Supply Chain Cyber Security Industry Coordination


The Industry Organizations Collaboration Effort

The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security, and assisting registered entities with compliance to regulatory requirements.

Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures but staying cohesive will be key to maintaining streamlined effective and efficient cyber security.

This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, and projects/activities in progress, upcoming presentations, links and contact information, and recent news. 

Upcoming Meetings and Activities

MRO SAC Webinar on the Supply Chain Effectiveness Survey Results (April 12)
  • April 12, 2022│10:00 a.m. to 11:30 a.m. Central
  • Registration is required; to register for this event, please click here.
  • Additional information below


Event Announcement

MRO SAC to Host Upcoming Webinar

Supply Chain Effectiveness Survey Results

April 12, 2022│10:00 a.m. to 11:30 a.m. Central

Event Details

MRO’s Security Advisory Council (SAC) is pleased to announce it is hosting a webinar on Supply Chain Effectiveness Survey Results. The NERC Supply Chain Working Group (SCWG) surveyed industry in 2021 on the effectiveness of the Supply Chain Risk Management requirements. Industry responded well to the survey and provided good feedback and comments. The SCWG reviewed the results of the survey and developed key take-aways and conclusions. The results of the survey will be discussed during this Webinar.


  • Jason Nations, Director of Enterprise Security, Oklahoma Gas and Electric Corp., MRO SAC Member
  • Tony Eddleman, Director of NERC Reliability Compliance, Nebraska Public Power District, MRO SAC Member


To register for this event, please click here. Registration closes on April 12, 2022.WebEx information will be provided to registrants upon approval.

For questions on this event please contact

Expand all

Collapse all

Announcements (View All)

March 14, 2022

NATF Criteria, Questionnaire, and Revision Process Revisions Posted for Industry-Wide Comment through April 13

The NATF Criteria and Questionnaire Revision Team has reviewed suggestions for modifications to the “NATF Supply Chain Security Criteria,” “Energy Sector Supply Chain Risk Questionnaire,” and associated revision process. The proposed changes have been posted for industry-wide comment through April 13 on the NATF Supply Chain Cyber Security Industry Coordination page. Input can be submitted to

Please review the criteria, questionnaire, and revision process for changes indicated by red text.

A summary of changes is available in the “Version History” notes section of each document. The redlines for the questionnaire are provided in the formatted version only; conforming final changes will be made to the unformatted version.

The revision team will review comments in April and May and provide a summary of its determinations. The updated documents will be posted following NATF board approval in June.

Read More

March 07, 2022

ERO Enterprise Endorses NATF Implementation Guidance for CIP-013

On February 28, the ERO Enterprise endorsed two NATF Implementation Guidance documents, further signaling the ERO Enterprise’s support of the NATF supply chain security model, criteria, and questionnaire. The endorsement provides entities confidence that using the security approach provided in the NATF model is one way to meet regulatory requirements. It is anticipated that the ERO’s endorsement will encourage further adoption of these tools, thereby supporting industry convergence.

About the Documents

"NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors”
This guidance describes one way a Responsible Entity may meet the obligations in Requirements R1 and R2 when relying upon a qualified independent assessment of suppliers' security practices. It is an update to the existing ERO-endorsed NATF CIP-013 implementation guidance to include CIP-013-2 and to incorporate the NATF supply chain security model, criteria, questionnaire, and revision process.

“NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans”
This guidance addresses how the use of the NATF supply chain security model, criteria, and questionnaire, if implemented appropriately, offers one method to meet compliance with CIP-013-1 and CIP-013-2 Requirements R1 and R2 to develop and implement supply chain cyber security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).

The documents are posted on the NATF Supply Chain Cyber Security Industry Coordination website.

About the Model

Supported by the Industry Organizations Team, the NATF model and the industry-developed complementary products (e.g., the criteria and questionnaire) provide a streamlined, effective, and efficient industry-accepted approach for entities to evaluate supply chain security practices.

The five-step model provides a solid foundation for identifying, assessing, and mitigating supply chain risks; provides for inclusion of suppliers and solution providers depending upon each entity’s needs; and provides for flexibility of each entity’s implementation. See more about the model and supporting documents on the NATF Supply Chain Cyber Security Industry Coordination website.

About ERO Endorsement

Endorsement of an example means the ERO Enterprise compliance monitoring and enforcement staff will give the method described in the  example deference when conducting compliance monitoring activities. The NATF documents are posted on NERC’s “Compliance Guidance" site using the ERO’s naming convention:

  • “CIP-013 Using Independent Assessments of Vendors (NATF)”
  • “CIP-013 Supply Chain Risk Management Plans (NATF)”

Read More