NERC on Monday completed the second of two compliance filings directed by FERC earlier this year, detailing changes to its Rules of Procedure (ROP) intended to “reflect current business practices and provide further transparency to industry stakeholders” (RR19-7).
FERC ordered the ROP changes in January in response to NERC’s five-year performance assessment, expressing dissatisfaction with the transparency of the Electricity Information Sharing and Analysis Center (E-ISAC) considering it accounts for 28% of the ERO’s total 2020 budget. The commission requested that NERC clarify the E-ISAC’s relationship with the Electricity Subsector Coordinating Council (ESCC), correct inconsistencies in terminology used in the ROP and update other operational practices related to the ERO’s infrastructure security program. (See NERC Wins Another 5 Years as ERO.)
The compliance filing was originally due July 21, but NERC requested an extension in order to allow for the full 45-day stakeholder comment period, which FERC approved in March, followed by another delay because of the COVID-19 pandemic. (See NERC Board of Trustees/MRC Briefs: Aug. 20, 2020.)
The commission had ordered an additional compliance filing, submitted in June, discussing NERC’s oversight of its regional entities and the development process for reliability guidelines, as well as the role of the E-ISAC. (See NERC Clarifies Audits, E-ISAC in Filing.)
Registration and Certification Revisions
NERC’s planned changes include:
- revisions to the Registration and Certification Program in Section 500 (Organization registration and certification) and Appendices 2, 5A, 5B and 5C;
- updates to the infrastructure security program in Section 1003, including the E-ISAC; and
- modifications to the sanction guidelines in Appendix 4B.
The information security program and sanction guidelines updates were submitted for industry comment in May. (See NERC Seeks Comments on Proposed ROP Changes.)
The first set of changes, which primarily involve adding “more granularity” to registration-related provisions, is being published for the first time. These include sections involving joint registration organizations (JROs), to provide clarity to the requirements for JRO construction and operation; and coordinated functional registration (CFR) agreements, with greater specificity around the information required to make a CFR acceptable to NERC and the roles and responsibilities of parties to the agreement.
In addition, NERC proposes to “add more specificity to the minimum criteria for certification” by detailing that entities’ “tools, personnel, facilities and [processes] used to perform … tasks required by the applicable reliability standards will be evaluated.”
The organization also plans to remove a requirement in Appendix 5A that the Compliance and Certification Committee approve any revisions to registration and certification procedures before they are submitted to the board, while adding a new section to the same appendix specifying how entities maintain their certifications. Redundant language in Appendix 5B will be removed as well, and Appendix 5C will be changed to create better alignment with updated sections of the ROP.
E-ISAC, Sanctions, APB Clarified
Revisions to Section 1003 include the insertion of a paragraph describing the role of the E-ISAC and its place alongside the Department of Energy and ESCC in the U.S. national security framework, as well as language emphasizing that NERC considers security an equal priority to reliability and resilience. References to the critical spare transformer program, the National Infrastructure Protection Plan and other organizations were deleted, as NERC is no longer involved in these activities.
Changes to NERC’s sanction guidelines aim to emphasize the importance of fairness when determining penalty amounts, with reference to factors such as risk and severity level, as well as the role that nonmonetary sanctions may play in determining the final penalty amount. Additional language was inserted at FERC’s request requiring NERC and the REs to take the size of the offender and its ability to pay into account when setting penalties, so that violators do not see sanctions as “an economic choice or cost of doing business.”
In its January order, FERC also directed NERC to “clarify its processes regarding the development and issuance of All Points Bulletins,” part of the E-ISAC’s Critical Broadcast Program (CBP). NERC addressed this request in the last section of its Monday filing, describing the threshold for activating the CBP, procedures for approving activation, the target audience of the program, and methods and timing of communicating critical security information. In addition, the organization discussed the CBP’s relation with other information-sharing mechanisms, such as the NERC Alert process.