
    Agenda
    Compliance Committee Open Session
    August 15, 2012 | 9:45-10:45 a.m. Eastern
    Hilton Quebec
    1100, Rene-Levesque Blvd East
    Quebec, QC Canada G1R 4P3
    418-647-6500

    Introductions and Chair's Remarks
    NERC Antitrust Compliance Guidelines
    Agenda

    1. Minutes* Approve

    a. May 8, 2012

    2. Compliance Enforcement Initiative (CEI)*

    a. Find, Fix, Track and Report (FFT) Progress to Date Information

    b. Pathway for Compliance Enforcement Initiative (CEI) Information

    c. Preparation for the 12-Month Report Information

    3. Compliance Operations*

    a. Compliance Bulletin CIP-002, Option for Transitioning Version 3 to 4 Information

    b. Risk-Based Compliance Monitoring Update Information

    Entity Impact Evaluation Template

    c. 2013 Annual Implementation Plan and Actively Monitored List Information

    4. Regional Entity Topic*

    a. Reliability Standards Audit Worksheet (RSAW) improvement - Information

    5. Quarterly Report on Performance Metrics*

    a. Update on Quarterly Performance Metrics to Fulfill the Committee's Mandate Obligations Information

    b. Enforcement Metrics Development Information

    *Background materials included.

    Antitrust Compliance Guidelines

    I. General

    It is NERC's policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. It is the responsibility of every NERC participant and employee who may in any way affect NERC's compliance with the antitrust laws to carry out this commitment. Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another. The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC's antitrust compliance policy is implicated in any situation should consult NERC's General Counsel immediately.

    II. Prohibited Activities

    Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):

    Discussions involving pricing information, especially margin (profit) and internal cost information and participants' expectations as to their future prices or internal costs.

    Discussions of a participant's marketing strategies.

    Discussions regarding how customers and geographical areas are to be divided among competitors.

    Discussions concerning the exclusion of competitors from markets.

    Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.


    Any other matters that do not clearly fall within these guidelines should be reviewed with NERC's General Counsel before being discussed.

    III. Activities That Are Permitted

    From time to time decisions or actions of NERC (including those of its committees and subgroups) may have a negative impact on particular entities and thus in that sense adversely impact competition. Decisions and actions by NERC (including its committees and subgroups) should only be undertaken for the purpose of promoting and maintaining the reliability and adequacy of the bulk power system. If you do not have a legitimate purpose consistent with this objective for discussing a matter, please refrain from discussing the matter during NERC meetings and in other NERC-related communications. You should also ensure that NERC procedures, including those set forth in NERC's Certificate of Incorporation, Bylaws, and Rules of Procedure are followed in conducting NERC business. In addition, all discussions in NERC meetings and other NERC-related communications should be within the scope of the mandate for or assignment to the particular NERC committee or subgroup, as well as within the scope of the published agenda for the meeting. No decisions should be made nor any actions taken in NERC activities for the purpose of giving an industry participant or group of participants a competitive advantage over other participants. In particular, decisions with respect to setting, revising, or assessing compliance with NERC reliability standards should not be influenced by anti-competitive motivations. Subject to the foregoing restrictions, participants in NERC activities may discuss:

    Reliability matters relating to the bulk power system, including operation and planning matters such as establishing or revising reliability standards, special operating procedures, operating transfer capabilities, and plans for new facilities.

    Matters relating to the impact of reliability standards for the bulk power system on electricity markets, and the impact of electricity market operations on the reliability of the bulk power system.

    Proposed filings or other communications with state or federal regulatory authorities or other governmental entities.

    Matters relating to the internal governance, management and operation of NERC, such as nominations for vacant committee positions, budgeting and assessments, and employment matters; and procedural matters such as planning and scheduling meetings.

    Draft Minutes
    Compliance Committee Open Session
    May 8, 2012 | 10:45 a.m.-Noon Eastern
    Westin Arlington Gateway
    801 North Glebe Road
    Arlington, VA 22203
    703-717-6200

    Chair Bruce Scherr convened a duly noticed open meeting of the Compliance Committee of the North American Electric Reliability Corporation on May 8, 2012 at 10:45 a.m. local time, and a quorum was declared present. The agenda is attached as Exhibit A.

    NERC Antitrust Compliance Guidelines

    Chair Scherr directed the participants' attention to the NERC Antitrust Compliance Guidelines.

    Minutes

    The committee approved the February 8, 2012 meeting minutes (Exhibit B).

    Compliance Enforcement Initiative

    Mr. Ken Lotterhos, associate general counsel and director of enforcement, conducted an update on the Compliance Enforcement Initiative (CEI) (Exhibit C). In overview, Mr. Lotterhos stated NERC continues to process violations through the streamlined Spreadsheet Notice of Penalty (SNOP) and the Find, Fix, Track and Report (FFT) informational filing. Since the initial Compliance Enforcement Initiative (CEI) filing on September 30, 2011, NERC will have made eight SNOP filings and eight FFT filings with the Federal Energy Regulatory Commission (FERC) through the end of April 2012. The Commission has issued orders of no further review on the SNOP and NOP filings submitted through the end of February. Mr. Lotterhos further commented on the six-month status report to the Commission; specifically, the six-month report will address and provide context for the CEI processing statistics, discuss the benefits obtained from the program from a broad perspective (NERC, Regional Entity and industry), and how NERC is addressing them. In preparation for this filing, NERC will be working with the Regional Entities to ensure their input is incorporated into the filing.

    Chair Scherr opened to discussion by the committee and attending stakeholders. Members are pleased and encouraged by the progress of Phase 1 of the process and look forward to collaborating on Phase 2 and 3 to ensure consistency and success across all Regions.

    Agenda Item 1 BOTCC Open Meeting August 15, 2012


    Compliance Operations

    Michael Moon, director of compliance operations, provided the industry an update on the Risk-Based Compliance Monitoring and Entity Assessments initiative, noting the initiative is designed to allow for focus of resources on reliability issues, and to empower registered entities to be forward-looking and successful in their compliance activities. Mr. Moon further commented the initiative integrates the evaluation of risk throughout the process at the program level, the entity level and in the enforcement processing level. Mr. Moon further provided the industry with an update on the 2011 CMEP Annual Report, which provides details, analysis, lessons learned, and forward-looking activities regarding the Electric Reliability Organization's (ERO) implementation of the CMEP in 2011. The full report is attached as Exhibit C. Mr. Moon completed his compliance operations report with a review of the CIP-005 Compliance Analysis Report, stating CIP-005 is a NERC Reliability Standard that is critical to the reliability of the bulk power system, and that to date this is the most comprehensive Compliance Analysis Report and offers great suggestions for compliance for registered entities, as well as the usual violation statistics and violation description examples. The full report is attached as Exhibit D.

    Regional Entity Items

    Ms. Linda Campbell, FRCC, provided a presentation on the status of the Reliability Standards Audit Worksheet (RSAW) Development. Ms. Campbell's presentation is attached as Exhibit E.

    Quarterly Statistics

    Chair Scherr referenced the materials provided in the Agenda package (Exhibit F).

    There being no further business, Chair Scherr adjourned the meeting at 12:08 p.m. Eastern.

