Notice 2026-11877

Commission Information Collection Activities (Ferc-725b). Comment Request; Extension

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
June 12, 2026

Issuing agencies

Energy Department; Federal Energy Regulatory Commission

Abstract

In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the currently approved information collection, FERC-725B, (Mandatory Reliability Standards, Critical Infrastructure Protection (CIP)). This submission is for an extension request and changes to CIP-002-8. No comments were received on the 60-day notice.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 113 (Friday, June 12, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 113 (Friday, June 12, 2026)]
[Notices]
[Pages 35681-35684]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-11877]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC26-16-000; RD25-8-000]


Commission Information Collection Activities (Ferc-725b). Comment 
Request; Extension

AGENCY: Federal Energy Regulatory Commission.

ACTION: Notice of information collection and request for comments.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of the Paperwork Reduction 
Act of 1995, the Federal Energy Regulatory Commission (Commission or 
FERC) is soliciting public comment on the currently approved 
information collection, FERC-725B, (Mandatory Reliability Standards, 
Critical Infrastructure Protection (CIP)). This submission is for an 
extension request and changes to CIP-002-8. No comments were received 
on the 60-day notice.

DATES: Comments on the collection of information are due July 13, 2026.

ADDRESSES: Send written comments on FERC-725B to OMB through <a href="https://www.reginfo.gov/public/do/PRA/icrPublicCommentRequest?ref_nbr=202606-1902-002">https://www.reginfo.gov/public/do/PRA/icrPublicCommentRequest?ref_nbr=202606-1902-002</a>. 
You can also visit <a href="https://www.reginfo.gov/public/do/PRAMain">https://www.reginfo.gov/public/do/PRAMain</a> 
and use the drop-down under ``Currently under Review'' to select the 
``Federal Energy Regulatory Commission'' where you can see the open 
opportunities to provide comments. Comments should be sent within 30 
days of publication of this notice.
    Please submit a copy of your comments to the Commission via email 
to [email protected]. You must specify Docket No. (IC26-16-000) 
and the FERC Information Collection number (FERC-725B) in your email. 
If you are unable to file electronically, comments may be filed by USPS 
mail or by hand (including courier) delivery:
    • Mail via U.S. Postal Service Only: Federal Energy 
Regulatory Commission, Secretary of the Commission, 888 First Street 
NE, Washington, DC 20426.
    • All other delivery methods: Federal Energy Regulatory 
Commission, Secretary of the Commission, 12225 Wilkins Avenue, 
Rockville, MD 20852.
    Docket: To view comments and issuances in this docket, please visit 
<a href="https://elibrary.ferc.gov/eLibrary/search">https://elibrary.ferc.gov/eLibrary/search</a>. Once there, you can also 
sign up for automatic notification of activity in this docket.

FOR FURTHER INFORMATION CONTACT: Kayla Williams, (202) 502-6468. 
[email protected].

SUPPLEMENTARY INFORMATION: 
    Title: FERC-725B (Mandatory Reliability Standards, Critical 
Infrastructure Protection (CIP)).
    OMB Control No.: 1902-0248.
    Type of Request: Three-year extension of the FERC-725B information 
collection requirements and implementation of changes due to updates to 
CIP-002-8.
    Abstract: On August 8, 2005, Congress enacted the Energy Policy Act 
of 2005.\1\ The Energy Policy Act of 2005 added a new section 215 to 
the FPA,\2\ which requires a Commission-certified Electric Reliability 
Organization to develop mandatory and enforceable Reliability 
Standards,\3\ including requirements for cybersecurity protection, 
which are subject to Commission review and approval. Once approved, the 
Reliability Standards may be enforced by the Electric Reliability 
Organization subject to Commission oversight, or the Commission can 
independently enforce Reliability Standards.
---------------------------------------------------------------------------

    \1\ Energy Policy Act of 2005, Public Law 109-58, sec. 1261 et 
seq., 119 Stat. 594 (2005).
    \2\ 16 U.S.C. 824o.
    \3\ FPA section 215 defines Reliability Standard as a 
requirement, approved by the Commission, to provide for reliable 
operation of existing bulk-power system facilities, including 
cybersecurity protection, and the design of planned additions or 
modifications to such facilities to the extent necessary to provide 
for reliable operation of the Bulk-Power System. However, the term 
does not include any requirement to enlarge such facilities or to 
construct new transmission capacity or generation capacity. Id. at 
824o(a)(3).
---------------------------------------------------------------------------

