← All sectors
Resilience Rulebook · By sector

Critical Infrastructure

Operational-resilience, incident-reporting and OT-security obligations across energy, water, transport, communications and ports — US sector regulators, the EU (NIS2, CER, CRA) and the UK.

A WSquare Advisory analysis In partnership with Resilis
For information purposes only. Automated, LLM-assisted triage reviewed by WSquare Advisory — not legal advice. Applicability is entity-by-entity; confirm against the source rule text.
Jurisdiction
Domain
Jur.RegulatorDomainObligation (with source quote)CitationStatus
EUEU_CERphysical securityStrategy on the resilience of critical entities (Art. 4)
“shall adopt by 17 January 2026 a strategy for enhancing the resilience of critical entities (the ‘strategy’).”
Article 4, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityShall update their strategies at least every four years. (Art. 5) [adjacent]
“shall update their strategies at least every four years.”
Article 5, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityShall account for the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public heal (Art. 6)
“shall account for the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies and hybrid threats or other antagonistic threats, including terrorist offences as provided for in Directi”
Article 6, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityShall establish a list of the critical entities identified pursuant to paragraph 2 and ensure that those critical entities are notified that they have been iden (Art. 7) [adjacent]
“shall establish a list of the critical entities identified pursuant to paragraph 2 and ensure that those critical entities are notified that they have been identified as critical entities within one month of that identification.”
Article 7, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityShall inform critical entities in the sectors set out in points 3, 4 and 8 of the table in the Annex that they have no obligations under Chapters III and IV, un (Art. 8) [adjacent]
“shall inform critical entities in the sectors set out in points 3, 4 and 8 of the table in the Annex that they have no obligations under Chapters III and IV, unless national measures provide otherwise.”
Article 8, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityShall support critical entities in enhancing their resilience. (Art. 10)
“shall support critical entities in enhancing their resilience.”
Article 10, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityRisk assessment by critical entities (Art. 12)
“shall ensure that critical entities carry out a risk assessment within nine months of receiving the notification referred to in Article 6(3), whenever necessary subsequently, and at least every four years, on the basis of Member State risk assessments and other relevant sources o”
Article 12, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityResilience measures of critical entities (Art. 13)
“shall ensure that critical entities take appropriate and proportionate technical, security and organisational measures to ensure their resilience, based on the relevant information provided by Member States on the Member State risk assessment and on the outcomes of the critical e”
Article 13, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityAre required to undergo such background checks, and laying down appropriate training requirements and qualifications; (Art. 14) [adjacent]
“are required to undergo such background checks, and laying down appropriate training requirements and qualifications;”
Article 14, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityIncident notification (Art. 15)
“shall ensure that critical entities notify the competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services.”
Article 15, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityStandards In order to promote the convergent implementation of this Directive, Member States shall, where useful and wit (Art. 16) [adjacent]
“shall, where useful and without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European and international standards and technical specifications relevant to the security and resilience measures applicable to critical entit”
Article 16, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityIdentification of critical entities of particular European significance (Art. 17) [adjacent]
“shall be considered a critical entity of particular European significance where it: (a) has been identified as a critical entity pursuant to Article 6(1);”
Article 17, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityShall also inform the Critical Entities Resilience Group of the main findings of the advisory mission and the lessons learned with a view to promoting mutual le (Art. 19) [adjacent]
“shall also inform the Critical Entities Resilience Group of the main findings of the advisory mission and the lessons learned with a view to promoting mutual learning.”
Article 19, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityCommission support to competent authorities and critical entities (Art. 20) [adjacent]
“shall, where appropriate, support Member States and critical entities in complying with their obligations under this Directive.”
Article 20, Directive (EU) 2022/2557 (CER)final
EUEU_CERphysical securityTransposition (Art. 26) [adjacent]
“shall adopt and publish the measures necessary to comply with this Directive.”
Article 26, Directive (EU) 2022/2557 (CER)final
EUEU_CRAcyber ot securityProcurement or use of products with digital elements (Art. 5) [adjacent]
“shall not prevent Member States from subjecting products with digital elements to additional cybersecurity requirements for the procurement or use of those products for specific purposes, including where those products are procured or used for national security or defence purpose”
Article 5, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityEnhancing skills in a cyber resilient digital environment For the purposes of this Regulation and in order to respond to (Art. 10) [adjacent]
“shall promote measures and strategies aiming to: (a) develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity ”
Article 10, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityHigh-risk AI systems (Art. 12) [adjacent]
“shall be deemed to comply with the cybersecurity requirements set out in Article 15 of that Regulation where: (a) those products fulfil the essential cybersecurity requirements set out in Part I of Annex I;”
Article 12, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityObligations of manufacturers (Art. 13) [adjacent]
“shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I.”
Article 13, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityShall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated (Art. 14) [adjacent]
“shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA.”
Article 14, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityOther provisions related to reporting (Art. 17) [adjacent]
“shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.”
Article 17, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityShall not subject the notifying natural or legal person to increased liability. (Art. 18) [adjacent]
“shall not subject the notifying natural or legal person to increased liability.”
Article 18, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityPresumption of conformity (Art. 27) [adjacent]
“shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof.”
Article 27, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityNotifying authorities (Art. 36) [adjacent]
“shall designate a notifying authority that shall be responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and their monitoring, including compliance with Article 41.”
Article 36, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityInformation obligation on notifying authorities (Art. 38)
“shall inform the Commission of their procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, and of any changes thereto.”
Article 38, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityChanges to notifications (Art. 45) [adjacent]
“shall restrict, suspend or withdraw notification as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations.”
Article 45, Regulation (EU) 2024/2847final
EUEU_CRAcyber ot securityEvaluation and review (Art. 70) [adjacent]
“shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council.”
Article 70, Regulation (EU) 2024/2847final
EUEU_NCCScyber ot securityShall also apply to all entities who are not established in the Union but who deliver services to entities in the Union, provided they have been identified as h (Art. 4) [adjacent]
“shall also apply to all entities who are not established in the Union but who deliver services to entities in the Union, provided they have been identified as high or critical-impact entities by the competent authorities in accordance with Article 24(2).”
Article 4, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityTerms and conditions or methodologies or plans (Art. 6) [adjacent]
“shall develop, in cooperation with the EU DSO entity, proposals for the terms and conditions or methodologies pursuant to paragraph 2, or for plans pursuant to paragraph 3.”
Article 6, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityMonitoring (Art. 12)
“shall monitor the implementation of this Regulation in accordance with Article 32(1) of Regulation (EU) 2019/943 and Article 4(2) of Regulation (EU) 2019/942.”
Article 12, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityBenchmarking (Art. 13) [adjacent]
“shall establish a non-binding cybersecurity benchmarking guide.”
Article 13, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCybersecurity risk assessment methodologies (Art. 18)
“shall submit a proposal for the cybersecurity risk assessment methodologies at Union level, at regional level and at Member State level.”
Article 18, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityUnion-wide cybersecurity risk assessment (Art. 19) [adjacent]
“shall, without prejudice to Article 22 of Directive (EU) 2022/2555, perform a Union-wide cybersecurity risk assessment and draw up a draft Union-wide cybersecurity risk assessment report.”
Article 19, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityShall include: (a) an assessment of the possible consequences of a cyber-attack using the metrics defined in the cybersecurity risk assessment methodology devel (Art. 20)
“shall include: (a) an assessment of the possible consequences of a cyber-attack using the metrics defined in the cybersecurity risk assessment methodology developed pursuant to Article 18(2), (3) and (4), and approved pursuant to Article 8;”
Article 20, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityRegional cybersecurity risk assessments (Art. 21) [adjacent]
“shall perform a regional cybersecurity risk assessment for each system operation region using the methodologies developed pursuant to Article 19, and approved pursuant to Article 8, to identify, analyse, and evaluate the risks of cyber-attacks affecting the operational security o”
Article 21, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityRegional cybersecurity risk mitigation plans (Art. 22)
“shall develop a regional cybersecurity risk mitigation plan for each system operation region.”
Article 22, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityShall provide to the Electricity Coordination Group a report on the outcome of the assessment of cybersecurity risks with regard to cross-border electricity flo (Art. 24) [adjacent]
“shall provide to the Electricity Coordination Group a report on the outcome of the assessment of cybersecurity risks with regard to cross-border electricity flows (the ‘comprehensive cross-border electricity cybersecurity risk assessment report’).”
Article 24, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCybersecurity risk management at entity level (Art. 26)
“shall perform cybersecurity risk management for all its assets in its high-impact and critical-impact perimeters.”
Article 26, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityShall, within 12 months after the notification of the high-and critical-impact entities pursuant to Article 24(6), and every three years thereafter, provide to (Art. 27) [adjacent]
“shall, within 12 months after the notification of the high-and critical-impact entities pursuant to Article 24(6), and every three years thereafter, provide to the competent authority a report containing the following information: (1) a list of controls selected for the entity-le”
Article 27, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityComposition, functioning and review of the common electricity cybersecurity framework (Art. 28) [adjacent]
“shall be composed of the following controls and cybersecurity management system: (a) the minimum cybersecurity controls, developed in accordance with”
Article 28, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityShall apply the minimum cybersecurity controls pursuant to paragraph 1 point (a) within their high-impact perimeter. (Art. 29) [adjacent]
“shall apply the minimum cybersecurity controls pursuant to paragraph 1 point (a) within their high-impact perimeter.”
Article 29, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityDerogations from the minimum and advanced cybersecurity controls (Art. 30) [adjacent]
“shall decide whether a derogation from the minimum and advanced cybersecurity controls is to be granted.”
Article 30, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityVerification of the common electricity cybersecurity framework (Art. 31) [adjacent]
“shall be able to demonstrate its compliance with the cybersecurity management system and the minimum or advanced cybersecurity controls at the request of the competent authority.”
Article 31, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCybersecurity management system (Art. 32) [adjacent]
“shall establish a cybersecurity management system, and review it every three years thereafter, to: (a) determine the scope of the cybersecurity management system considering interfaces and dependencies with other entities;”
Article 32, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityMinimum and advanced cybersecurity controls in the supply chain (Art. 33) [adjacent]
“shall develop a proposal for minimum and advanced cybersecurity controls in the supply chain that mitigate the supply chain risks identified in the Union-wide cybersecurity risk assessments, supplementing the minimum and advanced cybersecurity controls developed pursuant to Artic”
Article 33, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityMapping matrix for electricity cybersecurity controls against standards (Art. 34) [adjacent]
“shall develop a proposal for a matrix to map the controls set out in Article 28(1), points (a) and (b) against selected European and international standards as well as relevant technical specifications (‘the mapping matrix’).”
Article 34, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCybersecurity procurement recommendations (Art. 35) [adjacent]
“shall develop, in a work programme to be established and updated each time a regional cybersecurity risk assessment report is adopted, sets of non-binding cybersecurity procurement recommendations that high-impact and critical-impact entities may use as a basis for the procuremen”
Article 35, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityGuidance on use of European cybersecurity certification schemes for procurement of ICT products, ICT services and ICT pr (Art. 36) [adjacent]
“shall closely cooperate with ENISA in providing the sector-specific guidance included in non-binding cybersecurity procurement recommendations pursuant to paragraph 1.”
Article 36, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityRules on information sharing (Art. 37) [adjacent]
“shall assess the level of confidentiality of that information and inform the entity about the outcome of its assessment without undue delay and not later than within 24 hours of receipt of the information;”
Article 37, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityShall disseminate that information or any other information of importance for preventing, detecting, responding to or mitigating the related risk to critical-im (Art. 38)
“shall disseminate that information or any other information of importance for preventing, detecting, responding to or mitigating the related risk to critical-impact and high-impact entities in its Member State and, where appropriate, to all concerned CSIRTs and to its national si”
Article 38, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityDetection of cyber-attacks and handling of related information (Art. 39)
“shall develop the necessary capabilities to handle detected cyber-attacks with the necessary support from the relevant competent authority, the ENTSO for Electricity and the EU DSO entity.”
Article 39, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCrisis management (Art. 40)
“shall jointly create an ad hoc cross-border crisis coordination group.”
Article 40, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCybersecurity crisis management and response plans (Art. 41)
“shall in close cooperation with ENISA, the ENTSO for Electricity, the EU DSO entity, CS-NCAs, competent authorities, RP-NCAs, the NRAs and the NIS national cyber crisis management authorities, develop a Union-level cybersecurity crisis management and response plan for the electri”
Article 41, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCybersecurity early alert capabilities for the electricity sector (Art. 42) [adjacent]
“shall cooperate with ENISA to develop Electricity Cybersecurity Early Alert Capabilities (ECEAC) as part as the assistance to Member States pursuant to Articles 6(2) and (7) of Regulation (EU) 2019/881.”
Article 42, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityCybersecurity exercises at entity and Member State levels (Art. 43)
“shall perform a cybersecurity exercise including one or more scenarios with cyber-attacks affecting cross-border electricity flows directly or indirectly and related to the risks identified during the cybersecurity risk assessments at Member State and entity levels in accordance ”
Article 43, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityRegional or cross regional cybersecurity exercises (Art. 44)
“shall organise a regional cybersecurity exercise.”
Article 44, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityOutcome of cybersecurity exercises at entity, Member State, regional or cross regional levels (Art. 45)
“shall participate in the cybersecurity exercises referred to in Article 43(1) and (2) and in Article 44(1) when they provide services for the critical-impact entity in the area corresponding with the scope of the relevant cybersecurity exercise.”
Article 45, Delegated Reg (EU) 2024/1366final
EUEU_NCCScyber ot securityPrinciples for the protection of exchanged information (Art. 46) [adjacent]
“shall ensure that information provided, received, exchanged or transmitted under this Regulation is accessible only on a need-to-know basis and in accordance with relevant Union and national rules on security of information.”
Article 46, Delegated Reg (EU) 2024/1366final
EUEU_NIS2cyber ot securitySector-specific Union legal acts (Art. 4) [adjacent]
“shall not apply to such entities.”
Article 4, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityNational cyber crisis management frameworks (Art. 9)
“shall designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities).”
Article 9, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityComputer security incident response teams (CSIRTs) (Art. 10)
“shall designate or establish one or more CSIRTs.”
Article 10, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityShall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II, and shall be responsible for incident handling in accordance w (Art. 11)
“shall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II, and shall be responsible for incident handling in accordance with a well-defined process.”
Article 11, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityShall comply with the following requirements: (a) the CSIRTs shall ensure a high level of availability of their communication channels by avoiding single points (Art. 12)
“shall comply with the following requirements: (a) the CSIRTs shall ensure a high level of availability of their communication channels by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times;”
Article 12, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityCooperation at national level (Art. 13) [adjacent]
“shall cooperate with each other with regard to the fulfilment of the obligations laid down in this Directive.”
Article 13, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityCSIRTs network (Art. 15) [adjacent]
“shall be composed of representatives of the CSIRTs designated or established pursuant to Article 10 and the computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU).”
Article 15, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityEuropean cyber crisis liaison organisation network (EU-CyCLONe) (Art. 16) [adjacent]
“shall be composed of the representatives of Member States’ cyber crisis management authorities as well as, in cases where a potential or ongoing large-scale cybersecurity incident has or is likely to have a significant impact on services and activities falling within the scope of”
Article 16, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityShall include particular policy recommendations, with a view to addressing shortcomings and increasing the level of cybersecurity across the Union, and a summar (Art. 19) [adjacent]
“shall include particular policy recommendations, with a view to addressing shortcomings and increasing the level of cybersecurity across the Union, and a summary of the findings for the particular period from the EU Cybersecurity Technical Situation Reports on incidents and cyber”
Article 19, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityGovernance (Art. 20) [adjacent]
“shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with”
Article 20, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityShall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropri (Art. 22) [adjacent]
“shall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.”
Article 22, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityReporting obligations (Art. 23)
“shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority in accordance with paragraph 4 of any incident that has a significant impact on the provision of their services as referred to in paragraph 3 (s”
Article 23, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityUse of European cybersecurity certification schemes (Art. 24) [adjacent]
“shall encourage essential and important entities to use qualified trust services.”
Article 24, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityCybersecurity information-sharing arrangements (Art. 29) [adjacent]
“shall ensure that entities falling within the scope of this Directive and, where relevant, other entities not falling within the scope of this Directive are able to exchange on a voluntary basis relevant cybersecurity information among themselves, including information relating t”
Article 29, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityVoluntary notification of relevant information (Art. 30) [adjacent]
“shall ensure that, in addition to the notification obligation provided for in Article 23, notifications can be submitted to the CSIRTs or, where applicable, the competent authorities, on a voluntary basis, by: (a) essential and important entities with regard to incidents, cyber t”
Article 30, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securitySupervisory and enforcement measures in relation to essential entities (Art. 32) [adjacent]
“shall ensure that the supervisory or enforcement measures imposed on essential entities in respect of the obligations laid down in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.”
Article 32, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securitySupervisory and enforcement measures in relation to important entities (Art. 33) [adjacent]
“shall ensure that the competent authorities take action, where necessary, through ex post supervisory measures.”
Article 33, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityShall apply mutatis mutandis to the supervisory and enforcement measures provided for in this Article for important entities. (Art. 34) [adjacent]
“shall apply mutatis mutandis to the supervisory and enforcement measures provided for in this Article for important entities.”
Article 34, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityInfringements entailing a personal data breach (Art. 35) [adjacent]
“shall, without undue delay, inform the supervisory authorities as referred to in Article 55 or 56 of that Regulation.”
Article 35, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityPenalties Member States shall lay down rules on penalties applicable to infringements of national measures adopted pursu (Art. 36) [adjacent]
“shall lay down rules on penalties applicable to infringements of national measures adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented.”
Article 36, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityMutual assistance (Art. 37) [adjacent]
“shall cooperate with and assist each other as necessary.”
Article 37, Directive (EU) 2022/2555 (NIS2)final
EUEU_NIS2cyber ot securityTechnical and methodological requirements (Art. 2)
“shall ensure a level of security of network and information systems appropriate to the risks posed when implementing and applying the technical and methodological requirements of cybersecurity risk-management measures set out in the Annex to this Regulation.”
Article 2, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents (Art. 3)
“shall be considered to be significant for the purposes of Article 23(3) of Directive (EU) 2022/2555 with regard to the relevant entities where one or more of the following criteria are fulfilled: (a) the incident has caused or is capable of causing direct financial loss for the r”
Article 3, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securityShall not be considered to be significant incidents. (Art. 4)
“shall not be considered to be significant incidents.”
Article 4, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to DNS service providers With regard to DNS service providers, an incident shall be co (Art. 5)
“shall be considered significant under Article 3(1)(g), where it fulfils one or more of the following criteria: (a) a recursive or authoritative domain name resolution service is completely unavailable for more than 30 minutes;”
Article 5, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to TLD name registries With regard to TLD name registries, an incident shall be consid (Art. 6) [adjacent]
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) an authoritative domain name resolution service is completely unavailable;”
Article 6, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to cloud computing service providers With regard to cloud computing service providers, (Art. 7)
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) a cloud computing service provided is completely unavailable for more than 30 minutes;”
Article 7, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to data centre service providers With regard to data centre service providers, an inci (Art. 8)
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) a data centre service of a data centre operated by the provider is completely unavailable;”
Article 8, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to content delivery network providers With regard to content delivery network provider (Art. 9)
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) a content delivery network is completely unavailable for more than 30 minutes;”
Article 9, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to managed service providers and managed security service providers With regard to man (Art. 10)
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) a managed service or managed security service is completely unavailable for more than 30 minutes;”
Article 10, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to providers of online marketplaces With regard to providers of online marketplaces, a (Art. 11)
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) an online marketplace is completely unavailable for more than 5 % of an online marketplace’s users in the Union, or for more than 1 million of an online marketplace’s”
Article 11, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to providers of online search engines With regard to providers of online search engine (Art. 12) [adjacent]
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) an online search engine is completely unavailable for more than 5 % of that online search engine’s users in the Union, or for more than 1 million of that online searc”
Article 12, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to providers of social networking services platforms With regard to providers of socia (Art. 13) [adjacent]
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) a social networking service platform is completely unavailable for more than 5 % of that social networking service platform’s users in the Union, or for more than 1 m”
Article 13, Implementing Reg (EU) 2024/2690final
EUEU_NIS2cyber ot securitySignificant incidents with regard to trust service providers With regard to trust service providers, an incident shall b (Art. 14)
“shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria: (a) a trust service is completely unavailable for more than 20 minutes;”
Article 14, Implementing Reg (EU) 2024/2690final
UKUK_NIScyber ot securityOES must take appropriate and proportionate technical and organisational measures to manage risks to the security of network and information systems on which their essential service relies.
“An OES must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies.”
Regulation 10(1)final
UKUK_NIScyber ot securityOES must take appropriate and proportionate measures to prevent and minimise the impact of incidents on NIS used for essential service provision, with a view to ensuring continuity of those services.
“An OES must take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of an essential service, with a view to ensuring the continuity of those services.”
Regulation 10(2)final
UKUK_NIScyber ot securityOES security measures must, having regard to the state of the art, ensure a level of NIS security appropriate to the risk posed. [adjacent]
“The measures taken under paragraph (1) must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed.”
Regulation 10(3)final
UKUK_NIScyber ot securityOES must have regard to relevant guidance issued by the designated competent authority when fulfilling security duties under regulation 10(1) and (2).
“Operators of essential services must have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties imposed by paragraphs (1) and (2).”
Regulation 10(4)final
UKUK_NIScyber ot securityOES must notify the designated competent authority without undue delay and no later than 72 hours after awareness of any incident having a significant impact on the continuity of the essential service.
“An OES must notify the designated competent authority about any incident which has a significant impact on the continuity of the essential service... without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred.”
Regulation 11(1), 11(3)(b)(i)final
UKUK_NIScyber ot securityOES incident notification must include: operator name, services provided, time of incident, duration, nature and impact, any cross-border impact, and other helpful information.
“the operator's name and the essential services it provides; the time the NIS incident occurred; the duration of the NIS incident; information concerning the nature and impact of the NIS incident; information concerning any, or any likely, cross-border impact”
Regulation 11(3)(a)final
UKUK_NIScyber ot securityOES must assess incident significance by having regard to: number of users affected, duration of incident, and geographical area affected.
“In order to determine the significance of the impact of an incident an OES must have regard to the following factors— (a) the number of users affected by the disruption of the essential service; (b) the duration of the incident; and (c) the geographical area affected by the incid”
Regulation 11(2)final
UKUK_NIScyber ot securityOES must have regard to competent authority guidance when carrying out incident notification duties under regulation 11(1)-(4). [adjacent]
“Operators of essential services must have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties imposed by paragraphs (1) to (4).”
Regulation 11(12)final
UKUK_NIScyber ot securityRDSP must identify and take appropriate and proportionate measures to manage risks to the security of NIS on which it relies to provide digital services (online marketplace, search engine, cloud).
“A RDSP must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide, within the European Union, the following services— (a) online marketplace; (b) online search engine; or”
Regulation 12(1)final
UKUK_NIScyber ot securityRDSP security measures must ensure NIS security appropriate to risk (state of the art), prevent and minimise incident impact to ensure service continuity, and take into account: security of systems/facilities, incident handling, business continuity management, monitoring/auditing/testing, and compliance with international standards.
“prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services; and (c) take into account the following elements... (ii) incident handling; (iii) business continuity management; (iv) monitoring”
Regulation 12(2)final
UKUK_NIScyber ot securityRDSP must notify the Information Commissioner without undue delay and no later than 72 hours after awareness of any incident having a substantial impact on the provision of a digital service. [adjacent]
“A RDSP must notify the Information Commissioner about any incident having a substantial impact on the provision of any of the digital services... without undue delay and in any event no later than 72 hours after the RDSP is aware that an incident has occurred.”
Regulation 12(3), 12(6)(a)final
UKUK_NIScyber ot securityRDSP must assess whether incident impact is substantial by considering: number of users affected, duration, geographical area, extent of service disruption, economic/societal impact, and specified Article 4 situations per EU Regulation 2018/151.
“In order to determine whether the impact of an incident is substantial the RDSP must— (a) take into account the following parameters... (i) the number of users affected... (ii) the duration of the incident; (iii) the geographical area... (iv) the extent of the disruption... (v) t”
Regulation 12(7)final
UKUK_NIScyber ot securityRDSP incident notification must contain sufficient information to enable the Information Commissioner to determine the significance of any cross-border impact. [adjacent]
“contain sufficient information to enable the Information Commissioner to determine the significance of any cross-border impact.”
Regulation 12(6)(b)final
UKUK_NIScyber ot securityRDSP incident notification must include: name and services, time of incident, duration, nature and impact, cross-border impact, and other helpful information.
“The notification mentioned in paragraph (3) must provide the following information— (a) the operator's name and the essential services it provides; (b) the time the NIS incident occurred; (c) the duration of the NIS incident; (d) information concerning the nature and impact of th”
Regulation 12(5)final
UKUK_NIScyber ot securityWhere an OES relies on a RDSP, the OES must notify the relevant competent authority about any significant impact on continuity of its essential service caused by an incident affecting the RDSP, as soon as it occurs.
“If an OES is reliant on a RDSP to provide an essential service, the operator must notify the relevant competent authority in relation to it about any significant impact on the continuity of the service it provides caused by an incident affecting the RDSP as soon as it occurs.”
Regulation 12(9)final
UKUK_NIScyber ot securityThe NIS national strategy must address measures relating to preparedness, response and recovery, including cooperation between public and private sectors.
“The NIS national strategy must, in particular, address the following matters— ... (c) the measures relating to preparedness, response and recovery, including cooperation between public and private sectors.”
Regulation 2(5)(c)final
UKUK_NIScyber ot securityThe designated CSIRT must monitor incidents, provide early warning/alerts about risks and incidents, and respond to incidents notified under regulations 11(5)(b) and 12(8).
“The CSIRT must— (a) monitor incidents in the United Kingdom; (b) provide early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents; (c) respond to any incident notified to it under regulation 11(5)(b) or regulation 12”
Regulation 5(2)(a)-(c)final
UKUK_NIScyber ot securityThe designated CSIRT must provide dynamic risk and incident analysis and situational awareness, and promote adoption of common/standardised incident and risk handling procedures and classification schemes. [adjacent]
“provide dynamic risk and incident analysis and situational awareness; ... promote the adoption and use of common or standardised practices for— (i) incident and risk handling procedures, and (ii) incident, risk and information classification schemes”
Regulation 5(2)(d), 5(2)(g)final
UKUK_NIScyber ot securityAfter receiving an OES incident notification, the competent authority must assess what further action is required and share NIS incident information with the CSIRT as soon as reasonably practicable. [adjacent]
“After receipt of a notification under paragraph (1), the competent authority must— (a) assess what further action, if any, is required in respect of that incident; and (b) share the NIS incident information with the CSIRT as soon as reasonably practicable.”
Regulation 11(5)final
UKUK_NIScyber ot securityAfter receiving RDSP incident notification, the Information Commissioner must share incident information with the CSIRT as soon as reasonably practicable. [adjacent]
“After receipt of a notification under paragraph (3) the Information Commissioner must share the incident notification with the CSIRT as soon as reasonably practicable.”
Regulation 12(8)final
UKUK_NIScyber ot securityThe CSIRT must inform relevant authorities in other Member States if a notified incident has a significant impact on the continuity of essential service provision in that Member State.