    Submitted by,

    Ken Lotterhos Associate General Counsel and Director of Enforcement

    Agenda Item 2 Compliance Committee Meeting August 15, 2012

    Compliance Enforcement Initiative

    Action Discussion

    Summary

    NERC continues to process violations through the streamlined Spreadsheet Notice of Penalty (SNOP) and the Find, Fix, Track and Report (FFT) informational filing. Since the initial Compliance Enforcement Initiative (CEI) filing on September 30, 2011, NERC has made 10 SNOP filings and 10 FFT filings with the Federal Energy Regulatory Commission (FERC).[1] The Commission has issued orders of no further review on the SNOP and NOP filings submitted through the end of June.[2] The six initial FFT filings were accepted through the March 15 order on the CEI proposal[3] and since then two additional filings, through the end of April, have been accepted by FERC.[4]

    As described in its May 14 compliance filing, NERC is also seeking to expand the application and effectiveness of the FFT process. Thus far, Compliance Enforcement Authority (CEA) enforcement staff has made all FFT determinations. In the next stage of CEI development, CEA compliance monitoring staff (auditors and investigators) will make recommendations to enforcement staff concerning likely candidates for FFT treatment. NERC anticipates that expanding FFT identification will broaden the range of issues that will be afforded FFT treatment much earlier in the compliance monitoring and enforcement process. NERC and the Regional Entities (REs) are continuing to explore opportunities to enhance the CEI processes. Additionally, NERC is developing a process to conduct random surveys each year to gauge program performance, as directed in the March 15, 2012 Order. The March 15 Order requires NERC to file a 12-month status report in March 2013. NERC is working with the Regions and trade associations to collect the information required for the one-year report. The Commission will be evaluating the consistency and application of the FFT initiative and will review the effectiveness of the FFT program with regard to such matters as:

    1. The effect of the program on improving bulk power system reliability;

    2. The effect of the program on addressing NERC's compliance and enforcement program, including its caseload;

    3. The effect of the program on NERC and the REs better focusing resources on addressing more serious violations;

    4. How NERC's evaluation of risk in identifying candidate possible violations (PVs) for FFT treatment has evolved during the implementation of the FFT initiative, including but not limited to how the violation risk factors (VRFs) have been considered in the evaluation;

    5. Manners in which the FFT mechanism can be improved based on experience to date;

    [1] The eleventh set of filings will be made July 31, 2012.
    [2] Action on the June 30, 2012 filing is expected by July 31, 2012.
    [3] On March 15, 2012 the Commission issued an order accepting, with conditions, NERC's proposal to make informational filings in a Find, Fix, Track and Report (FFT) spreadsheet format of lesser-risk, remediated possible violations of Reliability Standards.
    [4] By Commission Order, a FFT filing is deemed closed sixty days after submittal by NERC unless there is cause for the Commission to open particular remediated issues for review. Action on the May 31, 2012 FFT filing is expected by July 31, 2012.

    6. The results of any audits, spot checks or random samplings that NERC or the REs may have performed during the year with regard to implementation of the FFT proposal; and

    7. The impact, if any, the implementation of the FFT mechanism has had on the number of self-reports submitted.

    In the one-year report, NERC also will report on results of its evaluation of the consistency and application of the FFT initiative. Upon review of this one-year report, the Commission may consider any necessary changes going forward, including expanding the scope and parameters of PVs to be processed by FFT informational filings.

    To date, the CEI has received significant support from the REs and the industry. NERC anticipates the FFT process will continue to result in a better alignment between compliance and enforcement resources and the attention devoted to matters that pose a more serious risk to the reliability of the bulk power system.

    Agenda Item 3a Compliance Committee Meeting August 15, 2012

    CIP Standards CIP-002-3 to CIP-002-4 Transition Brief

    Action

    Discuss and maintain awareness of the Critical Infrastructure Protection (CIP) Standards Version 3 to Version 4 transition and the associated CIP Compliance Bulletin, and discuss next steps.

    Background

    The Federal Energy Regulatory Commission (FERC) approved Version 4 on April 19, 2012, in FERC Order No. 761. The enforcement date of Version 4 (i.e., the effective date for compliance with the approved standards) is April 1, 2014, which is the first day of the eighth calendar quarter after applicable regulatory approvals have been received. NERC expects that responsible entities are starting their implementation of the Version 4 bright-line criteria selection process, and the creation or implementation of processes to ensure full compliance with the requirements by April 1, 2014. Entities should be determining which electric system assets meet the bright-line criteria today, and begin the process of internal identification of those bright-line identified Critical Assets and associated Critical Cyber Assets now so that the proper resources can be procured and scheduled to ensure that all the technical work is complete on or before the enforcement date of April 1, 2014.

    NERC has highlighted four scenarios in which the industry has asked NERC to provide guidance. The categories below summarize these scenarios.

    Type A Adding Critical Assets: As stated by NERC in the filing of Version 4, if additional Critical Assets are identified by the BLC, they are required to be compliant to Version 4 by April 1, 2014. The Implementation Plans communicated for both Version 3 and 4 in addition to the CAN-0012 do not take precedence over the Filing. For entities that will have new critical assets due to the approval of the Bulk Electric System (BES) definition, those entities will have 24 months from the BES definition approval date to ensure their affected assets will be compliant to Version 4. In the interim, regional auditors shall continue to assess a responsible entity's compliance based on the appropriate use of the Risk-Based Assessment Methodology (RBAM).

    Type B No Change in Assets: Assets that are deemed critical based on the Version 3 RBAM will be the focus of NERC CIP audits during the interim. These facilities are generally accepted as Critical Assets and will require compliance to the NERC CIP standards throughout the transition period.

    Type C Delisting V3 Critical Assets: Pursuant to CIP-002-3, entities may adjust their RBAM (at least annually), which means that they may choose to leverage the bright-line criteria for purposes of incorporating it into their RBAM, while leaving core requirements of a Version 3 RBAM intact. In such circumstances, there will be some legacy Critical Assets that will be delisted based on the bright-line criteria. In this case, regional auditors will continue to assess a responsible entity's compliance based on the appropriate use of the RBAM.

    Type D Third Party Designated BES Facilities: In certain circumstances in Version 4, Critical Assets must be identified by an entity based on particular designations by third party entities. For CIP-002-4, NERC urges Planning Authorities (PAs) and Transmission Planners (TPs) that designate if a facility is required to maintain bulk reliability in accordance with TPL-003 and TPL-004 to document the communication of their findings directly to the asset owner or operator. Additionally, NERC urges PAs and TPs that designate if a facility is required to maintain bulk reliability in accordance with FAC-014 to document the communication of their findings directly to the asset owner or operator. Furthermore, it is recommended that all PAs and TPs communicate their designation to affected entities within 60 days of the completed reliability assessment. If notified on or after April 1, 2014, the affected entity will have up to 24 months from the notification to become compliant to the CIP standards, based on the milestones set forth in the Version 4 Implementation Plan.

    Summary

    In anticipation of responsible entities starting their implementation of Version 4 of the CIP Standards, NERC has created a Compliance Bulletin to address implementing bright-line criteria into a Version 3 RBAM. This Compliance Bulletin provides compliance information to responsible entities and Regional Entities regarding newly approved Version 4, which becomes enforceable in the United States on April 1, 2014. A copy of the Compliance Bulletin is available with the Board of Trustees read-ahead materials.

    NERC Compliance Bulletin #2012-0xx
    Title: CIP-002-3 & CIP-002-4 Critical Asset Identification during transition period
    Posted: [DRAFT]

    Background

    This Compliance Bulletin provides compliance information to Responsible Entities and Regional Entities regarding newly approved Version 4 of the CIP Reliability Standards (Version 4), which becomes enforceable in the United States on April 1, 2014. Version 4 includes CIP-002-4 through CIP-009-4, which will replace CIP-002-3 through CIP-009-3. Note that CIP-002-4 is the only reliability standard that changed in Version 4 from its Version 3 predecessor. All other CIP Reliability Standards, CIP-003-4 through CIP-009-4, remain technically unchanged from Version 3.

    The Federal Energy Regulatory Commission (FERC) approved Version 4 on April 19, 2012, in FERC Order No. 761. The Federal Register published the order on April 25, 2012, which makes FERC Order No. 761 effective on June 25, 2012 (The effective date of the FERC Order No. 761 is distinct from the effective date of the standards). Therefore, the enforcement date of Version 4 (i.e., the effective date for compliance with the approved standards) is April 1, 2014, which is the first day of the eighth calendar quarter after applicable regulatory approvals have been received.

