LegiStorm

Summary:
Highlights

GAO reviewed the Federal Energy Regulatory Commission's (Commission) new rule on mandatory reliability standards for critical infrastructure protection. GAO found that (1) the final rule approves eight Critical Infrastructure Protection Reliability Standards and these eight reliability standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements safeguarding critical assets against malicious cyber attacks; and (2) the Commission complied with the applicable requirements in promulgating the rule.





View Decision
Department of Energy, Federal Energy Regulatory Commission: Mandatory Reliability Standards for Critical Infrastructure Protection, GAO-08-493R, February 21, 2008 B-316012 February 21, 2008 The Honorable Jeff Bingaman Chairman The Honorable Pete V. Domenici Ranking Minority Member Committee on Energy and Natural ResourcesUnited States Senate The Honorable John D. Dingell Chairman The Honorable Joe Barton Ranking Minority Member Committee on Energy and Commerce House of Representatives Subject: Department of Energy, Federal Energy Regulatory Commission: Mandatory Reliability Standards for Critical Infrastructure Protection Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Energy, Federal Energy Regulatory Commission (Commission), entitled –Mandatory Reliability Standards for Critical Infrastructure Protection— (Docket No. RM06-22-000). We received the rule on January 24, 2008. It was published in the Federal Register as a final rule on February 7, 2008. 73 Fed. Reg. 7368. This rule has a stated effective date of April 7, 2008. The final rule approves eight Critical Infrastructure Protection Reliability Standards submitted to the Commission by the North American Electric Reliability Corporation. These eight reliability standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements safeguarding critical assets against malicious cyber attacks. Enclosed is our assessment of the Commission's compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. Our review indicates that the Commission complied with the applicable requirements. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Michael R. Volpe, Assistant General Counsel, at (202) 512-8236. signed Robert J. Cramer Associate General Counsel Enclosure cc: Christy Walsh Office of the General Counsel Energy Markets Federal Energy Regulatory Commission Department of Energy ENCLOSURE REPORT UNDER 5 U.S.C. sect. 801(a)(2)(A) ON A MAJOR RULE ISSUED BY THE DEPARTMENT OF ENERGY, FEDERAL ENERGY REGULATORY COMMISSION ENTITLED "MANDATORY RELIABILITY STANDARDS FOR CRITICAL INFRASTRUCTURE PROTECTION" (DOCKET NO. RM06-22-000) (i) Cost-benefit analysis The Federal Energy Regulatory Commission (Commission) projects that the costs for compliance will exceed $100 million as an initial matter, although the Commission adopted a number of measures to mitigate many of the additional burdens associated with complying with these standards. In the final rule the Commission only included the cost of the information collection requirements, which are discussed below. The Commission did not include in this final rule its estimate of the cost of substantial compliance with the Critical Infrastructure Protection Reliability Standards. (ii) Agency actions relevant to the Regulatory Flexibility Act, 5 U.S.C. sections 603-605, 607, and 609 The Commission determined that this final rule will not have a significant economic impact on a substantial number of small entities. (iii) Agency actions relevant to sections 202-205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. sections 1532-1535 As an independent regulatory agency, the Commission is not subject to Title II of the Unfunded Mandates Reform Act of 1995. 2 U.S.C. sect. 658. (iv) Other relevant information or requirements under acts and executive orders Administrative Procedure Act, 5 U.S.C. sections 551 et seq. The final rule was issued using the notice and comment procedures of the Administrative Procedure Act. 5 U.S.C. sect. 553. On August 6, 2007, the Commission published a Notice of Proposed Rulemaking in the Federal Register. 72 Fed. Reg. 43,970. In response to the notice, the Commission received about 70 comment letters, to which the Commission responded in the final rule. 72 Fed. Reg. 7370?7447 (Feb. 7, 2008). Paperwork Reduction Act, 44 U.S.C. sections 3501-3520 This final rule contains information collection requirements that the Commission submitted to the Office of Management and Budget (OMB) for review under the Act. The information collection requirement has the OBM Control Number of 1902-0248 and the Commission estimates that the annual cost of this requirement will be $24,758,800. Statutory authorization for the rule This final rule was promulgated under the authority of section 215 of the Federal Power Act. 16 U.S.C. sect. 824o. Executive Order No. 12,866 As this final rule is promulgated by an independent regulatory agency, it is not subject to the review requirements of the order.



Downloads





Full Report (4 pages)