“After receipt of the NIS incident information under paragraph (5)(b), and based on that information, the CSIRT must inform the relevant authorities in a Member State if the incident has a significant impact on the continuity of an essential service provision in that Member State.”
Regulation 11(6)final
UKUK_NIScyber ot securityOES must comply with information notices from the competent authority requiring provision of information to assess NIS security and implementation of security policies, including inspection evidence. [adjacent]
“A designated competent authority may serve an information notice upon an OES requiring that person to provide it with information that it reasonably requires to assess— (a) the security of the OES's network and information systems; and (b) the implementation of the operator's sec”
Regulation 15(2)final
UKUK_NIScyber ot securityOES and RDSP must cooperate with inspections assessing compliance with security duties: pay costs, cooperate with inspectors, provide premises access, allow document inspection/copying/removal, and allow access to relevant personnel. [adjacent]
“the OES or RDSP (as the case may be) must— (a) pay the reasonable costs of the inspection; (b) co-operate with the person who is conducting the inspection... (c) provide the inspector with reasonable access to their premises; (d) allow the inspector to inspect, copy or remove suc”
Regulation 16(3)final
UKUK_NIScyber ot securityRDSP must comply with information notices from the Information Commissioner requiring information to assess NIS security and implementation of security policies, including inspection evidence. [adjacent]
“The Information Commissioner may serve upon a RDSP an information notice requiring that RDSP to provide the Information Commissioner with information that the Information Commissioner reasonably requires to assess— (a) the security of the RDSP's network and information systems; a”
Regulation 15(3)final
UKUK_NIScyber ot securityThe NIS national strategy must include a risk assessment plan identifying risks to NIS security across relevant sectors and digital services. [adjacent]
“The NIS national strategy must, in particular, address the following matters— ... (f) a risk assessment plan identifying any risks.”
Regulation 2(5)(f)final
UKUK_TELECOMcyber ot securityMaintain written plan to keep network operational if third-party supplier goods/services are interrupted; review plan regularly.
“ensure that there is in place at all times a written plan to maintain the normal operation of the public electronic communications network in the event that the supply, provision or making available of goods, services or facilities by a third party supplier is interrupted”
Regulation 7(5)final
UKUK_TELECOMcyber ot securityCreate and retain within the UK online (and, proportionately, offline) copies of information necessary to maintain normal network/service operation, replacing them with appropriate frequency.
“create or acquire, for the purposes mentioned in that paragraph, and to retain within the United Kingdom— (i) an online copy of information necessary to maintain the normal operation of the public electronic communications network or public electronic communications service, and ”
Regulation 9(2)(a) and 9(2)(b)final
UKUK_TELECOMcyber ot securityHave means and procedures to promptly identify a security compromise, assess its severity, impact and likely cause, and identify required mitigating actions.
“for promptly identifying the occurrence of any security compromise and assessing its severity, impact and likely cause, (ii) for promptly identifying any mitigating actions required as a result of the occurrence of any security compromise”
Regulation 9(2)(c)(i) and 9(2)(c)(ii)final
UKUK_TELECOMcyber ot securityHave procedures to deal with a security compromise within a reasonable period (risk-appropriate), and without causing further compromise.
“for dealing with the occurrence of a security compromise within a reasonable period appropriate to the assessed security risk of the network provider or service provider, and without creating any risk of a further security compromise occurring”
Regulation 9(2)(c)(iv)final
UKUK_TELECOMcyber ot securityIf unable to prevent adverse effects of a security compromise within 14 days of occurrence, prepare a written remediation plan stating how and when measures will be taken.
“if the network provider or service provider is unable to take steps for the purposes of preventing any adverse effects... within the period of 14 days beginning with the day on which it occurs, the network provider or service provider is able to prepare a written plan as to how a”
Regulation 9(2)(c)(v)final
UKUK_TELECOMcyber ot securityHave procedures to deal with unauthorised access to or control over security critical functions as soon as reasonably possible, without risk of further compromise, restoring authorised-only access.
“for dealing with any unauthorised access to, or control over, security critical functions by taking action as soon as reasonably possible, and without creating any risk of a further security compromise occurring, to ensure that only authorised users have access to the network or ”
Regulation 9(2)(c)(vi)final
UKUK_TELECOMcyber ot securityHave procedures to replace information damaged by security compromises using the retained backup copies.
“for replacing information damaged by security compromises with the information contained in the copy referred to in sub-paragraph (a)”
Regulation 9(2)(c)(vii)final
UKUK_TELECOMcyber ot securityHave procedures to prevent transmission of signals that give rise to the risk of a connected security compromise where a compromise creates that risk. [adjacent]
“where the occurrence of a security compromise gives rise to the risk of a connected security compromise, for preventing the transmission of signals that give rise to that risk”
Regulation 9(2)(c)(iii)final
UKUK_TELECOMcyber ot securityEstablish and regularly review a security policy that includes procedures for managing security incidents at varying levels of severity and a standardised categorisation system. [adjacent]
“ensure that the policy includes procedures for the management of security incidents, at varying levels of severity, (c) to have a standardised way of categorising and managing security incidents”
Regulation 10(2)(b) and 10(2)(c)final
UKUK_TELECOMcyber ot securityEnsure security policy provides for post-incident review of security incidents, with outcome considered at appropriate governance level and used to inform future policy.
“ensure that the policy provides for a post-incident review procedure in relation to security incidents and that the procedure involves consideration of the outcome of the review at an appropriate governance level and the use of that outcome to inform future policy”
Regulation 10(2)(e)final
UKUK_TELECOMcyber ot securityAssign board-level (or equivalent) responsibility for supervising implementation of the security policy and managing persons responsible for security measures. [adjacent]
“give a person or committee at board level (or equivalent) responsibility for— (i) supervising the implementation of the policy, and (ii) ensuring the effective management of persons responsible for the taking of measures”
Regulation 10(2)(f)final
UKUK_TELECOMcyber ot securityContract with third-party suppliers to require them to cooperate in resolving incidents that cause or contribute to a security compromise or increased risk thereof.
“takes appropriate measures to co-operate with the primary provider in the resolution of incidents which cause or contribute to the occurrence of a security compromise in relation to the primary provider's network or service or of an increased risk of such a compromise occurring”
Regulation 7(4)(a)(iv)final
UKUK_TELECOMcyber ot securityHave written plans to manage termination of and transition from supplier contracts while maintaining network/service security.
“to have appropriate written plans to manage the termination of, and transition from, contracts with third party suppliers while maintaining the security of the network or service”
Regulation 7(4)(c)final
UKUK_TELECOMcyber ot securityContract with third-party suppliers to require them to allow monitoring of all their activity in relation to the provider's network or service.
“takes appropriate measures to enable the primary provider to monitor all activity undertaken or arranged by the third party supplier in relation to the primary provider's network or service”
Regulation 7(4)(a)(iii)final
UKUK_TELECOMcyber ot securityEnsure all network connections and data sharing with or arranged by third-party suppliers are managed securely. [adjacent]
“to ensure that all network connections and data sharing with third party suppliers, or arranged by third party suppliers, are managed securely”
Regulation 7(4)(b)final
UKUK_TELECOMcyber ot securityIdentify and reduce risks of security compromises arising from third-party suppliers throughout the contract lifecycle including sub-contractors. [adjacent]
“take such measures as are appropriate and proportionate to identify and reduce the risks of security compromises occurring in relation to the public electronic communications network or public electronic communications service as a result of things done or omitted by third party ”
Regulation 7(1) and 7(3)final
UKUK_TELECOMcyber ot securityDesign and maintain the network so that a security compromise in one part does not propagate to other parts (network segmentation for resilience).
“take such measures as are appropriate and proportionate to ensure that the public electronic communications network or public electronic communications service is designed in such a way that the occurrence of a security compromise in relation to part of the network or service doe”
Regulation 3(5)final
UKUK_TELECOMcyber ot securityEnsure the network can be operated without reliance on persons, equipment or data outside the UK if necessary, and identify any risk that such operation may become necessary.
“is able, without reliance on persons, equipment or stored data located outside the United Kingdom, to identify the risks of security compromises occurring... if it should become necessary to do so, would be able to operate the network without reliance on persons, equipment or sto”
Regulation 3(3)(f)final
UKUK_TELECOMcyber ot securityHave in place means and procedures to isolate security critical functions from signals not believed on reasonable grounds to be safe.
“A network provider must have in place, and use where appropriate, means and procedures for isolating security critical functions from signals which the provider does not believe on reasonable grounds to be safe.”
Regulation 8(3)final
UKUK_TELECOMcyber ot securityMonitor and analyse security critical functions for anomalous activity and security compromises, using automated means where possible, and investigate anomalies.
“monitor and analyse the operation of security critical functions of the public electronic communications network or public electronic communications service for the purpose of identifying the occurrence of any security compromise, using automated means of monitoring and analysis ”
Regulation 6(2)final
UKUK_TELECOMcyber ot securityCarry out at appropriate intervals security tests (including simulated attack techniques) and ensure test design is not disclosed to those responsible for detection and response.
“carry out, or arrange for a suitable person to carry out, such tests in relation to the network or service as are appropriate and proportionate... The tests must involve simulating, so far as is possible, techniques that might be expected to be used by a person seeking to cause a”
Regulation 14(1), 14(2) and 14(3)final
UKUK_TELECOMcyber ot securityUndertake at least annual risk assessment producing a written assessment of overall security compromise risk for the next 12 months, incorporating results of reviews and tests. [adjacent]
“undertake at least once in any period of 12 months a review of the risks of security compromises occurring in relation to the network or service in order to produce a written assessment of the extent of the overall risk of security compromises occurring within the next 12 months”
Regulation 11(b)final
UKUK_TELECOMcyber ot securityApply available patches and mitigations within an appropriate period reflecting severity; where >14 days is chosen (or significant risk exists), decision must be recorded at appropriate governance level.
“deploy the patch or mitigation within such period as is appropriate in the circumstances having regard to the severity of the risk... decision as to what period the network provider or service provider considers appropriate... to be taken at an appropriate governance level and re”
Regulation 12(a), 12(b) and 12(c)final
UKUK_TELECOMcyber ot securityNotify another network/service provider of a security compromise where it may cause a connected security compromise in that provider's network or service. [adjacent]
“the relevant person must, so far as is appropriate and proportionate, provide information about the security compromise to the network provider or service provider in relation to the other network or service”
Regulation 15(1)final
UKUK_TELECOMcyber ot securityEnsure security data required for monitoring duties (access records, anomaly alerts) is held securely for at least 13 months. [adjacent]
“ensure that all data required for the purposes of a duty under paragraph (1) or sub-paragraphs (a) to (c) is held securely for at least 13 months”
Regulation 6(3)(e)final
USCISAcyber ot securityPromptly report cybersecurity incidents to CISA. [adjacent]
“it requires TSA-specified Owner/Operators of critical pipelines to promptly report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).”
TSA Security Directive Pipeline-2021-01 (ratified per 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityDesignate a Cybersecurity Coordinator available to TSA and CISA at all times to coordinate cybersecurity practices and address incidents. [adjacent]
“it requires those Owner/Operators to designate a Cybersecurity Coordinator who must be available to TSA and CISA at all times to coordinate cybersecurity practices and address any incidents that arise.”
TSA Security Directive Pipeline-2021-01 (ratified per 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityReview current cybersecurity practices against TSA Pipeline Security Guidelines, assess cyber risks, identify gaps, and develop remediation measures with a timeline. [adjacent]
“it requires Owner/Operators to review their current cybersecurity practices against TSA's Pipeline Security Guidelines related to cybersecurity and to assess cyber risks, identify any gaps, and develop necessary remediation measures, along with a timeline for achieving them.”
TSA Security Directive Pipeline-2021-01 (ratified per 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityImplement specified cybersecurity mitigation measures to reduce the risk of compromise from a cyberattack, drawing on NIST guidelines and CISA recommendations. [adjacent]
“Implement specified mitigation measures to reduce the risk of compromise from a cyberattack, drawing on guidelines published by the National Institute of Standards and Technology (NIST) and recommendations from CISA”
TSA Security Directive Pipeline-2021-02 (ratified 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityDevelop a Cybersecurity Contingency/Response Plan to reduce the risk of operational disruption or functional degradation of IT and OT systems in the event of a malicious cyber intrusion.
“Develop a Cybersecurity Contingency/Response Plan to reduce the risk of operational disruption or functional degradation of information technology and operational technology systems in the event of a malicious cyber intrusion”
TSA Security Directive Pipeline-2021-02 (ratified 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityTest the effectiveness of cybersecurity practices through an annual cybersecurity architecture design review conducted by a qualified third party. [adjacent]
“Test the effectiveness their cybersecurity practices through an annual cybersecurity architecture design review conducted by a third party.”
TSA Security Directive Pipeline-2021-02 (ratified 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityReport cybersecurity incidents to CISA within 12 hours of discovery. [adjacent]
“Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours”
TSA Security Directive Pipeline-2021-01 (ratified 49 U.S.C. 114(l)(2)); referenced in FR Doc 2021-20738 Background Section I.Afinal
USCISAcyber ot securityAppoint a cybersecurity coordinator who is available 24 hours a day, 7 days a week to coordinate with TSA and CISA during cyber incidents.
“appoint a cybersecurity coordinator to be available 24/7 to coordinate with TSA and CISA”
TSA Security Directive Pipeline-2021-01 (ratified 49 U.S.C. 114(l)(2)); referenced in FR Doc 2021-20738 Background Section I.Afinal
USCISAcyber ot securityConduct a self-assessment of cybersecurity practices, identify gaps, and develop a remediation plan with timeline. [adjacent]
“conduct a self-assessment of cybersecurity practices, identify any gaps, and develop a plan and timeline for remediation.”
TSA Security Directive Pipeline-2021-01 (ratified 49 U.S.C. 114(l)(2)); referenced in FR Doc 2021-20738 Background Section I.Afinal
USCISAcyber ot securityDesignate a Cybersecurity Coordinator available 24/7 to coordinate cybersecurity practices, manage cybersecurity incidents, and serve as principal contact with TSA and CISA. [adjacent]
“Designate a Cybersecurity Coordinator who is required to be available to TSA and CISA at all times (all hours/all days) to coordinate implementation of cybersecurity practices, manage cybersecurity incidents”
Security Directive 1580-21-01; Security Directive 1582-21-01 (ratified 6 CFR Ch. I / 49 CFR Ch. XII, FR Doc 2022-11018)final
USCISAcyber ot securityReport cybersecurity incidents to CISA as required by Security Directives 1580-21-01 and 1582-21-01. [adjacent]
“Report cybersecurity incidents to CISA”
Security Directive 1580-21-01; Security Directive 1582-21-01 (FR Doc 2022-11018)final
USCISAcyber ot securityConduct a Cybersecurity Vulnerability Assessment to identify gaps in current cybersecurity measures, identify remediation measures, and develop a remediation plan. [adjacent]
“Conduct a Cybersecurity Vulnerability Assessment to identify gaps in current cybersecurity measures, identify remediation measures, and develop a plan for the owner/operator to implement the remediation measures”
Security Directive 1580-21-01; Security Directive 1582-21-01 (FR Doc 2022-11018)final
USCISAcyber ot securityDevelop a Cybersecurity Incident Response Plan to reduce the risk of operational disruption if IT or OT systems are affected by a cybersecurity incident.
“Develop a Cybersecurity Incident Response Plan to reduce the risk of operational disruption should their Information and/or Operational Technology systems be affected by a cybersecurity incident.”
Security Directive 1580-21-01; Security Directive 1582-21-01 (FR Doc 2022-11018)final
USCISAcyber ot securityDesignate a Cybersecurity Coordinator available 24/7 to coordinate with TSA and CISA, as required for critical pipeline owner/operators. [adjacent]
“appoint a cybersecurity coordinator to be available 24/7 to coordinate with TSA and CISA”
Security Directive Pipeline-2021-01 / Pipeline-2021-01A (FR Doc 2022-11018)final
USCISAcyber ot securityReport cybersecurity incidents to CISA as required for critical pipeline owner/operators, using the updated definition of 'cybersecurity incident' introduced by Pipeline-2021-01A. [adjacent]
“Report cybersecurity incidents to CISA... updating the definition of cybersecurity incident applicable in the pipeline context to mirror the definition used by the subsequent security directives”
Security Directive Pipeline-2021-01A (FR Doc 2022-11018)final
USCISAcyber ot securityConduct a self-assessment of cybersecurity practices, identify any gaps, and develop a remediation plan with timeline for critical pipeline systems.
“conduct a self-assessment of cybersecurity practices, identify any gaps, and develop a plan and timeline for remediation”
Security Directive Pipeline-2021-01 / Pipeline-2021-01A (FR Doc 2022-11018)final
USCISAcyber ot securityImplement specified mitigation measures to reduce the risk of compromise from a cyberattack on critical pipeline IT and OT systems.
“Implement specified mitigation measures to reduce the risk of compromise from a cyberattack”
Security Directive Pipeline-2021-02 / Pipeline-2021-02B (FR Doc 2022-11018)final
USCISAcyber ot securityDevelop a Cybersecurity Contingency/Response Plan to reduce the risk of operational disruption or functional degradation of IT and OT systems in the event of a malicious cyber intrusion.
“Develop a Cybersecurity Contingency/Response Plan to reduce the risk of operational disruption or functional degradation of information technology and operational technology systems in the event of a malicious cyber intrusion”
Security Directive Pipeline-2021-02 / Pipeline-2021-02B (FR Doc 2022-11018)final
USCISAcyber ot securityTest the effectiveness of cybersecurity practices through an annual cybersecurity architecture design review conducted by a qualified third party. [adjacent]
“Test the effectiveness of their cybersecurity practices through an annual cybersecurity architecture design review conducted by a third party.”
Security Directive Pipeline-2021-02 / Pipeline-2021-02B (FR Doc 2022-11018)final
USCISAotherContractors must report known or suspected incidents involving CUI to DHS, including subcontractors reporting to both DHS and the prime contractor. [adjacent]
“Made clear that both contractors and subcontractors are responsible for reporting known or suspected incidents to the Department; Made clear that subcontractors are required to notify the prime contractor that they have reported a known or suspected incident”
HSAR 3052.204-7X(c)final
USCISAotherContractors must implement incident response requirements as specified in clause 3052.204-7X(d), including post-incident activities.
“Identifies incident reporting requirements, including timelines and required data elements, inspection provisions, and post-incident activities”
HSAR 3052.204-7X(d)final
USCISAotherContractors must retain monitoring and packet capture data for at least 180 days following an incident. [adjacent]
“Increased the amount of time a vendor must retain monitoring/packet capture data from 90 days to 180 days”
HSAR 3052.204-7Xfinal
USCISAotherContractors operating Federal information systems (including contractor systems operated on behalf of DHS) must obtain an Authority to Operate (ATO) before operating such systems. [adjacent]
“Made the requirements of paragraph (c), Authority to Operate, into Alternate I to the basic clause...applicable when Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI”
HSAR 3052.204-7X Alternate Ifinal
USCISAotherContractors operating Federal information systems on behalf of DHS must comply with DHS Sensitive Systems Policy Directive 4300A and DHS 4300A Sensitive Systems Handbook. [adjacent]
“Alternate I to the basic clause is applicable when Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI...DHS Sensitive Systems Policy Directive 4300A and DHS 4300A Sensiti”
HSAR 3052.204-7X Alternate Ifinal
USCISAotherFederal information systems operated by contractors on behalf of DHS must implement security controls consistent with NIST SP 800-53. [adjacent]
“When the Government determines that a contractor information system is being operated on its behalf, that information system is considered a Federal information system and subject to the requirements of NIST SP 800-53, Security and Privacy Controls for Information Systems and Org”
HSAR 3052.204-7X Alternate Ifinal
USCISAotherContractors must undergo an independent assessment of information security controls for Federal information systems operated on behalf of DHS. [adjacent]
“The primary contributors to these costs are the independent assessment requirement and reporting and recordkeeping requirements...Agency specific requirements such as an independent assessment and security review are not in conflict with these requirements.”
HSAR 3052.204-7X Alternate Ifinal
USCISAcyber ot securityReport cybersecurity incidents to CISA within 24 hours after an incident is identified. [adjacent]
“increase in the amount of time covered entities have to report cybersecurity incidents to CISA from 12 hours to 24 hours after an incident is identified”
Security Directive Pipeline-2021-01B (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityAppoint a cybersecurity coordinator available 24/7 to coordinate with TSA and CISA. [adjacent]
“appoint a cybersecurity coordinator to be available 24/7 to coordinate with TSA and CISA”
Security Directive Pipeline-2021-01B (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityConduct a self-assessment of cybersecurity practices, identify gaps, and develop a remediation plan with timeline. [adjacent]
“conduct a self-assessment of cybersecurity practices, identify any gaps, and develop a plan and timeline for remediation”
Security Directive Pipeline-2021-01B (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityImplement network segmentation policies and controls so OT systems can safely operate if IT systems are compromised.
“Implement network segmentation policies and controls to ensure that the Operational Technology (OT) system can continue to safely operate in the event that an Information Technology (IT) system has been compromised”
Security Directive Pipeline-2021-02C (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityImplement access control measures to secure and prevent unauthorized access to critical cyber systems. [adjacent]
“Implement access control measures to secure and prevent unauthorized access to critical cyber systems”
Security Directive Pipeline-2021-02C (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityImplement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies affecting critical cyber system operations.
“Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations”
Security Directive Pipeline-2021-02C (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityReduce risk of exploitation of unpatched systems by applying security patches and updates in a timely manner using a risk-based methodology. [adjacent]
“Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology”
Security Directive Pipeline-2021-02C (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityEstablish and implement a TSA-approved Cybersecurity Implementation Plan describing specific cybersecurity measures and schedule for achieving required security outcomes. [adjacent]
“Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures employed and the schedule for achieving the security outcomes identified”
Security Directive Pipeline-2021-02C (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityDevelop and maintain an up-to-date Cybersecurity Incident Response Plan to reduce the risk of operational disruption or significant capacity impact if IT/OT systems are affected by a cyber incident.
“Develop and maintain an up-to-date Cybersecurity Incident Response Plan to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity...should the Information and/or Operational Technology systems...be affected by a cybersecurity inc”
Security Directive Pipeline-2021-02C (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityEstablish a Cybersecurity Assessment Program and submit an annual plan describing how the owner/operator will proactively assess cybersecurity measure effectiveness and identify/resolve vulnerabilities. [adjacent]
“Establish a Cybersecurity Assessment Program and submit an annual plan that describes how the Owner/Operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities”
Security Directive Pipeline-2021-02C (ratified under 49 U.S.C. 114(l)(2))final
USCISAcyber ot securityDesignate a Cybersecurity Coordinator available at all times to coordinate cybersecurity practices, manage cybersecurity incidents, and serve as principal contact with TSA and CISA. [adjacent]
“Designate a Cybersecurity Coordinator who is required to be available to TSA and CISA at all times (all hours/all days) to coordinate implementation of cybersecurity practices, manage cybersecurity incidents”
Security Directive 1580-21-01A; Security Directive 1582-21-01Afinal
USCISAcyber ot securityReport cybersecurity incidents to CISA. [adjacent]
“Report cybersecurity incidents to CISA”
Security Directive 1580-21-01A; Security Directive 1582-21-01Afinal
USCISAcyber ot securityConduct a Cybersecurity Vulnerability Assessment to identify gaps, remediation measures, and develop a plan to address identified vulnerabilities. [adjacent]
“Conduct a Cybersecurity Vulnerability Assessment to identify gaps in current cybersecurity measures, identify remediation measures, and develop a plan for the owner/operator to implement the remediation measures”
Security Directive 1580-21-01A; Security Directive 1582-21-01Afinal
USCISAcyber ot securityDevelop, continuously update, and maintain a Cybersecurity Incident Response Plan to reduce risk of operational disruption if IT or OT systems are affected by a cybersecurity incident.
“require covered entities to continuously update and maintain these plans, once developed... Develop a Cybersecurity Incident Response Plan to reduce the risk of operational disruption should their Information and/or Operational Technology systems be affected”
Security Directive 1580-21-01A; Security Directive 1582-21-01Afinal
USCISAcyber ot securityImplement network segmentation policies and controls to ensure OT systems can continue to safely operate if IT systems are compromised.
“Implement network segmentation policies and controls to ensure that the Operational Technology (OT) system can continue to safely operate in the event that an Information Technology (IT) system has been compromised”
Security Directive 1580/82-2022-01final
USCISAcyber ot securityImplement access control measures to secure and prevent unauthorized access to critical cyber systems. [adjacent]
“Implement access control measures to secure and prevent unauthorized access to critical cyber systems”
Security Directive 1580/82-2022-01final
USCISAcyber ot securityImplement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies affecting critical cyber system operations.
“Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations”
Security Directive 1580/82-2022-01final
USCISAcyber ot securityReduce risk of exploitation of unpatched systems by applying security patches and updates to operating systems, applications, drivers, and firmware on critical cyber systems using a risk-based methodology. [adjacent]
“Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology”
Security Directive 1580/82-2022-01final
USCISAcyber ot securityEstablish and implement a TSA-approved Cybersecurity Implementation Plan describing specific cybersecurity measures employed and the schedule for achieving required security outcomes. [adjacent]
“Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures employed and the schedule for achieving the security outcomes identified”
Security Directive 1580/82-2022-01final
USCISAcyber ot securityEstablish a Cybersecurity Assessment Program and submit an annual plan describing how the owner/operator will proactively and regularly assess cybersecurity measure effectiveness and identify and resolve vulnerabilities. [adjacent]
“Establish a Cybersecurity Assessment Program and submit an annual plan that describes how the Owner/Operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities”
Security Directive 1580/82-2022-01final
USCISAcyber ot securityPROPOSED: Covered entities must report covered cyber incidents to CISA within 72 hours after reasonably believing a covered cyber incident has occurred. [adjacent]
“covered entities to report to CISA within certain prescribed timeframes any covered cyber incidents...CIRCIA requires covered entities to report to CISA covered cyber incidents within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurr”
6 CFR 226.3; 6 U.S.C. 681b(a)(1)proposed
USCISAcyber ot securityPROPOSED: Covered entities must report ransom payments made in response to a ransomware attack to CISA within 24 hours after the ransom payment has been made. [adjacent]
“ransom payments made in response to a ransomware attack within 24 hours after the ransom payment has been made”
6 CFR 226.3; 6 U.S.C. 681b(a)(2)proposed
USCISAcyber ot securityPROPOSED: Covered entities must submit a Supplemental Report to CISA upon discovering substantial new or different information related to a previously submitted CIRCIA Report. [adjacent]
“any substantial new or different information discovered related to a previously submitted report”
6 CFR 226.3; 6 U.S.C. 681b(a)(3)proposed
USCISAcyber ot securityPROPOSED: Covered entities must preserve specified data and records related to a covered cyber incident for the required preservation period. [adjacent]
“Section 226.13 of the proposed regulation sets forth the proposed data and records preservation requirements. It includes a recitation of the types of data and records that a covered entity must preserve; the required preservation period; the format or form in which the data and ”
6 CFR 226.13proposed
USCISAcyber ot securityPROPOSED: Covered entities must store, protect, and restrict use of preserved cyber incident data and records in accordance with regulatory requirements. [adjacent]
“the storage, protection, and allowable uses of the preserved data and records”
6 CFR 226.13proposed
USCISAcyber ot securityPROPOSED: Covered entities must provide required information content in Covered Cyber Incident Reports as enumerated in the proposed regulation. [adjacent]
“The information CISA proposes that covered entities must include in each of the four types of CIRCIA Reports is enumerated in Sec. Sec. 226.7 through 226.11”
6 CFR 226.7proposed
USCISAcyber ot securityPROPOSED: Covered entities must provide required information content in Ransom Payment Reports as enumerated in the proposed regulation. [adjacent]
“The information CISA proposes that covered entities must include in each of the four types of CIRCIA Reports is enumerated in Sec. Sec. 226.7 through 226.11”
6 CFR 226.8proposed
USCISAcyber ot securityPROPOSED: Covered entities must submit CIRCIA Reports using the web-based CIRCIA Incident Reporting Form on CISA's website or another CISA-approved manner and form. [adjacent]
“Section 226.6 of the proposed regulation sets forth the proposed manner and form of reporting, which CISA proposes to be through a web-based CIRCIA Incident Reporting Form available on CISA's website or in any other manner and form of reporting approved by the Director.”
