Supply Chain Industry Coordination

Supply Chain Cyber Security Industry Coordination

The Industry Organizations Collaboration Effort

The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security, and assisting registered entities with compliance to regulatory requirements.

Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures but staying cohesive will be key to maintaining streamlined effective and efficient cyber security.

This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, and projects/activities in progress, upcoming presentations, links and contact information, and recent news.

The Model

NATF Supplier Cyber Security Assessment Model Overview

Supplier Cyber Security Assessment Model

NATF Cyber Security Criteria for Suppliers

Cyber Security Criteria for Suppliers – V2.0 DRAFT Revisions Redline

Energy Sector Supply Chain Risk Questionnaire (Unformatted, Formatted)

ESSCR Questionnaire – V2.0 DRAFT Revision Redline (Formatted)

Revision Process for the Energy Sector Supply Chain Risk Questionnaire and NATF Cyber Security Criteria for Suppliers

Resources (View All)

Contributing Organizations

NERC Supply Chain Working Group (SCWG) Security Guidelines

NERC Supply Chain Risk Mitigation Program Initiatives Webpage

EEI Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk V2

Understanding Third-Party Assessments

Projects

Projects/Activities (in Progress or Upcoming)

Upcoming Meetings and Activities

Expand all

Announcements (View All)

March 05, 2021

NATF Questionnaire and Criteria Revisions Posted for Industry-Wide Comment through April 2

The NATF Questionnaire and Criteria revision team has reviewed suggestions for modifications to the Questionnaire and Criteria, and adopted changes have been posted for industry-wide comments through April 2. Please submit your comments to supplychain@natf.net. The redlined spreadsheets are located here:

Please review the Questionnaire and Criteria for:

changes in the Questionnaire (formatted version) and Criteria
the questions and criteria in general for alignment to the information you collect from suppliers
the mapping to the security frameworks

Changes are indicated by red text and a summary of changes is available on the “Confidentiality” tab of each document. The redlines for the Questionnaire are provided in the formatted version only. Conforming final changes will be made to the unformatted version.

A webinar will be provided on March 19 from 11:30 am - 12:30 pm eastern. This webinar is open to industry. Register here.

The review team will review comments in April and will provide a summary for their determinations. The final changes will be provided to the NATF board for approval in May, and upon approval the revised Questionnaire and Criteria will be posted.

Main points to note:

The Questionnaire and Criteria have been reviewed by the E-ISAC and NERC for sufficiency in regards to the Solar Winds hack, and it was determined that no additional changes were needed.
The Questionnaire and Criteria were both reviewed to determine if they would obtain sufficient information regarding countries of origin.
- In the Questionnaire, mapping was added to the new supplier criteria
- In the Criteria, three questions from the “Organizational Information” section were moved into the “Supplier Criteria” tab
The changes to the Questionnaire are denoted in the formatted version for comments; final changes will be included in the unformatted after approval.

NATF is hosting an Industry Organizations webinar for suppliers!

This webinar will be provided twice, on December 1 and January 12, to help suppliers understand the requests they are receiving from entities and how they can be prepared to provide entities will responses. The webinar will cover the NATF Criteria and Questionnaire, as well as how suppliers can work directly with entities and with solution providers. Just as the IO Team is working to converge industry on what information is necessary to obtain from suppliers, the Team is also working with suppliers so they will have the information you need readily available. The invitation to attend this webinar is provided on the Industry Organizations webpage. Click HERE for the Supplier Communication Webinar Invitation.

Many entities and solution providers involved in the Industry Organizations collaboration effort have agreed to distribute the letter invitation to their suppliers. We are also asking that you, as you are able, distribute the letter invitation to your organization’s suppliers.

You are also welcome to attend these webinars. Registration is required to join this event. If you plan to attend and have not registered, please do so now.

Click HERE to register for the December 1, 2020 webinar
Click HERE to register for the January 12, 2021 webinar