Self-Certification 91.

91. In the CIP NOPR, the Commission expressed concern over whether responsible entities will be fully prepared for compliance upon reaching the implementation deadline and will take reasonable action to protect the Bulk-Power System during the interim period.49 The Commission stated that NERC’s plans to require self-certification during the interim period are helpful and proposed that, to allow adequate monitoring of

progress, the ERO develop a self-certification process with certifications more frequent than once per year. The CIP NOPR suggested that self-certification be tied either to target dates in the schedule or perhaps quarterly or semi-annual certifications. The Commission indicated that, while an entity should not be subject to a monetary penalty if it is unable to certify that it is on schedule, such an entity should explain to the ERO the reason it is unable to self-certify. The ERO and the Regional Entities should then work with such an entity either informally or, if appropriate, by requiring a remedial plan, to assist such an entity in achieving full compliance in a timely manner. We also stated that the ERO and the Regional Entities should provide informational guidance, upon request, to assist a responsible entity in assessing its progress in reaching “auditably compliant” status.

b. Comments

92. Many commenters oppose directing NERC to consider a self-certification process with more frequent self-certifications than on an annual basis.50 In this regard, EEI argues that a more frequent self-certification requirement is likely to impose undue burdens without commensurate benefits. KCPL claims that there are sufficient processes already in place in order to evaluate and monitor CIP Reliability Standards compliance and additional requirements for self-certification provide no significant support or benefit to tracking a Responsible Entity’s obligations to the CIP Reliability Standards and are unneeded.

93. Other commenters, such as APPA/LPPC, MidAmerican, Northern Indiana and SDG&E either support or do not object to more frequent self-certifications. APPA/LPPC support NERC’s proposed self-certification process as a reasonable means of tracking the

49

CIP NOPR at P 48. 50

E.g., Alliant, Bonneville, Entergy, EEI, ISO-NE, KCPL, National Grid, Northeast Utilities, PG&E, Portland General, Progress, Puget Sound and Southern.

progress made by responsible entities toward full, auditable compliance. Nor do they object to the Commission’s proposal that such certification be rendered quarterly or semi- annually. Northern Indiana supports semi-annual self-certification during the transition until the implementation plan is completed. Northern Indiana contends that more frequent self-certification would be unduly burdensome.

94. METC-ITC also support quarterly or semi-annual self-certifications because the certifications will properly pressure entities to take timely steps to achieve compliance by the deadline for auditable compliance. METC-ITC are concerned, however, that having NERC monitor progress toward compliance with the CIP Reliability Standards via self- certifications, may place a burden on the ERO and the Regional Entities that their current staffs may be unable to properly administer. Thus, METC-ITC propose that the

Commission require the ERO to file plans addressing how it will satisfy the new requirements for providing assistance to responsible entities and further assessing CIP implementation as part of its readiness reviews.

95. SDG&E supports semi-annual certifications, but comments that quarterly certifications would be distracting to the main goal, as well as burdensome, time

consuming and paper intensive. It agrees with the Commission that an entity should not be penalized if it cannot certify that it is on schedule. SDG&E does not object to the Commission’s proposal that the ERO and the Regional Entities should work with such an entity to achieving full compliance, provided that the Commission clarify that this means “getting back” on schedule and not accelerating compliance.

c. Commission Determination

96. While the Commission is sensitive to concerns that more frequent self-

certifications may be burdensome, it is important that the ERO and the Commission know whether industry, or segments of industry, are having difficulty implementing the CIP Reliability Standards. Therefore, we direct the ERO to require more frequent, semi- annual, self-certifications prior to the date by which full compliance is required. Such additional self-certifications may be a “stream-lined” version, but must be useful for the ERO and the Commission to assess industry’s progress toward achieving compliance with the CIP Reliability Standards.

97. Further, we adopt our CIP NOPR proposals that, while an entity should not be subject to a monetary penalty if it is unable to certify that it is on schedule, such an entity should explain to the ERO the reason it is unable to self-certify. The ERO and the

Regional Entities should then work with such an entity either informally or, if appropriate, by requiring a remedial plan to assist such an entity in achieving full

provide informational guidance, upon request, to assist a responsible entity in assessing its progress in reaching “auditably compliant” status.

98. With regard to METC-ITC’s comment, we will not require NERC and the

Regional Entities to submit plans describing how it will undertake these responsibilities. Rather, the ERO and Regional Entities can address any need for additional resources in the ERO’s annual budget filing. If necessary to fulfill their statutory obligations, the ERO and Regional Entities may file a request for additional funding to supplement their Commission approved budgets.

99. With regard to SDG&E’s comment, we clarify that the goal of a Regional Entity working with a responsible entity that is unable to self-certify is to assist the entity in meeting the NERC time frames for auditable compliance, and not to accelerate compliance ahead of schedule.

3. Adding a Cyber Security Assessment to NERC’s Readiness