6 CFR 226.6proposed
USCISAcyber ot securityPROPOSED: Third parties that knowingly make a ransom payment on behalf of a covered entity must advise the covered entity of its ransom payment reporting obligations under CIRCIA. [adjacent]
“the proposed regulation also affirms the statutorily mandated obligation for a third party to advise the covered entity of its ransom payment reporting obligations under CIRCIA when the third party knowingly makes a ransom payment on behalf of a covered entity”
6 CFR 226.12(d); 6 U.S.C. 681b(d)(4)proposed
USCISAcyber ot securityPROPOSED: Covered entities using a third party to submit CIRCIA Reports must ensure submissions satisfy the covered entity's reporting obligations under applicable procedures and requirements. [adjacent]
“A covered entity may use a third party to submit a CIRCIA Report to CISA on the covered entity's behalf to satisfy the covered entity's reporting obligations. The proposed procedures and requirements for using a third party to submit a CIRCIA Report on behalf of the covered entit”
6 CFR 226.12proposed
USCISAcyber ot securityPROPOSED: Covered entities must comply with CISA Requests for Information (RFI) seeking information about a covered cyber incident or ransom payment not reported in accordance with regulatory requirements. [adjacent]
“CIRCIA authorizes CISA to use various mechanisms to obtain information from a covered entity about a covered cyber incident or ransom payment that was not reported in accordance with CISA's proposed regulatory reporting requirements...These mechanisms include the issuance of an R”
6 CFR 226.14; 6 U.S.C. 681dproposed
USCISAcyber ot securityPROPOSED: Covered entities must comply with administrative subpoenas issued by CISA for information about unreported covered cyber incidents or ransom payments. [adjacent]
“CIRCIA authorizes CISA to use various mechanisms to obtain information from a covered entity about a covered cyber incident or ransom payment that was not reported...These mechanisms include...the issuance of a subpoena”
6 CFR 226.15; 6 U.S.C. 681dproposed
USCISAcyber ot securityPROPOSED: Covered entities must become familiar with the CIRCIA regulation requirements, including definitions, applicability criteria, reporting deadlines, and data preservation obligations. [adjacent]
“The main industry cost drivers of this proposed rule are the initial costs associated with becoming familiar with the proposed rule, followed by the recurring data and records preservation requirements, and then reporting requirements.”
6 CFR 226.1; 226.2; 226.3; 226.5; 226.13proposed
USCISAcyber ot securityPROPOSED: Covered entities reporting under a substantially similar existing Federal requirement may qualify for the substantially similar reporting exception only where a CIRCIA Agreement exists between CISA and the other Federal agency. [adjacent]
“when a covered entity reports substantially similar information in a substantially similar timeframe to another Federal agency pursuant to an existing law, regulation, or contract when a CIRCIA Agreement is in place between CISA and the other Federal agency”
6 CFR 226.4proposed
USEPAotherDuring temporary disaster-recovery use, continue operating any installed control device unless it is infeasible to operate due to conditions in the disaster recovery area.
“If your CISWI or air curtain incinerator is equipped with a control device, you must continue to run that control device in order to qualify for this exclusion, unless the control device is infeasible to operate as a result of the disaster.”
40 CFR 60.2041(a)final
USEPAotherIf temporary disaster-recovery use of a CISWI or ACI will exceed 8 consecutive weeks, submit written notification to the Administrator by the date 8 weeks after the unit started operation requesting permission to continue.
“you must notify the Administrator that the temporary-use CISWI or air curtain incinerator will be used for more than 8 weeks and request permission to continue to operate the unit... submitted in writing by the date 8 weeks after you start operation.”
40 CFR 60.2041(c) and (c)(1)final
USEPAotherAfter timely notification, the operator may continue temporary disaster-recovery operation for an additional 8 weeks (16 weeks total) only if control devices continue to run as able; must cease or comply at 16 weeks unless EPA approves further extension in writing.
“you may continue to operate the CISWI or air curtain incinerator for another 8 weeks, which is a total of 16 weeks...so long as control devices continue to run as able...you must cease operation of the unit or comply with all requirements of this subpart, unless the Administrator”
40 CFR 60.2041(d) and (d)(1)final
USEPAotherDuring temporary disaster-recovery use under subpart DDDD (Emissions Guidelines), continue operating any installed control device unless infeasible due to disaster conditions.
“If your CISWI or air curtain incinerator is equipped with a control device, you must continue to run that control device in order to qualify for this exclusion, unless the control device is infeasible to operate as a result of the disaster.”
40 CFR 60.2556(a)final
USEPAotherIf temporary disaster-recovery use under subpart DDDD will exceed 8 weeks, submit written notification to the Administrator by 8 weeks after start of operation requesting continued operation.
“you must notify the Administrator that the temporary-use CISWI or air curtain incinerator will be used for more than 8 weeks and request permission to continue to operate the unit...submitted in writing by the date 8 weeks after you start operation.”
40 CFR 60.2556(c) and (c)(1)final
USEPAotherDuring temporary disaster-recovery use under Federal Plan subpart IIIa, continue operating any installed control device unless infeasible due to disaster conditions.
“If your CISWI or air curtain incinerator is equipped with a control device, you must continue to run that control device in order to qualify for this exclusion, unless the control device is infeasible to operate as a result of the disaster.”
40 CFR 62.14531a(a)final
USEPAotherIf temporary disaster-recovery use under Federal Plan subpart IIIa will exceed 8 weeks, submit written notification to the Administrator by 8 weeks after start of operation requesting continued operation.
“you must notify the Administrator that the temporary-use CISWI or air curtain incinerator will be used for more than 8 weeks and request permission to continue to operate the unit...submitted in writing by the date 8 weeks after you start operation.”
40 CFR 62.14531a(c) and (c)(1)final
USEPAotherOperation beyond 16 weeks under Federal Plan subpart IIIa requires written Administrator approval; operate only until the date specified in the approval without complying with other subpart requirements during approved period. [adjacent]
“If the Administrator has approved in writing your request to continue operation, then you may continue to operate the CISWI or air curtain incinerator...until the date specified in the approval.”
40 CFR 62.14531a(d)(2)final
USEPArisk resilience assessmentConduct a risk and resilience assessment covering malevolent acts, natural hazards, pipes, conveyances, physical barriers, source water, treatment, storage, distribution, electronic/computer/automated systems, monitoring, chemicals, and O&M.
“Each community water system serving a population of greater than 3,300 persons shall conduct an assessment of the risks to, and resilience of, its system.”
42 U.S.C. 300i-2(a)(1)final
USEPArisk resilience assessmentSubmit certification to the EPA Administrator that the risk and resilience assessment has been completed, by the applicable statutory deadline based on population served.
“Each community water system described in paragraph (1) shall submit to the Administrator a certification that the system has conducted an assessment complying with paragraph (1).”
42 U.S.C. 300i-2(a)(3)(A)final
USEPArisk resilience assessmentReview the risk and resilience assessment at least once every 5 years after the initial certification deadline, revise if necessary, and submit a new certification to the EPA Administrator upon completion.
“Each community water system described in paragraph (1) shall review the assessment of such system conducted under such paragraph at least once every 5 years after the applicable deadline for submission of its certification.”
42 U.S.C. 300i-2(a)(3)(B)final
USEPArisk resilience assessmentPrepare or revise an Emergency Response Plan (ERP) that incorporates findings of the risk and resilience assessment, covering resilience strategies, cybersecurity, response procedures, equipment, impact mitigation, and detection strategies.
“Each community water system serving a population greater than 3,300 shall prepare or revise, where necessary, an emergency response plan that incorporates findings of the assessment conducted under subsection (a) for such system.”
42 U.S.C. 300i-2(b)final
USEPArisk resilience assessmentInclude in the Emergency Response Plan strategies and resources to improve physical security and cybersecurity resilience of the water system.
“strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system;”
42 U.S.C. 300i-2(b)(1)final
USEPArisk resilience assessmentInclude in the Emergency Response Plan plans, procedures, and equipment to be implemented in the event of a malevolent act or natural hazard threatening safe drinking water delivery.
“plans and procedures that can be implemented, and identification of equipment that can be utilized, in the event of a malevolent act or natural hazard that threatens the ability of the community water system to deliver safe drinking water;”
42 U.S.C. 300i-2(b)(2)final
USEPArisk resilience assessmentInclude in the Emergency Response Plan actions, procedures, and equipment to mitigate the impact of a malevolent act or natural hazard on public health and water supply, including alternative source water options, intake relocation, and flood barriers.
“actions, procedures, and equipment which can obviate or significantly lessen the impact of a malevolent act or natural hazard on the public health and the safety and supply of drinking water provided to communities and individuals, including the development of alternative source ”
42 U.S.C. 300i-2(b)(3)final
USEPArisk resilience assessmentInclude in the Emergency Response Plan detection strategies for malevolent acts or natural hazards that threaten the security or resilience of the system.
“strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security or resilience of the system.”
42 U.S.C. 300i-2(b)(4)final
USEPArisk resilience assessmentCertify to the EPA Administrator that the Emergency Response Plan has been completed, as soon as reasonably possible after Oct 23 2018 but no later than 6 months after completion of the risk and resilience assessment.
“Each community water system shall certify to the Administrator, as soon as reasonably possible after October 23, 2018, but not later than 6 months after completion of the assessment under subsection (a), that the system has completed such plan.”
42 U.S.C. 300i-2(b)final
USEPArisk resilience assessmentCoordinate with local emergency planning committees (LEPCs) established under EPCRA when preparing or revising risk and resilience assessments or emergency response plans.
“Community water systems shall, to the extent possible, coordinate with existing local emergency planning committees established pursuant to the Emergency Planning and Community Right-To-Know Act of 1986 when preparing or revising an assessment or emergency response plan under thi”
42 U.S.C. 300i-2(c)final
USEPArisk resilience assessmentMaintain copies of the risk and resilience assessment and emergency response plan (including all revisions) for 5 years after the date of the applicable certification submission to the EPA Administrator.
“Each community water system shall maintain a copy of the assessment conducted under subsection (a) and the emergency response plan prepared under subsection (b) (including any revised assessment or plan) for 5 years after the date on which a certification of such assessment or pl”
42 U.S.C. 300i-2(d)final
USEPArisk resilience assessmentIf using alternative preparedness and operational resilience programs to satisfy §300i-2(a)-(b), comply with EPA-recognized technical standards and certify such compliance to the EPA Administrator.
“A community water system that is required to comply with the requirements of subsections (a) and (b) may satisfy such requirements by using and complying with technical standards that the Administrator has recognized under paragraph (2); and submitting to the Administrator a cert”
42 U.S.C. 300i-2(f)(1)final
USFCCcyber ot securityApplicants and licensees must certify that they have created, updated, and implemented a cybersecurity and physical security risk management plan and will take reasonable measures to protect systems from cybersecurity and physical security risks. [adjacent]
“require applicants and licensees to certify that they have created, updated, and implemented a cybersecurity and physical security risk management plan and will take reasonable measures to protect their systems and services from cybersecurity and physical security risks”
47 CFR Part 1 (Report and Order, Section III, para. 6)final
USFCCcyber ot securityApplicants must report whether or not they use and/or will use third-party foreign adversary service providers in the operation of the submarine cable. [adjacent]
“require applicants to provide detailed information about the submarine cable system and to report whether or not they use and/or will use third-party foreign adversary service providers in the operation of the submarine cable.”
47 CFR Part 1 (Report and Order, Section III, para. 6)final
USFCCcyber ot securityLicensees and common carriers must provide information about their SLTEs in the annual Capacity Holder Report, enabling the Commission to collect data for national security and public safety purposes. [adjacent]
“we require cable landing licensees and common carriers to provide certain information about their SLTEs in the Capacity Holder Report.”
47 CFR Part 43, Sec. 43.82 (Report and Order, Section III, para. 7)final
USFCCincident reportingDuring a DIRS activation, providers must still file in NORS any outage report whose deadline falls BEFORE the first DIRS daily-report deadline for that activation.
“as long as the first daily DIRS report for the activation is due before the NORS submission under section 4.9 of this chapter would be due for the outage”
47 CFR 4.18(b)final
USFCCincident reportingProviders may omit NORS filings during a DIRS activation only when the outage is timely reported in DIRS; all outage impacts NOT timely reported in DIRS must still be reported in NORS.
“are not required to make submissions in the Network Outage Reporting System (NORS) under this chapter pertaining to any outage...as long as...the outage is timely reported in DIRS.”
47 CFR 4.18(b)final
USFCCincident reportingProviders must continue to notify 911 special facilities of outages potentially affecting them within required timeframes (e.g., within 30 minutes) even during active DIRS activations; the NORS waiver does NOT extend to these notifications.
“providers must continue to comply with applicable 911 and 988 outage notification requirements during DIRS activations.”
47 CFR Part 4; Order Section B (47 CFR 4.18(b) waiver scope)final
USFCCincident reportingProviders must continue to notify 988 Suicide & Crisis Lifeline special facilities of outages potentially affecting them within required timeframes during DIRS activations; the NORS waiver does NOT cover these notifications.
“confirm that providers must continue to comply with applicable 911 and 988 outage notification requirements during DIRS activations.”
47 CFR Part 4; Order Section B (47 CFR 4.18(b) waiver scope)final
USFCCincident reportingNORS reports already filed before the first DIRS deadline must be retained on file and may NOT be withdrawn solely because DIRS has been activated in the outage area.
“we do not preclude communications service providers from withdrawing NORS reports if there are other reasons in addition to the activation of DIRS that support withdrawal...But absent some other reason...we find that the public interest is best served by maintaining such NORS rep”
47 CFR Part 4; Order Section Afinal
USFCCincident reportingProviders must ensure outages occurring OUTSIDE the geographic area of a DIRS activation are reported in NORS regardless of the DIRS activation; the NORS waiver applies only within the DIRS activation area.
“This waiver does not apply to outages occurring outside of the geographic area where DIRS is activated, nor does it apply to outages with notification deadlines that occur after DIRS is deactivated.”
47 CFR 4.18(b); Order Section Afinal
USFCCincident reportingProviders must file in NORS any outage whose NORS notification deadline falls after DIRS is deactivated; post-deactivation outages are not covered by the NORS waiver.
“nor does it apply to outages with notification deadlines that occur after DIRS is deactivated.”
47 CFR 4.18(b); Order Section Afinal
USFCCincident reportingCable, wireless, wireline, and interconnected VoIP providers must report infrastructure status information in DIRS daily when the Commission activates DIRS in geographic areas where they provide service, even if status has not changed from the prior day.
“requiring cable communications, wireless, wireline, and interconnected Voice over Internet Protocol (VoIP) providers to report their infrastructure status information in the Disaster Information Reporting System (DIRS) daily when the Commission activates DIRS”
47 CFR 4.18final
USFCCincident reportingSubject providers must submit a single final DIRS report within 24 hours of FCC deactivation of DIRS, detailing infrastructure status not yet fully restored and providing an estimated date of resolution for remaining outages.
“require Subject Providers to provide a final report to the Commission within 24 hours of the Commission's deactivation of DIRS...that details the state of their infrastructure at the time of DIRS deactivation and provides an estimated date of resolution of any remaining outages.”
47 CFR 4.18final
USFCCincident reportingSubject providers reporting in DIRS are exempt from concurrent NORS (Network Outage Reporting System) reporting obligations for outages that arise during the DIRS activation period and are timely reported in DIRS.
“Subject Providers will not be required to file reports of system outages in the FCC's Network Outage Reporting System (NORS) that arise during the DIRS activation and that are timely reported in DIRS.”
47 CFR 4.18final
USFCCotherCLAs and the Lead Administrator must create, update, and implement cybersecurity risk management plans identifying cyber risks, controls to mitigate them, and steps to ensure controls are applied effectively. [adjacent]
“we require that all CLAs and the Lead Administrator create, update, and implement cybersecurity risk management plans. Such a cybersecurity risk management plan must identify the cyber risks that the entity faces, the controls used to mitigate those risks”
47 CFR Part 8; DA-24-900A1, Section II.F (para. 30)final
USFCCotherCybersecurity risk management plans must describe how each entity employs organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems.
“The plans must also describe how each entity employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems.”
47 CFR Part 8; DA-24-900A1, Section II.F (para. 30)final
USFCCotherEach CLA and Lead Administrator applicant must submit an attestation with its application confirming it has already created and implemented—or upon selection will create and implement—a cybersecurity risk management plan. [adjacent]
“we additionally require each applicant seeking to serve as a CLA or Lead Administrator to submit with its application an attestation that it already has created and implemented--or upon selection will create and implement--a cybersecurity risk management plan”
47 CFR Part 8; DA-24-900A1, Section II.F (para. 32)final
USFCCotherCLAs and the Lead Administrator must make their cybersecurity risk management plans available to the Commission upon request. [adjacent]
“We also require that CLAs and the Lead Administrator make such cybersecurity risk management plans available to the Commission upon request.”
47 CFR Part 8; DA-24-900A1, Section II.F (para. 32)final
USFCCotherCLA applicants must demonstrate knowledge of federal law and guidance governing the security and privacy of agency information systems. [adjacent]
“Knowledge of Federal law and guidance governing the security and privacy of agency information systems”
47 CFR Part 8; DA-24-900A1, Section IV.A (para. 34.i)final
USFCCotherCLA applicants must demonstrate the ability to securely handle large volumes of information, including a description of internal security practices. [adjacent]
“The ability to securely handle large volumes of information, including a description of Applicant's related internal security practices.”
47 CFR Part 8; DA-24-900A1, Section IV.A (para. 34.j)final
USFCCotherCLAs must collaborate with the Lead Administrator and other stakeholders to develop items to be submitted to the Commission within 90 days of election of the Lead Administrator as listed in 47 CFR 8.221(a)(4). [adjacent]
“Collaborating with the Lead Administrator and other stakeholders to develop those items to be submitted to the Commission within 90 days of election of the Lead Administrator, and listed in 47 CFR 8.221(a)(4)”
47 CFR 8.221(a)(4); DA-24-900A1, Section IV.A (para. 35.d)final
USFCCotherPilot participants must apply security updates and patches to Pilot-funded equipment and services to maintain protection as threat vectors evolve. [adjacent]
“The Commission also makes eligible security updates and patches, which will help to ensure that participants are protected even as threat vectors evolve over the course of the Pilot.”
47 CFR Part 54; FCC 24-63 para. 29final
USFCCotherPilot participants must obtain and deploy advanced/next-generation firewalls that limit network access and block malicious traffic, excluding basic E-Rate-funded firewall services from reimbursement claims. [adjacent]
“an 'advanced' or 'next-generation' firewall as 'equipment, services, or a combination of equipment and services that limits access between networks, excluding basic firewall services and components that are currently funded through the E-Rate program.'”
47 CFR Part 54; FCC 24-63 para. 32-33final
USFCCincident reportingReport infrastructure status information daily in DIRS when the Commission activates DIRS in geographic areas in which the provider offers service, even when reportable infrastructure has not changed from the prior day.
“Provide daily reports on their infrastructure status from the start of DIRS activation until DIRS has been deactivated.”
47 CFR 4.18(a)(1)final
USFCCincident reportingSubmit a single, final DIRS report within 24 hours of DIRS deactivation detailing infrastructure status at time of deactivation and estimated resolution dates for any remaining outages.
“Provide a single, final report to the Commission within 24 hours of the Commission's deactivation of DIRS...detailing the state of their infrastructure at the time of DIRS deactivation and an estimated date of resolution of any remaining outages.”
47 CFR 4.18(a)(2)final
USFCCincident reportingWhen unable to file DIRS reports due to extraordinary circumstances, notify the FCC Operations Center and make a filing as soon as capable, no later than the final deactivation report.
“providers should: (1) use the Operations Center or otherwise notify the Commission if they are unable to file; and (2) make a filing as soon as they are capable, but no later than the final report due upon deactivation of DIRS.”
47 CFR 4.18(a); Order Section Afinal
USFCCincident reportingDIRS reports must be based on information known by the provider at the time of submission, provided with a reasonable basis for believing the information is accurate.
“submissions made in DIRS under the rule adopted in the Order shall be based on information known by the provider at the time...submissions must be provided with a reasonable basis for believing the information therein is accurate.”
47 CFR 4.18(a); Order Section Afinal
USFCCincident reportingNORS reporting obligations for outages arising during a DIRS activation period are suspended, provided those outages are timely reported in DIRS; once filed in DIRS, the same outage need not be filed in NORS.
“providers who provide a DIRS report pursuant to paragraph (a) of this section are not required to make submissions in the Network Outage Reporting System (NORS)...pertaining to any incidents arising during the DIRS activation and that are timely reported in DIRS.”
47 CFR 4.18(b)final
USFCCincident reportingPROPOSED: TV and radio broadcasters must report network outages in NORS under a simplified reporting process tied to broadcast infrastructure type and modality.
“we propose requiring TV and radio broadcasters report in both NORS and DIRS subject to a simplified reporting process based on the type and modality of certain broadcast infrastructures.”
47 CFR Part 4, SFNPRM para. 11 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: TV and radio broadcasters must report operational status in DIRS during activations, including going silent within 24 hours of DIRS activation and resuming service within 24 hours of deactivation.
“Should we also require broadcasters to notify us within 24 hours of going silent when DIRS has been activated and within 24 hours of resuming service after DIRS activation has been lifted?”
47 CFR Part 4, SFNPRM para. 11 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: Broadcasters must notify the FCC in NORS or DIRS when their ability to access FEMA IPAWS is disrupted, regardless of transmitter operational status.
“Should we require notice when a broadcaster's ability to access IPAWS is disrupted regardless of the operational status of the transmitter?”
47 CFR Part 4, SFNPRM para. 11 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: DBS, SDARS, FSS, and MSS satellite providers must report infrastructure outages in DIRS during activations, limited to key infrastructure under the provider's control.
“We seek comment on whether to require DBS providers, SDARS providers, Fixed Satellite Service (FSS) providers, and Mobile Satellite Service (MSS) providers report in DIRS.”
47 CFR Part 4, SFNPRM para. 15 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: Satellite providers must file updated NORS outage reports using thresholds revised to reflect current satellite network technology, replacing the original 2004 thresholds. [adjacent]
“we seek comment on whether and how the NORS reporting thresholds for satellite providers should be modified to reflect technological changes to these networks since the Commission's original 2004 reporting rules were effectuated.”
47 CFR Part 4, SFNPRM para. 19 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: FirstNet (or AT&T on its behalf) must file outage reports with the FCC in NORS covering FirstNet-specific infrastructure and services.
“we seek comment on whether FirstNet, or AT&T, should file outage reports with the Commission in NORS with respect to FirstNet infrastructure and services.”
47 CFR Part 4, SFNPRM para. 24 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: FirstNet (or AT&T on its behalf) must file reports in DIRS during activations to provide situational awareness of FirstNet network status during disasters.
“as the related Second Report and Order adopts a mandatory obligation for subject providers to file in DIRS, we seek comment in this Second Further Notice on whether this obligation should be extended with regard to FirstNet.”
47 CFR Part 4, SFNPRM para. 24 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: Mobile and fixed BIAS providers must submit outage reports to NORS when outages meet applicable thresholds, to enable monitoring of broadband network resilience.
“we renew our inquiry into whether BIAS providers should be required to submit outage reports in NORS... we believe that reported data to NORS and DIRS should also encompass disruptions to BIAS, including mobile and fixed wireless BIAS service.”
47 CFR Part 4, SFNPRM para. 29 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: Mobile and fixed BIAS providers must report in DIRS during activations to provide real-time broadband network status during disasters.
“We also seek comment on whether participation in DIRS when activated should also be mandatory.”
47 CFR Part 4, SFNPRM para. 29 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: DIRS-subject providers must report the location of mobile recovery assets (COWs, COLTs) to the FCC, either as part of daily DIRS reporting or through alternate means.
“we seek comment on whether current or future providers who are subject to DIRS reporting requirements should be required to supply the Commission with information concerning the location of their mobile recovery assets, and specifically whether providers should be required to sup”
47 CFR Part 4, SFNPRM para. 34 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: DIRS-subject providers must report quantitative traffic metrics for mobile recovery assets (e.g., texts, voice minutes, broadband data over last 24 hours and cumulative since deployment).
“could providers report on select metrics such as the number of texts, voice minutes, broadband data provided by a recovery asset over the last 24 hours as well as the total data provided since that recovery asset was incorporated into that location.”
47 CFR Part 4, SFNPRM para. 34 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: Mobile recovery asset location reports must indicate whether the assets support Wireless Emergency Alerts (WEA) to aid disaster communications planning.
“we further seek comment on whether the reporting should indicate whether the mobile recovery assets support WEAs, as we note in particular the ability to disseminate WEAs in disaster environments may be of critical importance.”
47 CFR Part 4, SFNPRM para. 37 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: DIRS-subject providers must submit 'after action' reports detailing network performance, resilience actions, pre-disaster response plan effectiveness, within 60 days of Bureau-issued Public Notice following DIRS deactivation.
“we seek comment as to whether providers subject to DIRS reporting requirements should be required to supply the Commission with 'after action' reports detailing more specifically how their networks fared after the event or exigency and the nature, timing, duration, and effectiven”
47 CFR Part 4, SFNPRM para. 39 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: BIAS providers' NORS outage reporting must capture disruptions from cybersecurity breaches, infrastructure damage from natural disasters, and operator misconfigurations that affect public safety communications.
“how an appropriate threshold would support the ability of the Commission to discern when outages or significant network degradation stemming from issues such as cybersecurity breaches, wire cuts, infrastructure damages from natural disasters, and/or operator errors or misconfigur”
47 CFR Part 4, SFNPRM para. 32 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingPROPOSED: Broadcasters must report in NORS outages affecting their ability to disseminate signals due to cybersecurity incursions, infrastructure failures, equipment failures, or power failures.
“the Commission has limited ability to know or understand on a timely basis when broadcast stations' facilities are impacted by infrastructure, equipment, or power failures, cybersecurity incursions or other issues that impact their ability to disseminate a signal.”
47 CFR Part 4, SFNPRM para. 10 (PS Docket Nos. 21-346, 15-80; FCC 24-5)proposed
USFCCincident reportingCovered 988 service providers must report outages that potentially affect 988 special facilities to the FCC's Network Outage Reporting System (NORS).
“the Commission requires covered 988 service providers...to report outages that potentially affect the 988 Lifeline to the Commission's Network Outage Reporting System (NORS)”
47 CFR 4.5(f)final
USFCCincident reportingOriginating service providers (cable, satellite, wireless, wireline, interconnected VoIP) must report outages that potentially affect 988 special facilities in NORS.
