June 06, 2022

The “NATF Supply Chain Security Criteria” and “Energy Sector Supply Chain Risk Questionnaire” version 3.0 documents and associated revision process have been posted for industry use on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. A new “Version History” link has been added, which includes all prior versions and redlines of the NATF criteria and risk questionnaire.

The updates have been reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: “NATF CIP-013 Implementation Guidance: Independence Assessments of Vendors” and “NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.” This provision has been added to the revision process so the NATF does not need to resubmit the NATF Implementation Guidance documents to the ERO Enterprise for re-endorsement after each revision cycle. Specifically, the ERO has the ability to review the proposed changes and notify the NATF if any of the proposed revisions would cause the ERO to revoke its endorsement. 

In addition to the updates to the revision process, revisions for the 2022 revision cycle include three new criteria, two new questions, and the removal of four questions that were determined to be duplicative. Other minor changes include additional notes and terminology updates to provide clarity.