    Overview

    Now that Version 4 of the CIP Reliability Standards has been approved by FERC, NERC expects that Responsible Entities are starting their implementation of the Version 4 bright-line criteria selection process, and the creation or implementation of processes to ensure full compliance with the requirements by April 1, 2014. Entities should be determining which electric system assets meet the bright-line criteria today, and begin the process of internal identification of those bright-line identified Critical Assets and associated Critical Cyber Assets now so that the proper resources can be procured and scheduled to ensure that all the technical work is complete on or before the enforcement date of April 1, 2014.

    Responsible Entities are reminded that Version 3 of the CIP Reliability Standards remains in effect as mandatory and enforceable until March 31, 2014, and they are reminded that, for audits occurring both before and after that date, CIP auditors may request information to demonstrate compliance with the Version 3 standards (including a Version 3 compliant RBAM) for that time period.


    The categories below summarize the scenarios in which the industry has asked NERC to provide guidance.

    Type A Adding Critical Assets: As stated by NERC in the filing of Version 4[1], if additional Critical Assets are identified by the bright-line criteria, they are required to be compliant to Version 4 by April 1, 2014. The Implementation Plans[2] communicated for both Version 3 and 4 in addition to the CAN-0012 do not take precedence over the Filing. For entities that will have new critical assets due to the approval of the Bulk Electric System (BES) definition, those entities will have 24 months from the BES definition approval date to ensure their affected assets will be compliant to Version 4. In the interim, Regional Auditors shall continue to assess a responsible entity's compliance based on the appropriate use of the RBAM.

    Type B No Change in Assets: Assets that are deemed critical based on the Version 3 RBAM will be the focus of NERC CIP audits during the interim. These facilities are generally accepted as Critical Assets and will require compliance to the NERC CIP standards throughout the transition period.

    Type C Delisting V3 Critical Assets: Pursuant to CIP-002-3, entities may adjust their RBAM (at least annually), which means that they may choose to leverage the bright-line criteria for purposes of incorporating it into their RBAM, while leaving core requirements of a Version 3 RBAM intact. In such circumstances, there will be some legacy Critical Assets that will be delisted based on the bright-line criteria. In this case, regional auditors will continue to assess a responsible entity's compliance based on the appropriate use of the RBAM.

    Type D Third Party Designated BES Facilities: In certain circumstances in Version 4, Critical Assets must be identified by an entity based on particular designations by third party entities.[3] For CIP-002-4, Attachment 1, criterion 1.3, NERC urges Planning Authorities (PAs) and Transmission Planners (TPs) that designate if a facility is required to maintain bulk reliability in accordance with TPL-003 and TPL-004 to document the communication of their findings directly to the asset owner or operator. For CIP-002-4, Attachment 1, criteria 1.8 and 1.9, NERC urges PAs and TPs that designate if a facility is required to maintain bulk reliability in accordance with FAC-014 to document the communication of their findings directly to the asset owner or operator. Furthermore, it is recommended that all PAs and TPs communicate their designation to affected entities within 60 days of the completed reliability assessment. If notified on or after April 1, 2014, the affected entity will have up to 24 months from the notification to become compliant to the CIP standards, based on the milestones set forth in the Version 4 Implementation Plan.

    [1] See NERC CIPv4 filing to FERC: http://www.nerc.com/files/Final_Final_CIP_V4_Petition_20110210.pdf
    [2] http://www.nerc.com/docs/standards/sar/Imp-Plan_Newly_Identified_CCA_RE_clean_last_approval_2009Nov19.pdf and http://www.nerc.com/docs/standards/sar/Project_2008-06_Draft_v4_Imp_Plan_Newly_Id_CCA_and_RE_clean_20101130.pdf
    [3] See CIP-002-4, Attachment 1, criteria 1.3, 1.8, and 1.9, which require a responsible entity to identify generation and transmission facilities as Critical Assets when they have been determined as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon (criterion 1.3) or critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies (criteria 1.8 and 1.9).


    See the CIP-002-4 Cyber Security Critical Cyber Asset Identification: Rationale and Implementation Reference Document available on the NERC website at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean_20101220.pdf for additional information.

    For more information please contact:

    Michael Moon
    Director of Compliance Operations
    [email protected]
    404-446-2567

    Tobias Whitney
    Manager of CIP Compliance
    [email protected]
    202-644-8088

    Ben Engelby
    Senior Standards & Enforcement Interface and Outreach Specialist
    [email protected]
    404-446-2578

    This document is designed to convey compliance guidance from NERC's various activities. It is not intended to establish new requirements under NERC's Reliability Standards or to modify the requirements in any existing NERC Reliability Standards. Compliance will continue to be determined based on language in the NERC Reliability Standards as they may be amended from time to time. Implementation of this Compliance Bulletin is not a substitute for compliance with requirements in NERC's Reliability Standards.

    Process disclaimer: NERC reserves the right to issue new process Bulletins or modify existing process Bulletins when necessary and at its discretion.


    Agenda Item 3b Compliance Committee Meeting August 15, 2012

    Entity Impact Evaluation Template

    Action

    Information

    Background

    This provides a status update for the Entity Impact Evaluation (EIE) Template, formerly known as the Entity Assessment. The EIE, which is conducted at the entity level, is one component of the Risk-Based Compliance Monitoring Initiative. As discussed at the April Compliance Committee meeting, the Risk-Based Compliance Monitoring Initiative consists of components throughout the process at the program level, the entity level, and in the enforcement processing level, as follows:

    Program Level

    Annual Implementation Plan

    Actively Monitored List (AML)

    Entity Level

    Entity Assessment The assessment will, among other objectives, determine the frequency, scope and methods of compliance monitoring for each entity.

    Compliance Monitoring Integration of verification of Internal Controls into the compliance monitoring to determine the due diligence a Compliance Enforcement Authority (CEA) must use (the amount of evidence to review) to obtain reasonable assurance the entity is not non-compliant.

    Enforcement Processing Level

    Resolution of non-compliance based on risk - Compliance Enforcement Initiative (CEI) Phase one and two:

    o Find, Fix, Track and Report Lower Risk Possible Violations (PVs)

    o Notice of Penalty (NOP)

    Summary

    In 2011 the Electric Reliability Organization (ERO) began developing an EIE Template, but by year-end the timeline for the project was extended to obtain greater industry input. The following activities were conducted:

    Early 2012, the Compliance and Certification Committee (CCC) formed a working group to review the work that had been conducted to date and to draft a template that would include categories and information needed to appropriately scope compliance monitoring.

    During April 2012, NERC conducted eight facilitated focus group meetings, which consisted of two focus groups for each of the following functional areas: Balancing Authority (BA)/Reliability Coordinator (RC), Transmission Owner (TO)/Transmission Operator (TOP), Generator Owner (GO)/Generator Operator (GOP) and Small Entities. The focus groups' input was provided to the CCC working group for consideration. A total of 68 industry representatives from 64 entities participated in the focus groups.

    In May 2012, working with the semi-final draft version of the CCC working group's template, NERC and the Regional Entities (REs) met to discuss the questions raised by the focus groups and to begin gathering the REs' input.

    NERC and the REs met again in June, following the CCC working group's completion of their final draft template. Further information provided by the focus groups and added to the draft template by the CCC was discussed.

    NERC and the REs met again in July 2012 to finalize the draft template, which was posted on the NERC website for industry comment with the customary 45-day comment period. Comments will be due in early September, after which the template will be finalized.

    Agenda Item 3c Compliance Committee Meeting August 15, 2012

    2013 Annual Implementation Plan and Actively Monitored List

    Action

    Review

    Background

    The 2013 Actively Monitored List (AML) worksheet has been updated to show known upcoming changes to standards and assign tier statuses as needed. The 2013 CMEP Implementation Plan has been drafted to include program changes and updated data. Both documents have been edited based on comments received from NERC staff, Regional Entities, FERC, and the Compliance and Certification Committee.

