Guidelines on Submitting Confidential Information

Definitions

Confidential Information

Confidential Information means all Confidential Information, as that term is defined in Section 1501 of the NERC Rules of Procedure, as may be amended from time to time. 

The NERC Rules of Procedure define Confidential Information as:

  • Confidential Business and Market Information;
  • Critical Energy Infrastructure Information (CEII);
  • Personnel information that identifies or could be used to identify a specific individual, or reveals personnel, financial, medical, or other personal information;
  • Work papers, including any records produced for or created in the course of an evaluation or audit;
  • Investigative files, including any records produced for or created in the course of an investigation; or
  • Cyber Security Incident Information (CSII);

provided, that public information developed or acquired by an entity shall be excluded from this definition.

Confidential Information shall not include information that:

  • Is or becomes generally available to the public as a result of actions that do not violate this Policy or other applicable confidentiality requirements;
  • Becomes available to an individual or entity on a non-confidential basis from a source that has the rights to possess and share such information;
  • Is no longer confidential due to the passage of time;
  • An individual or entity can demonstrate by written records that the information was previously known to it or was independently developed without use of any Confidential Information; or
  • The individual or entity originally disclosing the information agrees the information is not confidential or is otherwise publicly available, or waives confidential treatment of the information.

 

Critical Energy Infrastructure Information (CEII)

Critical Energy Infrastructure Information (CEII) means any specific engineering, vulnerability, or detailed design information about proposed or existing Critical Infrastructure that (i) relates details about the production, generation, transportation, transmission, or distribution of energy; (ii) could be useful to a person in planning an attack on Critical Infrastructure; and (iii) does not simply give the location of the Critical Infrastructure.

Protected Entity Information (PEI)

Protected Entity Information (PEI) includes Cyber Security Incident Information (CSII) and any Critical Infrastructure Protection (CIP) Standard information. CSII is any information related to, describing, or which could be used to plan or cause a Cyber Security Incident. The term “Cybersecurity Incident” is defined in 18 C.F.R. §39.1 as “a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software, and data that are essential to the Reliable Operation of the Bulk Power System.”

Non-Public Transmission Function Information (NTI)

Non-Public Transmission Function Information (NTI) means non-public information relating to transmission functions. The term “transmission functions” is defined in 18 C.F.R. §358.3(h) as “the planning, directing, organizing or carrying out of day-to-day transmission operations, including the granting and denying of transmission service requests.”


Identification of confidential information

Documents, messages, and files created or used in the course of performing SERC functions may contain information that must be held in confidence. Information that cannot be publicly disclosed will be categorized in one of the following classes:

  • Confidential Information
    • Critical Energy Infrastructure Information (CEII)
    • Protected Entity Information (PEI)
    • Non-Public Transmission Function Information (NTI)

CEII, PEI, and NTI are all subsets of Confidential Information that require greater protection and/or have stronger restrictions on disclosure than Confidential Information outside of those categories. 

 

Marking of confidential information

Documents, email messages, and files that contain any form of Confidential Information must be appropriately marked in order to ensure adequate protection of that information.  

A Disclosing Party is any individual or entity that supplied Confidential Information via any means to another individual or entity in order to perform SERC functions.  A Disclosing Party shall appropriately mark documents, messages, and files that include any type of Confidential Information prior to providing such documents, messages, and files to SERC. SERC shall not be responsible for protecting Confidential Information in documents, messages, and files submitted by a Disclosing Party that have been improperly marked.

Exception for Protected Entity Information (PEI) – Marking Not Required

PEI is handled in accordance with the PEI Policy. Documents and files that contain PEI do not require marking because SERC staff receives PEI only via the means described in the PEI Policy. Email messages should not contain PEI.

Documents

Documents, whether in physical or electronic form, that contain any form of Confidential Information must be marked “CONFIDENTIAL” with the appropriate category or categories described above, using at least a 12-point font in a header at the top of each page of the document. The abbreviations “CI,” “CEII,” and “NTI” may be used to save space.

Email Messages

Email messages that contain any form of Confidential Information, either in the body of the message or as an attachment, must be marked “CONFIDENTIAL” with the appropriate category or categories described above, using all capital letters at the start of the subject heading of the email. The abbreviations “CI,” “CEII,” and “NTI” may be used to save space. Any attached documents or files should be marked separately, if needed.

Files

Files that contain any form of Confidential Information must be marked “CONFIDENTIAL” with the appropriate category or categories described above, using all capital letters in the file name. The abbreviations “CI,” “CEII,” and “NTI” may be used to save space. The electronic documents or messages within should be marked separately, if needed.