Supply Chain Cyber Security Industry Coordination
The Industry Organizations Collaboration Effort
The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security, and assisting registered entities with compliance to regulatory requirements.
Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures but staying cohesive will be key to maintaining streamlined effective and efficient cyber security.
This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, and projects/activities in progress, upcoming presentations, links and contact information, and recent news.
The Model (Version History)
Supply Chain Security Assessment Model
NATF Supply Chain Security Criteria V3.0
Energy Sector Supply Chain Risk Questionnaire V3.0 (Unformatted, Formatted)
Revision Process for the Energy Sector Supply Chain Risk Questionnaire and NATF Supply Chain Security CriteriaResources (View All)
NATF CIP-013 Implementation Guidance-Independent Assessments of Vendors (ERO Endorsed)
NATF CIP-013 Implementation Guidance-Supply Chain Risk Management Plans (ERO Endorsed)
NATF Industry Collaboration: Using Solution Providers for Third-Party Risk Management
Click "View All" above to access additional documents, presentations, supply-chain sites, and support products and services.
Upcoming Meetings and Activities
Expand all
Announcements (View All)
June 06, 2022
NATF Supply Chain Criteria and Risk Questionnaire Version 3.0 Posted for Industry Use
The “NATF Supply Chain Security Criteria” and “Energy Sector Supply Chain Risk Questionnaire” version 3.0 documents and associated revision process have been posted for industry use on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. A new “Version History” link has been added, which includes all prior versions and redlines of the NATF criteria and risk questionnaire.
The updates have been reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: “NATF CIP-013 Implementation Guidance: Independence Assessments of Vendors” and “NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.” This provision has been added to the revision process so the NATF does not need to resubmit the NATF Implementation Guidance documents to the ERO Enterprise for re-endorsement after each revision cycle. Specifically, the ERO has the ability to review the proposed changes and notify the NATF if any of the proposed revisions would cause the ERO to revoke its endorsement.
In addition to the updates to the revision process, revisions for the 2022 revision cycle include three new criteria, two new questions, and the removal of four questions that were determined to be duplicative. Other minor changes include additional notes and terminology updates to provide clarity.March 14, 2022
NATF Criteria, Questionnaire, and Revision Process Revisions Posted for Industry-Wide Comment through April 13
The NATF Criteria and Questionnaire Revision Team has reviewed suggestions for modifications to the “NATF Supply Chain Security Criteria,” “Energy Sector Supply Chain Risk Questionnaire,” and associated revision process. The proposed changes have been posted for industry-wide comment through April 13 on the NATF Supply Chain Cyber Security Industry Coordination page. Input can be submitted to supplychain@natf.net.
Please review the criteria, questionnaire, and revision process for changes indicated by red text.
A summary of changes is available in the “Version History” notes section of each document. The redlines for the questionnaire are provided in the formatted version only; conforming final changes will be made to the unformatted version.
The revision team will review comments in April and May and provide a summary of its determinations. The updated documents will be posted following NATF board approval in June.