    Summary

    Most changes on the 2013 AML worksheet stem from reassigning tiers of Critical Infrastructure Protection (CIP) requirements so that each CIP requirement shares a common tier assignment with its own subrequirements. The anticipated effect of this change is to make it easier for a registered entity to prepare for its audit. Noteworthy changes to the 2013 CMEP Implementation Plan from the 2012 Plan are summarized in the report's Executive Summary. These include a new discussion on audit scope and periodicity, possible self-certification waivers for entities undergoing an audit that year, registered entity compliance assessments after events and disturbances, registered entity self-assessments, and the tier reassignment of some CIP standards.

  • 3353 Peachtree Road NE Suite 600, North Tower

    Atlanta, GA 30326 404-446-2560 | www.nerc.com

    ERO Compliance Monitoring and Enforcement Program 2013 Implementation Plan

    July 13, 2012 NOTE: CMEP Implementation Plan and the 2013 Actively Monitored Reliability Standards List are posted on the: NERC Website.

    http://www.nerc.com/commondocs.php?cd=3

  • Table of Contents

    ii 2013 NERC CMEP Implementation Plan

    Table of Contents

    Table of Contents .............................................................................................................................ii

    Introduction .................................................................................................................................... 1

    2013 Executive Summary ................................................................................................................ 3

    ERO CMEP Description .................................................................................................................... 5

    Risk-Based Compliance Monitoring Approach ............................................................................... 7

    2013 Implementation Plan Development Methodology .............................................................. 11

    ERO High-Risk Priorities ............................................................................................................ 11

    Southwest Blackout Report ...................................................................................................... 12

    FERC Order and Guidance ......................................................................................................... 12

    Compliance History and Culture ............................................................................................... 12

    AML and Implementation Plan Input ....................................................................................... 14

    Future Considerations............................................................................................................... 17

    Three-Tiered Compliance Approach ......................................................................................... 17

    Three-Tiered Approach to Requirements Specification ........................................................... 17

    Three-Tiered Approach to Audit Scope Determination ........................................................... 18

    Reliability Standards Subject to 2013 CMEP Implementation...................................................... 21

    High-Risk Priority Standards List ............................................................................................... 21

    2013 High-Risk Priority Standards and Tier 1 Requirements ................................................... 22

    CIP Critical Infrastructure Protection ................................................................................. 22

    EOP Emergency Preparedness and Operations ................................................................. 23

    FAC Facilities Design, Connections, and Maintenance ...................................................... 24

    IRO Interconnection Reliability Operations and Coordination .......................................... 24

    PER Personnel Performance, Training, and Qualifications ................................................ 24


    PRC Protection and Control ............................................................................................... 25

    Other Standard Families ....................................................................................................... 26

    External CMEP Discovery Methods............................................................................................... 27

    Compliance Audits .................................................................................................................... 27

    Audit Focus or Scope ............................................................................................................. 28

    CIP Reliability Standards Compliance Audits ........................................................................ 29

    2013 Compliance Audit Schedule ......................................................................................... 29

    Compliance Audit Reports .................................................................................................... 30

    Compliance Tools .................................................................................................................. 31

    Mitigation Plans .................................................................................................................... 31

    Spot Checks ............................................................................................................................... 32

    CIP Reliability Standards ....................................................................................................... 32

    Compliance Investigations ........................................................................................................ 32

    Complaints ................................................................................................................................ 33

    Internal CMEP Discovery Methods ............................................................................................... 34

    Self-Reports ............................................................................................................................... 34

    Self-Certifications ...................................................................................................................... 35

    CIP-002-3 through CIP-009-3 Reliability Standards .............................................................. 36

    Periodic Data Submittals ........................................................................................................... 37

    Exception-Reporting ................................................................................................................. 37

    Key CMEP Activities and Initiatives ............................................................................................... 38

    Registration and Certification ................................................................................................... 38

    Joint Registration Organization and Coordinated Functional Registration .......................... 38

    Results of Abrupt or Forced Registration Changes ............................................................... 39

    CMEP Transparency Elements .................................................................................................. 39


    Compliance Operations and REs Communications .................................................................. 40

    Seminars and Workshops ..................................................................................................... 40

    Transparent Communications............................................................................................... 40

    Training ..................................................................................................................................... 42

    Compliance Auditors ............................................................................................................. 42

    Compliance Investigative (CI) Staff ....................................................................................... 43

    Compliance Assessments after Events and Disturbances ........................................................ 43

    Enforcement Initiatives ............................................................................................................. 43

    Further Implementation of the CEI ....................................................................................... 44

    Closeout of Past Caseload ..................................................................................................... 46

    ERO Guidance on COM-002-2 Communication and Coordination ........................................ 47

    Approved Standards Which Reference Unapproved Standards .............................................. 48

    Regional Entities CMEP Implementation Plans ............................................................................ 50

    Conclusion ..................................................................................................................................... 51

    Appendix 1 2013 ERO High-Risk Priorities with High Value Associated Reliability Standards .. 53

    Appendix 2 2013 Actively Monitored List (AML) Analysis ......................................................... 58

    Appendix 3 2013 Regional Entity Request to Defer or Reduce the Scope of a Compliance Audit .............................................................................................................................................. 61

    Appendix 4 2012 CMEP Implementation Plan Survey ............................................................... 63

    Appendix 5 Compliance Assessment Template ......................................................................... 66

    Appendix 6 2012 High-Risk Priority Standards and Tier 1 Requirements ................................. 70

    BAL Resource and Demand Balancing ............................................................................... 70

    CIP Critical Infrastructure Protection ................................................................................. 70

    COM Communications ....................................................................................................... 70

    EOP Emergency Preparedness and Operations ................................................................. 70


    FAC Facilities Design, Connections, and Maintenance ...................................................... 71

    IRO Interconnection Reliability Operations and Coordination .......................................... 71

    MOD Modeling, Data, and Analysis ................................................................................... 71

    NUC Nuclear ....................................................................................................................... 72

    PER Personnel Performance, Training, and Qualifications ................................................ 72

    PRC Protection and Control ............................................................................................... 72

    TOP Transmission Operations ............................................................................................ 73

    Appendix 7 Situational Awareness Requirements Implicated by the 2011 Southwest Blackout ........................................................................................................................................ 74


    Introduction

    The ERO Compliance Monitoring and Enforcement Program (CMEP) Annual Implementation Plan (Annual Plan) is the annual operating plan for compliance monitoring and enforcement activities to ensure that the North American Electric Reliability Corporation (NERC), as the international ERO, and the Regional Entities (REs) fulfill their responsibilities under legislation in the United States and other applicable obligations in jurisdictions in Canada and Mexico.[1]

    The annual plan provides guidance for both REs and registered entities about the direction Compliance Monitoring and Enforcement will take in 2013. Major changes from the 2012 annual plan are found in the Executive Summary. Currently, reliability standards are mandatory and enforceable in the United States and the Canadian provinces of British Columbia[2], Ontario[3], New Brunswick[4], Saskatchewan[5], and Manitoba[6]. The Canadian province of Alberta[7] has adopted some of the reliability standards and is in the process of reviewing others. The legislative framework to make reliability standards mandatory and enforceable exists in Nova Scotia[8] and Quebec[9]. In Nova Scotia, the reliability standards are pending the approval of the Nova Scotia Utility and Review Board. The National Energy Board of Canada[10] is in the process of making reliability standards mandatory and enforceable for international power lines.

