U.S. GAO - Federal Energy Regulatory Commission

Recent Reports

Electricity Grid Resilience

Published: Sep 20, 2021

Publicly Released: Sep 20, 2021

Electricity Grid Cybersecurity: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems

Published: Mar 18, 2021

Publicly Released: Mar 18, 2021

Electricity Grid Resilience: Climate Change Is Expected to Have Far-reaching Effects and DOE and FERC Should Take Actions

Published: Mar 05, 2021

Publicly Released: Mar 10, 2021

Electricity Grid Resilience: Climate Change Is Expected to Have Far-reaching Effects and DOE and FERC Should Take Actions

Published: Mar 10, 2021

Publicly Released: Mar 10, 2021

Gas Transmission Pipelines: Interstate Transportation of Natural Gas Is Generally Reliable, but FERC Should Better Identify and Assess Emerging Risks

Published: Sep 23, 2020

Publicly Released: Sep 23, 2020

Natural Gas Exports: Updated Guidance and Regulations Could Improve Facility Permitting Processes

Published: Aug 06, 2020

Publicly Released: Aug 06, 2020

View More Reports

Open Recommendations (4 total)

Electricity Grid Resilience: Climate Change Is Expected to Have Far-reaching Effects and DOE and FERC Should Take Actions

Show

1 Open Recommendations

Agency Affected	Recommendation	Status
Federal Energy Regulatory Commission	The Chairman of FERC should direct staff to take steps to identify and assess climate related risks to the electricity grid, and plan a response, including identifying actions to address the risks and enhance the resilience of the grid to climate change. (Recommendation 2)	Open – Partially Addressed FERC agreed with our recommendation and has taken several steps to identify and assess climate-related risks. For example, in June 2021, FERC held a technical conference on climate change that addressed how utilities might assess climate-risks, ways to increase resilience to climate change, improving transmission and generation outage management, and potential changes to mandatory reliability standards. In addition, since the June 2021 technical conference, FERC took several additional steps to identify and address climate change risks to the grid. For example, in June 2023, FERC issued two orders to address challenges in planning for extreme heat and cold weather events. Specifically, FERC issued Order No. 896-Transmission System Planning Performance Requirements for Extreme Weather-which directs NERC to develop a new or modified Reliability Standard no later than December 23, 2024, to address reliability concerns pertaining to transmission system planning for extreme heat and cold weather events that impact the reliable operation of the Bulk-Power System. In the order, FERC noted consensus among panelists at the June 2021 technical conference that planners cannot simply project historical weather patterns forward to effectively forecast the future, since climate change has made the use of historical weather observations no longer representative of future conditions. In addition, FERC issued Order No. 897-One-Time Informational Reports on Extreme Weather Vulnerability Assessments, Climate Change, Extreme Weather, and Electric System Reliability-directing transmission providers to file a one-time informational report on whether and how they conduct extreme weather vulnerability assessments, as well as how they use the results of those assessments to develop risk mitigation measures. Through gathering this information, FERC seeks to address the increasing risks of extreme weather to bulk-power system reliability and jurisdictional rates, and to better understand how transmission providers assess and mitigate those risks. The reports were filed, and FERC staff are currently evaluating the reports. We believe FERC has partially addressed our recommendation. To fully address our recommendation, FERC should identify actions needed to address extreme weather and other climate-related risks.

Natural Gas Exports: Updated Guidance and Regulations Could Improve Facility Permitting Processes

Show

1 Open Recommendations

Agency Affected	Recommendation	Status
Federal Energy Regulatory Commission	FERC should review its current interagency agreements that pertain to its onshore LNG permitting process, and implement any needed updates. FERC's review should include input from cooperating agencies and CEQ. (Recommendation 1)	Open – Partially Addressed In January 2024, FERC officials stated that FERC had completed a review of the two agreements cited in our report regarding permitting liquefied natural gas (LNG) export facilities. FERC conducted a review in 2022 and found that one of the agreements remained relevant and did not require further updates. With regard to the second agreement, officials stated that FERC is collaborating with the other agencies cited in the agreement to finalize an updated agreement. We believe FERC's actions demonstrate progress toward implementing our recommendation, and we will consider closing the recommendation once FERC has finalized the updated agreement.

Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid

Show

2 Open Recommendations

Agency Affected	Recommendation	Status
Federal Energy Regulatory Commission	FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)	Open According to FERC officials, the Commission is conducting a technical analysis to develop a plan with appropriate next steps to address GAO's recommendation. As part of this effort, FERC issued two documents in June 2020. First, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. As of June 2023, FERC officials completed its review of public comments on the Notice of Inquiry. FERC officials also engaged with NERC on a project that identified the risk posed by an orchestrated coordinated cyber-attack attack against multiple distributed targets that individually would generally be a localized event. The project resulted in an October 2022 whitepaper on low impact criteria that made a variety of recommendations including revising Critical Infrastructure Protection Reliability Standards, developing security guidelines, and continuous monitoring of access attempts. According to FERC officials, NERC is currently working to implement these recommendations and FERC officials remain actively engaged and will assess new or modified Reliability Standards when they are developed and filed by NERC. In addition, FERC officials will consider whether to recommend additional actions based on NERC's implementation of the white paper recommendations. Second, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. In December 2020, FERC issued a Notice of Proposed Rulemaking proposing incentives for cybersecurity investments by public utilities that built on the June 2020 white paper. As of May 2022, Commission staff completed its review of public comments on the Notice of Proposed Rulemaking, and on April 20, 2023, the Commission issued Order No. 893, Incentives for Advanced Cybersecurity Investment. The Order revises FERC regulations for incentive-based rate treatments to encourage advanced cybersecurity technology and participation in cybersecurity threat information sharing programs in accordance with the Infrastructure Investment and Jobs Act of 2021. For an entity to receive an incentive, the Commission will evaluate whether a voluntary investment in security controls satisfies an objective found in the NIST Cybersecurity Framework and protects against cybersecurity risks for cyber assets that are not currently protected by the Critical Infrastructure Protection Reliability Standards. As of June 2023, we continue to monitor FERC's progress to implement our recommendation.
Federal Energy Regulatory Commission	FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)	Open According to FERC officials, the Commission is conducting a technical analysis to develop a plan with appropriate next steps to address GAO's recommendation. As part of this effort, FERC issued two documents in June 2020. First, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. As of June 2023, FERC officials completed its review of public comments on the Notice of Inquiry. FERC officials also engaged with NERC on a project that identified the risk posed by an orchestrated coordinated cyber-attack attack against multiple distributed targets that individually would generally be a localized event. The project resulted in an October 2022 whitepaper on low impact criteria that made a variety of recommendations including revising Critical Infrastructure Protection Reliability Standards, developing security guidelines, and continuous monitoring of access attempts. According to FERC officials, NERC is currently working to implement these recommendations and FERC officials remain actively engaged and will assess new or modified Reliability Standards when they are developed and filed by NERC. In addition, FERC officials will consider whether to recommend additional actions based on NERC's implementation of the white paper recommendations. Second, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. In December 2020, FERC issued a Notice of Proposed Rulemaking proposing incentives for cybersecurity investments by public utilities that built on the June 2020 white paper. As of May 2022, Commission staff completed its review of public comments on the Notice of Proposed Rulemaking, and on April 20, 2023, the Commission issued Order No. 893, Incentives for Advanced Cybersecurity Investment. The Order revises FERC regulations for incentive-based rate treatments to encourage advanced cybersecurity technology and participation in cybersecurity threat information sharing programs in accordance with the Infrastructure Investment and Jobs Act of 2021. For an entity to receive an incentive, the Commission will evaluate whether a voluntary investment in security controls satisfies an objective found in the NIST Cybersecurity Framework and protects against cybersecurity risks for cyber assets that are not currently protected by the Critical Infrastructure Protection Reliability Standards. As of June 2023, we continue to monitor FERC's progress to implement our recommendation.

View More Recommendations