Choose Site
FERC, CFTC, and State Energy Law Developments
FERC approved revisions to three Critical Infrastructure Protection (CIP) North American Electric Reliability Corporation (NERC) Reliability Standards to expand the scope of the assets subject to supply chain cybersecurity requirements and related obligations. Supply chain cybersecurity continues to be a focus of NERC, energy industry stakeholders, and government regulatory and securities agencies.
President Joe Biden signed an executive order on February 24 to address possible vulnerabilities in the supply chains of critical national economic sectors, including the energy sector. The executive order directs various executive departments and agencies to complete, in coordination with private stakeholders, a series of assessments to evaluate the resiliency of supply chains in those key sectors. In his prepared remarks, President Biden explained that the order was prompted partly by concerns surrounding shortages in semiconductors, which are vital components of electronic devices used in everything from mobile phones to motor vehicles.
In May 2020, US President Donald Trump issued Executive Order 13920, banning the unrestricted import or use of certain categories of bulk-power system electric equipment from foreign adversaries, with a focus on Russian and Chinese equipment suppliers. The future of that regulation is now up in the air.
The US Congress adopted extensive federal energy policies in the Energy Act of 2020 (Energy Act), which President Donald Trump signed into law on December 27 as part of the Consolidated Appropriations Act, 2021.
At its December open meeting, FERC proposed to establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility.
The secretary of the US Department of Energy (DOE) issued an order on December 17 prohibiting electric utilities from installing equipment or components provided by Chinese companies in electric facilities serving designated “Critical Defense Facilities.” Relying on authority from Executive Order 13920 on Securing the United States Bulk-Power System, the order identified threats to the electric supply chain from China and concluded that prohibiting Chinese equipment in these sensitive facilities is necessary to respond to the Chinese government’s plans to undermine the bulk-power system.
Following significant pushback from the regulated community, FERC and NERC Staff jointly announced in a new white paper that filings and other submissions to FERC describing violations of cybersecurity reliability standards would be entirely nonpublic. Under the revised approach, all cybersecurity noncompliance information will be considered CEII and not disclosed in response to FOIA requests.
At its June 18 open meeting, FERC issued a notice of inquiry seeking public input on cybersecurity-related enhancements to the Critical Infrastructure Protection (CIP) reliability standards. In light of the constantly evolving nature of cybersecurity threats to the bulk power system, FERC is interested in determining whether the current CIP standards adequately address specific cyberrisk areas related to data security and cybersecurity incident detection, containment, and mitigation.

President Donald Trump signed an executive order on May 1 declaring that the use of bulk-power system equipment supplied by companies controlled by certain foreign nations poses an extraordinary threat to the US power grid. The order observes that the bulk-power system is a valuable target for malicious actors, and any attack on that system could pose serious risks to the economy, public health and safety, and national security.

In an order issued on April 17, the Federal Energy Regulatory Commission (FERC) agreed to defer implementation of certain cybersecurity and operational reliability standards administered by the North American Electric Reliability Corporation (NERC) that had important compliance milestones later this year, including the suite of supply chain risk management standards that have been under development for several years and were set to take effect on July 1. The move by FERC is intended to provide some measure of relief from impending compliance burdens and to allow electric utilities to focus their resources on responding to the coronavirus (COVID-19) pandemic.