Supply Chain Cyber Security Industry Coordination
The Industry Organizations Collaboration Effort
The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security and assisting registered entities with compliance with regulatory requirements.
Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures, but staying cohesive will be key to maintaining streamlined, effective, and efficient cyber security.
This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, projects/activities in progress, upcoming presentations, links and contact information, and recent news.
Announcements
October 02, 2023
Annual Supply Chain Criteria and Questionnaire Revision Process Underway
The annual revision process for the NATF Supply Chain Security Criteria and the Energy Sector Supply Chain Risk Questionnaire is underway. The revision process, the criteria, and the questionnaire are posted on the NATF’s public Supply Chain Cyber Security Industry Coordination site. The process is open to industry, suppliers, regulators, and other stakeholders to provide the opportunity for input.
These tools are useful for risk management and compliance efforts. Both the criteria and the questionnaire are incorporated into the ERO Enterprise-endorsed implementation guidance documents for CIP-013 (available on the NERC website and the NATF public website):
- NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors
- NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans
These documents support using the criteria and questionnaire in a risk-based manner, where the entity determines which criteria or questions apply for a procurement.
Input on the criteria and questionnaire can be submitted to email@example.com until close of business January 26 for consideration in the 2024 review cycle.
October 02, 2023
NATF Supply Chain Risk Management Guidance Updated
The recently posted NATF Supply Chain Risk Management Guidance document provides a high-level overview of key supply chain risk management elements, practices, and resources that are available for entities as they consider implementing, developing, or maturing their own comprehensive supply chain risk management programs. Prominently featured are the NATF's supply chain resources, although resources from other industry participants, such as APPA and EEI, are also included and discussed.
This document revises and replaces the NATF Cyber Security Supply Chain Risk Management Guidance document, created in 2018 in response to the NERC Board of Trustees’ request that the NATF and NAGF “develop white papers to address best and leading practices in supply chain management, including procurement, specifications, vendor requirements and existing equipment management, that are shared across the membership of each Forum, and to the extent permissible under any applicable confidentiality requirements, distribute such white papers to industry.”
The revised document references updated supply chain resources created by the NATF and industry since the publication of the 2018 document, such as the Supply Chain Security Assessment Model, NATF Supply Chain Security Criteria, Energy Sector Supply Chain Risk Questionnaire, and NATF-developed implementation guidance endorsed by the ERO Enterprise. The document may be found on NATF’s public Supply Chain Cyber Security Industry Coordination site.