition of CEII in its regulations pertaining to critical infrastructure information. The FAST Act introduced the new term “Critical Electric Infrastructure Information,” which includes information regarding the bulk-power system as well as information that would otherwise fall under the Commission’s existing CEII definition. The Commission proposed to refer to the information under the new regulations as “Critical Energy/Electric Infrastructure Information” and to continue using the abbreviation CEII, which in the past referred solely to Critical Energy Infrastructure Information.
CEII Designation Process
Currently, the Commission accepts, on average, more than 7,000 documents designated as Critical Energy Infrastructure Information each year, and submissions are designated as soon as they are submitted through FERC’s online system. The FAST Act directed the Commission to promulgate criteria and procedures to standardize the designation of CEII and more precisely justify the need for that designation. To meet this requirement, the NOPR proposes to require additional justifying information from submitters of CEII, such as the requested duration for the CEII designation and an explanation for the period proposed. Submitters would also have to segregate and identify non-CEII that does not require designation. The NOPR proposes to apply the segregation requirement to Commission-generated CEII as well. In addition, the NOPR proposes to subject Commission-generated information to more scrutiny by requiring the existing Critical Energy Infrastructure Information Coordinator within the agency to determine whether information meets the definition of CEII and how long the CEII designation should last. Under the FAST Act, any CEII designation by the Commission is subject to judicial review by a federal district court. The NOPR proposes to incorporate this provision in the Commission’s regulations but also proposes to require an individual who challenges a designation determination to first seek an administrative appeal with the Commission’s General Counsel before proceeding to court review.
The FAST Act also placed a limitation of five years on the designation of CEII, unless specifically redesignated by the Commission or the Secretary of Energy. To avoid the impracticable task of reviewing the thousands of Critical Energy Infrastructure Information documents currently stored within the Commission’s system for redesignation, the NOPR proposes to require CEII recipients to continue to protect CEII-marked information past the expiration of the designation and to receive Commission authorization before making any disclosure of such information. The NOPR proposes to allow the Commission to remove CEII designation once it determines that the information could no longer be used to “impair the security or reliability of the bulk-power system or distribution facilities.”
Commission Duties and Sanctions for Unauthorized Disclosure
The FAST Act requires the Commission to bolster its protections to prevent the unauthorized disclosure of CEII. To that end, the Commission proposed enhanced controls for Commission employees and for external recipients of CEII. To address controls for Commission employees, Commission staff is developing an information governance policy that includes guidelines on how CEII should be handled and kept secure. The NOPR proposes to require the Commissioners, Commission staff, and contractors to comply with those guidelines. For external recipients, the NOPR proposes to augment the nondisclosure agreement (NDA) currently required under the Commission’s regulations. The proposed revisions would require NDAs to restrict the use of CEII to the purpose for which it was requested and the disclosure of CEII to individuals on a need-to-know basis. The revised NDA would also include requirements on handling and destroying CEII and would make compliance with the new NDA requirements auditable by Commission staff.
To further ensure that CEII will be adequately protected, the FAST Act requires the Commission to ensure that appropriate sanctions are in place for the unauthorized, knowing, and willful disclosure of CEII by Commissioners and Commission staff. The language proposed in the NOPR lacks specificity on how those sanctions will be determined, stating only that the Commission will “take responsibility for investigating and, as necessary, imposing sanctions on its employees and agents.” The NOPR clarified that sanctions could include adverse personnel action, including suspension or removal. Notably, the NOPR asserts that the Commission cannot sanction its own Commissioners, who are presidential appointees. Thus, the NOPR proposes to refer any knowing and willful CEII disclosure by a Commissioner to the US Department of Energy’s Inspector General, the same entity that investigated FERC’s alleged mishandling of sensitive information in the past.
Information Sharing
The NOPR proposes to amend the Commission’s regulations to prevent the disclosure of CEII under the Freedom of Information Act (FOIA), as CEII is exempt from FOIA requests under the FAST Act. But not all of the law’s provisions seek to limit access to information. The FAST Act also encourages voluntary sharing of CEII with individuals and organizations as needed to ensure that energy infrastructure is protected. In the NOPR, the Commission noted that it already has the authority under its existing regulations to release information to carry out its jurisdictional responsibilities. The NOPR proposes to amend that language to permit the Commission to release information in furtherance of other agencies’ responsibilities and to condition such voluntary release on certain usage restrictions (i.e., the recipient must have no other legitimate need for CEII but to address critical infrastructure protection). The NOPR suggests that the Commission will endeavor to provide notice “where practicable” to the submitter of CEII when that information is shared voluntarily with another organization. However, the NOPR does not propose to make such notice mandatory because doing so may impair the Commission’s ability to timely respond to CEII requests during a grid emergency.
Comment Procedures
Comments on the NOPR are due 45 days following its publication in the Federal Register and may be filed electronically on the Commission’s website.
[1] View the NOPR