    The compliance monitoring and enforcement activities are carried out by NERC and the eight REs based on the regulatory authority-approved uniform CMEP[11], the NERC Rules of Procedure (ROP)[12], the respective RDA[13] with the eight REs, and other agreements including Memoranda of Understanding with the Canadian provinces. This plan outlines the implementation requirements to be followed by NERC and the eight REs. Each RE submits its annual Implementation Plan to NERC by November 1 of the prior compliance year. NERC is responsible for approving RE Implementation Plans.[14]

    [1] http://www.cre.gob.mx/pagina_a.aspx?id=23
    [2] http://www.nerc.com/files/British-Columbia112706.pdf
    [3] http://www.nerc.com/files/MOU_between_IESO_NERC_NPCC_02052010.pdf
    [4] http://www.nerc.com/files/MOU_NewBrunswick-10032008.pdf
    [5] http://www.nerc.com/files/SaskPower_MOU_020309.pdf
    [6] http://web2.gov.mb.ca/laws/regs/2012/025.pdf
    [7] http://www.nerc.com/files/NERC-WECC-AESO_MOU_Executed%20Version_071510.pdf
    [8] http://www.nerc.com/files/NSPI_NERC_NPCC_MOU_executed_20100511.pdf
    [9] http://www.nerc.com/files/NERC-Regie-NPCC_Agreement_20090508EN_signed.pdf
    [10] http://www.nerc.com/files/NEB-NERCMOU091406.pdf
    [11] http://www.nerc.com/files/Appendix4C_Uniform_CMEP_20110101.pdf
    [12] http://www.nerc.com/files/NERC_Rules_of_Procedure_EFFECTIVE_20110412.pdf
    [13] http://www.nerc.com/page.php?cid=1%7C9%7C119%7C181
    [14] See Appendix 4C of the NERC RoP at Section 4.2: http://www.nerc.com/page.php?cid=1|8|169


    The 2013 Implementation Plan includes a set of reliability standards that were selected based upon ERO-identified high-risk priorities and a three-tiered approach to compliance auditing. In addition to ERO-wide audit scope guidance, the Implementation Plan requires REs to consider a registered entity's actual and potential risk to the bulk power system (BPS) when determining the specific scope of each compliance monitoring activity. The objectives of the Implementation Plan are to:

    • Promote the reliability of the BPS through rigorous compliance monitoring and enforcement activities

    • Facilitate improved consistency of compliance activities throughout North America

    • Monitor all regulatory authority-approved reliability standards by using the eight CMEP compliance monitoring methods

    • Use risk-based and performance-based criteria for determining the scope of compliance audits

    • Allow flexibility for the ERO and REs to investigate trends that may pose a near-term risk to reliability, either across the North American BPS, across an Interconnection, or within an RE boundary

    • Improve the ERO CMEP by analyzing the compliance monitoring experience across North America and implementing necessary improvements


    2013 Executive Summary

    Noteworthy changes to the 2013 Implementation Plan include:

    1. Audit Scope and Periodicity: Both audit scope and audit periodicity for a registered entity start with Tier 1 and the usual audit scope, and can be adjusted by the Regional Entity (RE), with NERC oversight, based on appropriate justification:

    a. For entities registered as Balancing Authority (BA), Reliability Coordinator (RC), or Transmission Operator (TOP), scope can be modified; however, per the current ROP they are still required to be audited every three years.[15]

    b. For all other registered entities that NERC has previously directed be audited on a six-year cycle, there is flexibility to adjust the periodicity as well as scope, again with appropriate justification provided by the RE.

    2. Self-Certification Waiver for Entities Undergoing Audit: Self-certifications may not be necessary for a requirement that is being audited that year.

    3. Registered Entity Compliance Assessments after Events and Disturbances: Registered entities are encouraged to conduct formal compliance assessments of Category two events and disturbances and submit a report to the RE for review. REs may consider a registered entity's submittal of compliance assessments, along with other factors, in determining appropriate audit scopes for upcoming audits. Registered entities that discover possible violations (PVs) and self-report will gain the appropriate credit for self-reporting. REs may request these more formal compliance assessments for any category of event they deem of significance based on risk-based criteria or the compliance history of the entity. Where registered entities choose not to do compliance assessments after events and disturbances, REs may use other compliance monitoring activities as deemed necessary.

    4. Registered Entity Self-Assessment: NERC, the Regions, and industry representatives have been developing a template. Registered entities are encouraged to formulate a self-assessment to share with the RE prior to the audit notification.

    5. Critical Infrastructure Protection (CIP) Standards and Tier Assignments: Tier assignments in the CIP standards have been reassigned so that each requirement, along with its subrequirements, is assigned a single tier.

    The ERO is working with the industry to develop an open and transparent uniform entity assessment template and will provide a draft for industry comment in late July of 2012. There will be a 45-day comment period, and then a final version will be ready by the end of 2012. It is the goal that after the comment period a base template will be available for use by the registered entity to conduct self-assessments and engage in discussions with the RE on appropriately scoping audits and other compliance monitoring activities. Significant areas of emphasis in the ongoing discussions include a consideration of internal controls and an understanding of an entity's internal compliance program (ICP). Two development strategies have been used: 1) the broad-based effort by the NERC Compliance and Certification Committee (CCC)[16] and 2) select focus group discussion by registered functions.[17]

    [15] Audit periodicity for entities registered as BAs, RCs, and TOPs must be every three years and cannot be reduced per section 403.11.1 of the NERC Rules of Procedure at http://www.nerc.com/files/NERC_Rules_of_Procedure_EFFECTIVE_20110412.pdf.

    When there is confidence in entity assessments, both audit scopes and audit periodicity can be specifically tailored to each registered entity. In 2012 it was emphasized that Tier 1 standards represent the minimum audit scope. However, if an entity's assessment indicates such, either its audit scope can be reduced below Tier 1 or its audit periodicity[18] can be reduced.[19] This reduction can allow for more compliance monitoring of entities which pose more risk to the reliability of the Bulk Electric System (BES), which is the heart of performance monitoring.

    NERC staff continues to monitor recent activities and major events, such as the southwest cold weather event[20] and the southwest blackout event[21], as well as the progress of the Find, Fix, Track and Report (FFT) mechanism of the Compliance Enforcement Initiative (CEI). As a result of the recently released Southwest Blackout report[22] by FERC and NERC, REs are expected to consider critical standards that include aspects of situational awareness, including both planning and coordination, in their audit and self-certification programs for 2013. A list of these standards is provided in Appendix 7 of this report.

    The impact of new or revised standards coming into effect in 2013 includes the introduction of:

    • New CIP Tier reassignments, effective 1/1/2013

    • FAC-008-3, effective 1/1/2013 (no effect on the Actively Monitored List (AML))

    • PER-005-1, effective 4/1/2013

    • EOP-001-2b, EOP-005-2, EOP-006-2, and EOP-008-1, effective 7/1/2013.

    Specifics of the changes can be found in the 2013 High-Risk Priority Standards and Tier 1 Requirements section of this report and in the 2013 AML.

    [16] http://www.nerc.com/docs/compliance/ccc/RBRCWG_EIET-12_2012_06_11a.pdf
    [17] http://www.nerc.com/page.php?cid=3|22|410
    [18] Audit periodicity for entities registered as BAs, RCs, and TOPs must be every three years and cannot be reduced per section 403.11.1 of the NERC Rules of Procedure at http://www.nerc.com/files/NERC_Rules_of_Procedure_EFFECTIVE_20110412.pdf.
    [19] Using the form found in Appendix 3 of this document entitled 2013 Regional Entity Request to Defer or Reduce the Scope of a Compliance Audit.
    [20] Report from NERC and FERC: http://www.nerc.com/files/SW_Cold_Weather_Event_Final_Report.pdf
    [21] Report from NERC and FERC: http://www.nerc.com/fileUploads/File/News/PR_AZOutage01MAY12.pdf
    [22] http://www.nerc.com/fileUploads/File/News/PR_AZOutage01MAY12.pdf


    ERO CMEP Description

    Reliability and accountability are basic tenets of the Compliance Monitoring and Enforcement Program (CMEP). The objective of NERC and the Regional Entities (REs) is to achieve the highest level of reliability for the bulk power system (BPS). NERC, as the Federal Energy Regulatory Commission (FERC)-certified Electric Reliability Organization (ERO), together with the REs, is accountable to government regulators and industry stakeholders. The CMEP is a critical component in supporting reliability and accountability. The CMEP covers monitoring and enforcement activities in addition to training and informational activities designed to assist the industry in achieving and sustaining effective compliance and enhanced reliability. The CMEP also complements other critical ERO activities aimed at improving reliability, such as: facilitating the industry in the development and improvement of reliability standards, providing reliability assessments, and identifying lessons learned from events analysis that can assist the industry in enhancing reliability. There is clear ERO and industry accountability for the development of reliability standards in accordance with the 2005 Federal Power Act[23] and FERC Order No. 672[24], which duly recognize the collective expertise, experience, and judgment needed to develop and improve reliability standards. NERC continues to refine and improve the annual CMEP and Actively Monitored List (AML) by focusing its efforts and resources on those standards that pose the greatest risk to BPS reliability.

