Schedule 1 — Alert Criteria
File within 1 Hour
If any box 1-9 on the right is checked, this form must be filed within 1 hour of the incident; check Emergency Alert (for the Alert Status) on Line A below.
File within 6 Hours
If any box 10-13 on the right is checked AND none of the boxes 1-9 are checked, this form must be filed within 6 hours of the incident; check Normal Report (for the Alert Status) on Line A below.
ATTEMPTED CYBER COMPROMISE
File within 1-Day
If box 14 on the right is checked AND none of the boxes 1-13 are checked, this form must be filed by the end of the next calendar day after the determination of the attempted cyber compromise; check Attempted Cyber Compromise (for the Alert Status) on Line A below.
File within 1 Business Day
If any box 15-26 on the right is checked AND none of the boxes 1-14 are checked, this form must be filed by the later of 24 hours after the recognition of the incident OR by the end of the next business day. Note: 4:00pm local time will be considered the end of the business day. Check System Report (for the Alert Status) on Line A below.
At least one criteria must be checked!
If significant changes have occurred after filing the initial report, re-file the form with the changes and check Update (for the Alert Status) on Line A below.
The form must be re-filed within 72 hours of the incident with the latest information and Final (Alert Status) checked on Line A below, unless updated.
A. Alert Status
B. FOIA Exemption(s)
Information on Lines C and D of Schedule 1 will not be disclosed to the public to the extent that it satisfies the criteria for exemption under the Freedom of Information Act (FOIA), e.g., exemptions for confidential commercial information and trade secrets, certain information that could endanger the physical safety of an individual, or information designated as Critical Electric Infrastructure Information.
If box 2, 3, 11, or 14 above is checked, identify (by checking all that apply) whether Line C and D combined with box 2, 3, 11, or 14 contains:
C. Organization Name
D. Address of Principal Business Office
E. Geographic Area(s) Affected(County, State)
H. Did the incident/disturbance originate in your system/area? (check one)
I. Estimate of Amount of Demand Involved (Peak Megawatts)
J. Estimate of Number of Customers Affected
K. Cause. Check if known or suspected
At least one Cause must be checked!
L. Impact. Check all that apply
At least one Impact must be checked!
M. Action Taken. Check all that apply
At least one Action Taken must be checked!
Schedule 2 — Narrative Description
Information on Schedule 2 will not be disclosed to the public to the extent that it satisfies the criteria for exemption under the Freedom of Information Act (FOIA), e.g., exemptions for confidential commercial information and trade secrets, certain information that could endanger the physical safety of an individual, or information designated as Critical Electric Infrastructure Information.
N. FOIA Excemption(s)
Identify (by checking all that apply) whether Schedule 2 – Narrative Description contains:
Name of Official that should be contacted for follow-up or any additional information
*You can only change the official contact in My Account
Provide a description of the incident and actions taken to resolve it. Include as appropriate, the cause of the incident/disturbance, change in frequency, mitigation actions taken, equipment damaged, critical infrastructures interrupted, effects on other systems, and preliminary results from any investigations. Be sure to identify: the estimate restoration date, the name of any lost high voltage substations or switchyards, whether there was any electrical system separation (and if there were, what the islanding boundaries were), and the name of the generators and voltage lines that were lost (shown by capacity type and voltage size grouping).
Cyber Attributes: For cyber events, including attempted cyber compromises, provide the following attributes (at a minimum): (1) the functional impact, (2) the attack vector used, and (3) the level of intrusion that was achieved or attempted.
If necessary, copy and attach additional sheets. Equivalent documents, containing this information can be supplied to meet the requirement; this includes the NERC EOP-004 Disturbance Report. Along with the filing of Schedule 2, a final (updated) Schedule 1 needs to be filed. Check the Final box on line 1 for Alert Status on Schedule 1 and submit this and the completed Schedule 2 no later than 72 hours after detection that a criterion was met.
T. Narrative (2500 characters limit)
U. Estimated Restoration Date for all Affected Customers Who Can Receive Power
V. Name of Assets Impacted (1000 characters limit)
Additional Form Recipients
Notify NERC, E-ISAC, or CIOCC
Select the appropriate box(es) if you approve of all of the information provided on this form being submitted to the North America Electric Reliability Corporation (NERC), the Electricity Information Sharing and Analysis Center (E-ISAC), or DHS CISA Central or their successor(s).
NERC is an entity that is certified by the Federal Energy Regulatory Commission to establish and enforce reliability standards for the bulk power system but that is not part of the Federal Government. The information submitted to NERC, E-ISAC, or CISA Central can be submitted to help fulfill the respondent’s requirements under NERC’s reliability standards.
If approval is given to alert NERC, E-ISAC, or DHS CISA Central, then this form will be emailed to systemawareness@nerc.net, operations@eisac.com and/or central.cyber@cisa.dhs.gov when it is submitted to DOE. DOE is not responsible for ensuring the receipt of these emails by NERC, E-ISAC, or CISA Central.
Trusted Entities
Select any additional recipients from the trusted entities below who should receive a PDF copy of the submission by email.
Review
Criteria for Filing
Emergency Alert
Normal Report
C. Address of Principal Business Office
D. Geographic Area(s) Affected
E. Date/Time Incident Began
F. Date/Time Incident Ended
G. Did the incident/disturbance originate in your system/area?
H. Estimate of Amount of Demand Involved
I. Estimate of Number of Customers Affected
10. Type of Emergency. Check all that apply
J. Cause. Check if known or suspected
11. Cause of Incident. Check if known or suspected
M. Name of Official that should be contacted for follow-up or any additional information
O. Estimated Restoration Date for all Affected Customers Who Can Receive Power
P. Name of Assets Impacted
21. Identify Name of Loss High Voltage Substation(s) and/or Switchyards
22. Identify Electrical System Separation; Islanding Boundaries