The American Public Power Association, Large Public Power Council and Transmission Access Policy Study Group recently submitted comments to the Federal Energy Regulatory Commission in a FERC proceeding on supply chain risk management reliability standards.
The April 15 comments were made in a FERC Notice of Proposed Rulemaking proceeding (RM24-4-000).
In the NOPR, which was issued Sept. 19, 2024, FERC proposed to direct the North American Electric Reliability Corporation to develop and submit for Commission approval new or modified Reliability Standards that address the sufficiency of responsible entities’ supply chain risk management plans related to the identification of, assessment of, and response to supply chain risks, and the applicability of Reliability Standards’ supply chain protections to protected cyber assets. APPA, LPPC, and TAPS filed comments on the NOPR.
More recently, FERC in March 2025 held a workshop in the NOPR proceeding. The April 15 comments filed jointly by APPA, LPPC, and TAPS were submitted post-workshop.
“Our earlier comments share a perspective that is common with other industry trade associations,” APPA, LPPC and TAPS said. “We do not oppose the NOPR’s proposals to require certain responsible entities to document, track, and respond to identified supply chain risks. Nor do we oppose extension of the supply chain standards to protected cyber assets.”
The groups do, however, object to the proposed directive that would require NERC to revise its supply chain risk management standards, applicable to high- and medium-impact bulk electric system cyber systems, to require responsible entities to validate the completeness and accuracy of information received from vendors.
“The record developed at the Supply Chain Workshop confirms that the marginal value of a validation requirement does not support the NOPR’s proposal to direct revisions to NERC’s standards,” they argued.
“Workshop panelists explained that the appropriate level of validation of information received from vendors varies significantly based on several factors, including the nature of the product or service, the way in which the utility will use the product or service, and the additional risk management controls the utility incorporates around that product or service,” the groups said.
“Although responsible entities can and do use a variety of tools to corroborate some of the information received from vendors, much of the information can never be fully validated, so they adopt additional risk mitigation measures to address residual risk associated with vendors’ products and services as appropriate,” APPA, LPPC and TAPS said.
Based on the record developed in this proceeding, including evidence from the workshop, APPA, LPPC, and TAPS urged the Commission not to adopt the proposed directive to require NERC to revise its supply chain risk management standards to require responsible entities to validate the completeness and accuracy of information received from vendors.