“requires cable, satellite, wireless, wireline, and interconnected VoIP providers to report in NORS outages that potentially affect the 988 special facilities”
47 CFR 4.5(f)final
USFCCincident reportingReportable 988 outages are those resulting in loss of ability of 988 Lifeline to receive, process, or forward calls, affecting at least 900,000 user-minutes and lasting at least 30 minutes.
“defines 'outages that potentially affect a 988 special facility' as events that result in the loss of the ability of the 988 Lifeline to receive, process, or forward calls, potentially affecting at least 900,000 user-minutes and lasting at least 30 minutes”
47 CFR 4.5(f)final
USFCCincident reportingCovered 988 service providers and originating service providers must directly notify SAMHSA, the VA, and the 988 Lifeline administrator within 30 minutes when an outage potentially affecting a 988 special facility occurs.
“requires covered 988 service providers to directly notify 988 special facilities about outages that potentially affect those facilities...within 30 minutes”
47 CFR 4.9(f)final
USFCCincident reportingFor outages lasting longer than 2 hours, providers must follow up with subsequent notifications of material information as soon as possible after discovery, continuing until outage is fully repaired and service restored.
“For outages lasting longer than 2 hours, the providers would follow-up with subsequent notifications of material information as soon as possible after discovery of the new material information, and continue providing additional material information until the outage is completely ”
47 CFR 4.9(f)final
USFCCincident reportingCovered 988 service providers and originating service providers must exercise special diligence to maintain accurate, up-to-date contact information for 988 special facilities (SAMHSA, VA, 988 Lifeline administrator). [adjacent]
“requires covered 988 service providers and originating service providers to exercise special diligence to maintain accurate, up-to-date contact information for 988 special facilities”
47 CFR 4.9(f)final
USFCCincident reportingReliance on a third-party service provider to manage, route, or contribute to 988 call processing does not relieve providers of their outage notification obligations to 988 special facilities.
“reliance upon a third-party service provider to manage, route, or otherwise contribute to 988 call processing does not relieve providers of the obligation to provide outage notification to 988 special facilities”
47 CFR 4.9(f)final
USFCCincident reportingProviders must use NORS (not email or alternative systems) for all 988 outage report filings, and must mark the 988 special facility checkbox for qualifying outages.
“The Commission declines to allow alternatives to NORS reporting...the Commission will add a checkbox to NORS so that reporting providers can clearly indicate whether a reported outage potentially affects a 988 special facility”
47 CFR 4.9(f)final
USFCCincident reportingSubmit a Notification to the FCC within 480 minutes (8 hours) of determining a submarine cable outage is reportable, transitioning to 240 minutes (4 hours) after three years. [adjacent]
“The Notification is due within 480 minutes (8 hours) of the time of determining that an event is reportable for the first three years...After three years...Notifications shall be due within 240 minutes (4 hours).”
47 CFR 4.15(b)(2)(ii)final
USFCCincident reportingSubmit an Interim Report to the FCC within 24 hours of receiving the Plan of Work for any submarine cable repair. [adjacent]
“The Interim Report is due within 24 hours of receiving the Plan of Work.”
47 CFR 4.15(b)(2)(iii)final
USFCCincident reportingSubmit a Final Outage Report to the FCC within seven days of completing any submarine cable repair. [adjacent]
“The Final Outage Report is due seven (7) days after the repair is completed.”
47 CFR 4.15(b)(2)(iv)final
USFCCincident reportingReport outages lasting 30 minutes or more on a submarine cable segment between SLTE endpoints, regardless of traffic rerouting, unless caused by announced planned maintenance with advance customer notification.
“An outage of a portion of submarine cable system between submarine line terminal equipment (SLTE)...occurs for 30 minutes or more...An 'outage' does not require reporting under this section if the outage is caused by announced planned maintenance.”
47 CFR 4.15(a)(1)(i) and 4.15(a)(2)final
USFCCincident reportingReport outages affecting any fiber pair lasting four hours or more, including those due to terminal equipment, regardless of the number of fiber pairs comprising total cable capacity.
“An outage of any fiber pair, including due to terminal equipment, on a cable segment occurs for four hours or more, regardless of the number of fiber pairs that comprise the total capacity of the cable segment.”
47 CFR 4.15(a)(1)(ii)final
USFCCincident reportingReport unplanned submarine cable outages to the FCC even when all traffic is successfully rerouted to an alternate path. [adjacent]
“'outage' is defined as a failure or significant degradation in the performance of a licensee's cable service regardless of whether the traffic can be re-routed to an alternate path.”
47 CFR 4.15(a)(1)final
USFCCincident reportingProvide advance notification to customers (including national security agencies) of planned maintenance outages and their expected duration as a condition for the planned-maintenance reporting exemption.
“An 'outage' does not require reporting under this section if the outage is caused by announced planned maintenance and the licensee notified its customers in advance of the planned maintenance and its expected duration.”
47 CFR 4.15(a)(2)final
USFCCincident reportingReport a planned maintenance outage that exceeds its announced duration if the excess time, standing alone, triggers the reporting thresholds (30 min SLTE or 4 hr fiber pair).
“if the planned maintenance duration surpasses the shortest announced duration for the planned maintenance and this additional time triggers the requirements in paragraph (a)(1)...the outage becomes reportable as of the time the maintenance exceeds the shortest announced duration.”
47 CFR 4.15(a)(2)final
USFCCincident reportingSubmit all outage reports (Notification, Interim, Final) electronically via Commission-approved web-based NORS templates; use email to FCC PSHSB Chief only if technical impediments prevent web submission during Notification stage.
“The Notification, Interim Report, and Final Outage Reports are to be submitted electronically to the Commission...If there are technical impediments to using the Web-based system during the Notification stage, then a written Notification to the Commission by email...is permitted.”
47 CFR 4.15(b)(2)(v)final
USFCCincident reportingInclude specified operational and location data in the Notification, including outage onset time, root cause if known, nearest landing station, approximate location, estimated duration, and contact information.
“Licensees shall provide: The name of the reporting entity; the name of the cable...date and time of onset of the outage, if known...a brief description of the event, including root cause if known; nearest cable landing station; best estimate of approximate location...best estimat”
47 CFR 4.15(b)(2)(ii)final
USFCCincident reportingInclude in the Final Outage Report the restoration method, duration of the event, and an attestation by an authorized signatory confirming the report is true, correct, and accurate under oath.
“The Final Report must also contain an attestation as described in paragraph (b)(2)(i)...Each Final report shall be attested...that the information contained therein is true, correct, and accurate to the best of his/her knowledge and belief.”
47 CFR 4.15(b)(2)(iv) and 4.15(b)(2)(i)final
USFCCincident reportingFor jointly-owned cables, licensees may designate a Responsible Licensee to file outage reports on behalf of all licensees, and must jointly notify the FCC PSHSB Cybersecurity and Communications Reliability Division in writing with contact details for all licensees.
“licensees of that cable may designate a Responsible Licensee that files outage reports under this rule on behalf of all licensees...must jointly notify the Chief of the Public Safety and Homeland Security Bureau's Cybersecurity and Communications Reliability Division of this deci”
47 CFR 4.15(b)(1)(i) and 4.15(b)(1)(ii)final
USFCCincident reportingWithdraw outage filings (Notification, Interim Report, or Final Report) if the licensee subsequently determines the event does not meet the outage definition in 47 CFR 4.15(a). [adjacent]
“in the event that a licensee determines that a Notification, Interim Report, or Final Report filed for an outage was not required because the licensee later determines that the event does not meet the outage definition in 47 CFR 4.15(a), the licensee may withdraw the filing.”
47 CFR 4.15(b) [implementing 47 CFR 4.15(a)]; see also Order on Reconsideration para. 15final
USFCCincident reportingService providers must submit a notification to NORS generally within two hours of determining that an outage is reportable, to provide the Commission with timely preliminary outage information.
“Service providers are required to submit a notification to NORS generally within two hours of determining that an outage is reportable to provide the Commission with timely preliminary information.”
47 CFR Part 4 (as discussed in 86 FR 22796-22797, para. 5)final
USFCCincident reportingService providers must submit an initial NORS report within three calendar days of the notification for reportable outages, followed by a final report within 30 calendar days.
“provide an initial report within three calendar days, followed by a final report with complete information on the outage within 30 calendar days of the notification”
47 CFR Part 4 (as discussed in 86 FR 22796-22797, para. 5)final
USFCCincident reportingService providers must adjust their NORS reporting processes to accommodate the Commission's updated NORS web-based form fields as modified by this rulemaking.
“The Second Report and Order requires service providers to make adjustments to their NORS reporting processes to accommodate the Commission's adjustments to its NORS web-based form pursuant to section 47 CFR 4.11.”
47 CFR 4.11 (as referenced in 86 FR 22796, PRA section)final
USFCCincident reportingParticipating agencies granted direct access to NORS and DIRS must treat all filings as confidential and not disclose them absent a Commission finding permitting disclosure. [adjacent]
“Treat NORS and DIRS filings as confidential and not disclose them, absent a finding by the Commission allowing the disclosure”
47 CFR 4.2 (as referenced in 86 FR 22798, paras. 14, 43)final
USFCCincident reportingParticipating agencies must limit direct NORS and DIRS database access to no more than five user accounts per agency. [adjacent]
“limiting access to five user accounts”
47 CFR 4.2 (as discussed in 86 FR 22801, para. 16)final
USFCCincident reportingParticipating agencies must complete initial and annual security training covering privileges and obligations under the NORS/DIRS information sharing framework. [adjacent]
“requiring initial and annual security training; requiring participating agencies to receive training on their privileges and obligations under the framework”
47 CFR 4.2 (as discussed in 86 FR 22801, paras. 16, 58)final
USFCCincident reportingParticipating agencies must report any known or reasonably suspected breach of protocol regarding NORS/DIRS data to the Commission and affected service providers. [adjacent]
“reporting any known or reasonably suspected breach of protocol to the Commission and service providers”
47 CFR 4.2 (as discussed in 86 FR 22801, para. 58)final
USFCCincident reportingParticipating agencies must certify, via a formal certification form, to requirements related to maintaining confidentiality and security of NORS and DIRS data as a condition of access. [adjacent]
“the new requirement that agencies file certification forms, pursuant to 47 CFR 4.2, to request access to NORS and DIRS reports”
47 CFR 4.2 (as referenced in 86 FR 22796, PRA section and para. 16)final
USFCCincident reportingParticipating agencies must limit NORS and DIRS access to events occurring only within their own jurisdiction. [adjacent]
“limiting agency access to events occurring within an agency's jurisdiction”
47 CFR 4.2 (as discussed in 86 FR 22801, para. 16)final
USFCCincident reportingParticipating agencies must make available for Commission inspection, upon request, a list of all localities for which the agency has disclosed NORS and DIRS data. [adjacent]
“each participating agency make available for Commission inspection, upon Commission request, a list of all localities for which the agency has disclosed NORS and DIRS data”
47 CFR 4.2 (as discussed in 86 FR 22802-22803, para. 53)final
USFCCincident reportingParticipating agencies must restrict their use of NORS and DIRS information solely to emergency management and first responder support functions; use for non-emergency regulatory purposes is expressly forbidden. [adjacent]
“We expressly forbid the use of NORS and DIRS information obtained through the procedures we adopt today for non-emergency-related regulatory purposes, including merger review, consumer protection activities, contract disputes with a state”
47 CFR 4.2 (as discussed in 86 FR 22800-22801, paras. 37-39)final
USFCCincident reportingParticipating agencies may share confidential NORS/DIRS information only with individuals who have a documented 'need to know' and are directly responsible for emergency management or first responder support functions.
“allow these agencies to share confidential information derived from NORS and DIRS filings with non-credentialed individuals at the participating agency and at non-participating agencies on a strict 'need to know' basis”
47 CFR 4.2 (as discussed in 86 FR 22798-22799, paras. 15, 32-33)final
USFCCincident reportingParticipating agencies must obtain read-only access to NORS and DIRS and are prohibited from manipulating or altering the data in those systems. [adjacent]
“participating state and Federal agencies be granted direct access to NORS and DIRS filings in a read-only manner to help prevent the improper manipulation of NORS and DIRS data”
47 CFR 4.2 (as discussed in 86 FR 22803-22804, para. 60)final
USFCCincident reportingEligible agencies must demonstrate a 'need to know' by citing statutes or regulatory authority establishing official duties directly responsible for emergency management and first responder support as part of the application for NORS/DIRS access. [adjacent]
“An agency applying for direct access to NORS and DIRS must demonstrate its 'need to know' by citing to statutes or other regulatory authority that establishes it has official duties making it directly responsible for emergency management and first responder support functions.”
47 CFR 4.2 (as discussed in 86 FR 22800, paras. 35-36)final
USFCCincident reportingParticipating agencies must certify they will take appropriate steps to safeguard NORS and DIRS information, including notifying the Commission of unauthorized or improper disclosure. [adjacent]
“requiring agencies to certify that they will take appropriate steps to safeguard the information contained in the filings, including notifying the Commission of unauthorized or improper disclosure”
47 CFR 4.2 (as discussed in 86 FR 22801, para. 16)final
USFCCincident reportingSubmarine cable licensees must report unplanned service outages greater than 30 minutes on a cable segment between SLTE, or greater than 4 hours when affecting a fiber pair, through the network outage reporting system (NORS).
“these licensees will need to report specific unplanned outages greater than 30 minutes on a portion of the cable system between submarine line terminal equipment (SLTE) or greater than four hours when it affects a fiber pair.”
47 CFR 4.15 (as amended by FCC 16-81 and FCC 19-138)final
USFCCincident reportingPROPOSED: Wireless providers must participate in and activate disaster roaming arrangements, including annual testing of roaming capabilities and coordination processes, to ensure seamless roaming before and during emergencies.
“we seek comment on improvements to the Framework to ensure roaming is operational prior to an event and seamless during emergencies--addressing both resiliency and restoration--such as annual testing of roaming capabilities and coordination processes.”
47 CFR Part 4, NPRM para. 18 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must submit reports to the Commission detailing implementation of the Framework in real time or in the aftermath of a disaster, including roaming activation/refusal and mutual aid activities.
“we seek comment on whether we should require wireless providers to submit reports to the Commission detailing implementation of the voluntary Framework in real time or in the aftermath of a disaster.”
47 CFR Part 4, NPRM para. 25 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Communications service providers (cable, DBS, SDARS, TV/radio broadcasters, CMRS, wireless, wireline, VoIP) must file infrastructure status information in DIRS when the Commission activates DIRS in their service areas.
“should the Commission consider requiring the nation's service providers...to report their infrastructure status information in DIRS when the Commission activates DIRS in geographic areas in which they broadcast or otherwise provide service?”
47 CFR Part 4, NPRM para. 30 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Service providers with ongoing outages at the time of DIRS deactivation must report those continuing outages in NORS to maintain Commission situational awareness.
“Should providers with ongoing outages at the time of DIRS deactivation be required to report those outages in NORS?”
47 CFR Part 4, NPRM para. 33 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Communications service providers must report broadband service outages in NORS to improve situational awareness during disasters.
“we seek comment on the public interest benefits and the costs of reporting of broadband service outages. Would such reporting likewise improve emergency managers' situational awareness during disasters?”
47 CFR Part 4, NPRM para. 31 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Communications service providers must maintain and deploy adequate on-site backup power at critical network facilities to reduce frequency, duration, and severity of power-related communications service disruptions during disasters.
“we seek comment on what steps service providers would need to take with respect to backup power deployment to significantly reduce the number of communications disruptions caused by power outages. How many hours of on-site backup power would be appropriate at their facilities?”
47 CFR Part 4, NPRM paras. 41-42 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must foster mutual aid during disasters, including sharing physical assets, to ensure continuity of communications.
“we seek comment on how signatories fostered mutual aid, such as through sharing physical assets, during Hurricane Ida and other recent disasters, and how effective this mutual aid has been in ensuring continuity of communications.”
47 CFR Part 4, NPRM para. 19 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must place backup systems (e.g., Cells on Light Trucks) ready to deploy for vulnerable infrastructure to improve service restoration time during disasters.
“should the voluntary Framework include provisions regarding the placement of back-up systems, such as Cells on Light Trucks, so that they are ready to deploy for vulnerable infrastructure to improve service restoration time?”
47 CFR Part 4, NPRM para. 24 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Framework participants must ensure backhaul redundancy and resiliency, including addressing concentration risk such as limits on the number of cell sites operating on a single backhaul fiber link.
“Should the Framework include provisions that address backhaul redundancy and resiliency? For example, could the Framework address a limit on the number of cell sites operating on a single backhaul fiber link?”
47 CFR Part 4, NPRM para. 24 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Communications service providers and power companies must coordinate before, during, and after disasters to minimize communications service outages caused by power outages.
“we seek to identify actions the Commission, communications providers, and power companies can cooperatively take to encourage and increase coordination in the power and communications sectors before, during, and after an emergency or disaster.”
47 CFR Part 4, NPRM para. 40 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Covered 911 service providers must implement enhanced backup power measures to ensure PSAPs and 911 networks remain operational during and after disasters.
“Are there steps the Commission can take, such as revisions to our resiliency rules (see, e.g., 47 CFR parts 4, 9) or encouraging of voluntary measures, to make it more likely that PSAPs will have the necessary resources to continue service during and after disasters?”
47 CFR 9.19(b), NPRM para. 45 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must include provisions to restore or prioritize text-to-911 capability during disasters in areas where the PSAP is text-capable.
“Should the Framework include requirements for restoration or prioritization of text-to-911 capability in areas where the PSAP is text-capable, as text-to-911 can be an important communications solution in emergencies?”
47 CFR Part 4, NPRM para. 24 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must coordinate with local governments, establishing processes for sharing real-time restoration status and maintaining formal relationships with local agencies before, during, and after emergencies.
“Should providers establish processes for sharing real-time restoration efforts? Should the Framework include coordination obligations and particular coordination activities or best practices?”
47 CFR Part 4, NPRM para. 20 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: All communications service providers, not just those accepting USF Stage 2 funding, must report infrastructure status in DIRS upon activation, including smaller providers in rural and hard-to-access areas.
“the Commission has observed that, while the nation's large providers typically elect to voluntarily report in DIRS, smaller providers often do not...reduces the Commission's situational awareness...in locations served by smaller providers, which are often vulnerable rural or othe”
47 CFR Part 4, NPRM para. 28 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must expand the scope of Framework participation to include smaller wireless providers, backhaul providers, cable, wireline, broadcast, satellite, and VoIP providers to enhance network resiliency.
“Are there steps the Commission can take to encourage voluntary participation beyond the scope of the existing signatories, such as to include smaller wireless providers, or entities beyond the mobile-wireless industry, such as facilities-based backhaul providers, covered 911 serv”
47 CFR Part 4, NPRM para. 16 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Communications service providers must implement alternative backup power solutions (beyond on-site generators) to reduce frequency, duration, and severity of power-related communications disruptions.
“We also seek comment on any alternatives to on-site backup power that have also proven successful or have the potential to reduce the frequency, duration, or severity of disruptions to communications services caused by power outages.”
47 CFR Part 4, NPRM para. 44 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: The Commission would codify the practice of suspending NORS reporting requirements for providers reporting in DIRS during activation, providing regulatory clarity on provider obligations during disasters.
“we seek comment on whether to codify in our part 4 rules the Commission's typical practice of granting to providers a waiver of their NORS reporting requirements when they report the outage in DIRS.”
47 CFR Part 4, NPRM para. 32 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must establish minimum timeframes for responding to disaster roaming requests and criteria for determining technical feasibility of roaming, with transparent communication of infeasibility determinations.
“should there be minimum timeframes by which a provider must respond to a disaster roaming request? Are there conditions or other criteria that could be incorporated into the Framework to determine that, once met, roaming should be available automatically in qualifying disaster ar”
47 CFR Part 4, NPRM para. 18 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Wireless providers must ensure emergency roaming is automatically and seamlessly accessible to user devices without requiring user action, and verify readiness through testing.
“Should there be any improvement in the standards or their implementations to ensure the emergency roaming is automatically and seamlessly accessible to user devices without requiring any action from the user? Can providers' readiness to execute such disaster-triggered roaming be ”
47 CFR Part 4, NPRM para. 18 (PS Docket No. 21-346)proposed
USFCCincident reportingPROPOSED: Communications service providers must develop and implement measures to ensure 911 communications remain operational, including network hardening and resilient equipment, not relying solely on backup power.
“Is the deployment of on-site backup power sufficient to keep networks online in view of other potentially independent factors that may cause a network to fail during a disaster, e.g., lack of hardened and resilient network equipment? If it is not sufficient, what other steps shou”
47 CFR Part 4, NPRM para. 42 (PS Docket No. 21-346)proposed
USFCCoperational resiliencePROPOSED: Mobile carriers receiving transitional support must maintain a Disaster Preparation and Response Plan.
“Mobile support recipients are also required to file reports and data regarding the use of support for hardening networks and 5G technology deployment, and to maintain a Disaster Preparation and Response Plan.”
47 CFR Part 54, FNPRM para. 11proposed
USFCCoperational resiliencePROPOSED: Mobile carriers receiving transitional support must report network security controls implemented and demonstrate they are commensurate with established best practices or a recognized risk management framework. [adjacent]
“a mobile carrier report and explain the network security controls that it has implemented and how they are commensurate with established best practices or an established risk management framework.”
47 CFR Part 54, FNPRM para. 12proposed
USFCCoperational resiliencePROPOSED: Mobile carriers receiving transitional support must report instances of unauthorized access to their systems and services to the Commission. [adjacent]
“it should also require that mobile carriers report and explain to the Commission instances of unauthorized access to their systems and services.”
47 CFR Part 54, FNPRM para. 12proposed
USFCCoperational resiliencePROPOSED: Mobile carriers receiving transitional support must limit use of support to restoring, hardening, or expanding 5G-capable networks to ensure network resilience.
“the Commission proposes to limit transitional support to restoring, hardening, or expanding networks with 5G-capable networks, and to end use of this support for 4G LTE.”
47 CFR Part 54, FNPRM para. 9proposed
USFCCoperational resiliencePROPOSED: Incumbent LECs receiving additional phase-down support must limit use of that support to resiliency and redundancy measures and must at least maintain their current footprint for voice and broadband services.
“an incumbent LEC must limit its use of the phase-down support to resiliency and redundancy measures...and that the incumbent LEC must at least maintain its current footprint for voice and broadband services.”
47 CFR Part 54, FNPRM para. 17proposed
USFCCoperational resiliencePROPOSED: Incumbent LECs receiving additional phase-down support must maintain their Disaster Preparation and Preparedness Plan.
“The Commission seeks comment on requiring an incumbent LEC receiving additional phase-down support to maintain its Disaster Preparation and Preparedness Plan.”
47 CFR Part 54, FNPRM para. 17proposed
USFCCoperational resiliencePROPOSED: Incumbent LECs receiving phase-down support must submit a spending plan to the Wireline Competition Bureau for approval covering use of support for redundancy and resiliency measures.
“An incumbent LEC interested in receiving this support would be required to submit a spending plan for its use of phase-down support for redundancy and resiliency measures to the Wireline Competition Bureau (the Bureau) for approval.”
47 CFR Part 54, FNPRM para. 18proposed
USFCCoperational resiliencePROPOSED: Incumbent LECs receiving phase-down support must provide an annual report to the Commission on how phase-down support was spent on resiliency and redundancy measures, consistent with the Bureau-approved plan.
“the incumbent LEC would be required to provide the Commission with a report of how the phase-down support was spent on resiliency and redundancy measures consistent with the Bureau-approved plan.”
47 CFR Part 54, FNPRM para. 18proposed
USFCCoperational resiliencePROPOSED: Incumbent LECs receiving phase-down support must submit a certification pursuant to 47 CFR 54.313(n) confirming support was used only for authorized resiliency and redundancy purposes. [adjacent]
“along with a certification pursuant to section 54.313(n) of the Commission's rules that the support was used only for authorized purposes.”
47 CFR Part 54, FNPRM para. 18proposed
USFCCoperational resiliencePROPOSED: Incumbent LECs receiving phase-down support may use support to purchase and maintain generators to address power failures as part of network resilience and continuity.
“use of transitional phase-down support to purchase and maintain generators to address power failures would be appropriate under the Commission's proposal.”
47 CFR Part 54, FNPRM para. 17proposed
USFCCoperational resiliencePROPOSED: Fixed support winners (competitive process) must ensure network resiliency and redundancy as part of their buildout obligations, including network diversity and backup power per the Disaster Preparation and Response Plan.
“part of the Disaster Preparation and Response Plan adopted by the 2019 PR USVI Order includes ensuring network diversity and backup power.”
47 CFR Part 54, FNPRM para. 17proposed
USFCCcyber ot securityPROPOSED: EAS Participants and Participating CMS Providers must annually certify to having a cybersecurity risk management plan in place and employing sufficient security controls to ensure the confidentiality, integrity, and availability of their alerting systems.
“requiring EAS Participants and Participating CMS Providers to annually certify to having a cybersecurity risk management plan in place and employing sufficient security controls to ensure the confidentiality, integrity, and availability of their respective alerting systems”
47 CFR Parts 10 and 11 (proposed); PS Docket No. 22-329; FCC 22-82proposed
USFCCcyber ot securityPROPOSED: EAS Participants must report any incident of unauthorized access to their EAS equipment, communications systems, or services to the Commission via NORS within 72 hours of when the entity knew or should have known the incident occurred.
“requiring EAS Participants to report any incident of unauthorized access of their EAS equipment, communications systems, or services...to the Commission via NORS within 72 hours of when it knew or should have known that an incident has occurred”
47 CFR Part 11 (proposed); PS Docket No. 22-329; FCC 22-82proposed
USFCCcyber ot securityPROPOSED: EAS Participants must report unauthorized access incidents regardless of whether the compromise resulted in the transmission of a false alert, and must provide details concerning the incident. [adjacent]
“any incident involving the unauthorized access to EAS equipment, communications systems, or services, regardless of whether the event resulted in the transmission of a false alert would require EAS Participants to report the unauthorized access to the Commission”
47 CFR Part 11 (proposed); PS Docket No. 22-329; FCC 22-82proposed
USFCCcyber ot securityPROPOSED: Participating CMS Providers must take steps to ensure that only valid alerts are displayed on consumer mobile devices (i.e., alerts from valid base stations only). [adjacent]
“requiring that mobile devices only present WEA alerts from valid base stations”
47 CFR Part 10 (proposed); PS Docket No. 22-329; FCC 22-82proposed
USFCCcyber ot securityPROPOSED: The cybersecurity risk management plan must contain, among other things, a description of how organizational resources are employed to ensure the confidentiality, integrity, and availability of the alerting system. [adjacent]
“The cybersecurity risk management plan must contain among other things, a description of how organizational resources are employed to ensure the confidentiality, integrity, and availability of the alerting system.”
47 CFR Parts 10 and 11 (proposed); PS Docket No. 22-329; FCC 22-82proposed
USFCCincident reportingCovered 911 service providers and OSPs must gather and maintain up-to-date contact information for 911 special facilities in areas they serve, using special diligence annually to confirm accuracy. [adjacent]
“We require covered 911 service providers and OSPs to annually use special diligence to obtain a 911 special facility's contact information and maintain it up-to-date.”
47 CFR 4.9(a)(4); 47 CFR 9.19(d)(4) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must notify potentially affected 911 special facilities of outages as soon as possible, but no later than 30 minutes after discovering an outage that potentially affects a 911 special facility.