    On February 3, 2006, the Commission issued Order No. 672,\4\ 
implementing FPA section 215. The Commission subsequently certified 
NERC as the Electric Reliability Organization. The Reliability 
Standards developed by NERC become mandatory and enforceable after 
Commission approval and apply to users, owners, and operators of the 
Bulk-Power System, as set forth in each Reliability Standard.\5\ The 
CIP Reliability Standards require entities to comply with specific 
requirements to safeguard critical cyber assets. These standards are 
result-based and do not specify a technology or method to achieve 
compliance, instead leaving it up to the entity to decide how best to 
comply.
---------------------------------------------------------------------------

    \4\ Rules Concerning Certification of the Elec. Reliability 
Org.; and Procedures for the Establishment, Approval, and Enf't of 
Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 
2006), 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 
19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006).
    \5\ NERC uses the term ``registered entity'' to identify users, 
owners, and operators of the Bulk-Power System responsible for 
performing specified reliability functions with respect to NERC 
Reliability Standards. See, e.g., Version 4 Critical Infrastructure 
Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 
25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification 
and reh'g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability 
Standards are various subsets of entities responsible for performing 
various specified reliability functions. We collectively refer to 
these as ``entities.''
---------------------------------------------------------------------------

    On January 18, 2008, the Commission issued Order No. 706,\6\ 
approving the initial eight CIP Reliability Standards, CIP version 1 
Standards, submitted by NERC. Subsequently, the Commission has approved 
multiple versions of the CIP Reliability Standards submitted by NERC, 
partly to address the evolving nature of cyber-related threats to the 
Bulk-Power System. On November 22, 2013, the Commission issued Order 
No. 791,\7\ approving CIP version 5
Standards, the last major revision to the CIP Reliability Standards. 
The CIP version 5 Standards implement a tiered approach to categorize 
assets, identifying them as high, medium, or low risk to the operation 
of the Bulk Electric System (BES) \8\ if compromised. High impact 
systems include large control centers. Medium impact systems include 
smaller control centers, ultra-high voltage transmission, and large 
substations and generating facilities. The remainder of the BES Cyber 
Systems \9\ are categorized as low impact systems. Most requirements in 
the CIP Reliability Standards apply to high and medium impact systems; 
however, a technical controls requirement in Reliability standard CIP-
003, described below, applies only to low impact systems. Since 2013, 
the Commission has approved new and modified CIP Reliability Standards 
that address specific issues such as supply chain risk management, 
cyber incident reporting, communications between control centers, and 
the physical security of critical transmission facilities.\10\
---------------------------------------------------------------------------

    \6\ Order No. 706, 122 FERC ¶ 61,040 at P 1.
    \7\ Version 5 Critical Infrastructure Protection Reliability 
Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ¶ 
61,160 (2013), order on reh'g, Order No. 791-A, 146 FERC ¶ 61,188 
(2014).
    \8\ In general, NERC defines BES to include all Transmission 
Elements operated at 100 kV or higher and Real Power and Reactive 
Power resources connected at 100 kV or higher. This does not include 
facilities used in the local distribution of electric energy. See 
NERC, Bulk Electric System Definition Reference Document, Version 3, 
at page iii (August 2018). In Order No. 693, the Commission found 
that NERC's definition of BES is narrower than the statutory 
definition of Bulk-Power System. The Commission decided to rely on 
the NERC definition of BES to provide certainty regarding the 
applicability of Reliability Standards to specific entities. See 
Mandatory Reliability Standards for the Bulk-Power System, Order No. 
693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ¶ 61,218, at PP 75, 79, 
491, order on reh'g, Order No. 693-A, 72 FR 49717 (July 25, 2007), 
120 FERC ¶ 61,053 (2007).
    \9\ NERC defines BES Cyber System as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' NERC, Glossary of 
Terms Used in NERC Reliability Standards, at 5 (2020), <a href="https://www.nerc.com/files/glossary_of_terms.pdf">https://www.nerc.com/files/glossary_of_terms.pdf</a> (NERC Glossary of Terms). 
NERC defines BES Cyber Asset as
    A Cyber Asset that if rendered unavailable, degraded, or misused 
would, within 15 minutes of its required operation, mis-operation, 
or non-operation, adversely impact one or more Facilities, systems, 
or equipment, which, if destroyed, degraded, or otherwise rendered 
unavailable when needed, would affect the reliable operation of the 
Bulk Electric System. Redundancy of affected Facilities, systems, 
and equipment shall not be considered when determining adverse 
impact. Each BES Cyber Asset is included in one or more BES Cyber 
Systems.
    Id. at 4.
    \10\ See, e.g., Order No. 791, 78 FR 72755; Revised Critical 
Infrastructure Protection Reliability Standards, Order No. 822, 81 
FR 4177 (Jan. 26, 2016), 154 FERC ¶ 61,037, reh'g denied, Order No. 
822-A, 156 FERC ¶ 61,052 (2016); Revised Critical Infrastructure 
Protection Reliability Standard CIP-003-7--Cyber Security--Security 
Management Controls, Order No. 843, 163 FERC ¶ 61,032 (2018).
---------------------------------------------------------------------------

