<RULE>
DEPARTMENT OF ENERGY
<SUBAGY>Federal Energy Regulatory Commission</SUBAGY>
<CFR>18 CFR Part 40</CFR>
<DEPDOC>[Docket Nos. RM24-4-000 and RM20-19-000; Order No. 912]</DEPDOC>
<SUBJECT>Supply Chain Risk Management Reliability Standards Revisions; Equipment and Services Produced or Provided by Certain Entities Identified as Risks to National Security</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
Federal Energy Regulatory Commission.
<HD SOURCE="HED">ACTION:</HD>
Final action; notice terminating proceeding.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
The Federal Energy Regulatory Commission (Commission) directs the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization, to develop new or modified Reliability Standards that address the sufficiency of responsible entities' supply chain risk management plans related to the identification of and response to supply chain risks. Further, the Commission directs NERC to develop modifications related to supply chain protections for protected cyber assets. This final action also terminates a related notice of inquiry.
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD>
This action is effective November 24, 2025.
</EFFDATE>
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
<FP SOURCE="FP-1">
Simon Slobodnik (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707,
<E T="03">simon.slobodnik@ferc.gov</E>
</FP>
<FP SOURCE="FP-1">
Alan Rukin (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8502,
<E T="03">alan.rukin@ferc.gov</E>
</FP>
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
<HD SOURCE="HD1">Order No. 912</HD>
<HD SOURCE="HD2">Final Rule</HD>
<HD SOURCE="HD3">(Issued September 18, 2025)</HD>
1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),
<SU>1</SU>
<FTREF/>
the Commission directs the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), to submit new or modified Reliability Standards within 18 months of the date of issuance of this final rule that address ongoing risks to the reliability and security of the Bulk-Power System posed by gaps in the Critical Infrastructure Protection (CIP) Reliability Standards related to supply chain risk management (SCRM) (collectively, the SCRM Reliability Standards).
<SU>2</SU>
<FTREF/>
The new or modified Reliability Standards must address the: (A) sufficiency of responsible entities' SCRM plans related to the identification of and response to supply chain risks, and (B) applicability of SCRM Reliability Standards to protected cyber assets (PCA).
<SU>3</SU>
<FTREF/>
<FTNT>
<SU>1</SU>
16 U.S.C. 824o(d)(5);
<E T="03">see also</E>
18 CFR 39.5(f).
</FTNT>
<FTNT>
<SU>2</SU>
The phrase “SCRM Reliability Standards” as used in this final rule includes Reliability Standards CIP-005-7 (Electronic Security Perimeter(s)), CIP-010-4 (Configuration Change Management and Vulnerability Assessments), and CIP-013-2 (Supply Chain Risk Management).
</FTNT>
<FTNT>
<SU>3</SU>
PCAs are defined as “[o]ne or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. . . .” Electronic Security Perimeters are defined as “[t]he logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.”
<E T="03">See</E>
NERC,
<E T="03">Glossary of Terms Used in NERC Reliability Standards</E>
(July 2024),
<E T="03">https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf</E>
(NERC Glossary).
</FTNT>
2. While the final rule largely adopts the Notice of Proposed Rulemaking's
<SU>4</SU>
<FTREF/>
(NOPR) proposals, in response to concerns raised in NOPR comments and a Commission staff-led workshop, we decline to direct NERC to require responsible entities to validate data received from vendors. However, we encourage entities to voluntarily implement this security practice as appropriate.
<FTNT>
<SU>4</SU>
<E T="03">Supply Chain Risk Mgmt. Reliability Standards,</E>
Notice of Proposed Rulemaking, 89 FR 79794 (Oct. 1, 2024), 188 FERC ¶ 61,174, at PP 12-19 (2024) (NOPR).
</FTNT>
3. As explained in the NOPR, while the currently effective SCRM Reliability Standards provide a baseline of protection against supply chain threats, the global supply chain presents adversaries with increasing opportunities for attack.
<SU>5</SU>
<FTREF/>
For example, using the global supply chain, adversaries have inserted counterfeit and malicious software, tampered with hardware, and enabled remote access. Therefore, we are taking action in this final rule to address the increasing threat environment and the need for improved mitigation strategies. Directing NERC to address the identified gaps in the SCRM Reliability Standards enhances the security posture of the Bulk-Power System.
