The Industry Organizations Collaboration Effort
The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security and assisting registered entities with compliance with regulatory requirements.
Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures, but staying cohesive will be key to maintaining streamlined, effective, and efficient cyber security.
This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, projects/activities in progress, upcoming presentations, links and contact information, and recent news.
The Model (Version History)
NATF Supply Chain Security Assessment Model
NATF Supply Chain Criteria and Questionnaire Quickstart Guide
NATF Supply Chain Security Criteria (v7.0)
Energy Sector Supply Chain Risk Questionnaire (v7.0)
NATF Criteria and Questionnaire Revision Process
Resources (View All)
NATF CIP-013 Implementation Guidance-Independent Assessments of Vendors (ERO Endorsed)
NATF CIP-013 Implementation Guidance-Supply Chain Risk Management Plans (ERO Endorsed)
NATF Industry Collaboration: Using Solution Providers for Third-Party Risk Management
Click "View All" above to access additional documents, presentations, supply-chain sites, and support products and services.
Supplier Sharing Calls
The intention of the Supplier Sharing Calls is to encourage conversation between suppliers and with the end-users of their products and services, provide a forum to share forefront security concerns and how to address them, and to discuss general security practices. These calls will be applicable to suppliers of all sizes and security maturity.
Upcoming Meetings and Activities
Announcements (View All)
May 26, 2026
NATF Supply Chain Security Criteria and Questionnaire version 7.0 posted for industry use
The annual Criteria and Questionnaire revision process has been recently completed with NATF approval of the final documents on May 19, 2026. The NATF Supply Chain Security Criteria and Energy Sector Supply Chain Risk Questionnaire version 7.0 documents have been posted for industry use on the Supply Chain Industry Coordination page of the NATF public website. The Version History link on that site also includes prior versions and redlines.
Revisions to the NATF Criteria and Questionnaire include edits for clarity, completeness, and to update framework mappings for NIST SP 800-171r3 and NIST SP 800-53r5.2.0. A supplier response column has been added to the Criteria, and multiple edits have been made to the guidance text in the Questionnaire to improve coverage.
February 05, 2026
NATF Supply Chain Risk Controls and Monitoring Guidance Released
Continuing NATF’s efforts to promote leading supply chain risk management practices, the NATF has recently released the Supply Chain Risk Controls and Monitoring document for industry use. This document provides guidance on how entities can implement effective risk controls on their suppliers and highlights superior practices for monitoring changes to their suppliers’ risk posture.
Additional discussion is provided on supplier risk tiering, residual risk concepts, and areas of documentation that entities should consider developing to ensure their supply chain risk management efforts are properly recognized by key stakeholders. This guidance corresponds to Step 5: Implement controls and monitor risks of the previously published NATF Supply Chain Security Assessment Model and follows the release of the NATF Supply Chain Risk Assessment Guidance last year.
This guidance, along with other supply chain resources, may be found on NATF’s Supply Chain Industry Coordination website.