“OSPs and covered 911 service providers shall transmit initial 911 special facility notifications as soon as possible, but no later than 30 minutes after discovering that they have experienced an outage that potentially affects a 911 special facility.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must provide follow-up outage notifications to 911 special facilities with all available material information no later than two hours after the initial notification, and continue updates until the outage is fully resolved.
“will communicate additional material information to potentially affected 911 special facilities as the information becomes available, but no later than two hours after the initial notification.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must include a standardized set of informational elements in all 911 special facility outage notifications, including unique outage ID, provider contact info, outage start time, services affected, geographic area, expected restoration time, best-known cause, and notification type.
“we should require covered 911 service providers and OSPs to provide the following material informational elements in their 911 special facility outage notifications: An identifier unique to each outage; The name, telephone number, and email address at which the notifying service ”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must transmit 911 special facility outage notifications by telephone AND in writing via electronic means, unless an alternative method is mutually agreed upon in writing in advance with the 911 special facility.
“OSPs shall transmit their 911 special facility notifications by telephone and in writing via electronic means in the absence of another method mutually agreed upon in writing in advance by the 911 special facility and the provider.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers must file annual 911 reliability certifications with the FCC addressing the reliability of their 911 systems and retain supporting records for two years.
“continue to require covered 911 service providers to file 911 reliability certifications annually. We find that maintaining an annual frequency for 911 reliability certification is necessary to ensure that our 911 network remains resilient and robust.”
47 CFR 9.19(d)(4)final
USFCCincident reportingCovered 911 service providers and OSPs that rely on third-party service providers to manage, route, or contribute to 911 call processing remain responsible for notifying 911 special facilities within 30 minutes of outage discovery, even if discovery is first made by the third party.
“reliance upon a third-party service provider to manage, route, or otherwise contribute to 911 call processing does not relieve a service provider of its obligation to notify 911 special facilities about outages that potentially affect them within 30 minutes of when the outage is ”
47 CFR 4.9(h) [delayed indefinitely]; 47 CFR 4.9(g)(1)(i)final
USFCCincident reportingOSPs and covered 911 service providers must notify 911 special facilities of outages that potentially affect 911 service even when the outage is a general network outage, not limited to 911-specific services, if that outage prevents delivery of 911 calls.
“When general outages do 'potentially affect a 911 special facility,' however, service providers, including interconnected VoIP providers, must notify 911 special facilities.”
47 CFR 4.9(g)(1)(i); 47 CFR 4.9(h)final
USFCCincident reportingVoIP providers must notify 911 special facilities of outages that potentially affect them, and cannot rely on third-party 911 routing partners to discharge this obligation.
“47 CFR 4.9(g)(1)(i) requires VoIP providers to notify 911 special facilities of outages that potentially affect them... reliance upon a third-party service provider... does not relieve a covered 911 service provider or an OSP, including an interconnected VoIP provider, of the obl”
47 CFR 4.9(g)(1)(i)final
USFCCincident reportingCovered 911 service providers and OSPs must provide all available material outage information to 911 special facilities within 30 minutes of discovery, even if not all required informational elements are yet available, and must not delay notification until complete information is gathered.
“Service providers must provide 911 special facilities with all available material information they have about the outage 30 minutes from the time of discovery, even if the service provider does not have available all the informational elements described above.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingAfter initial notification, covered 911 service providers and OSPs must continue providing material outage updates as information becomes available until the outage is completely repaired and service is fully restored, including a final restoration notification.
“for outages that last longer than two hours, a service provider's obligation to continue to follow up with additional material information as soon as possible after it becomes available continues until the outage is completely repaired and service is fully restored.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must include the outage's best-known cause in 911 special facility notifications; where national security concerns exist, providers may describe the cause at a general level (hardware, software, or network related).
“Including 'best known cause' as an informational element is necessary because, if known, the cause of the outage can provide guidance which might assist the 911 special facility in mitigating the effect of the outage.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must include in outage notifications the expected date and time of service restoration and a statement indicating whether the notification is initial, an update, or the provider's final assessment.
“The expected date and time of restoration, including a notation of the relevant time zone... A statement of whether the message is the notifying service provider's initial notification to the 911 special facility, an update to an initial notification, or a message intended to be ”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must include a unique outage identifier in each 911 special facility outage notification to enable tracking across multiple notifications for the same event.
“An identifier unique to each outage... Commenters overwhelmingly support covered 911 service providers' and OSPs' use of a standardized set of informational elements in their 911 outage reports.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must include in outage notifications a statement of the outage's expected impact on the 911 special facility, including potential loss of ALI/ANI or call delivery issues.
“A statement of the notifying service provider's expectations for how the outage potentially affects the 911 special facility (e.g., dropped calls or missing metadata could include an intermittent, partial, or complete loss of Automatic Location Identification (ALI) or Automatic N”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must provide outage notifications to 911 special facilities identifying the geographic area affected by the outage.
“The geographic area affected by the outage... Commenters overwhelmingly support covered 911 service providers' and OSPs' use of a standardized set of informational elements in their 911 outage reports.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers must address third-party 911 service provider outage notification responsibilities in their 911 service contracts with third parties to ensure compliance with PSAP notification obligations.
“We expect service providers to address these responsibilities within their 911 service contracts with third parties as needed.”
47 CFR 4.9(h) [delayed indefinitely]; paragraph 14 of FCC 22-88final
USFCCincident reportingCovered 911 service providers and OSPs must notify 911 special facilities about outages that potentially affect them regardless of whether the outage is discovered before or after it is resolved, to preserve incentives for rapid outage investigation.
“We also decline the request of CTIA and others to clarify that an OSP is under no obligation to notify a 911 special facility if the OSP discovers an outage only after it has been resolved.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingWireless and satellite providers are exempt from filing network outage reports for outages potentially affecting all 'special offices and facilities' as defined in 47 CFR 4.5(b), not just airports. [adjacent]
“we amend our part 4 rules to expand the outage reporting exemption for satellite and wireless providers to include all 'special offices and facilities' as defined in Sec. 4.5(b), as adopted in the 2016 Part 4 Order.”
47 CFR 4.9(c)(2); 47 CFR 4.9(e)(1) [effective March 17, 2023]final
USFCCincident reportingCovered 911 service providers and OSPs must include the type of communications services affected in their 911 special facility outage notifications.
“The type of communications service(s) affected... Commenters overwhelmingly support covered 911 service providers' and OSPs' use of a standardized set of informational elements in their 911 outage reports.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must include their name and contact information (name, telephone number, email) for follow-up in every 911 special facility outage notification.
“The name, telephone number, and email address at which the notifying service provider can be reached for follow-up; The name of the service provider(s) experiencing the outage.”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingCovered 911 service providers and OSPs must include the date and time of outage commencement (with time zone notation) in all 911 special facility outage notifications.
“The date and time when the incident began (including a notation of the relevant time zone).”
47 CFR 4.9(h) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingProviders must maintain records supporting compliance with the elements of the 911 reliability certification and retain those records for two years, regardless of whether a certification filing is due in a given year. [adjacent]
“Whether or not a covered 911 service provider is required to file an annual certification in a given year, it would still be required to create and maintain records supporting compliance with the elements of the 911 reliability certification and retain those records for two years”
47 CFR 9.19(d)(4)final
USFCCincident reportingCovered 911 service providers and OSPs must report outages meeting threshold criteria that potentially affect 911 special facilities in Initial Communications Outage Reports to the FCC within 72 hours and Final Reports within 30 days of discovering the outage.
“Not later than 72 hours after discovering the outage, the provider shall submit electronically an Initial Communications Outage Report to the Commission. Not later than 30 days after discovering the outage, the provider shall submit electronically a Final Communications Outage Re”
47 CFR 4.9(a)(4) [delayed indefinitely per amendatory instruction 3]final
USFCCincident reportingSubmarine cable licensees must file mandatory outage reports (Notification, Interim Report, and Final Report) for outages of a certain scope and duration via the Network Outage Reporting System (NORS).
“a submarine cable licensee must file a Notification, Interim Report, and Final Report in the manner prescribed in 47 CFR 4.15.”
47 CFR 4.15final
USFCCincident reportingCable providers must submit electronic Notification to FCC within 120 minutes of discovering a qualifying outage (≥30 min duration meeting threshold criteria).
“All cable communications providers shall submit electronically a Notification to the Commission within 120 minutes of discovering that they have experienced...an outage of at least 30 minutes duration”
47 CFR 4.9(a)final
USFCCincident reportingCable providers must submit an Initial Communications Outage Report within 72 hours and a Final Report within 30 days of discovering a qualifying outage. [adjacent]
“Not later than 72 hours after discovering the outage, the provider shall submit electronically an Initial Communications Outage Report...Not later than 30 days after discovering the outage, the provider shall submit electronically a Final Communications Outage Report.”
47 CFR 4.9(a)final
USFCCincident reportingWireline providers must submit electronic Notification within 120 minutes, Initial Report within 72 hours, and Final Report within 30 days of discovering a qualifying outage.
“All wireline communications providers shall submit electronically a Notification to the Commission within 120 minutes of discovering...an outage of at least 30 minutes duration...Not later than 72 hours...Initial...Not later than 30 days...Final.”
47 CFR 4.9(f)final
USFCCincident reportingWireless providers must submit electronic Notification within 120 minutes, Initial Report within 72 hours, and Final Report within 30 days of discovering a qualifying outage.
“All wireless service providers shall submit electronically a Notification to the Commission within 120 minutes of discovering...an outage of at least 30 minutes duration...Not later than 72 hours...Initial...Not later than 30 days...Final.”
47 CFR 4.9(e)(1), 4.9(e)(4)final
USFCCincident reportingSS7 providers must submit electronic Notification within 120 minutes of discovering a qualifying outage, and Initial/Final Reports within 72 hours/30 days respectively.
“Signaling System 7 (SS7) providers shall submit electronically a Notification to the Commission within 120 minutes of discovering...an outage of at least 30 minutes duration...Not later than 72 hours...Initial...Not later than thirty days...Final.”
47 CFR 4.9(d)final
USFCCincident reportingSatellite operators/providers must submit electronic Notification within 120 minutes of discovering a qualifying satellite outage (transponder, beam, inter-satellite link, gateway failure), plus Initial and Final Reports.
“All satellite operators shall submit electronically a Notification to the Commission within 120 minutes of discovering...an outage of at least 30 minutes duration that manifests itself as a failure of any of the following key system elements.”
47 CFR 4.9(c)(1), 4.9(c)(2), 4.9(c)(3)final
USFCCincident reportingInterconnected VoIP providers must submit Notification within 240 minutes for 911/988 facility-affecting outages, or within 24 hours for other qualifying outages; Final Report within 30 days.
“Within 240 minutes of discovering...an outage...that potentially affects a 911 special facility...or within 24 hours of discovering...an outage...that potentially affects at least 900,000 user minutes...results in complete loss of service.”
47 CFR 4.9(g)(1), 4.9(g)(2)final
USFCCincident reportingAll covered providers must notify potentially affected 911 special facilities within 30 minutes of discovering a qualifying 911-affecting outage, via telephone and electronic writing.
“providers shall provide a 911 outage notification to a potentially affected 911 special facility as soon as possible, but no later than within 30 minutes of discovering...an outage that potentially affects a 911 special facility.”
47 CFR 4.9(h)(4)final
USFCCincident reportingCovered providers must send a follow-up notification to 911 facilities no later than 2 hours after initial contact, then continue until full service restoration.
“cable, satellite, wireless, wireline and interconnected VoIP providers shall send the first follow-up notification to potentially affected 911 special facilities no later than two hours after the initial contact.”
47 CFR 4.9(h)(5)final
USFCCincident reportingAll covered providers must maintain and annually confirm current 911 special facility contact information for outage notification purposes.
“providers shall exercise special diligence to identify, maintain, and, on an annual basis, confirm current contact information appropriate for 911 outage notification for each 911 special facility that serves areas that the service provider serves.”
47 CFR 4.9(h)(1)final
USFCCincident reporting911 outage notifications must include all available material information: unique ID, provider contact, outage start time, services affected, geographic area, restoration estimate, cause, and impact statement.
“'material information' includes the following, where available: An identifier unique to each outage...date and time when the incident began...types of communications service(s) affected...geographic area affected...Expected date and time of restoration...best-known cause.”
47 CFR 4.9(h)(2)final
USFCCincident reportingCovered 988 service providers must notify affected 988 special facilities within 30 minutes of discovering a qualifying outage, via telephone and electronic writing.
“Covered 988 service providers shall provide an outage notification to a potentially affected 988 special facility as soon as possible, but no later than within 30 minutes of discovering...an outage that potentially affects a 988 special facility.”
47 CFR 4.9(i)(4)final
USFCCincident reportingCovered 988 service providers must send a follow-up notification to 988 facilities no later than 2 hours after initial contact, then continue updates until full restoration.
“providers shall send the first follow-up notification to potentially affected 988 special facilities no later than two hours after the initial contact...continue to provide material information...until the outage is completely repaired and service is fully restored.”
47 CFR 4.9(i)(5)final
USFCCincident reportingCovered 988 providers must maintain and annually confirm current contact information for 988 special facilities for outage notification purposes.
“covered 988 service providers shall exercise special diligence to identify, maintain, and, on an annual basis, confirm current contact information appropriate for outage notification for each 988 special facility that serves areas that the service provider serves.”
47 CFR 4.9(i)(1)final
USFCCincident reportingSubmarine cable licensees must submit a Notification within 480 minutes (first 3 years) or 240 minutes (after 3 years) of determining a reportable outage.
“The Notification is due within 480 minutes (8 hours) of the time of determining that an event is reportable for the first three years from the effective date of these rules. After three years...Notifications shall be due within 240 minutes (4 hours).”
47 CFR 4.15(b)(2)(ii)final
USFCCincident reportingSubmarine cable licensees must submit an Interim Report within 24 hours of receiving the Plan of Work for a reportable outage.
“The Interim Report is due within 24 hours of receiving the Plan of Work. The Interim Report shall be submitted in good faith.”
47 CFR 4.15(b)(2)(iii)final
USFCCincident reportingSubmarine cable licensees must submit a Final Outage Report within 7 days after repair is completed, including root cause, location, duration, and restoration method.
“The Final Outage Report is due seven (7) days after the repair is completed...Licensees shall provide: the name of the reporting entity; the name of the cable; the date and time of onset of the outage...root cause...restoration method.”
47 CFR 4.15(b)(2)(iv)final
USFCCincident reportingFacilities-based mobile wireless providers must provide emergency roaming under disaster arrangements (RuDs) when technically feasible during ESF-2, DIRS activation, or Commission-declared disaster events.
“Provide for reasonable roaming under disaster arrangements (RuDs) when technically feasible, where: A requesting provider's network has become inoperable and the requesting provider has taken all appropriate steps to attempt to restore its own network.”
47 CFR 4.17(a)(i)final
USFCCincident reportingFacilities-based mobile wireless providers must establish mutual aid arrangements with other providers for sharing physical assets and consultation during disasters.
“Establish mutual aid arrangements with other facilities-based mobile wireless providers for providing aid upon request to those providers during emergencies, where such agreements address the sharing of physical assets and commit to engaging in necessary consultation.”
47 CFR 4.17(a)(ii)final
USFCCincident reportingFacilities-based mobile wireless providers must conduct annual testing of roaming capabilities and coordination processes with providers that may foreseeably roam during disasters.
“Providers subject to the requirements of paragraph (a) of this section are required to perform annual testing of their roaming capabilities and related coordination processes, with such testing performed bilaterally with other providers that may foreseeably roam.”
47 CFR 4.17(b)final
USFCCincident reportingFacilities-based mobile wireless providers must submit reports to FCC within 60 days detailing implementation of Mandatory Disaster Response Initiative provisions after each disaster.
“Providers...are required to submit reports to the Commission detailing the timing, duration, and effectiveness of their implementation of the Mandatory Disaster Response Initiative's provisions...within 60 days of when the Public Safety and Homeland Security Bureau issues a Publi”
47 CFR 4.17(c)final
USFCCincident reportingCable, Wireline, Wireless, and VoIP providers must submit daily DIRS infrastructure status reports during DIRS activation, even when status is unchanged from prior day.
“Cable Communications, Wireline, Wireless, and Interconnected VoIP providers shall be required to report their infrastructure status information each day in the Disaster Information Reporting System (DIRS) when the Commission activates DIRS...even when their reportable infrastruct”
47 CFR 4.18(a)(1)final
USFCCincident reportingCable, Wireline, Wireless, and VoIP providers must submit a single final DIRS report within 24 hours of DIRS deactivation, including infrastructure state and estimated resolution dates.
“Provide a single, final report to the Commission within 24 hours of the Commission's deactivation of DIRS...detailing the state of their infrastructure at the time of DIRS deactivation and an estimated date of resolution of any remaining outages.”
47 CFR 4.18(a)(2)final
USFCCincident reportingIXC/LEC tandem providers must report qualifying outages (≥30 min, ≥90,000 blocked calls or ≥667 OC3-minutes), using real-time or historic traffic data, with notifications and Initial/Final Reports.
“Providers must report IXC and LEC tandem outages of at least 30 minutes duration in which at least 90,000 calls are blocked or at least 667 OC3-minutes are lost...Providers may use historic carried call load data.”
47 CFR 4.9(b)final
USFERCcyber ot securityResponsible entities adopting virtualization must comply with 11 modified CIP Reliability Standards (CIP-002-7 through CIP-013-3) governing cyber security of BES Cyber Systems in virtualized environments. [adjacent]
“we approve the 11 proposed modified CIP Reliability Standards as just, reasonable, not unduly discriminatory or preferential, and in the public interest.”
18 CFR Part 40; Order No. 919, Section II.A, Para. 17final
USFERCcyber ot securityResponsible entities must maintain documentation adequate to demonstrate compliance with the 11 approved virtualization CIP Reliability Standards. [adjacent]
“Responsible entities, however, will be required to maintain documentation adequate to demonstrate compliance with the Reliability Standards approved by this final rule.”
Order No. 919, Section III, Para. 43final
USFERCcyber ot securityNERC must develop a clear set of criteria promoting consistency to ensure responsible entities understand the parameters for invoking the per system capability exception, documentation requirements, and the obligation to implement alternative mitigation. [adjacent]
“a clear set of criteria that promote consistency and ensure that responsible entities understand the parameters for invoking the per system capability exception, documentation requirements, and the obligation to implement alternative mitigation”
Order No. 919, Section II.B, Para. 33(1); Para. 34final
USFERCcyber ot securityNERC must develop mandatory reporting requirements to the ERO Enterprise for responsible entities that invoke the per system capability exception language, covering the relevant CIP standard/requirement, need for exception, and alternative mitigation description. [adjacent]
“mandatory reporting requirements to the ERO Enterprise (i.e., the relevant Regional Entity, NERC, or both) for responsible entities that invoke the per system capability language”
Order No. 919, Section II.B, Para. 33(2); Para. 36final
USFERCcyber ot securityResponsible entities that invoke the per system capability exception must report to the ERO Enterprise, including the relevant CIP Reliability Standard and Requirement, explanation of the need for the exception, and description of alternative mitigation. [adjacent]
“including the relevant CIP Reliability Standard and Requirement, an explanation of the need for the exception, description of alternative mitigation, and any other fields of information that NERC determines are useful for monitoring exceptions”
Order No. 919, Section II.B, Para. 36final
USFERCcyber ot securityResponsible entities invoking the per system capability exception must implement alternative mitigation measures that achieve the underlying security objective of the applicable CIP Requirement. [adjacent]
“the obligation to implement alternative mitigation... we believe that clear guidance is vital to ensure (1) that responsible entities properly identify, document and mitigate per system capability exceptions”
Order No. 919, Section II.B, Para. 33(1); Para. 34final
USFERCcyber ot securityNERC must submit an annual report to the Commission with anonymized, aggregated data on responsible entity usage of per system capability exceptions, beginning 12 months after mandatory compliance. [adjacent]
“NERC must submit an annual report to the Commission that provides adequate data and analysis on responsible entity usage of the per system capability exception... filed with the Commission 12 months after compliance with the 11 virtualization Reliability Standards becomes mandato”
Order No. 919, Section II.B, Para. 33(3); Para. 37-38final
USFERCcyber ot securityNERC's annual report to the Commission must include: total entities with active per system capability exceptions, total exceptions by region, comparison to prior period, categorization by applicable CIP Requirements, types of assets with new exceptions, and types of mitigation employed. [adjacent]
“The total number of registered entities with active per system capability exceptions... Categorization of active per system capability exceptions by applicable Requirements covered... Generalized discussion indicating the types of assets and/or systems... Discussion on types of m”
Order No. 919, Section II.B, Para. 37final
USFERCcyber ot securityNERC must ensure the per system capability exception program criteria are available in time for early adoption of the 11 proposed CIP Reliability Standards by responsible entities choosing to comply early. [adjacent]
“we also direct NERC to ensure the per system capability exception program with the above criteria is available in time for the early adoption of the 11 proposed CIP Reliability Standards by responsible entities that choose to comply early.”
Order No. 919, Section II.B, Para. 35final
USFERCcyber ot securityResponsible entities must comply with CIP-008-7.1 (Cyber Security—Incident Reporting and Response Planning) as modified for virtualized environments.
“CIP-008-7.1 (Cyber Security--Incident Reporting and Response Planning)”
Order No. 919, Section II.A, Para. 17; CIP-008-7.1final
USFERCcyber ot securityResponsible entities must comply with CIP-007-7.1 (Cyber Security—Systems Security Management) as modified to manage security of virtualized BES Cyber Systems. [adjacent]
“CIP-007-7.1 (Cyber Security--Systems Security Management)”
Order No. 919, Section II.A, Para. 17; CIP-007-7.1final
USFERCcyber ot securityResponsible entities must comply with CIP-005-8 (Cyber Security—Electronic Security Perimeter(s)) as modified to accommodate non-perimeter security models for virtualized environments. [adjacent]
“CIP-005-8 (Cyber Security--Electronic Security Perimeter(s))”
Order No. 919, Section II.A, Para. 17; CIP-005-8final
USFERCcyber ot securityResponsible entities must comply with CIP-010-5 (Cyber Security—Configuration Change Management and Vulnerability Assessments) as modified to address dynamic configuration management in virtualized environments. [adjacent]
“CIP-010-5 (Cyber Security--Configuration Change Management and Vulnerability Assessments)”
Order No. 919, Section II.A, Para. 17; CIP-010-5final
USFERCcyber ot securityResponsible entities must comply with CIP-013-3 (Cyber Security—Supply Chain Risk Management) as modified for virtualized environments, managing third-party and ICT supply chain risks. [adjacent]
“CIP-013-3 (Cyber Security--Supply Chain Risk Management)”
Order No. 919, Section II.A, Para. 17; CIP-013-3final
USFERCcyber ot securityResponsible entities must comply with CIP-006-7.1 (Cyber Security—Physical Security of BES Cyber Systems) as modified to address physical security in virtualized environments. [adjacent]
“CIP-006-7.1 (Cyber Security--Physical Security of BES Cyber Systems)”
Order No. 919, Section II.A, Para. 17; CIP-006-7.1final
USFERCcyber ot securityResponsible entities that invoke the per system capability exception must document the system's capability limitation and demonstrate during compliance monitoring that the incapability prevents implementing the required control. [adjacent]
“the Responsible Entity will need to document the limit to the system's capability and demonstrate during compliance monitoring activities that the system's incapability prevents the Responsible Entity from implementing the control within the requirement.”
Order No. 919, Section I.D, Para. 11; Section II.B, Para. 34final
USFERCcyber ot securityNERC must develop mandatory reporting requirements through Align or another mechanism collecting from entities: the relevant CIP standard/requirement, explanation of exception need, description of alternative mitigation, and other fields useful for monitoring. [adjacent]
“the ERO Enterprise must develop mandatory reporting requirements through a request for data--through Align or another reporting mechanism--on basic information from entities using the per system capability exceptions”
Order No. 919, Section II.B, Para. 36final
USFERCcyber ot securityEstablish and implement documented cyber security policies and processes for low impact BES Cyber Systems covering physical security, electronic access, and incident response controls. [adjacent]
“Reliability Standard CIP-003-11, Requirement R2 and Section 4 of Attachment 1 require entities to have Cyber Security Incident Response plans for low impact BES Cyber Systems, including identification, classification, and response to Cyber Security Incidents.”
CIP-003-11 Requirement R2final
USFERCcyber ot securityImplement physical security controls for assets containing low impact BES Cyber Systems as specified in Attachment 1, Section 2. [adjacent]
“R2, Attachment 1, Section 2, Physical Security Controls.”
CIP-003-11 Requirement R2, Attachment 1, Section 2final
USFERCcyber ot securityImplement electronic access controls for low impact BES Cyber Systems as specified in Attachment 1, Section 3. [adjacent]
“R2, Attachment 1, Section 3, Electronic Access Controls.”
CIP-003-11 Requirement R2, Attachment 1, Section 3final
USFERCcyber ot securityAuthenticate remote users accessing assets containing low impact BES Cyber Systems with external routable connectivity. [adjacent]
“adding controls to authenticate remote users, protecting authentication information in transit, and detecting malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity.”
CIP-003-11 Requirement R2, Attachment 1, Section 3.1final
USFERCcyber ot securityProtect authentication information in transit for remote access to low impact BES Cyber Systems. [adjacent]
“protecting the authentication information in transit”
CIP-003-11 Requirement R2, Attachment 1, Section 3.1.1final
USFERCcyber ot securityImplement controls addressing Section 3.1.2 requirements for electronic access to low impact BES Cyber Systems (estimated 20 hours implementation burden per entity). [adjacent]
“R2, Attachment 1, Section 3.1.2....... 1,673 1 1,673 20 hrs.; $1,940”
CIP-003-11 Requirement R2, Attachment 1, Section 3.1.2final
USFERCcyber ot securityImplement controls addressing Section 3.1.3 requirements for electronic access to low impact BES Cyber Systems (estimated 60 hours implementation burden per entity). [adjacent]
“R2, Attachment 1, Section 3.1.3....... 1,673 1 1,673 60 hrs.; $5,820”
CIP-003-11 Requirement R2, Attachment 1, Section 3.1.3final
USFERCcyber ot securityImplement controls addressing Section 3.1.4 requirements for electronic access to low impact BES Cyber Systems (estimated 60 hours implementation burden per entity). [adjacent]
“R2, Attachment 1, Section 3.1.4....... 1,673 1 1,673 60 hrs.; $5,820”
CIP-003-11 Requirement R2, Attachment 1, Section 3.1.4final
USFERCcyber ot securityImplement controls addressing Section 3.1.5 requirements for electronic access to low impact BES Cyber Systems. [adjacent]
“R2, Attachment 1, Section 3.1.5....... 1,673 1 1,673 1 hr.; $97”
CIP-003-11 Requirement R2, Attachment 1, Section 3.1.5final
USFERCcyber ot securityImplement controls addressing Section 3.1.6 requirements for electronic access to low impact BES Cyber Systems. [adjacent]
“R2, Attachment 1, Section 3.1.6....... 1,673 1 1,673 1 hr.; $97”
CIP-003-11 Requirement R2, Attachment 1, Section 3.1.6final
USFERCcyber ot securityImplement controls addressing Section 3.2 requirements for electronic access to low impact BES Cyber Systems. [adjacent]
“R2, Attachment 1, Section 3.2......... 1,673 1 1,673 1 hr.; $97”
CIP-003-11 Requirement R2, Attachment 1, Section 3.2final
USFERCcyber ot securityDetect malicious communications to or from assets containing low impact BES Cyber Systems with external routable connectivity, expanded beyond vendor-based electronic access to all traffic. [adjacent]
“The expansion of detection requirements to include all traffic into or out of a low impact BES Cyber System, as opposed to just detecting malicious traffic in vendor-based electronic access.”
