March 07, 2022

On February 28, the ERO Enterprise endorsed two NATF Implementation Guidance documents, further signaling the ERO Enterprise’s support of the NATF supply chain security model, criteria, and questionnaire. The endorsement provides entities confidence that using the security approach provided in the NATF model is one way to meet regulatory requirements. It is anticipated that the ERO’s endorsement will encourage further adoption of these tools, thereby supporting industry convergence.

About the Documents

"NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors”
This guidance describes one way a Responsible Entity may meet the obligations in Requirements R1 and R2 when relying upon a qualified independent assessment of suppliers' security practices. It is an update to the existing ERO-endorsed NATF CIP-013 implementation guidance to include CIP-013-2 and to incorporate the NATF supply chain security model, criteria, questionnaire, and revision process.

“NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans”
This guidance addresses how the use of the NATF supply chain security model, criteria, and questionnaire, if implemented appropriately, offers one method to meet compliance with CIP-013-1 and CIP-013-2 Requirements R1 and R2 to develop and implement supply chain cyber security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).

The documents are posted on the NATF Supply Chain Cyber Security Industry Coordination website.

About the Model

Supported by the Industry Organizations Team, the NATF model and the industry-developed complementary products (e.g., the criteria and questionnaire) provide a streamlined, effective, and efficient industry-accepted approach for entities to evaluate supply chain security practices.

The five-step model provides a solid foundation for identifying, assessing, and mitigating supply chain risks; provides for inclusion of suppliers and solution providers depending upon each entity’s needs; and provides for flexibility of each entity’s implementation. See more about the model and supporting documents on the NATF Supply Chain Cyber Security Industry Coordination website.

About ERO Endorsement

Endorsement of an example means the ERO Enterprise compliance monitoring and enforcement staff will give the method described in the  example deference when conducting compliance monitoring activities. The NATF documents are posted on NERC’s “Compliance Guidance" site using the ERO’s naming convention:

• “CIP-013 Using Independent Assessments of Vendors (NATF)”

• “CIP-013 Supply Chain Risk Management Plans (NATF)”