    On March 19, 2026, the order within RD25-8 approved Reliability 
Standard CIP-002-8 related to the identification and categorization of 
BES cyber systems and their associated BES cyber assets. The Commission 
approved the proposed Reliability Standard CIP-002-8 pursuant to 
section 215(d)(2) of the FPA because the Standard would advance 
reliability by revising the threshold for applicable transmission 
owners and transmission operators to categorize their BES cyber systems 
based on the impact to their associated facilities, systems, and 
equipment, which, if destroyed, degraded, misused, or otherwise 
rendered unavailable would affect the reliability of the BES. The 
changes also revise the definition of the term control center in the 
NERC Glossary to alleviate confusion from a lack of common 
understanding of the term ``control'' as opposed to ``authority''.
    The CIP Reliability Standards currently consist of 14 standards 
specifying a set of requirements that entities must follow to ensure 
the cyber and physical security of the Bulk-Power System. There is also 
one physical security standard.
    • CIP-002-8 (formerly CIP-002-7) Bulk Electric System 
Cyber System Categorization: requires entities to identify and 
categorize BES Cyber Assets for the application of cyber security 
requirements commensurate with the adverse impact that loss, 
compromise, or misuse of those BES Cyber Systems could have on the 
reliable operation of the BES.
    • CIP-003-10 Security Management Controls: requires entities 
to specify consistent and sustainable security management controls that 
establish responsibility and accountability to protect BES Cyber 
Systems against compromise that could lead to mis-operation or 
instability in the BES.
    • CIP-004-8 Personnel and Training: requires entities to 
minimize the risk against compromise that could lead to mis-operation 
or instability in the BES from individuals accessing BES Cyber Systems 
by requiring an appropriate level of personnel risk assessment, 
training, and security awareness in support of protecting BES Cyber 
Systems.
    • CIP-005-8 Electronic Security Perimeter(s): requires 
entities to manage electronic access to BES Cyber Systems by specifying 
a controlled Electronic Security Perimeter in support of protecting BES 
Cyber Systems against compromise that could lead to mis-operation or 
instability in the BES.
    • CIP-006-7.1 Physical Security of Bulk Electric System 
Cyber Systems: requires entities to manage physical access to BES Cyber 
Systems by specifying a physical security plan in support of protecting 
BES Cyber Systems against compromise that could lead to mis-operation 
or instability in the BES.
    • CIP-007-7.1 System Security Management: requires entities 
to manage system security by specifying select technical, operational, 
and procedural requirements in support of protecting BES Cyber Systems 
against compromise that could lead to mis-operation or instability in 
the BES.
    • CIP-008-7.1 Incident Reporting and Response Planning: 
requires entities to mitigate the risk to the reliable operation of the 
BES as the result of a cybersecurity incident by specifying incident 
response requirements.
    • CIP-009-7.1 Recovery Plans for Bulk Electric System Cyber 
Systems: requires entities to recover reliability functions performed 
by BES Cyber Systems by specifying recovery plan requirements in 
support of the continued stability, operability, and reliability of the 
BES.
    • CIP-010-5 Configuration Change Management and 
Vulnerability Assessments: requires entities to prevent and detect 
unauthorized changes to BES Cyber Systems by specifying configuration 
change management and vulnerability assessment requirements in support 
of protecting BES Cyber Systems from compromise that could lead to mis-
operation or instability in the BES.
    • CIP-011-4.1 Information Protection: requires entities to 
prevent unauthorized access to BES Cyber System Information by 
specifying information protection requirements in support of protecting 
BES Cyber Systems against compromise that could lead to mis-operation 
or instability in the BES.
    • CIP-012-2 Communications between Control Centers: requires 
entities to protect the confidentiality and integrity of Real-time 
Assessment and Real-time monitoring data transmitted between Control 
Centers.
    • CIP-013-3 Supply Chain Risk Management: requires entities 
to mitigate cybersecurity risks to the reliable operation of the BES by 
implementing security controls for supply chain risk management of BES 
Cyber Systems.
    • CIP-014-3 Physical Security: sets out to identify and 
protect Transmission stations and Transmission substations, and their 
associated primary control centers, that if rendered inoperable or 
damaged as a result of a physical attack could result in instability, 
uncontrolled separation, or Cascading within an Interconnection.
    • CIP-015-1 Internal Network Security Monitoring: purpose is 
to improve the probability of detecting anomalous or unauthorized 
network activity in order to facilitate improved response and recovery 
from an attack.
    The CIP Reliability Standards, viewed as a whole, implement a 
defense-in-depth approach to protecting the security of BES Cyber 
Systems at all impact levels.\11\ The CIP Reliability Standards are 
objective-based and allow entities to choose compliance approaches best 
tailored to their systems.\12\
---------------------------------------------------------------------------

