- Security Program for Hydropower Projects Revision 3A
- Revision 3 and 3A Changes
- Frequently Asked Question to Revision 3 and 3A (FAQs)
- FERC Hydro Cyber/SCADA Security Checklist – Form 3 (fillable)
Best Practices for Completing the Annual Security Compliance Certification (ASCC). The ASCC is an annual requirement due December 31 each year. A webinar was conducted on November 2, 2022 to help clarify the requirements of the ASCC and a new template was reviewed. A link to the webinar is provided above this section. At a minimum, the ASCC must be submitted (new or old format; new format strongly recommended) with applicable FERC Physical Security Checklist(s) and a completed Cyber Asset Designation Worksheet. Below are links to help facilitate the completion of the ASCC:
- New 2022 ASCC Template with Fillable Forms and Attachments (Security Documentation Table, Revised Cyber Asset Designation Worksheet, FERC Physical Security Checklist Version 5a, and Security Correspondence)
- Completed example of the New ASCC letter for a licensee/exemptee with four developments and the same security contacts for all four Developments
- Completed example of the New ASCC letter for a licensee/exemptee with eight developments and different security contacts for certain Developments
- 2022 Non-Certification Template with Fillable Forms and Attachment
- Completed example of Non-Certification submittal
- The old ASCC Letter Template (please keep in mind if you use this option you must still attach the FERC Physical Security Checklist and the Cyber Asset Designation Worksheet to your submittal; see the 2 links directly below)
- FERC Physical Security Checklist Version 5
- Original Cyber Asset Designation
Guide on Best Practices for Controlling Security Sensitive Material. The guide is a starting point for information security planning and proposes a range of Security Sensitive Material protection strategies with examples of how to identify and manage sensitive information. The guide is not prescriptive and is not intended to substitute as policy or set any minimum standard for compliance.
Security Assessment Template for Group 2 Dams - A template for the Security Assessment of Group 2 dams has been prepared from a joint effort between a volunteer licensee group and FERC staff. The template consists of three parts: (1) a Microsoft Word file formatting the assessment methodology, assessment findings, recommendations and conclusions in sufficient detail to satisfy the Security Program requirements; (2) The FERC Hydro Security Inspection Form, to be filled out by the licensee (included in the MS Word base report form; and, (3) a Microsoft Excel spreadsheet used to evaluate all the security components applicable to all critical assets identified at the site. An analysis of foot, land, and water avenues of approach are included in the spreadsheet. Use of this template is not a requirement, and is provided for licensee consideration on a voluntary basis.
Sample Security Plan - A sample of a Security Plan was requested from several FERC licensees. The following (redacted) document has been created by a volunteer licensee group to fulfill that purpose. Use of this format is not a requirement, and is provided for licensee consideration on a voluntary basis only. Other Security Plan formats and content will be considered by the FERC.
Security Letters - The following letters were issued by FERC regarding security concerns at hydropower dams after September 11, 2001.
- March 31, 2016
- January 23, 2009
- January 16, 2009
- March 5, 2003
- November 18, 2002
- June 7, 2002
- November 21, 2001
Dam Assessment Matrix for Security and Vulnerability Risk (DAMSVR) - DAMSVR is a vulnerability assessment methodology for dams developed by FERC, USBR, USACE, ASDSO, and Foos Associates LLC (now Security Management Solutions).
Last updated April 26, 2021