The Industry Organizations Collaboration Effort
The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security, and assisting registered entities with compliance to regulatory requirements.
Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures but staying cohesive will be key to maintaining streamlined effective and efficient cyber security.
This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, and projects/activities in progress, upcoming presentations, links and contact information, and recent news.
Resources (View All)
NATF CIP-013 Implementation Guidance-Independent Assessments of Vendors (ERO Endorsed)
NATF CIP-013 Implementation Guidance-Supply Chain Risk Management Plans (ERO Endorsed)
NATF Industry Collaboration: Using Solution Providers for Third-Party Risk Management
NATF Supply Chain Risk Management Guidance
Click "View All" above to access additional documents, presentations, supply-chain sites, and support products and services.
Supplier Sharing Calls
The intention of the Supplier Sharing Calls calls is to encourage conversation between suppliers and with the end-users of their products and services, provide a forum to share forefront security concerns and how to address them, and to discuss general security practices. These calls will be applicable to suppliers of all sizes and security maturity.
Upcoming Meetings and Activities
Expand all
Announcements (View All)
October 07, 2024
Annual Supply Chain Criteria and Questionnaire Revision Process Underway
The annual revision process for the NATF Supply Chain Security Criteria and the Energy Sector Supply Chain Risk Questionnaire is underway. The revision process, the criteria, and the questionnaire are posted on the NATF’s public Supply Chain Industry Coordination website. The process is open to industry, suppliers, regulators, and other stakeholders to provide the opportunity for input.
Input on the criteria and questionnaire can be submitted to supplychain@natf.net until close of business January 31, 2025, for consideration in the 2025 review cycle.
These tools are useful for risk management and compliance efforts. Both the criteria and the questionnaire are incorporated into the ERO Enterprise-endorsed implementation guidance documents for CIP-013 (available on the NERC website and the NATF public website):
- NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors
- NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans
These documents support using the criteria and questionnaire in a risk-based manner, where the entity determines which criteria or questions apply for a procurement.
As the criteria and questionnaire are mechanisms to drive convergence on the information needed to conduct supplier risk assessments, it is important that the information you need to conduct risk analyses is included!
As a reminder: The criteria and questionnaire capture supplier information important to the energy sector for conducting risk assessments while keeping the amount of data received to a manageable level. The criteria are also verifiable. They are mapped to National Institute of Standards and Technology (NIST) frameworks; and while NIST does not have a third-party certification or assessment available, the criteria are also mapped to other security frameworks that are certified or assessed by a qualified third-party. Note that while there is not a single security framework that addresses all criteria, including NIST, most can be verified by obtaining a combination of certifications and/or assessments.
May 28, 2024
NATF Supply Chain Criteria and Risk Questionnaire Version 5.0 Posted for Industry Use
The 2024 annual revision process has been completed with NATF approval of the final documents on May 21, 2024. The NATF Supply Chain Security Criteria and Energy Sector Supply Chain Risk Questionnaire version 5.0 documents have been posted for industry use on the Supply Chain Industry Coordination page of the NATF public website. The “Version History” link includes all prior versions and redlines of the NATF criteria and questionnaire.
The updates were reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors and NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.
Revisions for the 2024 annual cycle include a comprehensive refresh of all framework mappings, as well as the addition of CIP-005-7 and CIP-010-4 mappings. An optional scoring mechanism was added to the NATF criteria to align with this existing feature of the questionnaire. Additionally, the questionnaire has been mapped to the same industry frameworks included in the criteria. Other changes include revised question wording for clarity, additional guidance text, and the merging of similar questions to improve efficiency.