CIP-003-11 Requirement R2, Attachment 1, Section 3final
USFERCcyber ot securityEstablish and maintain Cyber Security Incident Response plans for low impact BES Cyber Systems covering identification, classification, and response to Cyber Security Incidents.
“Reliability Standard CIP-003-11, Requirement R2 and Section 4 of Attachment 1 require entities to have Cyber Security Incident Response plans for low impact BES Cyber Systems, including identification, classification, and response to Cyber Security Incidents.”
CIP-003-11 Requirement R2, Attachment 1, Section 4final
USFERCcyber ot securityMaintain documentation adequate to demonstrate compliance with CIP-003-11 for periodic NERC/FERC audits. [adjacent]
“Responsible entities, however, will be required to maintain documentation adequate to demonstrate compliance with the Reliability Standard approved by this final rule.”
18 CFR Part 40; CIP-003-11 (Order No. 918, Information Collection Statement para. 26)final
USFERCcyber ot securityPROPOSED: Entities with assets containing low impact BES Cyber Systems must document and maintain plans that include controls specified in Attachment 1 of CIP-003-11.
“requires entities with assets containing low impact BES Cyber Systems to document and maintain plans that include controls specified in Attachment 1 of the Standard.”
CIP-003-11 Requirement R1 / R2; 18 CFR Part 40proposed
USFERCcyber ot securityPROPOSED: Entities must implement controls to detect malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity. [adjacent]
“proposed Attachment 1, Section 3.1.2 would expand the scope of Reliability Standard CIP-003 to include all communications, rather than only vendor specific communications.”
CIP-003-11 Attachment 1, Section 3.1.2proposed
USFERCcyber ot securityPROPOSED: Entities must implement controls to authenticate users prior to permitting access to networks containing low impact BES Cyber Systems or Shared Cyber Infrastructure supporting a low impact BES Cyber System. [adjacent]
“proposed Attachment 1, Section 3.1.3 would mitigate the risk of unauthenticated access to networks on which low impact BES Cyber Systems reside; specifically, it would require entities to implement controls to authenticate users prior to permitting access.”
CIP-003-11 Attachment 1, Section 3.1.3proposed
USFERCcyber ot securityPROPOSED: Entities must protect user authentication information while in transit between a remote user's Cyber Asset and the asset containing low impact BES Cyber Systems or the entity's authentication system. [adjacent]
“proposed Attachment 1, Section 3.1.4 would require responsible entities to protect their user authentication information while in transit between a remote user's Cyber Asset and either the asset containing the low impact BES Cyber Systems or the entity's authentication system.”
CIP-003-11 Attachment 1, Section 3.1.4proposed
USFERCcyber ot securityPROPOSED: Entities must implement electronic access controls covering all electronic access (not just vendor remote access) to assets containing low impact BES Cyber Systems. [adjacent]
“NERC also states that the proposed changes remove the word 'remote' from the phrase 'electronic remote access' as the section would now include all electronic access.”
CIP-003-11 Attachment 1, Section 3proposed
USFERCcyber ot securityPROPOSED: Entities must create one or more documented process(es) implementing the security management controls required under CIP-003-11 Requirement R2. [adjacent]
“Create one or more documented process(es) (R2).”
CIP-003-11 Requirement R2proposed
USFERCcyber ot securityPROPOSED: Entities must implement physical security controls for assets containing low impact BES Cyber Systems as specified in Attachment 1, Section 2. [adjacent]
“R2, Attachment 1, Section 2, Physical Security Controls.”
CIP-003-11 Attachment 1, Section 2proposed
USFERCcyber ot securityPROPOSED: Entities must revise their cyber security policies, plans, and procedures to reflect the new controls introduced by CIP-003-11. [adjacent]
“NERC explains that its proposed implementation plan reflects the time needed for entities to: (1) revise their cyber security policy, plan, and procedures.”
CIP-003-11 Requirement R1; 18 CFR Part 40proposed
USFERCcyber ot securityPROPOSED: Implement CIP-008-7.1 Incident Reporting and Response Planning, updated to address cyber security incidents in virtualized and shared cyber infrastructure environments.
“CIP-008-7.1 (Cyber Security--Incident Reporting and Response Planning)”
18 CFR Part 40; CIP-008-7.1proposed
USFERCcyber ot securityPROPOSED: Implement CIP-007-7.1 Systems Security Management with security objective of preventing unneeded routable protocol network accessibility in virtualized environments, replacing prior port/service disabling requirement. [adjacent]
“proposed Reliability Standard CIP-007-7.1, Requirement R1, holds the security objective of preventing unneeded routable protocol network accessibility, thereby accommodating more varied security controls.”
18 CFR Part 40; CIP-007-7.1, Requirement R1proposed
USFERCcyber ot securityPROPOSED: Implement CIP-005-8 Electronic Security Perimeter(s) to secure communications to and from BES Cyber Systems, accommodating both perimeter-based and policy-based security models for virtualized environments. [adjacent]
“NERC proposed to revise the standard to focus on the security objective of securing communications to and from BES Cyber Systems.”
18 CFR Part 40; CIP-005-8, Requirements R1.3, R1.4, R2proposed
USFERCcyber ot securityPROPOSED: Implement CIP-010-5 Configuration Change Management and Vulnerability Assessments using forward-looking change authorization approach accommodating dynamic virtualized environments, beyond baseline-only configuration management. [adjacent]
“proposed revisions to the Standards would let responsible entities focus more on a forward-looking authorization of a change rather than a backward-looking baseline update for compliance purposes.”
18 CFR Part 40; CIP-010-5, Requirements R2.1, R3.2proposed
USFERCcyber ot securityPROPOSED: Implement CIP-006-7.1 Physical Security of BES Cyber Systems updated for virtualized environments, applying physical protections where needed rather than relying on one-to-one hardware-software relationships. [adjacent]
“CIP-006-7.1 (Cyber Security--Physical Security of BES Cyber Systems)”
18 CFR Part 40; CIP-006-7.1, Requirement R1.3proposed
USFERCcyber ot securityPROPOSED: Implement CIP-002-7 BES Cyber System Categorization reflecting updated definitions including Cyber System, Virtual Cyber Asset, Shared Cyber Infrastructure, and Management Interface. [adjacent]
“CIP-002-7 (Cyber Security--BES Cyber System Categorization)”
18 CFR Part 40; CIP-002-7proposed
USFERCcyber ot securityPROPOSED: Implement CIP-011-4.1 Information Protection updated for virtualized environments, applying information protection controls to BES Cyber System Information in virtual and shared cyber infrastructure. [adjacent]
“CIP-011-4.1 (Cyber Security--Information Protection)”
18 CFR Part 40; CIP-011-4.1proposed
USFERCcyber ot securityPROPOSED: Implement CIP-013-3 Supply Chain Risk Management updated to address cyber security risks in supply chains for virtualized and emerging technology components used in BES Cyber Systems. [adjacent]
“CIP-013-3 (Cyber Security--Supply Chain Risk Management)”
18 CFR Part 40; CIP-013-3proposed
USFERCcyber ot securityPROPOSED: Implement CIP-004-8 Personnel & Training updated to address security awareness and access management for virtualized BES Cyber System environments. [adjacent]
“CIP-004-8 (Cyber Security--Personnel & Training)”
18 CFR Part 40; CIP-004-8proposed
USFERCcyber ot securityPROPOSED: Implement CIP-003-10 Security Management Controls updated for virtualized environments, including management of Shared Cyber Infrastructure and Virtual Cyber Assets under the security management framework. [adjacent]
“CIP-003-10 (Cyber Security--Security Management Controls)”
18 CFR Part 40; CIP-003-10proposed
USFERCcyber ot securityPROPOSED: Where a responsible entity invokes the 'per system capability' exception in lieu of a required CIP control, document the identified limit to system capability and retain documentation for review upon audit or other compliance activity. [adjacent]
“the Responsible Entity will need to document the limit to the system's capability and demonstrate during compliance monitoring activities that the system's incapability prevents the Responsible Entity from implementing the control”
18 CFR Part 40; CIP-005-8 R1.3, R1.4, R2; CIP-006-7.1 R1.3; CIP-007-7.1 R1.1, R4.1-R4.3, R5.1, R5.4, R5.6-R5.7; CIP-009-7.1 R1.5; CIP-010-5 R2.1, R3.2proposed
USFERCcyber ot securityPROPOSED: Maintain documentation adequate to demonstrate compliance with all modified CIP Reliability Standards, to be made available for periodic Commission and NERC staff audits. [adjacent]
“Entities, however, are required to maintain documentation adequate to demonstrate compliance with the proposed Reliability Standards. Commission and NERC staff conduct periodic audits of entities and auditors rely on the entity's documentation.”
18 CFR Part 40; NOPR Section IV (paragraph 28)proposed
USFERCoperational resilienceEach generator owner of a NERC-registered IBR must ensure the design and operation is such that each IBR meets or exceeds Ride-through requirements in accordance with the 'must Ride-through zone' as specified in Attachment 1 of PRC-029-1.
“each generator owner of a NERC-registered IBR must "ensure the design and operation is such that each IBR meets or exceeds Ride-through requirements, in accordance with the 'must Ride-through zone' as specified in Attachment 1"”
Reliability Standard PRC-029-1, Requirement R1final
USFERCoperational resilienceEach generator owner of a NERC-registered IBR must adhere to voltage ride-through performance criteria during system disturbances, unless a documented hardware limitation exists in accordance with Requirement R4.
“each generator owner of a NERC-registered IBR must adhere to voltage ride-through performance criteria during system disturbances, unless a documented hardware limitation exists in accordance with Requirement R4.”
Reliability Standard PRC-029-1, Requirement R2final
USFERCoperational resilienceEach generator owner of a NERC-registered IBR must ensure its IBR adheres to ride-through requirements during frequency excursion events by continuing to exchange current and remain electrically connected per Attachment 2, while absolute RoCoF magnitude is ≤5 Hz/second, unless a documented hardware limitation exists under R4.
“each generator owner of a NERC-registered IBR must ensure that its IBR adheres to ride-through requirements during frequency excursion events by continuing to exchange current and remain electrically connected in accordance with the "must ride-through zone," as specified in the p”
Reliability Standard PRC-029-1, Requirement R3final
USFERCoperational resilienceEach generator owner of an existing legacy IBR seeking an exemption from Requirements R1-R3 must document information supporting the identified hardware limitation that prevents the IBR from meeting ride-through criteria. [adjacent]
“Each Generator Owner identifying an IBR that is in-service by the effective date of PRC-029-1, has known hardware limitations that prevent the IBR from meeting Ride-through criteria as detailed in Requirements R1-R3, and requires an exemption from specific Ride-through criteria s”
Reliability Standard PRC-029-1, Requirement R4final
USFERCoperational resilienceGenerator owners of synchronous generators, synchronous condensers, and type 1 and type 2 wind resources must ensure frequency and voltage protection settings remain within ride-through compatible ranges per PRC-024-4.
“proposed Reliability Standard PRC-024-4 would continue to address ride-through compatible frequency and voltage protection setting ranges for synchronous generators, synchronous condensers, and type 1 and type 2 wind resources.”
Reliability Standard PRC-024-4, Requirements R1-R4final
USFERCoperational resilienceNERC must, within 12 months of the effective date of this final rule, submit to the Commission its determination whether and how to address HVDC-connected IBR exceptions under R1 and long-lead time project exemptions under R4, and any proposed modifications to PRC-029-1. [adjacent]
“Within 12 months of the effective date of this final rule, we direct NERC to submit to the Commission its determination and, if it deems appropriate, any proposed modifications to Reliability Standard PRC-029-1.”
Order No. 909, paragraph 4final
USFERCoperational resilienceNERC must submit an informational filing to the Commission 18 months after the conclusion of the PRC-029-1 exemption request period, assessing the reliability impact of the exemptions granted under the Standard. [adjacent]
“we also direct NERC to submit, to the Commission, an informational filing 18 months after the conclusion of the exemption request period in proposed Reliability Standard PRC-029-1, Requirement R4 that assesses the reliability impact of the exemptions to the Standard.”
Order No. 909, paragraph 2final
USFERCoperational resilienceIBRs must inject current and remain connected to the Bulk-Power System—prohibiting momentary cessation—within the no-trip zone during voltage or frequency disturbances, as a condition of satisfying ride-through requirements.
“the provision in proposed Requirement R1 requiring IBRs to meet or exceed ride-through requirements in Attachment 1 of proposed Reliability Standard PRC-029-1 that restricts the use of momentary cessation satisfies the directive to prohibit momentary cessation in the no-trip zone”
Reliability Standard PRC-029-1, Requirement R1 and Requirement R2final
USFERCoperational resilienceIBRs must achieve unrestricted post-disturbance ramp rates and return to pre-disturbance power output levels following a voltage or frequency system disturbance.
“proposed Reliability Standard PRC-029-1 advances the reliability of the Bulk-Power System by establishing voltage and frequency ride-through criteria for IBRs to prevent unnecessary tripping and momentary cessation and ensuring that post-disturbance ramp rates are unrestricted an”
Reliability Standard PRC-029-1, Requirement R1 and Requirement R2final
USFERCoperational resilienceFuture IBR projects (not in-service by the effective date of PRC-029-1) must fully satisfy all ride-through performance requirements of PRC-029-1; no exemption is available for new or long-lead time projects.
“to the extent that NERC develops modifications pertaining to long-lead time projects, this final rule should serve as notice that future IBR projects must fully satisfy the ride-through performance requirements (and not later dates as suggested by some commenters).”
Order No. 909, paragraph 5final
USFERCcyber ot securityImplement processes to monitor, detect, and evaluate anomalous activity in networks protected by the Electronic Security Perimeter for high impact BES Cyber Systems and medium impact BES Cyber Systems with external routable connectivity. [adjacent]
“responsible entities would be required to implement process(es) to monitor, detect, and evaluate anomalous activity in 'networks protected by the Responsible Entity's Electronic Security Perimeter(s)'”
CIP-015-1 Requirement R1final
USFERCcyber ot securityImplement processes for retaining INSM data associated with anomalous network activity as determined by the applicable responsible entities. [adjacent]
“responsible entities would be required to implement process(es) for retaining INSM data associated with anomalous network activity as determined by the applicable responsible entities.”
CIP-015-1 Requirement R2final
USFERCcyber ot securityImplement processes to protect INSM monitoring data against unauthorized deletion or modification to maintain integrity of logs and evidence. [adjacent]
“responsible entities would be required to implement process(es) to protect INSM monitoring data collected and retained in support of Requirements R1 and R2 to guard against the risk of unauthorized deletion or modification.”
CIP-015-1 Requirement R3final
USFERCcyber ot securityExtend INSM implementation to include EACMS and PACS outside of the Electronic Security Perimeter, covering network segments connected to, between, and internal to such systems. [adjacent]
“we direct NERC, pursuant to section 215(d)(5) of the FPA, to develop and file within 12 months of the effective date of this final rule modifications to Reliability Standard CIP-015-1 to extend INSM implementation to EACMS and PACS outside of the electronic security perimeter.”
18 CFR Part 40, Order No. 907, Section II.B (FPA §215(d)(5) directive); para. 19 and 47final
USFERCcyber ot securityApply INSM to east-west traffic within EACMS networks, between EACMS and PACS networks, and within PACS networks outside the Electronic Security Perimeter as part of the CIP-networked environment. [adjacent]
“the scope of CIP-networked environment includes the systems within the electronic security perimeter and one or more of the following: (1) network segments that are connected to EACMS and PACS outside of the electronic security perimeter; (2) network segments between EACMS and PA”
18 CFR Part 40, Order No. 907, para. 43-45final
USFERCcyber ot securityInclude communications between PACS and controllers and communications to/from EACMS used solely for electronic access monitoring within the INSM monitoring scope. [adjacent]
“communication between PACS and controllers and communications to and from EACMS used solely for electronic access monitoring are included in the term CIP-networked environment.”
18 CFR Part 40, Order No. 907, para. 45final
USFERCcyber ot securityImplement INSM for all high impact BES Cyber Systems with and without external routable connectivity to detect anomalous network activity indicating an ongoing attack. [adjacent]
“Reliability Standard CIP-015-1 requires INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity to ensure the identification of anomalous network activity indicating an ongo”
CIP-015-1 Requirement R1; 18 CFR Part 40, Order No. 907, para. 2final
USFERCcyber ot securityImplement INSM for medium impact BES Cyber Systems with external routable connectivity to detect anomalous network activity. [adjacent]
“Reliability Standard CIP-015-1 requires INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity”
CIP-015-1 Requirement R1; 18 CFR Part 40, Order No. 907, para. 2final
USFERCcyber ot securityDevelop a baseline of normal network activity within the CIP-networked environment as the foundation for anomaly detection under INSM. [adjacent]
“the new or modified CIP Reliability Standards should address the need for each responsible entity to develop a baseline for their network activity by analyzing for security purposes their network traffic and data flows.”
18 CFR Part 40, Order No. 907, para. 11; CIP-015-1 Requirement R1final
USFERCcyber ot securityMonitor and detect unauthorized activity, connections, devices, network communication protocols, and software within the CIP-networked environment. [adjacent]
“the new or modified CIP Reliability Standards should address the need for responsible entities to monitor and detect 'unauthorized activity, connections, devices, network communication protocols, and software' in the CIP-networked environment.”
18 CFR Part 40, Order No. 907, para. 11; CIP-015-1 Requirement R1final
USFERCcyber ot securityLog network traffic within the CIP-networked environment as part of INSM implementation. [adjacent]
“the methods ensure: (1) logging of network traffic; (2) maintaining the logs, and other data collected, regarding network traffic that are of 'sufficient data fidelity to draw meaningful conclusions' to investigate an incident”
18 CFR Part 40, Order No. 907, para. 11; CIP-015-1 Requirement R1final
USFERCcyber ot securityMaintain INSM logs and collected data at sufficient fidelity to support meaningful incident investigation.
“maintaining the logs, and other data collected, regarding network traffic that are of 'sufficient data fidelity to draw meaningful conclusions' to investigate an incident”
18 CFR Part 40, Order No. 907, para. 11; CIP-015-1 Requirement R2final
USFERCcyber ot securityEmploy measures to maintain integrity of INSM logs and data by minimizing the likelihood of an attacker removing evidence of their tactics, techniques, and procedures. [adjacent]
“maintaining the integrity of the logs and other data by employing measures that minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures.”
18 CFR Part 40, Order No. 907, para. 11; CIP-015-1 Requirement R3final
USFERCcyber ot securityApply a risk-based rationale when implementing network activity monitoring inside and outside the Electronic Security Perimeter under Requirement R1.1. [adjacent]
“responsible entities can take certain steps to mitigate the cost impacts of extending INSM to EACMS and PACS outside the electronic security perimeter by implementing INSM in a risk-based manner pursuant to Requirement R1.1 of proposed Reliability Standard CIP-015-1.”
CIP-015-1 Requirement R1.1; 18 CFR Part 40, Order No. 907, para. 53final
USFERCcyber ot securityDefine incident alert thresholds and establish baselines for normal network activity to reduce INSM data volume requiring retention and protection. [adjacent]
“a responsible entity could define incident alert thresholds and establish a baseline for normal network activity that could reduce the cost of retaining and protecting INSM data under Requirements R2 and R3, respectively, by reducing the amount of INSM data responsible entities m”
CIP-015-1 Requirements R1, R2, R3; 18 CFR Part 40, Order No. 907, para. 53final
USFERCotherComply with WGQ Cybersecurity Related Standards (Version 4.0) governing security of electronic communications and transactions among parties. [adjacent]
“WGQ Cybersecurity Related Standards (Version 4.0, September 29, 2023)”
18 CFR 284.12(a)(1)(viii)final
USFERCrisk resilience assessmentEach transmission provider must file a one-time informational report describing current or planned policies and processes for conducting extreme weather vulnerability assessments of jurisdictional transmission assets and operations.
“we direct each transmission provider to file, in the above-captioned dockets, a one-time informational report on its extreme weather vulnerability assessment and risk mitigation efforts within 120 days of the publication of this final rule”
18 CFR Part 141, Order No. 897 (Final Rule, Docket RM22-16-000)final
USFERCrisk resilience assessmentTransmission providers must report on how they establish the scope of their extreme weather vulnerability assessments, including how they define extreme weather for assessment purposes.
“transmission providers: (1) establish a scope; (2) develop inputs; (3) identify vulnerabilities and exposure to extreme weather hazards; (4) estimate the costs of impacts in their extreme weather vulnerability assessments”
18 CFR Part 141, Order No. 897, Appendix A, Section A (Scope)final
USFERCrisk resilience assessmentTransmission providers must report on how they develop inputs for their extreme weather vulnerability assessments, including data sources and climate projections used.
“whether, and if so how, transmission providers: (1) establish a scope; (2) develop inputs; (3) identify vulnerabilities and exposure to extreme weather hazards; (4) estimate the costs of impacts”
18 CFR Part 141, Order No. 897, Appendix A, Section B (Inputs)final
USFERCrisk resilience assessmentTransmission providers must report on how they identify vulnerabilities and exposure of jurisdictional transmission assets and operations to extreme weather hazards.
“identify vulnerabilities and exposure to extreme weather hazards...for the purpose of these reports, we define an extreme weather vulnerability assessment as an analysis that identifies where and under what conditions jurisdictional transmission assets and operations are at risk”
18 CFR Part 141, Order No. 897, Appendix A, Section C (Vulnerabilities and Exposure to Extreme Weather Hazards)final
USFERCrisk resilience assessmentTransmission providers must report on how they estimate the costs of impacts from extreme weather events on jurisdictional transmission assets and operations. [adjacent]
“estimate the costs of impacts in their extreme weather vulnerability assessments”
18 CFR Part 141, Order No. 897, Appendix A, Section D (Costs of Impacts)final
USFERCrisk resilience assessmentTransmission providers must report on how they use the results of extreme weather vulnerability assessments to develop risk mitigation measures, including resilience investments and system recoverability measures.
“use the results of those assessments to develop risk mitigation measures...extreme weather resilience efforts can take many forms but generally involve both measures to prevent or minimize damage to vulnerable assets...and to manage the consequences of such damage when it occurs ”
18 CFR Part 141, Order No. 897, Appendix A, Section E (Risk Mitigation)final
USFERCrisk resilience assessmentRTOs/ISOs that are public utilities must file one-time informational reports, in addition to or in lieu of transmission owner member filings, covering regional extreme weather vulnerability assessment policies and processes.
“the reports we are proposing herein would be filed by either the public utility members of RTOs/ISOs, the RTOs/ISOs themselves, or both, as well as other public utility transmission providers outside of RTO/ISO regions”
18 CFR Part 141, Order No. 897, Docket RM22-16-000, PP 47-50final
USFERCrisk resilience assessmentTransmission providers must include in their reports their policies for considering affected communities (including disadvantaged, vulnerable, and frontline communities) in extreme weather vulnerability assessments. [adjacent]
“we revise questions 8 and 19...by replacing references to disadvantaged and vulnerable communities, and affected and frontline communities, respectively, with the term 'affected communities'...any other community or stakeholder group respondents consider in their extreme weather ”
18 CFR Part 141, Order No. 897, Appendix A, Questions 8 and 19final
USFERCrisk resilience assessmentTransmission providers that do not currently conduct extreme weather vulnerability assessments must report whether they have planned policies and processes for doing so in the future.
“the Commission did not intend in the NOPR to require transmission providers to conduct extreme weather vulnerability assessments where they do not do so already...the proposed reporting requirement was meant only to capture plans that have already been made, but not yet been impl”
18 CFR Part 141, Order No. 897, Docket RM22-16-000, P 32final
USFERCrisk resilience assessmentTransmission providers whose vulnerability assessment policies and processes differ from the five topic areas described by FERC must still describe the policies and processes that most closely align with those topics.
“If respondents' policies and processes for developing their own extreme weather vulnerability assessments differ from those the Commission described, the Commission proposed to require that transmission providers still describe in their one-time reports the policies and processes”
18 CFR Part 141, Order No. 897, Docket RM22-16-000, P 33final
USFERCoperational resilienceNERC must develop and submit a new or modified Reliability Standard requiring transmission system planning for extreme heat and cold weather events affecting Bulk-Power System reliable operation.
“directs the North American Electric Reliability Corporation...to submit a new Reliability Standard or modifications to Reliability Standard TPL-001-5.1 that addresses concerns pertaining to transmission system planning for extreme heat and cold weather events”
18 CFR Part 40, Order No. 896, Para. 1 / FPA §215(d)(5)final
USFERCoperational resilienceThe new/modified Reliability Standard must require development of benchmark planning cases based on major prior extreme heat and cold weather events and/or meteorological projections.
“development of benchmark planning cases based on information such as major prior extreme heat and cold weather events and/or future meteorological projections”
18 CFR Part 40, Order No. 896, Para. 6(1) / Para. 35final
USFERCoperational resilienceThe new/modified Reliability Standard must require planning for extreme heat and cold events using steady state and transient stability analyses covering a range of extreme weather scenarios including resource mix availability.
“planning for extreme heat and cold weather events using steady state and transient stability analyses expanded to cover a range of extreme weather scenarios including expected availability of the resource mix during extreme heat and cold weather conditions”
18 CFR Part 40, Order No. 896, Para. 6(2) / Para. 27final
USFERCoperational resilienceThe new/modified Reliability Standard must require development of corrective action plans to mitigate instances where performance requirements during extreme heat and cold weather events are not met.
“development of corrective action plans that mitigate specified instances where performance requirements during extreme heat and cold weather events are not met”
18 CFR Part 40, Order No. 896, Para. 6(3) / Para. 27final
USFERCoperational resilienceNERC must submit the proposed new or modified Reliability Standard no later than 18 months from publication of the final rule (i.e., by December 23, 2024). [adjacent]
“We direct NERC to submit the proposed new or modified Reliability Standard no later than 18 months from the publication of this final rule in the Federal Register.”
18 CFR Part 40, Order No. 896, Para. 7 / Para. 28final
USFERCoperational resilienceNERC must develop a phased-in implementation timeline for the new/modified standard requirements that begins within 12 months of Commission approval. [adjacent]
“we direct NERC to develop a phased-in implementation timeline for the different requirements of the new or modified Reliability Standard...that shall begin within 12 months of the effective date of a Commission order approving the proposed Reliability Standard.”
18 CFR Part 40, Order No. 896, Para. 28final
USFERCoperational resilienceBenchmark events must reflect regional differences in climate and weather patterns; NERC must ensure the standard accounts for such regional variation.
“in developing extreme heat and cold benchmark events, NERC shall ensure that benchmark events reflect regional differences in climate and weather patterns.”
18 CFR Part 40, Order No. 896, Para. 38final
USFERCoperational resilienceThe Reliability Standard must include a framework and criteria for responsible entities to develop benchmark planning cases representing weather-related contingencies, concurrent outages, and expected future system conditions.
