By Rich Heidorn Jr.

FERC on Thursday gave final approval to a rule updating its processes for the handling of Critical Energy Infrastructure Information (CEII), a measure to protect the grid from terrorist attacks (RM16-15, RM15-25-001).

The rule (Order 833) is intended to comply with the Fixing America’s Surface Transportation (FAST) Act. Although the bill mainly dealt with highway funding, Congress added the CEII provisions (Section 215A of the Federal Power Act) following controversy over the agency’s security procedures.

The order establishes rules for designating information as CEII; prohibits unauthorized disclosure of CEII; and sets penalties for FERC employees who knowingly and willfully make unauthorized disclosures. FERC said the final rule “largely adopts” the proposals in its June Notice of Proposed Rulemaking. (See FERC Proposes Protections on CEII.)

In response to concerns raised by the Nuclear Regulatory Commission, FERC clarified that its rule “does not limit the discretion of other federal agencies to protect sensitive information in their custody” but provides a way for agencies to consult with the commission’s CEII coordinator.

“We believe this change strikes a reasonable balance by recognizing other federal agencies’ discretion to protect their information, while adhering to the statutory framework that limits CEII designation authority to the commission and” the Department of Energy, FERC said.

The commission also said it would make a change to clarify it has delegated to the General Counsel authority to decide appeals of CEII designations.

Penalties

The rules include sanctions for unauthorized disclosures of CEII by commission staff and a requirement to refer improper disclosures by commissioners to the Energy Department’s Inspector General. FERC commissioners and staff could face dismissal and criminal prosecution for improper disclosures.

The commission said it has already instituted requirements that former employees and commissioners certify that they are not unlawfully removing records from the agency and acknowledge potential criminal penalties for doing so.

The FAST Act’s CEII provisions were both a vindication and a rebuke of former FERC Chairman Jon Wellinghoff’s controversial campaign to raise awareness of the grid’s vulnerability to sabotage.

The sanctions for unauthorized release of CEII stemmed from Wellinghoff publicly discussing a confidential FERC analysis on the grid’s vulnerability to physical attacks. But the bill also included measures to protect the grid from terrorist attacks and natural disasters, giving the secretary of energy emergency powers and creating a Strategic Transformer Reserve. (See Transportation Bill Includes Grid Security Measures.)

Sharing, NERC Information

The rule requires recipients of CEII outside of FERC to sign nondisclosure agreements. FERC said it will continue to “balance the requestor’s need for the information against the sensitivity of the information.”

“The commission has utilized this balancing approach effectively in response to Critical Energy Infrastructure Information requests for almost 15 years.”

Order 833 also implements the commission’s June order giving FERC access to NERC’s transmission availability data system, generating availability data system and protection system misoperations databases. (See FERC to Look over NERC’s Shoulders on Reliability.)

The commission said it will treat information downloaded from NERC databases as nonpublic. It will evaluate whether it should be designated as CEII in response to a request for the information or if the commission determines such information should be disclosed.

FOIA Improvement Act

In a separate order, FERC also approved a final rule implementing the requirements of the FOIA Improvement Act of 2016 (RM17-5).

The law requires federal agencies to:

• Allow a minimum 90-day period for Freedom of Information Act requesters to file an administrative appeal — up from 45 days.
• Include in any FOIA denial letter a notice that the requester may seek dispute resolution services from the Office of Government Information Services in the National Archives and Records Administration.
• Provide requested information unless “the agency reasonably foresees that disclosure would harm an interest protected by an exemption” or “disclosure is prohibited by law.”
• Make reasonable efforts to segregate and release nonexempt material by redacting protected information in documents.
• Release records 25 years or older that would otherwise be subject to the deliberative process exemption.
• Make information that has been requested and disclosed three times publicly accessible in an electronic format.