    \11\ Order No. 822, 154 FERC ¶ 61,037 at 32.
    \12\ Order No. 706, 122 FERC ¶ 61,040 at 72.

        FERC-725B--(Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards) for IC26-16-000 (Renewal)
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               Annual number                                 Average burden per      Total annual burden
                                       Number and type of      of responses   Total number of responses   response (hours) & cost      (hours) & total
                                        respondent \13\       per respondent                                    per response        annual cost \14\ ($)
                                   (1)......................             (2)  (1) * (2) = (3)..........  (4)......................  (3) * (4) = (5)
--------------------------------------------------------------------------------------------------------------------------------------------------------
CIP-002-8........................  1,573....................               1  1,573....................  2 hrs.; $194.............  3,146 hrs.;
                                                                                                                                     $305,162.
                                   100......................               1  100......................  4 hrs.; $388.............  400 hrs.; $38,800.
CIP-003-10, CIP-004-8, CIP-005-8,  100......................               4  400 (per standard).......  600 hrs.; $46,380........  240,000 hrs.;
 CIP-006-7.1, CIP-007-7.1, CIP-                                                                                                      $18,552,000.
 008-7.1, CIP-009-7.1, CIP-010-5,
 CIP-011-4.1.
CIP-013-3........................  400......................               1  400......................  30 hrs.; $2,319..........  12,000 hrs.;
                                                                                                                                     $927,600.
CIP-014-3........................  321......................               1  321......................  2 hrs.; $154.6...........  642 hrs.;
                                                                                                                                     $49,626.60.
CIP-012-2........................  724......................               1  724......................  83 hrs.; $6,415.90.......  60,092 hrs.;
                                                                                                                                     $4,645,111.60.
CIP-015-1........................  400......................               6  2,400....................  56.67 hrs.; $4,380.59....  136,008 hrs.;
                                                                                                                                     $10,513,418.40.
Total Burden One time burden for   4,000 (400 per standard).               1  4,000 (400 per standard).  577 (57.7 per standard)..  230,800 (23,080 per
 years 1-3 from recently approved                                                                                                    standard).
 RM24-8 affecting the following
 CIP Standards: CIP-002-7, CIP-
 003-10, CIP-004-8, CIP-005-8,
 CIP-006-7.1, CIP-007-7.1, CIP-
 008-7.1, CIP-009-7.1, CIP-010-
 5, CIP-011-4.1, and CIP-013-3.
                                  ----------------------------------------------------------------------------------------------------------------------
    Total Burden of FERC-725B      .........................  ..............  15,091...................  .........................  683,088 hrs.;
     Renewal.                                                                                                                        $52,802,702.40.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    RD25-8 (Changes):
---------------------------------------------------------------------------

    \13\ The number of respondents is based on the NERC Compliance 
Registry as of June 22, 2025. Currently there are 1,508 unique NERC 
Registered Entities; subtracting 16 Canadian entities yields 1,492 U.S. 
entities.
    \14\ The estimates for cost per hour are $77.30/hour (averaged 
based on the following occupations):
    • Manager (Occupational Code: 11-0000): $83.41/hour; and
    • Electrical Engineer (Occupational Code 17-2071): 
$71.19/hour. The estimated hourly cost (salary plus benefits) is a 
combination of the following categories from the Bureau of Labor 
Statistics (BLS) website, May 2025 <a href="http://www.bls.gov/oes/current/naics2_22.htm">http://www.bls.gov/oes/current/naics2_22.htm</a>.
---------------------------------------------------------------------------