“NERC to include in the Reliability Standard the framework and criteria that responsible entities shall use to develop from the relevant benchmark event planning cases to represent potential weather-related contingencies (e.g., concurrent/correlated generation and transmission out”
18 CFR Part 40, Order No. 896, Para. 39final
USFERCoperational resilienceThe Reliability Standard must contain mechanisms ensuring benchmark events are reviewed and updated periodically (at least every five years) to reflect up-to-date meteorological data.
“we agree with MISO that including a mechanism to update the benchmark event at least every five years would strike a reasonable balance between the benefits of using the most up-to-date meteorological data and administrative the burdens”
18 CFR Part 40, Order No. 896, Para. 40final
USFERCoperational resilienceTransmission planning studies must consider the wide-area impacts of extreme heat and cold weather, including effects on neighboring regions and cross-regional resource availability.
“failure to study the wide-area impact of extreme heat or cold weather conditions in transmission planning could result in reliability issues affecting multiple regions...remaining undetected in the long-term planning horizon”
18 CFR Part 40, Order No. 896, Para. 41-42 / Para. 6(2)final
USFERCoperational resilienceAll responsible entities impacted by the same extreme weather events must use consistent benchmark events to ensure coordinated assumptions across neighboring planning regions.
“it is important that all responsible entities likely to be impacted by the same extreme weather events use consistent benchmark events...neighboring planning regions are assuming similar weather conditions and are able to coordinate their assumptions accordingly.”
18 CFR Part 40, Order No. 896, Para. 37final
USFERCoperational resilienceNERC must identify the responsible entities for developing benchmark planning cases and conducting wide-area planning studies under the new or modified Reliability Standard. [adjacent]
“We also direct NERC to identify the responsible entities for developing benchmark planning cases and conducting wide-area studies under the new or modified Reliability Standard.”
18 CFR Part 40, Order No. 896, Para. 27final
USFERCoperational resilienceThe new/modified Reliability Standard must ensure the proposed standard becomes mandatory and enforceable no later than 12 months from Commission approval.
“we direct NERC to ensure that the proposed new or modified Reliability Standard becomes mandatory and enforceable beginning no later than 12 months from the effective date of Commission approval of the new or modified Reliability Standard.”
18 CFR Part 40, Order No. 896, Para. 7final
USFERCoperational resilienceTransmission planners and planning coordinators must prepare annual planning assessments for near-term and long-term horizons under existing TPL-001-5.1 (pending new standard), including study of pre-specified extreme events.
“each transmission planner and planning coordinator must prepare an annual planning assessment for its portion of the Bulk-Power System...required for both near-term and long-term transmission planning horizons.”
18 CFR Part 40 / TPL-001-5.1 Requirement R2 (as described at Para. 11-12)final
USFERCoperational resiliencePlanning studies must include concurrent and correlated generator and transmission outages as part of extreme weather scenario modeling.
“the framework and criteria that responsible entities shall use to develop...planning cases to represent potential weather-related contingencies (e.g., concurrent/correlated generation and transmission outages, derates)”
18 CFR Part 40, Order No. 896, Para. 29 / Para. 39final
USFERCoperational resilienceBenchmark planning cases must account for expected future conditions including changes in load, transfers, generation resource mix, and generator sensitivity to extreme heat or cold.
“expected future conditions of the system such as changes in load, transfers, and generation resource mix, and impacts on generators sensitive to extreme heat or cold, due to the weather conditions indicated in the benchmark events.”
18 CFR Part 40, Order No. 896, Para. 39final
USFERCoperational resilienceThe new/modified Reliability Standard must require sensitivity analysis as part of extreme weather transmission planning studies.
“establishing one or more benchmark planning cases, based on benchmark events, should form the basis for sensitivity analysis”
18 CFR Part 40, Order No. 896, Para. 29 / Para. 31final
USFERCoperational resilienceResponsible entities must coordinate with neighboring planning regions and share data and study results related to extreme weather planning studies.
“Coordination Among Registered Entities and Sharing of Data and Study Results”
18 CFR Part 40, Order No. 896, Para. 29 / Section IV.E (Para. 63-77)final
USFERCoperational resilienceBenchmark planning cases must assess limitations of the transmission system locally and over wide areas, and understand resource availability and potential firm load shedding under stressed conditions.
“responsible entities would use the benchmark events to develop benchmark planning cases to conduct studies to assess the limitations of the transmission system locally and over a wide-area, and to understand resource availability and potential firm load shedding requirements unde”
18 CFR Part 40, Order No. 896, Para. 31final
USFERCoperational resilienceThe new/modified Reliability Standard must address potential cascading outages caused by extreme heat and cold weather through study and corrective action identification.
“the impact of concurrent failures of Bulk-Power System generation and transmission equipment and the potential for cascading outages that may be caused by extreme heat and cold weather events should be studied and corrective actions should be identified and implemented.”
18 CFR Part 40, Order No. 896, Para. 2 / Para. 12final
USFERCoperational resilienceCorrective action plans must mitigate specified instances where performance requirements for extreme heat and cold weather events are not met, with notification to applicable regulatory authorities where required.
“corrective action plans that include mitigation activities for specified instances where performance requirements during extreme heat and cold events are not met”
18 CFR Part 40, Order No. 896, Para. 6(3) / Section IV.H (Para. 139-168)final
USFERCoperational resiliencePlanning studies must consider modifications to traditional deterministic planning approaches to address extreme weather scenarios.
“Modifications to the Traditional Planning Approach”
18 CFR Part 40, Order No. 896, Para. 29 / Section IV.G.3 (Para. 127-138)final
USFERCoperational resilienceNERC must ensure the new/modified standard requires entities to study extreme weather scenarios including the broad area impacts across multiple planning coordinator areas on grid reliability.
“maintaining the reliability of the Bulk-Power System requires transmission system planning to account for the potential impact of extreme heat and cold weather over wide geographical areas, and to consider the changing resource mix.”
18 CFR Part 40, Order No. 896, Para. 5 / Para. 41final
USFERCcyber ot securityUtilities investing in Advanced Cybersecurity Technology that improves ability to protect against, detect, respond to, or recover from a cybersecurity threat may seek incentive-based rate treatment under 18 CFR 35.48. [adjacent]
“enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat”
18 CFR 35.48(c); 18 CFR 35.48(d)final
USFERCcyber ot securityUtilities must demonstrate that cybersecurity investments for which incentives are sought are not mandated by Reliability Standards, local/State/Federal law, or legal agreements. [adjacent]
“not already mandated by the Reliability Standards, or otherwise mandated by local, State, or Federal law, decision, or directive; otherwise legally mandated; or an action taken in response to a Federal or State agency merger condition”
18 CFR 35.48(d)(2)final
USFERCcyber ot securityUtilities seeking incentives for cybersecurity investments aligned with C2M2 must demonstrate achievement and sustainment of the highest Maturity Indicator Level (MIL3) in one or more C2M2 Domains. [adjacent]
“requiring a utility to demonstrate that its proposed cybersecurity investments will cause the utility to achieve Maturity Indicator Level 3 of the C2M2 Domains rather than the incremental steps of the lower Maturity Indicator Levels”
18 CFR 35.48(d)(1); Section III.A.3.cfinal
USFERCcyber ot securityUtilities must include in incentive applications cybersecurity investments that improve ability to recover from a cybersecurity threat, qualifying disaster recovery and network restoration services as eligible Advanced Cybersecurity Technology.
“Cybersecurity services may be either automated or manual and can include, but are not limited to... incident response, forensic investigation, network monitoring, data sharing, data recovery, disaster recovery, network restoration”
18 CFR 35.48(b); Section III.A.1 para. 5final
USFERCcyber ot securityUtilities must demonstrate that cybersecurity investments align with specific recommendations from relevant federal authorities (CISA, FBI, NSA, or DOE) to satisfy the materially improves eligibility criterion. [adjacent]
“a specific cybersecurity recommendation from a relevant Federal authority, such as DHS's CISA, the FBI, NSA, or DOE”
18 CFR 35.48(d)(1); Section III.A.3.c para. 40final
USFERCcyber ot securityUtilities must demonstrate cybersecurity investments satisfy NIST SP 800-53 security controls or NIST Cybersecurity Framework technical subcategory objectives to qualify for incentives under the materially improves criterion. [adjacent]
“security controls enumerated in the NIST SP 800-53 'Security and Privacy Controls for Information Systems and Organizations' catalog... security controls satisfying an objective found in the NIST Cybersecurity Framework technical subcategory”
18 CFR 35.48(d)(1); Section III.A.3.c para. 40final
USFERCcyber ot securityUtilities must include incident response tools and capabilities within cybersecurity investments eligible for incentive treatment, covering the full protect-detect-respond-recover lifecycle.
“Cybersecurity products can include, but are not limited to... intrusion detection systems, anomaly detection systems... forensic toolkits, incident response tools... event logging systems”
18 CFR 35.48(b); Section III.A.1 para. 4-5final
USFERCcyber ot securityUtilities seeking incentives for OT/ICS cybersecurity investments must demonstrate how such investments enhance security of operational technology systems used in electric grid operations. [adjacent]
“Cybersecurity products are generally hardware, software, and cybersecurity services that can be used for information technology (IT) systems and/or operational technology (OT) systems.”
18 CFR 35.48(b); Section III.A.1 para. 4final
USFERCcyber ot securityNERC must develop new or modified CIP Reliability Standards requiring INSM for all high impact BES Cyber Systems (with and without external routable connectivity) and medium impact BES Cyber Systems with external routable connectivity. [adjacent]
“we direct NERC to develop new or modified CIP Reliability Standards that require applicable responsible entities to implement INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable conn”
18 CFR Part 40, Order No. 887, Section IV.A (Paragraph 24)final
USFERCcyber ot securityNERC must submit new or modified CIP Reliability Standards requiring INSM to FERC for approval within 15 months of the effective date of this final action. [adjacent]
“we direct that NERC submit responsive new or modified CIP Reliability Standards within 15 months of the effective date of this final action.”
18 CFR Part 40, Order No. 887, Section IV.A (Paragraph 24)final
USFERCcyber ot securityResponsible entities must develop baselines of network traffic inside their CIP-networked environment as part of INSM implementation. [adjacent]
“any new or modified CIP Reliability Standards should address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment.”
18 CFR Part 40, Order No. 887, Section I (Paragraph 5)final
USFERCcyber ot securityResponsible entities must monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment. [adjacent]
“any new or modified CIP Reliability Standards should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment.”
18 CFR Part 40, Order No. 887, Section I (Paragraph 5)final
USFERCcyber ot securityResponsible entities must log network traffic (e.g., via packet capture) within the CIP-networked environment to identify anomalous activity with a high level of confidence. [adjacent]
“require responsible entities to identify anomalous activity to a high level of confidence by: (1) logging network traffic (we note that packet capture is one means of accomplishing this goal)”
18 CFR Part 40, Order No. 887, Section I (Paragraph 5)final
USFERCcyber ot securityResponsible entities must maintain logs and other data collected regarding network traffic within the CIP-networked environment. [adjacent]
“require responsible entities to identify anomalous activity to a high level of confidence by: ... (2) maintaining logs and other data collected regarding network traffic”
18 CFR Part 40, Order No. 887, Section I (Paragraph 5)final
USFERCcyber ot securityResponsible entities must implement measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices. [adjacent]
“implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices.”
18 CFR Part 40, Order No. 887, Section I (Paragraph 5)final
USFERCcyber ot securityINSM implementations must provide visibility over east-west communications between networked devices within the CIP-networked trust zone, not only at the network perimeter. [adjacent]
“INSM is a component of a comprehensive cybersecurity strategy as it provides an additional layer of defense against intrusions regardless of the attack vector or whether existing security controls failed. With INSM, an entity can maintain visibility over communications between ne”
18 CFR Part 40, Order No. 887, Section III (Paragraph 19)final
USFERCcyber ot securityResponsible entities must use INSM to facilitate early detection of anomalous network activity indicative of an attack in progress, enabling quicker mitigation and recovery.
“INSM facilitates the detection of anomalous network activity indicative of an attack in progress, thus increasing the probability of early detection and allowing for quicker mitigation and recovery from an attack.”
18 CFR Part 40, Order No. 887, Section III (Paragraph 19)final
USFERCcyber ot securityResponsible entities must retain collected network traffic data to facilitate timely recovery and post-incident analysis of cyberattacks, including determining backup restoration timeframes.
“The recorded network traffic can also be retained to facilitate timely recovery and/or perform a thorough post-incident analysis of malicious activity... allowing for: (1) determining the timeframe for backup restoration; (2) creating a record of the attack for incident reporting”
18 CFR Part 40, Order No. 887, Section II.B (Paragraph 12)final
USFERCcyber ot securityNERC's study must determine the ongoing risk to BES reliability and security posed by low and medium impact BES Cyber Systems not subject to new INSM standards, including their quantity. [adjacent]
“NERC should include in its study a determination of: (1) ongoing risk to the reliability and security of the Bulk-Power System posed by low and medium impact BES Cyber Systems that would not be subject to the new or modified Reliability Standards, including the number of low and ”
18 CFR Part 40, Order No. 887, Section I (Paragraph 7)final
USFERCcyber ot securityNERC's study must identify potential technological or other challenges in extending INSM to additional BES Cyber Systems and possible alternative mitigating actions. [adjacent]
“potential technological or other challenges involved in extending INSM to additional BES Cyber Systems, as well as possible alternative mitigating actions to address ongoing risks.”
18 CFR Part 40, Order No. 887, Section I (Paragraph 7)final
USFERCcyber ot securityNew or modified CIP Reliability Standards must be forward-looking and objective-based, addressing the three INSM security objectives: baselining, monitoring/detection, and anomaly identification. [adjacent]
“we direct NERC to develop new or modified CIP Reliability Standards that are forward-looking, objective-based, and that address the following three security objectives that pertain to INSM.”
18 CFR Part 40, Order No. 887, Section I (Paragraph 5)final
USFERCcyber ot securityINSM capabilities deployed by responsible entities must increase the probability of early detection and allow for quicker mitigation and recovery from a cyberattack on BES Cyber Systems.
“To address this gap, we direct NERC to develop new or modified CIP Reliability Standards requiring INSM... to ensure the detection of anomalous network activity indicative of an attack in progress. These provisions will increase the probability of early detection and allow for qu”
18 CFR Part 40, Order No. 887, Section I (Paragraph 3)final
USFERCcyber ot securityPROPOSED: Utilities must seek CEII treatment for any part of an incentive filing that includes specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure. [adjacent]
“A utility should seek CEII treatment, as appropriate, for any part of its filing seeking incentives that includes specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure.”
18 CFR 388.113; NOPR paragraph 24proposed
USFERCincident reportingLicensees must ensure an independent consultant team performs a comprehensive assessment (including Potential Failure Mode Analysis and semi-quantitative risk analysis) at 10-year intervals. [adjacent]
“The comprehensive assessment requires a more in-depth review than the current part 12 inspection, formally incorporates the existing Potential Failure Mode Analysis process, and requires a semi-quantitative risk analysis.”
18 CFR 12.36 (new subpart D)final
USFERCincident reportingLicensees of high or significant hazard potential dams must prepare, maintain, file with the Commission, and periodically review and update an Owner's Dam Safety Program. [adjacent]
“This final rule codifies the requirement that licensees of one or more high or significant hazard potential dams must prepare, maintain, file with the Commission, and periodically review and update an Owner's Dam Safety Program.”
18 CFR Part 12, Subpart Ffinal
USFERCincident reportingLicensees must prepare, maintain, and submit a public safety plan to D2SI covering safety measures at or near the hydroelectric project. [adjacent]
“to prepare, maintain, and submit a public safety plan to D2SI, which is the current practice required by existing D2SI guidance.”
18 CFR Part 12, Subpart E (revised)final
USFERCincident reportingLicensees must report to FERC project-related public safety incidents, including deaths, serious injuries, and rescues related to project operation. [adjacent]
“to report rescues in addition to deaths and serious injuries; and to prepare, maintain, and submit a public safety plan to D2SI”
18 CFR 12.10(b) (as revised)final
USFERCincident reportingLicensees must ensure the periodic inspection includes review of surveillance and monitoring plans and data, dam safety programs, and public access restrictions. [adjacent]
“As revised, Sec. 12.35 establishes the scope of a periodic inspection, which includes review of prior reports, a field inspection, review of the surveillance and monitoring plan and data, and review of dam and public safety programs.”
18 CFR 12.35final
USFERCincident reportingLicensees must provide the independent consultant team all information and reports necessary to fulfill periodic inspection requirements. [adjacent]
“The final rule adds a sentence to Sec. 12.35(a) to clarify that it is the licensee's responsibility to provide to the independent consultant team all information and reports necessary to fulfill the requirements of this section.”
18 CFR 12.35(a)final
USFERCincident reportingLicensees must conduct a Potential Failure Mode Analysis as part of each comprehensive assessment, evaluating failure scenarios and prioritizing corrective actions.
“The Commission is codifying the Potential Failure Mode Analysis as part of the scope of a part 12 inspection, specifically during a comprehensive assessment and typically at a 10-year interval.”
18 CFR Part 12, Subpart D (revised)final
USFERCincident reportingLicensees must obtain written D2SI approval of the facilitator(s) of the Potential Failure Mode Analysis or risk analysis prior to conducting those activities. [adjacent]
“clarify that written approval of the facilitator(s) of the Potential Failure Mode Analysis or risk analysis must also be obtained”
18 CFR 12.34final
USFERCincident reportingLicensees must maintain project works in a condition of repair adequate for efficient operation and make all necessary renewals and replacements to protect life, health, and property.
“licensees, in pertinent part, to 'maintain the project works in a condition of repair adequate . . . for the efficient operation of said works,' to 'make all necessary renewals and replacements,' and to 'conform to such rules and regulations as the Commission may from time to tim”
18 CFR Part 12 (implementing 16 U.S.C. 803(c))final
USFERCincident reportingLicensees must ensure the periodic inspection report documents evaluations of surveillance, monitoring, and performance of the project, including assessment of whether potential failure modes are active, developing, or warrant further evaluation. [adjacent]
“These pertain to the surveillance, monitoring, and performance of the project, with a focus on whether any potential failure modes, previously identified or not, are active, developing, or warrant further evaluation at the time of the periodic inspection.”
18 CFR 12.36(b)final
USFERCincident reportingLicensees must submit an independent consultant team proposal that identifies technical disciplines and level of expertise required for the inspection and demonstrates each supporting member meets independence requirements. [adjacent]
“clarify that the independent consultant team proposal must identify the technical disciplines and level of expertise required to perform the inspection and show that each member of the independent consultant team who is not designated as an independent consultant meets the requir”
18 CFR 12.34final
USFERCcyber ot securityPROPOSED: Public utility pursuing the Med/High Incentive must voluntarily apply all requirements and sub-requirements for medium or high impact BES Cyber Systems to low impact systems, or high impact requirements to medium impact systems.
“a public utility seeking a cybersecurity incentive for a facility that is classified as a low impact BES Cyber System would invest in ways to make that facility meet all the requirement and sub-requirement protections applicable to medium or high impact BES Cyber Systems”
18 CFR 35.48(b)(1)(i) (proposed)proposed
USFERCcyber ot securityPROPOSED: Public utility pursuing the Hub-Spoke Incentive must ensure all external routable connectivity to/from low impact BES Cyber Systems connects through a high or medium impact BES Cyber System with associated security controls inherited. [adjacent]
“all the cyber communications to and from a low impact system location must connect to a medium or high impact BES Cyber System and the cyber communication security controls required for the medium or high impact BES Cyber System must be implemented on the low impact system”
18 CFR 35.48(b)(1)(ii) (proposed)proposed
USFERCcyber ot securityPROPOSED: Public utility that ceases to implement CIP Reliability Standards consistent with the Commission approval order under the NERC CIP Incentives Approach must forfeit the incentive for the non-compliant period.
“if the Commission approves a public utility's request for cybersecurity incentives pursuant to either the Med/High or Hub-Spoke Incentive and the public utility subsequently ceases to implement the CIP Reliability Standards consistent with the order approving the application”
18 CFR 35.48(b)(1) (proposed)proposed
USFERCcyber ot securityPROPOSED: Public utility pursuing NIST Framework Approach must implement automated and continuous monitoring security controls and demonstrate these go above and beyond CIP Reliability Standards requirements. [adjacent]
“we propose to initially only consider incentives that fall within the first type of security controls, automated and continuous monitoring... continuous monitoring tools that utilize automated features for pulling information from a variety of sources”
18 CFR 35.48(b)(2) (proposed)proposed
USFERCcyber ot securityPROPOSED: Public utility applying under NIST Framework Approach must show how cybersecurity investment materially enhances cybersecurity posture of the Bulk-Power System substantially above CIP Reliability Standards levels.
“public utilities seeking an incentive under this approach would need to show how a cybersecurity investment...allows the public utility to meet NIST Framework security controls...will go above and beyond the requirements of the CIP Reliability Standards, and materially enhance th”
18 CFR 35.48(b)(2) (proposed)proposed
USFERCcyber ot securityPROPOSED: Public utility must make informational filings and submit to verification procedures as required to demonstrate continued compliance with cybersecurity incentive conditions. [adjacent]
“Informational Filing and Verification..... 61”
18 CFR 35.48 (proposed); NOPR Section IV.E.2proposed
USFERCcyber ot securityPROPOSED: Eligible deferred cost recovery includes other implementation expenses such as third-party risk assessments and internal system reviews and initial responses to findings, subject to five-year amortization. [adjacent]
“other implementation expenses, such as risk assessments by third parties or internal system reviews and initial responses to findings of such assessments”
18 CFR 35.48 (proposed); NOPR Para. 3proposed
USFERCcyber ot securityPROPOSED: Public utility implementing incident response cybersecurity investments under NIST Framework (Respond function) may qualify for incentives where such investments go above and beyond CIP-008 incident response requirements. [adjacent]
“Commission staff identified five types of security controls included in the NIST Framework that may be considered for incentives under the NIST Framework approach: (1) Automated and continuous monitoring; (2) access control; (3) data protection; (4) incident response; and (5) phy”
18 CFR 35.48(b)(2) (proposed); NOPR Para. 33proposed
USFERCcyber ot securityPROPOSED: Public utility must implement automated and continuous monitoring of both IT and OT networks, including asset management and detection of unauthorized equipment, to qualify for NIST Framework incentive.
“a public utility to install a dynamic asset management program to improve its ability to quickly detect and address new or previously unknown equipment on its network...automatically and continuously scans the current inventory of hardware and software across both the information”
18 CFR 35.48(b)(2) (proposed); NOPR Para. 34proposed
USFERCcyber ot securityPROPOSED: Public utility implementing automated malware detection (e.g., sandbox) environments for continuous monitoring of communications may qualify for NIST Framework incentive treatment. [adjacent]
“implementation of a dynamic file analysis program or a 'sandbox'...an automated malware detection environment that continuously scans email attachments and weblinks in the corporate email system for malicious code”
18 CFR 35.48(b)(2) (proposed); NOPR Para. 35proposed
USFERCcyber ot securityDevelop and implement a plan to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between bulk electric system Control Centers. [adjacent]
“requires Responsible Entities to develop and implement a plan to address the risks posed by unauthorized disclosure (confidentiality) and unauthorized modification (integrity) of Real-time Assessment and Real-time monitoring data while being transmitted between applicable Control”
CIP-012-1 Requirement R1 (approved via 18 CFR Part 40, Order No. 866)final
USFERCcyber ot securityIdentify specific security protections applied to Real-time Assessment and Real-time monitoring data communicated between Control Centers. [adjacent]
“The required plan must include the following: (1) Identification of security protections; (2) identification of where the protections are applied; and (3) identification of the responsibilities of each entity.”
CIP-012-1 Requirement R1.1 (approved via 18 CFR Part 40, Order No. 866)final
USFERCcyber ot securityIdentify where security protections are applied for inter-Control Center communications where the Control Center is owned or operated by the same responsible entity. [adjacent]
“identification of where the protections are applied; and (3) identification of the responsibilities of each entity in case a Control Center is owned or operated by different responsible entities.”
CIP-012-1 Requirement R1.2 (approved via 18 CFR Part 40, Order No. 866)final
USFERCcyber ot securityIdentify security protection responsibilities when a Control Center is owned or operated by different responsible entities. [adjacent]
“identification of the responsibilities of each entity in case a Control Center is owned or operated by different responsible entities.”
CIP-012-1 Requirement R1.3 (approved via 18 CFR Part 40, Order No. 866)final
USFERCcyber ot securityDevelop modifications to CIP Reliability Standards to require protections for the AVAILABILITY of communication links and data communicated between bulk electric system Control Centers.
“we direct that NERC develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.”
18 CFR Part 40, Order No. 866, Ordering Paragraph (directing NERC under FPA section 215(d)(5))final
USFERCcyber ot securityPlan for recovery of compromised communication links and use of backup communication capability (e.g., satellite or alternate backup) when redundancy of communication links cannot be guaranteed.
“responsible entities should therefore plan for both recovery of compromised communication links and use of backup communication capability should it be needed for redundancy (i.e., satellite or other alternate backup communications).”
18 CFR Part 40, Order No. 866, Para. 35final
USFERCcyber ot securityAddress availability of communication links between entity-owned and third-party-owned Control Centers, including through service contracts with telecommunications providers that include quality-of-service commitments.
“entities could enter into service contracts with telecommunication service providers that include an agreed-upon quality of service commitment to maintain the availability of the data exchange capability to minimize the availability risk.”
18 CFR Part 40, Order No. 866, Paras. 32–33final
USFERCoperational resiliencePlanning coordinators and transmission planners must perform an annual planning assessment of their portion of the bulk electric system considering system conditions and contingencies using a risk-based approach.
“requires each planning coordinator and transmission planner to perform an annual planning assessment of its portion of the bulk electric system considering a number of system conditions and contingencies with a risk-based approach”
Reliability Standard TPL-001-5, Requirement R1 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must develop a corrective action plan if planning studies determine the system would experience performance issues for planning events (more common scenarios).
“For more common scenarios (i.e., planning events), the planning entity must develop a corrective action plan if it determines through studies that its system would experience performance issues.”
Reliability Standard TPL-001-5, Table 1 / Part 2 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must conduct a comprehensive analysis of potential impacts and possible mitigating actions for extreme events (less common scenarios that could result in cascading or severe impacts).
“For less common scenarios that could result in potentially severe impacts such as cascading (i.e., extreme events), the planning entity must conduct a comprehensive analysis to understand both the potential impacts on its system and the types of actions that could reduce or mitig”
Reliability Standard TPL-001-5, Table 1 / Part 4 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must study protection system single points of failure for Category P5 events (single-line-to-ground fault with failure of a non-redundant protection system component) and develop corrective action plans if cascading is identified.
“Category P5 requires the study of a single-line-to-ground faulted element...along with a failure to operate of a non-redundant component of the protection system (i.e., a single point of failure) protecting the faulted element.”
Reliability Standard TPL-001-5, Table 1, Category P5 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must study protection system single points of failure in combination with three-phase faults as extreme events and evaluate possible actions to reduce or mitigate consequences, even though a corrective action plan is not required.
“if an entity determines that its system will experience cascading as a result of a three-phase fault scenario, the entity would evaluate possible actions designed to reduce the likelihood or mitigate the consequences of the event”
Reliability Standard TPL-001-5, Table 1, Stability Extreme Events 2.a-h (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must include known planned maintenance outages of facilities in near-term transmission planning horizon studies regardless of outage duration.
“Reliability Standard TPL-001-5 provides for a more complete consideration of factors for selecting which known outages will be included in near-term transmission planning horizon studies.”
