On December 7, the Energy Bar Association sponsored a discussion on FERC-led audits of entities’ compliance with the North American Electric Reliability Corporation’s (NERC’s) critical infrastructure protection (CIP) Reliability Standards. Staff members from FERC and NERC led the discussion and fielded questions from industry participants. This session provided the first public peek into the process for the CIP audits.
While FERC has the authority to conduct its CIP audits with or without NERC and the regional entities charged with front-line enforcement of the Reliability Standards, the panelists explained that FERC wanted to coordinate with NERC and the regional entities to leverage their collective compliance and enforcement experience.
Based on the sparse information provided by the panelists, the details and processes governing these new FERC-led CIP audits are still evolving. But FERC staff did indicate that the Commission may rely on existing compliance tracking tools used by NERC and the regional entities. These include the Reliability Standard Audit Worksheets (RSAWs) used in normal reliability audits, as well as NERC Evidence Request Spreadsheets for assembling and organizing long lists of compliance data.
The panelists indicated that FERC’s current focus will be on entities’ implementation of the Version 5 CIP Standards that became effective last summer, but also suggested that the audits’ focus may expand to include compliance with Order 693 (i.e., non-CIP) Reliability Standards.
Takeaways
Despite the general information provided in yesterday’s session, many questions remain. Given the sensitive nature of these cybersecurity audits, FERC staff did not provide concrete details on the process for conducting the audits, their length, or best practices for audited entities. FERC staff stressed that the Commission’s CIP audit program is in a preliminary stage and that the Federal Power Act prohibits the release of information pertaining to an ongoing audit in the absence of a Commission or court order.
It also remains to be seen how FERC will respond to industry concerns over confidentiality. Some of the information likely to be provided to FERC during CIP audits will qualify as Critical Energy/Electric Infrastructure Information (CEII), a term introduced under the Fixing America’s Surface Transportation (FAST) Act.