Supply Chain Cyber Security Industry Coordination


The Industry Organizations Collaboration Effort

The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security, and assisting registered entities with compliance to regulatory requirements.

Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures but staying cohesive will be key to maintaining streamlined effective and efficient cyber security.

This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, and projects/activities in progress, upcoming presentations, links and contact information, and recent news. 

Upcoming Meetings and Activities

Expand all

Collapse all

Announcements (View All)

June 09, 2021

NATF Supply Chain Model, Criteria, and Risk Questionnaire Version 2.0 Posted for Industry Use

The “Supply Chain Security Model,” “NATF Supply Chain Security Criteria,” and “Energy Sector Supply Chain Risk Questionnaire” version 2.0 documents have been posted for industry use on the Supply Chain Cyber Security Industry Coordination page of the NATF public website.

Supported by the Industry Organizations Team, the model and complementary products provide a streamlined, effective, and efficient industry-accepted approach for entities to evaluate supplier supply chain security practices.

The five-step model provides a solid foundation for identifying, assessing, and mitigating supply chain risks; provides for inclusion of suppliers and solution providers depending upon each entity’s needs; and provides for flexibility of each entity’s implementation.

The criteria includes mapping to existing security frameworks and is categorized into two areas: (1) supplier’s organizational information and (2) supplier’s level of adherence to supply chain security practices.

A formatted and unformatted version of the questionnaire is provided. The formatted version includes guidance based upon answers to a series of “qualifier” questions that identifies optional questions for utilities to consider in a risk assessment. The unformatted version is text-only for easy incorporation into various toolsets or existing company spreadsheets.

Read More

March 05, 2021

NATF Questionnaire and Criteria Revisions Posted for Industry-Wide Comment through April 2

The NATF Questionnaire and Criteria revision team has reviewed suggestions for modifications to the Questionnaire and Criteria, and adopted changes have been posted for industry-wide comments through April 2. Please submit your comments to The redlined spreadsheets are located here:

Please review the Questionnaire and Criteria for: 

  • changes in the Questionnaire (formatted version) and Criteria
  • the questions and criteria in general for alignment to the information you collect from suppliers
  • the mapping to the security frameworks

Changes are indicated by red text and a summary of changes is available on the “Confidentiality” tab of each document. The redlines for the Questionnaire are provided in the formatted version only. Conforming final changes will be made to the unformatted version.

A webinar will be provided on March 19 from 11:30 am - 12:30 pm eastern. This webinar is open to industry. Register here.

The review team will review comments in April and will provide a summary for their determinations. The final changes will be provided to the NATF board for approval in May, and upon approval the revised Questionnaire and Criteria will be posted.

Main points to note:

  • The Questionnaire and Criteria have been reviewed by the E-ISAC and NERC for sufficiency in regards to the Solar Winds hack, and it was determined that no additional changes were needed.
  • The Questionnaire and Criteria were both reviewed to determine if they would obtain sufficient information regarding countries of origin. 
    • In the Questionnaire, mapping was added to the new supplier criteria
    • In the Criteria, three questions from the “Organizational Information” section were moved into the “Supplier Criteria” tab
  • The changes to the Questionnaire are denoted in the formatted version for comments; final changes will be included in the unformatted after approval.

Read More