Reliability Standard TPL-001-5, Requirement R1 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must assess the impact of the possible unavailability of long lead time equipment consistent with the entity's spare equipment strategy for stability analysis.
“Reliability Standard TPL-001-5 modifies requirements for stability analysis to require an entity to assess the impact of the possible unavailability of long lead time equipment, consistent with the entity's spare equipment strategy.”
Reliability Standard TPL-001-5, Requirement R1 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must ensure planned transmission system studies demonstrate that known, planned removal of facilities for maintenance does not result in cascading, voltage instability, or uncontrolled islanding.
“a properly planned transmission system should ensure the known, planned removal of facilities (i.e., generation, transmission, or protection system facilities) for maintenance purposes without...detrimental impacts to system reliability such as cascading, voltage instability, or ”
Reliability Standard TPL-001-5, Requirement R1 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must perform steady-state and stability analysis for seven contingency planning events (P1 through P7) as specified in Table 1 of TPL-001-5.
“The table lists seven contingency planning events (P1 through P7) that require steady-state and stability analysis as well as five extreme event contingencies: Three for steady-state and two for stability.”
Reliability Standard TPL-001-5, Table 1 (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCoperational resiliencePlanning entities must perform comprehensive analysis for five extreme event contingencies (three steady-state and two stability) specified in Table 1 of TPL-001-5 and evaluate possible mitigating actions.
“five extreme event contingencies: Three for steady-state and two for stability...the entity would evaluate possible actions designed to reduce the likelihood or mitigate the consequences of the event”
Reliability Standard TPL-001-5, Table 1, Extreme Events (approved via 18 CFR Part 40, FR Doc 2020-02170)final
USFERCcyber ot securityDevelop and implement a plan to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between applicable Control Centers. [adjacent]
“requires Responsible Entities to develop and implement a plan to address the risks posed by unauthorized disclosure (confidentiality) and unauthorized modification (integrity) of Real-time Assessment and Real-time monitoring data while being transmitted between applicable Control”
CIP-012-1 Requirement R1 (approved via Order No. 866, 18 CFR Part 40, Docket RM18-20-000)final
USFERCcyber ot securityIdentify specific security protections applied to Real-time Assessment and Real-time monitoring data communications between Control Centers. [adjacent]
“The required plan must include the following: (1) Identification of security protections; (2) identification of where the protections are applied; and (3) identification of the responsibilities of each entity in case a Control Center is owned or operated by different responsible ”
CIP-012-1 Requirement R1.1 (approved via Order No. 866, 18 CFR Part 40, Docket RM18-20-000)final
USFERCcyber ot securityIdentify where security protections are applied to inter-Control Center communications (where Control Centers are owned by the same responsible entity). [adjacent]
“identification of where the protections are applied”
CIP-012-1 Requirement R1.2 (approved via Order No. 866, 18 CFR Part 40, Docket RM18-20-000)final
USFERCcyber ot securityIdentify security protection responsibilities where a Control Center is owned or operated by different responsible entities. [adjacent]
“identification of the responsibilities of each entity in case a Control Center is owned or operated by different responsible entities.”
CIP-012-1 Requirement R1.3 (approved via Order No. 866, 18 CFR Part 40, Docket RM18-20-000)final
USFERCcyber ot securityDevelop modifications to CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.
“we direct that NERC develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers”
Order No. 866, Section II.A, Para. 36 (18 CFR Part 40, Docket RM18-20-000); FPA §215(d)(5)final
USFERCcyber ot securityPlan for recovery of compromised communication links and use of backup communication capability (e.g., satellite or alternate backup) when redundancy cannot be guaranteed.
“responsible entities should therefore plan for both recovery of compromised communication links and use of backup communication capability should it be needed for redundancy (i.e., satellite or other alternate backup communications).”
Order No. 866, Section II.A, Para. 35 (18 CFR Part 40, Docket RM18-20-000)final
USFERCcyber ot securityWhere inter-Control Center communications are managed by a third party, take contractual actions (e.g., quality-of-service commitments) with telecommunication service providers to minimize availability risk.
“entities could enter into service contracts with telecommunication service providers that include an agreed-upon quality of service commitment to maintain the availability of the data exchange capability to minimize the availability risk.”
Order No. 866, Section II.A, Para. 32 (18 CFR Part 40, Docket RM18-20-000)final
USFERCcyber ot securityEnsure availability protections for inter-Control Center communication links encompass both entity-owned and third-party-owned Control Centers, requiring coordination between neighboring responsible entities.
“protections for the availability of communication links and data communicated between bulk electric system Control Centers should encompass both entity-owned and third-party owned Control Centers...which will require coordination between neighboring responsible entities.”
Order No. 866, Section II.A, Para. 33 (18 CFR Part 40, Docket RM18-20-000)final
USTSAcyber ot securityPROPOSED: Develop and implement a TSA-approved Cybersecurity Operational Implementation Plan (COIP) that includes measures to respond to and recover from cybersecurity incidents.
“measures to address response to, and recover from, a cybersecurity incident”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Develop and maintain a Cybersecurity Incident Response Plan (CIRP) covering all owner/operators within scope, regardless of whether Critical Cyber Systems are identified.
“all owner/operators within the proposed scope of applicability would be required to have a Cybersecurity Incident Response Plan (CIRP), regardless of whether they identify any Critical Cyber Systems”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Annually conduct an enterprise-wide cybersecurity evaluation comparing current cybersecurity profile to a target profile that includes required security outcomes and NIST CSF recommendations. [adjacent]
“owner/operators to whom the proposed rule applies would be required to annually conduct an enterprise-wide cybersecurity evaluation that would identify the current profile of cybersecurity...compared to the target profile”
49 CFR 1580.305, 1582.205, 1586.205proposed
USTSAcyber ot securityPROPOSED: Develop and maintain a Cybersecurity Assessment Plan (CAP) with a schedule for assessments, annual report of assessment results, and identification of unaddressed vulnerabilities. [adjacent]
“owner/operators subject to the proposed rule would be required to have a CAP that includes a schedule for assessments, an annual report of assessment results, and identification of unaddressed vulnerabilities”
49 CFR 1580.329, 1582.229, 1586.229proposed
USTSAcyber ot securityPROPOSED: Ensure individuals or companies assigned to evaluate CRM program effectiveness are independent and have no personal or financial interest in assessment results. [adjacent]
“owner/operators would also be required to ensure any individuals or companies assigned or hired to evaluate the effectiveness of the owner/operator's CRM program are independent, i.e., do not have a personal, financial interest in the results”
49 CFR 1580.329, 1582.229, 1586.229proposed
USTSAcyber ot securityPROPOSED: Include in the COIP detailed procedures, policies, and capabilities to detect cybersecurity incidents and monitor Critical Cyber Systems.
“detailed measures to detect cybersecurity incidents and monitor these Critical Cyber Systems”
49 CFR 1580.321, 1582.221, 1586.221proposed
USTSAcyber ot securityPROPOSED: Identify Critical Cyber Systems, network architecture issues, and baseline communications within the COIP.
“identification of Critical Cyber Systems, specific network architecture issues, and baseline communications”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Include detailed measures in the COIP to protect Critical Cyber Systems.
“detailed measures to protect these Critical Cyber Systems”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Designate an accountable executive and Cybersecurity Coordinator(s) responsible for governance of the CRM program and identify them in the COIP. [adjacent]
“identification of individuals/positions responsible for the governance of the owner/operator's CRM program, including an accountable executive and Cybersecurity Coordinator(s)”
49 CFR 1580.309, 1580.311, 1582.209, 1582.211, 1586.209, 1586.211proposed
USTSAcyber ot securityPROPOSED: Report cybersecurity incidents to CISA as required. [adjacent]
“TSA is proposing that all owner/operators currently required to report significant security concerns to TSA...report cybersecurity incidents to CISA”
49 CFR 1580.107, 1582.107, 1584.107, 1586.107proposed
USTSAcyber ot securityPROPOSED: Maintain backups sufficient to allow system restoration and data recovery following a cybersecurity incident.
“The presence of backups could allow for system restoration, data recovery, and unhindered system operations”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Implement network segmentation and separation between IT and OT systems to prevent lateral movement during cyber intrusions.
“ensuring that OT and IT systems are separate and segregated will help protect against intrusions that can exploit vulnerabilities from one system and move laterally to infect another”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Maintain documentation sufficient to establish compliance with all CRM program requirements. [adjacent]
“Documentation To Establish Compliance (Proposed Sec. Sec. 1580.331, 1582.231, and 1586.231)”
49 CFR 1580.331, 1582.231, 1586.231proposed
USTSAcyber ot securityPROPOSED: Include patch management procedures within the COIP protective measures for Critical Cyber Systems to limit attacker access during intrusions. [adjacent]
“A commitment to patch management, system segmentation, and firewalls could limit the resources potential malicious actors would be able to access during an intrusion”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Implement continuous network monitoring to detect and respond to potential threats and limit system degradation of Critical Cyber Systems.
“Continuous monitoring of the network could help to detect and respond to potential threats and limit system degradation”
49 CFR 1580.321, 1582.221, 1586.221proposed
USTSAcyber ot securityPROPOSED: Obtain TSA approval for the Cybersecurity Operational Implementation Plan (COIP) prior to implementation. [adjacent]
“owner/operators to whom the proposed rule applies would be required to develop a COIP”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: Include supply chain risk management requirements in the CRM program to address risks from third-party ICT providers to Critical Cyber Systems.
“TSA is requesting comments on whether proposed requirements for supply chain risk management should also include requirements to ensure that any new software purchased for, or to be installed on, Critical Cyber Systems meets CISA's Secure-by-Design”
49 CFR 1580.307, 1582.207, 1586.207proposed
USTSAcyber ot securityPROPOSED: OTRB owner/operators subject to TSA requirements must report cybersecurity incidents to CISA. [adjacent]
“a more limited requirement, on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents”
49 CFR 1584.107proposed
USTSAcyber ot securityPROPOSED: Structure the CRM program to address all five functions: identify, detect, protect, respond, and recover from cybersecurity incidents.
“improving the owner/operator's ability to identify, detect, protect against, respond to, and recover from cybersecurity incidents”
49 CFR 1580.303, 1582.203, 1586.203proposed
USTSAcyber ot securityPROPOSED: Pipeline facilities and systems owner/operators must report both physical security concerns and cybersecurity incidents to the appropriate authorities. [adjacent]
“TSA is proposing that owner/operators of designated pipeline facilities and systems also report both physical and cybersecurity incidents”
49 CFR 1586.107proposed
USTSAphysical securityInclude a contingency plan in the airport security program covering emergency and unusual conditions.
“A contingency plan required under § 1542.301.”
49 CFR 1542.103(a)(15); 1542.103(b)(5)final
USTSAphysical securityInclude alternate security procedures in the security program for use in the event of natural disasters, emergencies, or unusual conditions.
“Alternate security procedures, if any, that the airport operator intends to use in the event of natural disasters, and other emergency or unusual conditions.”
49 CFR 1542.103(a)(19)final
USTSAphysical securityInclude incident management procedures in the security program to comply with § 1542.307.
“Incident management procedures used to comply with § 1542.307.”
49 CFR 1542.103(a)(18); 1542.103(b)(8); 1542.103(c)(7)final
USTSAphysical securityNotify TSA within 6 hours of discovery of changed conditions affecting security measures, staffing, operations, or physical layout, and report interim measures being taken. [adjacent]
“Each airport operator must notify TSA no more than 6 hours after the discovery of any changed condition described in paragraph (a) of this section... The airport operator must inform TSA of each interim measure being taken to maintain adequate security.”
49 CFR 1542.107(b)final
USTSAphysical securityFor changed conditions of less than 60 days, submit written notification to TSA within 72 hours of original notification of the changed condition. [adjacent]
“For changed conditions expected to be less than 60 days duration, each airport operator must forward the information required in paragraph (b) of this section in writing to TSA within 72 hours of the original notification.”
49 CFR 1542.107(c)final
USTSAphysical securityFor changed conditions of 60 days or more, submit a proposed security program amendment to TSA within 30 days of discovering the changed condition. [adjacent]
“For changed conditions expected to be 60 days or more duration, each airport operator must forward the information...in the form of a proposed amendment to the airport operator's security program...within 30 days of the discovery.”
49 CFR 1542.107(d)final
USTSAphysical securityEnsure that access control systems immediately deny entry to secured areas when an individual's access authority is withdrawn. [adjacent]
“Ensure that an individual is immediately denied entry to a secured area when that person's access authority for that area is withdrawn.”
49 CFR 1542.207(a)(2)final
USTSAphysical securityDetect and respond to each unauthorized presence or movement in, or attempted entry to, the secured area. [adjacent]
“Provide for detection of, and response to, each unauthorized presence or movement in, or attempted entry to, the secured area by an individual whose access is not authorized.”
49 CFR 1542.201(b)(2)final
USTSAphysical securityDetect and respond to each unauthorized presence or movement in, or attempted entry to, the AOA. [adjacent]
“Provide for detection of, and response to, each unauthorized presence or movement in, or attempted entry to, the AOA by an individual whose access is not authorized.”
49 CFR 1542.203(b)(2)final
USTSAphysical securityMaintain a 24-hour-available Airport Security Coordinator (ASC) as the primary contact for security-related activities and communications with TSA. [adjacent]
“Is available to TSA on a 24-hour basis.”
49 CFR 1542.3(b)(2)final
USTSAphysical securityASC must immediately initiate corrective action for any instance of non-compliance with the security program or applicable Security Directives. [adjacent]
“Immediately initiate corrective action for any instance of non-compliance with this part, its security program, and applicable Security Directives.”
49 CFR 1542.3(b)(4)final
USTSAphysical securityAudit the personnel identification system at a minimum of once per year to ensure integrity and accountability of all identification media. [adjacent]
“Auditing the system at a minimum of once a year or sooner, as necessary, to ensure the integrity and accountability of all identification media.”
49 CFR 1542.211(a)(3)(iv)final
USTSAphysical securityRecord each law enforcement action taken in furtherance of the security program and maintain records for a minimum of 180 days. [adjacent]
“A record is made of each law enforcement action taken in furtherance of this part; and The record is maintained for a minimum of 180 days.”
49 CFR 1542.221(a)final
USTSAphysical securityExclusive area agreements must include procedures for the aircraft operator/foreign air carrier to immediately notify the airport operator and provide alternative security measures when changed conditions occur. [adjacent]
“Procedures by which the aircraft operator or foreign air carrier will immediately notify the airport operator and provide for alternative security measures when there are changed conditions as described in § 1542.103(a).”
49 CFR 1542.111(b)(3)final
USTSAphysical securityAirport tenant security programs must include procedures for the tenant to immediately notify the airport operator and provide alternative security measures for changed conditions. [adjacent]
“Procedures by which the tenant will immediately notify the airport operator of and provide for alternative security measures for changed conditions as described in § 1542.103(a).”
49 CFR 1542.113(b)(8)final
USTSAphysical securityRevalidate the identification system or reissue identification media if a significant portion of issued unexpired media are lost, stolen, or unaccounted for. [adjacent]
“Revalidate the identification system or reissue identification media if a portion of all issued, unexpired identification media are lost, stolen, or otherwise unaccounted for, including identification media that are combined with access media.”
49 CFR 1542.211(a)(3)(v)final
USTSAphysical securityASC must review all security-related functions with sufficient frequency to ensure effectiveness and compliance, and immediately initiate corrective action for non-compliance. [adjacent]
“Review with sufficient frequency all security-related functions to ensure that all are effective and in compliance with this part, its security program, and applicable Security Directives. Immediately initiate corrective action for any instance of non-compliance.”
49 CFR 1542.3(b)(3)-(4)final
USUSCGcyber ot securityDevelop and maintain a Cyber Incident Response Plan outlining instructions on how to respond to a cyber incident, identifying key roles, responsibilities, and decision-makers.
“Owners or operators must also prepare and document a Cyber Incident Response Plan that outlines instructions on how to respond to a cyber incident and identifies key roles, responsibilities, and decision-makers amongst personnel.”
33 CFR 101.620(b); 33 CFR 101.630(a)final
USUSCGcyber ot securityDevelop and maintain a Cybersecurity Plan that includes account security, device security, and data security measures to detect, respond to, and recover from cybersecurity risks.
“this final rule requires that owners or operators of U.S.-flagged vessels, facilities, or Outer Continental Shelf (OCS) facilities required to have a security plan under 33 CFR parts 104, 105, and 106 to develop and maintain a Cybersecurity Plan and Cyber Incident Response Plan.”
33 CFR 101.630(a)final
USUSCGcyber ot securitySubmit the Cybersecurity Plan to the Coast Guard for review and approval within 24 months of the rule's effective date. [adjacent]
“Revised Sec. 101.655 to reflect that the Cybersecurity Plan must also be submitted to the Coast Guard for review and approval within 24 months of the effective date of this final rule.”
33 CFR 101.655final
USUSCGcyber ot securityDesignate a Cybersecurity Officer (CySO) to ensure implementation of the Cybersecurity Plan and Cyber Incident Response Plan, keep the plan current, arrange inspections, ensure personnel training, and record/report cyber incidents. [adjacent]
“Owners or operators must also designate a Cybersecurity Officer (CySO) who must ensure that U.S.-flagged vessel, facility, or OCS facility personnel implement the Cybersecurity Plan and the Cyber Incident Response Plan.”
33 CFR 101.625final
USUSCGcyber ot securityCySO must ensure the Cybersecurity Plan is kept up to date and undergoes an annual audit. [adjacent]
“The CySO must also ensure that the Cybersecurity Plan is up to date and undergoes an annual audit.”
33 CFR 101.625(d)final
USUSCGcyber ot securityReport reportable cyber incidents to the National Response Center without delay (for entities not subject to 33 CFR 6.16-1).
“amended Sec. 101.620(b)(7) to clarify that all entities not subject to 33 CFR 6.16-1 must report all reportable cyber incidents to the National Response Center (NRC) and amended Sec. 101.650(g)(1) to clarify...report reportable cyber incidents to the NRC without delay.”
33 CFR 101.620(b)(7); 33 CFR 101.650(g)(1)final
USUSCGcyber ot securityConduct a Cybersecurity Assessment within 24 months of the rule's effective date, identifying vulnerabilities in critical IT and OT systems. [adjacent]
“Revised Sec. 101.650(e)(1) to specify that owners and operators will need to conduct the cyber assessment within 24 months of the effective date of this final rule...Revised Sec. 101.650(e)(1)(i) to limit the identification of vulnerabilities to only 'critical' OT and IT systems.”
33 CFR 101.650(e)(1)final
USUSCGcyber ot securityEnsure patching or implementation of documented compensating controls for all known exploited vulnerabilities (KEVs) in critical IT or OT systems without delay.
“revised Sec. 101.650(e)(iv) to remove 'mitigate any unresolved vulnerabilities' and, instead, require that the owner or operator ensure patching or implementation of documented compensating controls for all known exploited vulnerabilities (KEVs) in critical IT or OT systems, with”
33 CFR 101.650(e)(1)(iv)final
USUSCGcyber ot securityComplete penetration testing in conjunction with renewing the Cybersecurity Plan; CySO must submit a letter verifying testing was conducted and all identified vulnerabilities. [adjacent]
“Revised Sec. 101.650(e)(2) in this final rule to clarify that penetration testing must be completed in conjunction with renewing the Cybersecurity Plan and to specify that the CySO must submit a letter verifying that the test was conducted, as well as all vulnerabilities identifi”
33 CFR 101.650(e)(2)final
USUSCGcyber ot securityConduct two cybersecurity drills every 12 months as required by applicable security plan regulations.
“Revised Sec. 101.635(b)(1) to require two cybersecurity drills every 12 months instead of requiring at least one cybersecurity drill every 3 months and added 'as required by 33 CFR 104.230, 105.220, or 106.225,' where appropriate.”
33 CFR 101.635(b)(1)final
USUSCGcyber ot securityEnsure cybersecurity personnel training is adequate; CySO must arrange for cybersecurity training for vessel/facility/OCS facility personnel. [adjacent]
“The CySO must also arrange for cybersecurity inspections, ensure that personnel have adequate cybersecurity training, record and report cybersecurity incidents to the owner or operator, and take steps to mitigate them.”
33 CFR 101.625(d)final
USUSCGcyber ot securityEnable automatic account lockout after repeated failed login attempts on all password-protected IT systems. [adjacent]
“enabling of automatic account lockout after repeated failed log in attempts on all password protected information technology (IT) systems”
33 CFR 101.650(a)(1)final
USUSCGcyber ot securityChange default passwords (or implement compensating security controls if unfeasible) before using any IT or OT systems. [adjacent]
“changing default passwords (or implementing other compensating security controls if unfeasible) before using any IT or OT systems”
33 CFR 101.650(a)(2)final
USUSCGcyber ot securityImplement multifactor authentication on password-protected IT systems and remotely accessible OT systems. [adjacent]
“implementing multifactor authentication on password-protected IT and remotely accessible OT systems”
33 CFR 101.650(a)(4)final
USUSCGcyber ot securityApply the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systems. [adjacent]
“applying the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systems”
33 CFR 101.650(a)(5)final
USUSCGcyber ot securityRemove or revoke user credentials when a user leaves the organization. [adjacent]
“removing or revoking user credentials when a user leaves the organization”
33 CFR 101.650(a)(7)final
USUSCGcyber ot securityDevelop and maintain an accurate inventory of network-connected systems including critical IT and OT systems.
“maintain an accurate inventory of network-connected systems including those critical IT and OT systems”
33 CFR 101.650(b)final
USUSCGcyber ot securityDevelop and document a network map and OT device configuration information. [adjacent]
“develop and document the network map and OT device configuration information”
33 CFR 101.650(b)final
USUSCGcyber ot securityEnsure that logs are securely captured, stored, and protected and accessible only to privileged users. [adjacent]
“ensure that logs are securely captured, stored, and protected and accessible only to privileged users”
33 CFR 101.650(c)(1)final
USUSCGcyber ot securityDeploy effective encryption to maintain confidentiality of sensitive data and integrity of IT and OT traffic when technically feasible. [adjacent]
“Revised Sec. 101.650(c)(2) to specify that effective encryption must be deployed to maintain confidentiality of sensitive data and integrity of IT and OT traffic and to require that only sensitive data be encrypted.”
33 CFR 101.650(c)(2)final
USUSCGcyber ot securityMaintain a list of hardware, firmware, and software approved for installation on IT or OT systems (approved asset list). [adjacent]
“develop and maintain a list of any hardware, firmware, and software approved by the owner or operator that may be installed on IT or OT systems”
33 CFR 101.650(b)final
USUSCGcyber ot securityEnsure that applications running executable code are disabled by default on critical IT and OT systems. [adjacent]
“ensure that applications running executable code are disabled by default on critical IT and OT systems”
33 CFR 101.650(b)final
USUSCGcyber ot securityCySO must record reportable cyber incidents and report them to the owner or operator, and take steps to mitigate them.
“Revised Sec. 101.625(d)(10), regarding the CySO's responsibilities in reporting incidents, to refer to reportable cyber incidents...CySO must also arrange for cybersecurity inspections...record and report cybersecurity incidents to the owner or operator, and take steps to mitigat”
33 CFR 101.625(d)(10)final
USUSCGcyber ot securityAmend the Cybersecurity Plan and resubmit proposed amendments to USCG, with at least 60 days to submit, when changes are required; implement additional security measures immediately for exigent security situations. [adjacent]
“Revised Sec. 101.630(e)(1)(ii) to clarify that the owner and operator will have at least 60 days to submit its proposed amendments...Revised Sec. 101.630(e)(2) to add new paragraph (e)(2)(i) to note that nothing...should be construed as limiting the owner or operator...from the t”
33 CFR 101.630(e)(1)(ii); 33 CFR 101.630(e)(2)(i)final
USUSCGcyber ot securityOwners/operators must report transportation security incidents (TSIs) without delay to their local COTP and immediately begin following procedures set out in their security plan. [adjacent]
“Any owner or operator required to have a security plan under part 104 or 105 of this subchapter shall, without delay, report a TSI to their local COTP and immediately thereafter begin following the procedures set out in their security plan”
33 CFR 101.305(c)final
USUSCGcyber ot securityOwners/operators must report breaches of security without delay to the National Response Center.
“An owner or operator required to have a security plan under parts 104, 105, or 106 of this subchapter shall, without delay, report breaches of security to the National Response Center”
33 CFR 101.305(b)final
USUSCGcyber ot securityOwners/operators must report suspicious activities that may result in a TSI without delay to the National Response Center.
“An owner or operator required to have a security plan under part 104, 105, or 106 of this subchapter shall, without delay, report activities that may result in a transportation security incident to the National Response Center”
33 CFR 101.305(a)final
USUSCGcyber ot securityUpon a MARSEC Level change, owners/operators must confirm attainment of required security measures to their local COTP and implement all plan-specified and COTP-imposed measures. [adjacent]
“Each owner or operator of a vessel or facility required to have a security plan under parts 104 or 105 of this subchapter affected by a change in the MARSEC Level must ensure confirmation to their local COTP the attainment of measures or actions described in their security plan”
33 CFR 101.300(c)(1)final
USUSCGcyber ot securityOwners/operators must comply with all mandatory security measures in a MARSEC Directive within the time prescribed by that Directive. [adjacent]
“Each owner or operator of a vessel or facility to whom a MARSEC Directive applies is required to comply with the relevant instructions contained in a MARSEC Directive issued under this section within the time prescribed by that MARSEC Directive.”
33 CFR 101.405(b)final
USUSCGcyber ot securityOwners/operators receiving a MARSEC Directive must acknowledge receipt and specify implementation method to their COTP within the prescribed timeframe. [adjacent]
“Within the time prescribed in the MARSEC Directive, acknowledge receipt of the MARSEC Directive to their local COTP... and specify the method by which the measures in the MARSEC Directive have been implemented”
33 CFR 101.405(c)final
USUSCGcyber ot securityIf unable to implement a MARSEC Directive, owners/operators must submit proposed equivalent security measures with justification to the COTP within the time prescribed. [adjacent]
“In the event that the owner or operator...is unable to implement the measures in the MARSEC Directive, the owner or operator must submit proposed equivalent security measures and the basis for submitting the equivalent security measures to the COTP”
33 CFR 101.405(d)-(e)final
USUSCGcyber ot securityVessels and facilities must implement the security measures specified in their approved security plans at each applicable MARSEC Level. [adjacent]
“vessels and facilities required to have security plans under part 104, 105, or 106 of this subchapter shall implement the measures specified in their security plans for the applicable MARSEC Level.”
33 CFR 101.200(a)final
USUSCGcyber ot securityThe cancelled TWIC list must be updated within 12 hours of any increase in MARSEC Level, regardless of when it was last updated.
“The list of cancelled TWICs used to conduct the card validity check must be updated within 12 hours of any increase in MARSEC level, no matter when the information was last updated.”
33 CFR 101.525(d)final
USUSCGcyber ot securityOCS facility owners/operators must report TSIs without delay to their cognizant District Commander and immediately follow procedures in their security plan.
“Any owner or operator required to have a security plan under part 106 of this subchapter shall, without delay, report a TSI to their cognizant District Commander and immediately thereafter begin following the procedures set out in their security plan”
33 CFR 101.305(c)(2)final

Turning this into an operating plan?

Knowing which rules bind you is step one. WSquare Advisory builds the operating capability behind compliance — the continuity, third-party, and recovery disciplines these regimes expect. If that's your challenge, let's talk.

Start a Conversation →