Supply Chain Cyber Security Industry Coordination
The Industry Organizations Collaboration Effort
The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security and assisting registered entities in complying with regulatory requirements.
Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures, but staying cohesive will be key to maintaining streamlined, effective, and efficient cyber security.
This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, projects/activities in progress, upcoming presentations, links and contact information, and recent news.
The Model (Version History)
Supply Chain Security Assessment Model
NATF Supply Chain Security Criteria V3.0
- Proposed Changes to Criteria (Redline)
Energy Sector Supply Chain Risk Questionnaire V3.0 (Unformatted, Formatted, Scorable Option)
- Proposed Changes to Questionnaire (Redline)
Resources (View All)
NATF CIP-013 Implementation Guidance-Independent Assessments of Vendors (ERO Endorsed)
NATF CIP-013 Implementation Guidance-Supply Chain Risk Management Plans (ERO Endorsed)
NATF Industry Collaboration: Using Solution Providers for Third-Party Risk Management
Click "View All" above to access additional documents, presentations, supply-chain sites, and support products and services.
Upcoming Meetings and Activities
Announcements (View All)
March 10, 2023
NATF Supply Chain Criteria and Questionnaire Revision Redlines Posted for Industry-Wide Comment through April 9
The NATF Criteria and Questionnaire Revision Team has reviewed suggested modifications to the “NATF Supply Chain Security Criteria” and the “Energy Sector Supply Chain Risk Questionnaire.” The proposed changes have been posted for industry-wide comment on the NATF Supply Chain Cyber Security Industry Coordination page. A summary of changes is available in the “Change Log” section of each document, and changes are indicated by red font.
Feedback on the proposed changes can be submitted to firstname.lastname@example.org through April 9. The revision team will review comments in April and May and make any final determinations. The updated documents will be posted following NATF board approval in June.
February 22, 2023
Registration Open for Upcoming NATF Supplier Sharing Calls
NATF supplier sharing calls are facilitated by suppliers and are typically held exclusively for the supplier community. The next two calls will bring suppliers together with potential customers from the NATF membership for constructive interchange. Supplier-only calls will resume in July.
The discussions will be led by representatives of the hosting suppliers: SEL, Siemens Energy, Hitachi Energy, and Schneider Electric. In addition, the calls are supported by representatives from the International Society of Automation (ISA), the National Electrical Manufacturers Association (NEMA), and the US Chamber of Commerce.
Register today! All calls are from 1:00 p.m. – 2:30 p.m. eastern.
Wednesday, March 22, 2023
1:00 PM Eastern (US & Canada) | 1 hr 30 mins
Open to suppliers and NATF member companies
- Discussion on the information customers need, what constitutes “good” responses to questions, and the challenges for suppliers.
- Software bills of materials (SBOM) are becoming a hot topic in the industry. How are entities using, or would envision using, them?
Wednesday, May 24, 2023
1:00 PM Eastern (US & Canada) | 1 hr 30 mins
Open to suppliers and NATF companies
- What do regulations require of your customers? Overview of NERC CIP standards and CMMC (IEC 27001 & ISA/IEC 62443).
- How can suppliers partner with customers for efficient compliance management?
Wednesday, July 19, 2023
1:00 PM Eastern (US & Canada) | 1 hr 30 mins
This call will be exclusively for suppliers and serve as an opportunity to address areas identified on the March and May calls.
The intent of these calls is to encourage conversation among suppliers, provide a forum for suppliers to share forefront security concerns and how to address them, and discuss general security practices. These calls are applicable to suppliers of all sizes and security maturity.