The Regulatory Mix, TMI’s daily blog of regulatory activities, is a snapshot of PUC, FCC, legislative, and occasionally court, issues that our regulatory monitoring team uncovers each day. Depending on their significance, some items may be the subject of a TMI Regulatory Bulletin.
National Institute of Standards and Technology (NIST)
NIST released its Framework for Improving Critical Infrastructure Cybersecurity. The Framework provides a structure that organizations, regulators, and customers can use to create, assess, or improve comprehensive cybersecurity programs. The Framework is a consensus description of what’s needed for a comprehensive cybersecurity program and reflects the efforts of a broad range of industries. It allows organizations—regardless of size, degree of cyber risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
The Framework document is labeled “Version 1.0” and is described as a “living” document that will need to be updated to keep pace with changes in technology, threats, and other factors and to incorporate lessons learned from its use. The three main elements described in the document are the Framework core, tiers, and profiles.
- The core presents five functions—identify, protect, detect, respond, and recover—that taken together allow any organization to understand and shape its cybersecurity program.
- The tiers describe the degree to which an organization’s cybersecurity risk management meets goals set out in the Framework and range from informal, reactive responses to agile and risk-informed.
- The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.
NIST also released today a “Roadmap” document to accompany the Framework. It lays out a path toward future Framework versions and ways to identify and address key areas for cybersecurity development, alignment, and collaboration.
FCC Chairman Thomas Wheeler issued a statement saying:
“I commend NIST and the many stakeholders who helped develop the Cybersecurity Framework, a significant first step that lays the groundwork to further secure America’s critical infrastructure. The FCC was pleased to participate in this process. Now the next phase of hard work begins. It is time to operationalize the framework within the communications sector to keep America’s information economy strong.”
The PSC has initiated a proceeding to review the extent of the current and projected arrearages owed to Maryland’s electric, gas, and gas and electric utilities (Utilities) and the Utilities’ policies and procedures regarding: (1) assistance to customers who have arrearages, (2) collections and (3) termination of service. Each Utility must file responses to the PSC’s data request by February 21, 2014. Comments on the Utility filings are due by February 28, 2014, and a hearing is scheduled for March 4, 2014.
The PUC has considered the PECO Energy Company Petition for approval of its Customer Assistance Program (CAP) Shopping Plan. PECO was directed to (i) file revisions to its Electric Generation Supplier Coordination Tariff reflecting the PUC’s Opinion and Order; (ii) file semi-annual reports that reflect the net benefits of allowing its CAP customers to shop; and (iii) allow its CAP customers to participate in its Standard Offer Program no later than April 15, 2014. PECO must also convene a collaborative of interested stakeholders and the PUC’s Office of Competitive Market Oversight and Office of Communications to address the specific components of the education plan associated with CAP customer shopping, including a cost-effective means of informing customers leaving CAP of shopping alternatives available to non-CAP residential customers.