    The NERC ROP[25] state that all BPS users, owners, and operators are required to comply with all applicable ERO governmental authority-approved reliability standards at all times. Regional reliability standards and regional variances approved by NERC and the applicable ERO governmental authority are enforceable and apply to all registered entities responsible for meeting those reliability standards within the RE boundaries, whether or not the BPS user, owner, or operator is a member of the RE.

    The CMEP is developed under Section 215(c) of the Federal Power Act[26] to establish and enforce reliability standards for the BPS, subject to review by FERC and in general accordance with the Principles for an Electric Reliability Organization that can Function on an International Basis.[27]

    The CMEP is designed to improve reliability through the effective and efficient monitoring and enforcement of reliability standards.

    [23] Section 215(d)(2) of the Federal Power Act located at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=f:h6enr.txt.pdf
    [24] Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, 114 FERC 61,104 (2006) at P 324, located at http://www.nerc.com/files/final_rule_reliability_Order_672.pdf.
    [25] See Rules of Procedure, Section 401.2 at http://www.nerc.com/page.php?cid=1|8|169.
    [26] Federal Power Act, 16 U.S.C. 824o. a.3 (2005). Located at http://www.nerc.com/fileUploads/File/AboutNERC/HR6_Electricity_Title.pdf
    [27] Bilateral Electric Reliability Oversight Group, August 3, 2005 (the Bilateral Principles).


    To help fulfill its responsibilities under its rules filed with regulatory authorities, NERC, as the international ERO, has delegated authority to qualified REs to monitor and enforce compliance with reliability standards by users, owners, and operators of the BPS. This delegation is governed by Regional Delegation Agreements (RDA) that have been approved by the appropriate regulatory authorities. NERC and these REs are responsible for carrying out the CMEP. Each RE submits its regional CMEP Implementation Plan to NERC for approval based on the requirements of this document. NERC and the REs recognize that there are important reliability matters that require prompt communication to industry. NERC has used the Alerts/Advisory[28] process to rapidly inform the industry of such matters. The Implementation Plan strongly encourages the applicable registered entities to proactively address such communications as a way of demonstrating good utility practice and a strong culture of compliance and reliability excellence.

    [28] See Events Analysis: Alerts at http://www.nerc.com/page.php?cid=5|63.


    Risk-Based Compliance Monitoring Approach

    The premise of risk-based compliance monitoring is that scrutiny is directly proportional to the risk or impact posed to the reliability of the BPS by a registered entity. Risk is not to be considered as a negative in any way; it is simply a consideration of the complex nature of the industry. Risk is neither uniform across the diverse industry that is responsible for the reliability of the BPS, nor is it consistent over time. Compliance monitoring encompasses a range of activities, both internal and external to the registered entity. External compliance monitoring activities include audits, spot checks, investigations, and complaints. Internal activities include self-reports, self-certifications, periodic data submittals, and exception reporting. Of note is that in 2011, registered entities self-identified 67 percent of the possible violations (PVs) and compliance issues. This clearly speaks to the continued discipline and integrity of the industry. While compliance auditing is an important compliance monitoring discovery method, it may not always be the most effective of the eight methods based upon an entity's risk or other associated factors. For entities that pose minimal reliability risk, the activities specifically prescribed in this Implementation Plan may suffice. For registered entities that pose a significant risk to reliability, it is the responsibility of REs to mitigate this risk through the use of compliance monitoring, which includes audits of increased scope and frequency, focused spot checks, self-certifications, etc. Where an entity can develop and present a complete self-assessment, an RE will give strong consideration to how the registered entity describes its own risk and how it manages and, where necessary, mitigates this risk. This could lead to a discussion between an entity and the RE about the possibility of modifying future compliance monitoring activities.

    One of the key components to an effective risk-based audit approach is the incorporation of performance-based auditing. Performance audits, according to the United States Government Accountability Office[29], are defined as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices. Another component to a risk-based audit approach involves the detailed reviews and testing of registered entities' programs and procedures utilized to control risk in order to assure performance, rather than relying solely on documentation.

    Registered Entities are responsible for compliance with all regulatory-approved Reliability Standards and Requirements in effect per their registered functions at all times, regardless of what is specified in the AML.

    [29] See United States Government Accountability Office Government Auditing Standards (GAGAS) at Chapter 1: Use and Application of GAGAS at Section 1.25, http://www.gao.gov/new.items/d07731g.pdf.

    The ERO is working with the industry to develop an open and transparent uniform entity assessment template and will provide a draft for industry comment in late July of 2012. There will be a 45-day comment period, and then a final version will be ready by the end of 2012. It is the goal that after the comment period a base template will be available for use by the registered entity to conduct self-assessments and engage in discussions with the RE on appropriately scoping audits and other compliance monitoring activities. Significant areas of emphasis in the ongoing discussions include a consideration of internal controls and an understanding of an entity's internal compliance program (ICP). Two development strategies have been used: 1) the broad-based effort by the NERC Compliance and Certification Committee[30] and 2) select focus group discussion by registered functions.[31]

In early development of the uniform entity risk assessment template, a number of aspects were identified as important: the Technical and Risk Profile of an entity, Reliability Performance Metrics, an entity's Internal Compliance Program, Compliance and Enforcement Metrics and Status, and Regional Entity Qualitative Assessment, which are concepts described in generally accepted government auditing standards (GAGAS)[32]. These five aspects are described below:

Technical and Risk Profile: This profile details the technical components of the registered entity. It highlights various aspects of the company's structure and identifies key information that is relevant to its risk. Such components include MW capacities, registration information, points of interconnection, and affiliated companies.

Reliability Performance Metrics (Trends): Metrics provide a quantitative approach for measuring a registered entity's performance. Consistent metrics yield a baseline to measure performance as well as to compare performance to previous years.

Internal Compliance Program: The strength of a registered entity's internal compliance program evidences its activities to self-monitor reliability and compliance through internal controls, corrective action programs and a culture of compliance. An assessment of a registered entity's internal compliance program includes an evaluation of how the entity addresses the standard FERC 13 questions[33] and the additional FERC 1b compliance criteria[34], and outlines areas for improvement in the internal compliance program.

Compliance and Enforcement Metrics and Status: These metrics detail the violation history and any open enforcement actions of the registered entity, including consideration of the facts and circumstances surrounding the violations. The evaluation includes consideration of the methods of discovery, with specific focus on repeat violations, the status of any open mitigation plans, and compliance improvements over time.

Regional Entity Qualitative Assessment: This area provides an opportunity for the REs to include qualitative assessment and regional expertise on what the entity is doing well and areas for improvement.

[30] http://www.nerc.com/docs/compliance/ccc/RBRCWG_EIET-12_2012_06_11a.pdf

[31] http://www.nerc.com/page.php?cid=3|22|410

[32] See GAGAS at Chapter 7: Field Work Standards for Performance Audits, http://www.gao.gov/new.items/d07731g.pdf

[33] http://www.ferc.gov/whats-new/comm-meet/102005/M-2.pdf. See section Internal Compliance starting with paragraph 22.