<FTNT>
<SU>5</SU>
<E T="03">Id.</E>
</FTNT>
<HD SOURCE="HD1">I. Background</HD>
<HD SOURCE="HD2">A. Section 215 of the FPA and Mandatory Reliability Standards</HD>
4. Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to establish and enforce Reliability Standards, which are subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.
<SU>6</SU>
<FTREF/>
Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,
<SU>7</SU>
<FTREF/>
and subsequently certified NERC as the ERO.
<SU>8</SU>
<FTREF/>
<FTNT>
<SU>6</SU>
16 U.S.C. 824o(e).
</FTNT>
<FTNT>
<SU>7</SU>
<E T="03">Rules Concerning Certification of the Elec. Reliability Org. & Procs. for the Establishment, Approval, & Enf't of Elec. Reliability Standards,</E>
Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104,
<E T="03">order on reh'g,</E>
Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006).
</FTNT>
<FTNT>
<SU>8</SU>
<E T="03">N. Am. Elec. Reliability Corp.,</E>
116 FERC ¶ 61,062,
<E T="03">order on reh'g & compliance,</E>
117 FERC ¶ 61,126 (2006),
<E T="03">aff'd sub nom. Alcoa, Inc.</E>
v.
<E T="03">FERC,</E>
564 F.3d 1342 (D.C. Cir. 2009).
</FTNT>
<HD SOURCE="HD2">B. SCRM Reliability Standards</HD>
5. The supply chain refers to the sequence of processes involved in the production and distribution of,
<E T="03">inter alia,</E>
industrial control system hardware, software, and services.
<SU>9</SU>
<FTREF/>
Such supply chains are complex, globally distributed, and interconnected systems with geographically diverse routes that consist of multiple tiers of suppliers who collectively build components necessary to deliver final products to customers. Further, the origins of products or components may be intentionally or inadvertently obscured. Certain foreign suppliers may also be subject to policies or laws that compel those suppliers to covertly provide their governments with customer data, trade secrets, and intellectual property obtained by embedding spyware or other compromising software in products, parts, or services.
<SU>10</SU>
<FTREF/>
Because the supply chain is so complex, it is extremely challenging to identify, assess, and respond to risk. The various processes, practices, and methodologies used to do so are collectively referred to as supply chain risk management or SCRM. SCRM includes implementing processes, tools, or techniques that minimize adverse impacts of adversary attacks.
<SU>11</SU>
<FTREF/>
<FTNT>
<SU>9</SU>
<E T="03">See, e.g., Revised Critical Infrastructure Prot. Reliability Standards,</E>
Order No. 829, 81 FR 49878 (July 29, 2016), 156 FERC ¶ 61,050, at P 4 (2016) (discussing the reliability concerns posed by the supply chain).
</FTNT>
<FTNT>
<SU>10</SU>
<E T="03">See</E>
Office of the Dir. of Nat'l Intelligence,
<E T="03">Protecting Critical Supply Chains: Risks from Foreign Adversarial Exposure</E>
(2024),
<E T="03">https://www.dni.gov/files/NCSC/documents/supplychain/Risks_From_Foreign_Adversarial_Exposure.pdf.</E>
</FTNT>
<FTNT>
<SU>11</SU>
<E T="03">See</E>
NIST,
<E T="03">Computer Security Resource Center—Definition of Supply Chain Risk Management, https://csrc.nist.gov/glossary/term/supply_chain_risk_management.</E>
</FTNT>
6. The currently effective SCRM Reliability Standards provide a baseline for supply chain risk protection for high and medium impact bulk electric system (BES) Cyber Systems
<SU>12</SU>
<FTREF/>
and various associated systems and assets as outlined in each Standard.
<SU>13</SU>
<FTREF/>
First, Reliability Standard CIP-005-7 requires responsible entities to manage electronic access to their BES Cyber Systems and requires each responsible entity to have one or more methods to determine active vendor remote access sessions and one or more methods to disable vendor remote access. Second, Reliability Standard CIP-010-4 requires responsible entities to prevent and detect unauthorized changes to their BES Cyber Systems. Finally, Reliability Standard CIP-013-2 requires each responsible entity to develop a written SCRM plan for its high and medium impact BES Cyber Systems and their associated electronic access control or monitoring systems and physical access control systems. The SCRM Reliability Standards, except for Reliability Standard CIP-005-7, do not include protections for PCAs.
<SU>14</SU>
<FTREF/>
<FTNT>
<SU>12</SU>
Each BES Cyber System, per Reliability Standard CIP-002-5.1a (BES Cy