    The Commission bases its paperwork burden estimates on the 
additional paperwork burden presented by the proposed revisions to 
Reliability Standard CIP-002-8. Reliability Standards are objective-
based and allow entities to choose compliance approaches best tailored 
to their systems. The NERC Compliance Registry, as of June 2025, 
identifies approximately 1,673 \15\ U.S. entities that are subject to 
mandatory compliance with Reliability Standards.
---------------------------------------------------------------------------

    \15\ The ``Number of Entity'' data is compiled from the June 
2025 edition of the NERC Compliance Registry.
---------------------------------------------------------------------------

    Of this total, we estimate that 1,573 entities will face a minor 
increase in paperwork burden of two hours each for a total burden hours 
increase of 3,146 at $97 \16\ per hour for $194 per entity and a total 
$305,162 burden for the first year and ongoing burdens in addition to 
the burden already accounted for in the OMB control number for CIP 
Reliability Standards.
---------------------------------------------------------------------------

    \16\ The hourly cost for wages is based in part on the average 
of the occupational categories from the Bureau of Labor Statistics 
website (<a href="http://www.bls.gov/oes/current/naics2_22.htm">http://www.bls.gov/oes/current/naics2_22.htm</a>) plus 
benefits: Legal (Occupation Code: 23-0000): $162.66; Electrical 
Engineer (Occupation Code: 17-2071): $79.31; Office and 
Administrative Support (Occupation Code: 43-0000): $48.59 ($162.66 + 
$79.31 + $48.59) / 3 = $96.85. The figure is rounded to $97.00 for 
use in calculating wage figures in this Order.
---------------------------------------------------------------------------

    Additionally, we estimate that another 100 entities will have a 
burden of four hours each for a total burden hour increase of 400 at 
$97 per hour for a total burden of $38,800 for the first year and no 
ongoing burdens in addition to the burden already accounted for in the 
OMB control number for CIP Reliability Standards.

   Changes for CIP-002-8 in FERC-725B--(Mandatory Reliability Standards for Critical Infrastructure Protection
                                          [CIP] Reliability Standards)
----------------------------------------------------------------------------------------------------------------
                                 Number and                                     Average burden    Total one-time
                                   type of      Annual number   Total number     per response     burden (hours)
                                 respondent     of responses    of responses    (hours) & cost    & total annual
                                    \17\       per respondent                    per  response    cost \18\ ($)
                                          (1)             (2)     (1) * (2) =  (4).............  (3) * (4) = (5)
                                                                          (3)
----------------------------------------------------------------------------------------------------------------
CIP-002-8....................           1,573               1           1,573  2 hrs.; $194....  3,146 hrs.;
                                                                                                  $305,162.
                                          100               1             100  4 hrs.; $388....  400 hrs.;
                                                                                                  $38,800.
                              ----------------------------------------------------------------------------------
    Total for one time burden           1,673  ..............           1,673  ................  3,546 hrs.;
     for CIP-002-8.                                                                               $343,962.
----------------------------------------------------------------------------------------------------------------

    The responses and burden hours for Years 1-3 will total 
respectively as follows:
---------------------------------------------------------------------------

    \17\ The number of respondents is based on the NERC Compliance 
Registry as of June 22, 2025. Currently there are 1,508 unique NERC 
Registered Entities; subtracting 16 Canadian entities yields 1,492 U.S. 
entities.
    \18\ The estimates for cost per hour are $77.30/hour (averaged 
based on the following occupations):
    • Manager (Occupational Code: 11-0000): $83.41/hour; and
    • Electrical Engineer (Occupational Code 17-2071): 
$71.19/hour. The estimated hourly cost (salary plus benefits) is a 
combination of the following categories from the Bureau of Labor 
Statistics (BLS) website, May 2025 <a href="http://www.bls.gov/oes/current/naics2_22.htm">http://www.bls.gov/oes/current/naics2_22.htm</a>.
---------------------------------------------------------------------------

    • Years 1-3, each: the total for proposed Reliability Standard 
CIP-002-8 will be 557.67 responses and 1,182 hours;
    • The annual cost burden for each of Years 1-3 is $101,803 for 
proposed Reliability Standard CIP-002-8.
    Comments: Comments are invited on: (1) whether the collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimate of the burden and 
cost of the collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility and clarity of the information collection; and (4) ways to 
minimize the burden of the collection of information on those who are 
to respond, including the use of automated collection techniques or 
other forms of information technology.

    Dated: June 9, 2026.
Debbie-Anne A. Reese,
Secretary.
[FR Doc. 2026-11877 Filed 6-11-26; 8:45 am]
BILLING CODE 6717-01-P


</pre></body>
</html>
Indexed from Federal Register on June 12, 2026.