[34] http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=/ecfrbrowse/Title18/18cfr1b_main_02.tpl

NERC and the REs, with industry stakeholder input, are working together to develop an Entity Risk Profile Assessment template for use across the entire ERO. When complete, this template will be publicly posted on NERC's website for the benefit of both the REs and registered entities. For registered entities, the template may prove valuable for conducting critical self-assessments in preparation for compliance monitoring actions and at other times, such as internal compliance reviews. Also, the template will be invaluable for the Regions in order to scope audits appropriately. A quality entity assessment includes doing a risk assessment, a careful look at internal controls, and knowing an entity's internal compliance program (ICP). The best internal controls are not only based on documentation, but also contain a performance aspect so that an entity is actively monitoring its own compliance. Emphasizing quality registered entity assessments is key to performance-based auditing. When there is confidence in entity assessments, both audit scopes and audit periodicity can be specifically tailored for each registered entity. In 2012 it was emphasized that Tier 1[35] standards represent minimum audit scope. However, if an RE's assessment of a registered entity so indicates, it is possible (through approval from NERC using the form found in Appendix 3 of this document) that either an audit scope can be reduced to less than the applicable Tier 1 requirements or that audit periodicity can be reduced[36]. This can allow for more compliance monitoring of entities which pose more risk to the reliability of the BES, which is the heart of performance monitoring.

To further assist the REs in determining the level of risk an entity poses to reliability, registered entities are expected to conduct formal compliance assessments of Category 2 events/disturbances and submit them to the RE for review. REs may request these more formal compliance assessments for any category of event they deem of significance based on risk-based criteria or the compliance history of the entity. It must be emphasized that registered entities are responsible for compliance with all regulatory approved reliability standards and requirements in effect per their registered function at all times, regardless of what a registered entity's risk profile may indicate. REs have the authority and responsibility to expand the scope of an audit, spot check, or any other compliance monitoring process if they consider it necessary when evaluating the compliance of a registered entity.

[35] See the Three-Tiered Compliance Approach section of this document for more detail on the tiered system.

[36] Audit periodicity for entities registered as BAs, RCs, and TOPs must be at least three years and cannot be reduced per section 403.11.1 of the NERC Rules of Procedure at http://www.nerc.com/files/NERC_Rules_of_Procedure_EFFECTIVE_20110412.pdf.

  • 2013 Implementation Plan Development Methodology

2013 Implementation Plan Development Methodology

As part of an overall compliance plan, NERC developed the AML of Reliability Standards for 2013 based on the methodology outlined in this section. This framework builds on the development process utilized for the 2012 Implementation Plan. The 2013 Implementation Plan is designed to realize risk-based approaches for ERO programs, priorities and initiatives that meet reliability goals and improve efficiencies. Achieving these goals will be accomplished through the development, maintenance, and implementation of a list of the highest priority reliability standards. The reliability standards and associated requirements populating this list will be determined through an annual review of the following:

    ERO High-Risk Priorities

    Southwest Blackout Report

    FERC Orders and Guidance

    Compliance History and Culture

    Input from NERC Staff including Compliance Operations (OC), Critical Infrastructure Protection (CIP), Enforcement, Events Analysis (EA) and Investigations, Legal, Reliability Assessments and Performance Analysis, and Standards

    Input from RE Staff

    Input from the NERC CCC

    Future Considerations

ERO High-Risk Priorities

The purpose of identifying and using a set of priorities is to focus on requirements within reliability standards that are most critical to the reliability of the BPS as determined by a set of risk-based criteria. The priorities and correlated reliability standards are explained in further detail in Appendix 1 - 2013 ERO High-Risk Priorities with High Value Associated Reliability Standards. NERC and the REs considered these priorities and identified a number of reliability standards that apply to each criterion. Many of these reliability standards apply to multiple priorities, bolstering their importance and the reason for their inclusion in the AML.


Southwest Blackout Report

The joint FERC/NERC report on the southwest blackout of September 2011[37] was released on May 1, 2012. Areas of continuing concern are: situational awareness, communications, coordination, planning and modeling. Many of these concerns are already addressed by the AML, and will be bolstered by the release of EOP-005-2 when it comes into effect July 1, 2013.

FERC Order and Guidance

Based upon FERC Order No. 729, the Reliability Standards associated with the calculation of available transfer capability (ATC), namely MOD-001, MOD-004, and MOD-008, will continue to be actively monitored as part of the 2013 Implementation Plan.

Compliance History and Culture

An analysis of the compliance history with reliability standards is only one aspect of determining the risk-based compliance approach, and provides insight into which reliability standards have proven most challenging for registered entities. Reliability standards that are understood by registered entities will typically result in PVs being discovered through the self-report and self-certification monitoring methods. Reliability standards that are not well understood typically result in more PVs through the audit and spot check monitoring methods. Through the identification and inclusion in the AML of reliability standards with high numbers of violations discovered directly by REs, registered entities will have the ability to learn, through personal experience, regional workshops, and other outreach programs and resources, how best to improve their compliance programs. Improved compliance programs will result not only in enhanced compliance with these reliability standards in particular, but with all reliability standards through the growth of compliance processes and systems. A collection of violation statistics for the most frequently violated reliability standards is provided in Tables 1 and 2. Table 1 emphasizes violations from the recent past while Table 2 focuses upon violations stemming back to June 18, 2007. The NERC total is sometimes a few more than the total of the Interconnections. This is due to violations found by NERC directly, which are known as NERC Compliance Enforcement Authority (NCEA) violations.

[37] http://www.nerc.com/fileUploads/File/News/AZOutage_Report_01MAY12.pdf


    Table 1: Top 10 Violation Statistics for the near term in all Regions and by Interconnection for all Reliability Standards.

    Table 2: Top 10 Violation Statistics for all time in all Regions and by Interconnection for all Reliability Standards.

The significant presence of FERC Order No. 706[38] (CIP) reliability standards among near-term violations makes it difficult to gauge how FERC Order No. 693[39] (O&P, Operations and Planning) reliability standards rank in terms of violations. Removing the CIP reliability standards from this analysis, the violation statistics for O&P reliability standards in the near term and for all time can be seen in Tables 3 and 4 respectively.

[38] Mandatory Reliability Standards for Critical Infrastructure Protection, 122 FERC 61,040 (2008) (Order No. 706).

[39] Mandatory Reliability Standards for the Bulk-Power System, 72 FR 16,416 (Apr. 4, 2007), FERC Stats. & Regs. 31,242 (2007) (Order No. 693). NERC recognizes that each Canadian province has separate Memoranda of Understanding; Order Nos. 693 and 706 are used in this document as shorthand for referencing non-CIP and CIP standards respectively.


    Table 3: Top 10 Violation Statistics for the near term in all Regions and by Interconnection for O&P Reliability Standards.

    Table 4: Top 10 Violation Statistics for all time in all Regions and by Interconnection for O&P Reliability Standards.

Risk-based compliance includes high-impact violations as well as low-impact violations that are widespread enough to, in aggregate, represent a high impact to reliability. Thus, violation history analysis is an important tool for assessing which reliability standards and, in turn, which functions have proven to be most difficult for compliance and require more attention during audits.

AML and Implementation Plan Input

All eight REs provided valuable input into the development of the 2013 AML and Implementation Plan. In addition, several NERC departments provided insight in terms of the relationship of reliability standards to ERO High-Risk Priorities; supplementary information from these groups has been provided in order to help further refine the list of High-Risk Priority Standards. Specifically, the departments that contributed to the 2013 Implementation Plan include COs, CIP, Enforcement, EA and Investigations, Legal, Reliability Assessment and Performance Analysis, and Standards. The Reliability Assessment and Performance Analysis department is continuing its ongoing process in which a subset of requirements with the highest impact to reliability is identified according to a Standards/Statute Driven Index (SDI). The SDI measures improvement in compliance with reliability standards as part of a Reliability Metrics and Integrated Risk Assessment study[40]. As of August 2012, this subset consists of the same 26 Requirements as in previous years and is found in Table 5. These Requirements have high Violation Risk Factors (VRFs), and violations of these Requirements have severe Reliability Impact Statements (RIS) as determined by the Regional Entity.

