Supply Chain Cyber Security Industry Coordination
The Industry Organizations Collaboration Effort
The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security and assisting registered entities with compliance with regulatory requirements.
Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures, but staying cohesive will be key to maintaining streamlined, effective, and efficient cyber security.
This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, projects/activities in progress, upcoming presentations, links and contact information, and recent news.
The Model (Version History)
Supply Chain Security Assessment Model
NATF Supply Chain Security Criteria (V4.0)
- Proposed Changes to Criteria (Redline)
Energy Sector Supply Chain Risk Questionnaire (V4.0)
- Proposed Changes to Questionnaire (Redline)
Supplier List - Suppliers with NATF Criteria and Questionnaire Responses Available
Resources (View All)
NATF CIP-013 Implementation Guidance-Independent Assessments of Vendors (ERO Endorsed)
NATF CIP-013 Implementation Guidance-Supply Chain Risk Management Plans (ERO Endorsed)
NATF Industry Collaboration: Using Solution Providers for Third-Party Risk Management
NATF Supply Chain Risk Management Guidance
Click "View All" above to access additional documents, presentations, supply-chain sites, and support products and services.
Supplier Sharing Calls
The intention of the Supplier Sharing Calls is to encourage conversation between suppliers and with the end-users of their products and services, provide a forum to share forefront security concerns and how to address them, and discuss general security practices. These calls will be applicable to suppliers of all sizes and security maturity.
Announcements (View All)
May 18, 2020
The Energy Sector Supply Chain Risk Questionnaire has been completed! We now have a complementary tool for the NATF Criteria to obtain information from suppliers - one that should help drive convergence in the industry regarding the information needed from suppliers.
This new open-source questionnaire to support supply chain cyber security risk assessments, developed by a group of more than 20 U.S. energy companies, is now available for your consideration and potential use. This questionnaire, called the Energy Sector Supply Chain Risk Questionnaire (“ESSCRQ” or “Questionnaire”), was developed to provide utilities with a set of supplier- and equipment-focused questions to obtain better information on a supplier’s security posture. The Questionnaire works in conjunction with the NATF Criteria, and together these complementary tools can help our industry drive convergence on information that is needed from suppliers.
The questions in the ESSCRQ will help you obtain information regarding a supplier’s adherence to the NATF Criteria plus additional valuable information. The ESSCRQ denotes where questions directly align or will provide key supporting information regarding a supplier’s adherence to each of the NATF Criteria, and the information obtained through other questions will provide additional insight. Further, in light of the May 1 Executive Order, both the Questionnaire and the NATF Criteria gather information regarding a supplier’s sourcing, activities and staffing in other countries.
This information will enable you to evaluate a supplier’s cyber security practices and identify potential risks to be mitigated, which will ultimately provide data to consider in your company’s supply chain risk assessments.
Two versions of the Questionnaire are available on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. The first includes a series of macros to provide a self-contained tool that can be used by utilities and suppliers. The second version provides a text-only version for easy incorporation into various toolsets or existing company spreadsheets.