Commissioner Cheryl A. LaFleur Statement
July 21, 2016
Docket No. RM15-14-002
Standards for Supply Chain Cyber Controls
“In today’s order, the Commission elects to proceed directly to a Final Rule and require the development of a new reliability standard on supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. I fully support the Commission’s continued attention to the threat of inadequate supply chain risk management procedures, which pose a very real threat to grid reliability.
“However, in my view, the importance and complexity of this issue should guide the Commission to proceed cautiously and thoughtfully in directing the development of a reliability standard to address these threats. I am concerned that the Commission has not adequately considered or vetted the Final Rule, which could hamper the development and implementation of an effective, auditable, and enforceable standard. I believe that the more prudent course of action would be to issue today’s Final Rule as a Supplemental Notice of Proposed Rulemaking (Supplemental NOPR), which would provide NERC, industry, and stakeholders the opportunity to comment on the Commission’s proposed directives. Accordingly, and as discussed below, I dissent from today’s order.1
- 11 I do agree with one holding in the order: that the Commission has authority under section 215 of the Federal Power Act to promulgate a standard on this issue.