On September 23, 2020, staff from the North American Electric Reliability Corporation (“NERC”) and FERC (collectively, “Joint Staff”) issued a second joint white paper that reversed previous recommendations regarding publicly disclosing the identities of entities accused of Critical Infrastructure Protection (“CIP”) violations. As stated in the Second Joint Whitepaper, the previous recommendation to publicly disclose CIP violator names and other information raised “substantial risks to the security of the Bulk-Power System.” Accordingly, the Second Joint Whitepaper stated that from now on, NERC will request that CIP noncompliance filings be treated as Critical Energy/Electric Infrastructure Information (“CEII”). FERC Staff will also designate such filings as CEII in their entirety. Additionally, because of the risk associated with the disclosure of CIP noncompliance information, NERC will no longer publicly post redacted versions of CIP noncompliance filings and submittals.
The first joint white paper, published in August of 2019, proposed that NERC submissions of CIP Notices of Penalty (“NOP”) consist of a public cover letter that disclosed the name of the violator, the CIP Reliability Standard(s) violated (but not the specific requirement(s)), and the penalty amount. Under that original proposal, NERC would submit the remainder of the CIP NOP filing, with details of the violation(s), mitigation activity, and potential vulnerabilities to cyber systems, as a non-public attachment along with a request that such information be designated CEII.
Joint Staff received numerous comments on the First Joint White Paper, many of which argued that the proposed disclosures increased risk to the security of the Bulk-Power System. Those commenters asserted that adversaries could still use the limited information proposed for disclosure in CIP noncompliance filings to better target compliance problem areas and threaten the reliable operation of the Bulk-Power System.
After reviewing the comments, Joint Staff reversed course in their Second Joint Whitepaper. Specifically, Joint Staff agreed that disclosing CIP violator names and other information found in CIP noncompliance filings raises “substantial risks” to grid security. According to Joint Staff, protecting CIP noncompliance filings is consistent with FERC Order No. 672, as well as with Freedom of Information Act Exemptions 3 (records specifically exempted by statute), 4 (trade secret and commercial or financial information), and 7(F) (law enforcement information). Joint Staff asserted that protecting CIP noncompliance filings would also be compliant with the FAST Act, which expressly prohibits FERC from disclosing information that it designates as CEII.
Accordingly, the Second Joint Whitepaper concluded that, going forward, both NERC and FERC would treat CIP noncompliance submissions, including NOPs, as CEII in their entirety. Moreover, because of the risk associated with disclosing CIP noncompliance information, NERC will no longer publicly post redacted versions of CIP noncompliance filings and submittals.