Table 5: 26 Requirements considered by the Standards/Statute Index as part of Reliability Metrics and Integrated Risk Assessment

Standard    Req.   Standard    Req.   Standard    Req.   Standard    Req.   Standard    Req.
EOP-001-0   R1.    FAC-009-1   R1.    PER-002-0   R3.    PRC-005-1   R2.    TOP-004-2   R1.
EOP-003-1   R7.    IRO-005-2   R17.   PER-002-0   R4.    TOP-001-1   R3.    TOP-004-2   R2.
EOP-005-1   R6.    PER-001-0   R1.    PRC-004-1   R1.    TOP-001-1   R6.    TOP-006-1   R6.
EOP-008-0   R1.    PER-002-0   R1.    PRC-004-1   R2.    TOP-001-1   R7.    TOP-008-1   R2.
FAC-003-1   R1.    PER-002-0   R2.    PRC-005-1   R1.    TOP-002-2   R17.   VAR-001-1   R1.
FAC-003-1   R2.

The Reliability Assessment and Performance Analysis group has also completed an analysis of the BPS transmission system through the Transmission Availability Data System (TADS). As shown in Figure 1, this analysis points to several causes for sustained outages[41] experienced by North America's transmission system. Keeping these outage causes in mind can be helpful in determining the priority of individual Requirements within already designated, high-risk priority reliability standards.

[40] http://www.nerc.com/docs/pc/rmwg/Integrated_Reliability_Index_WhitePaper_DRAFT.pdf

[41] Individual sustained outages of AC circuit transmission lines categorized by cause. An Automatic Outage with an Outage Duration of a minute or greater. The TADS definition of Sustained Outage is different from the NERC Glossary of Terms Used in Reliability Standards definition of Sustained Outage, which is presently only used in FAC-003-1. The glossary defines a Sustained Outage as follows: "The deenergized condition of a transmission line resulting from a fault or disturbance following an unsuccessful automatic reclosing sequence and/or unsuccessful manual reclosing procedure." The definition is inadequate for TADS reporting for two reasons. First, it has no time limit that would distinguish a Sustained Outage from a Momentary Outage. Second, for a circuit with no automatic reclosing, the outage would not be counted if the TO has a successful manual reclosing under the glossary definition.


    Figure 1: Initiating causes of sustained outages for the BPS from 2008 to 2010.


Future Considerations

Future considerations refer to those reliability standards that are not yet enforceable, but are implicated by the 2013 ERO high-risk priorities as referenced in Appendix 1. Thus, these suggested reliability standards provide guidance on what should immediately be considered for incorporation into the AML following FERC approval and given the current priorities. As indicated by the NERC Standards group, the applicable reliability standards subject to future enforcement[42] for 2013 include EOP-001-2b, EOP-005-2, EOP-006-2, EOP-008-1, FAC-008-3, FAC-013-2, and most requirements of PER-005-1.

Three-Tiered Compliance Approach

Following the compilation of the complete list of high-priority reliability standards based upon the sources described above, the AML, being the minimum scope of compliance audits, will include a subset[43] of Requirements from these high-priority reliability standards. The requirements identified for the 2013 AML are designated as Tier 1 within the three-tiered approach that was initially developed for the 2012 Implementation Plan.

Three-Tiered Approach to Requirements Specification

After selecting a set of reliability standards based upon the priorities and criteria identified above, it is necessary to identify the specific Requirements within each of the reliability standards that most directly relate to the purpose of the standard itself in terms of its relationship to the identified ERO high-risk priorities and, ultimately, its support for the reliability of the BPS. In accordance with the FERC-approved ROP, the ERO has selected a subset of the reliability standards and requirements to be actively monitored and audited in the ERO annual compliance program for 2013. The three-tiered approach for identifying the requirements of the AML is described below. For further information regarding the Implementation Plan methodology, refer to Appendix 1, 2013 ERO High-Risk Priorities with High Value Associated Reliability Standards.

Tier 1 Requirements are those that are the most critical to the purpose and intent of the standard of which they are a part. Additionally, the ability of a registered entity to demonstrate compliance with Tier 1 Requirements will provide guidance to audit teams on the necessity to investigate further and broaden an audit's scope to additional Requirements or reliability standards or both.

Tier 2 Requirements are also critical to the purpose of a standard, but less so than Tier 1 in that Tier 2 does not address the ERO high-risk priorities as directly as Tier 1. Tier 2 also does not pose as severe a risk as Tier 1. The determination of which tier a Requirement is assigned to is made using all the data and input mentioned earlier in this section of the report, applied with professional judgement and input from the REs. This is not to say that compliance with Tier 2 Requirements is not mandatory. Instead, Tier 2 Requirements represent an additional level of inquiry that must be undertaken when a registered entity does not display clear compliance with the most critical Requirements of Tier 1. In the process of this added level of investigation, it may become necessary to branch off into other reliability standards that were not identified as relating directly to an ERO priority, based upon professional judgement, review of these areas, and agreement with the Regions.

Tier 3 Requirements are those that, while still being significant to BPS reliability, do not represent the purpose of a reliability standard directly or are not representative of ERO priorities. The exploration by an audit team into the compliance of a registered entity with Tier 3 Requirements will be initiated through links between identified deficiencies in Tier 1 and 2 Requirements and those of Tier 3. The basis for the requirements of the high-risk priority reliability standards in the Tier 1 classification is covered in the following section.

Three-Tiered Approach to Audit Scope Determination

RE audit teams are authorized and obligated to expand the scope of a compliance audit to include Tier 2 and Tier 3 Requirements and any other requirements they may deem necessary based on the results of the Registered Entity Risk Profile Assessment or the audit team's collective professional judgment. Audit scope expansion can occur at any point during the process: from the initial review of the Registered Entity Profile Assessment through the close of the audit. The implementation plan for 2013 will use Tier 1 Requirements as the AML, which is the usual minimum audit scope. In 2012 it was emphasized that Tier 1 standards represent minimum audit scope. However, if an entity's assessment so indicates, either an audit scope can be smaller than Tier 1 or audit periodicity[44] can be reduced[45]. This can allow for more compliance monitoring of entities which pose more risk to the reliability of the BES, which is the heart of performance monitoring.

The emphasis of 2013 is moving the entire ERO toward performing quality registered entity assessments. A quality entity assessment includes doing a risk assessment, a careful look at internal controls, and knowing an entity's internal compliance program (ICP). The best internal controls are not only based on documentation, but also contain a performance aspect so that an entity is actively monitoring its own compliance. Emphasizing quality registered entity assessments is key to performance-based auditing. When there is confidence in entity assessments, both audit scopes and audit periodicity can be specifically tailored for each registered entity.

[42] See the NERC site for the latest information regarding in-effect dates for Reliability Standards: http://www.nerc.net/standardsreports/standardssummary.aspx

[43] See NERC RoP, Section 401.6.

[44] Audit periodicity for entities registered as BAs, RCs, and TOPs must be every three years and cannot be reduced per section 403.11.1 of the NERC Rules of Procedure at http://www.nerc.com/files/NERC_Rules_of_Procedure_EFFECTIVE_20110412.pdf.

[45] Using the form found in Appendix 3 of this document entitled 2013 Regional Entity Request to Defer or Reduce the Scope of a Compliance Audit.

The audit scope for registered entities with identical functional registrations will not always be identical. Registered entities will be advised of their specific audit scopes when they receive a formal audit notification. Compliance information and data archived by the RE from the implementation of previous monitoring methods will be used in the development of a registered entity's audit scope, including but not limited to previous audits, self-certifications, events, and previous or current enforcement actions. The overall monitoring scope of the 2013 Implementation Plan and AML is based on reliability standards that are anticipated to be in effect on January 1, 2013. To the extent new or revised reliability standards are adopted, approved by the regulatory authority, or in effect during the course of 2013, NERC will work with the RE to determine whether the 2013 program needs to be amended. All NERC Reliability Standards identified in the 2013 Implementation Plan are listed in the 2013 AML posted on the NERC website. The 2013 AML includes several tabs. A description of each is listed below:

    Summary Tabs: Quick reference listings of the reliability standards and requirements identified for compliance audits, self-certifications, periodic data submittals, and spot checks required by NERC in 2013, and mandatory effective dates for reliability standards. These tabs are designed to give the user a quick reference of the Implementation Plan