June 06, 2022
NATF Supply Chain Criteria and Risk Questionnaire Version 3.0 Posted for Industry Use
The “NATF Supply Chain Security Criteria” and “Energy Sector Supply Chain Risk Questionnaire” version 3.0 documents and associated revision process have been posted for industry use on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. A new “Version History” link has been added, which includes all prior versions and redlines of the NATF criteria and risk questionnaire.
The updates have been reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: “NATF CIP-013 Implementation Guidance: Independence Assessments of Vendors” and “NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.” This provision has been added to the revision process so the NATF does not need to resubmit the NATF Implementation Guidance documents to the ERO Enterprise for re-endorsement after each revision cycle. Specifically, the ERO has the ability to review the proposed changes and notify the NATF if any of the proposed revisions would cause the ERO to revoke its endorsement.In addition to the updates to the revision process, revisions for the 2022 revision cycle include three new criteria, two new questions, and the removal of four questions that were determined to be duplicative. Other minor changes include additional notes and terminology updates to provide clarity.
March 14, 2022
NATF Criteria, Questionnaire, and Revision Process Revisions Posted for Industry-Wide Comment through April 13
The NATF Criteria and Questionnaire Revision Team has reviewed suggestions for modifications to the “NATF Supply Chain Security Criteria,” “Energy Sector Supply Chain Risk Questionnaire,” and associated revision process. The proposed changes have been posted for industry-wide comment through April 13 on the NATF Supply Chain Cyber Security Industry Coordination page. Input can be submitted to email@example.com.
Please review the criteria, questionnaire, and revision process for changes indicated by red text.
A summary of changes is available in the “Version History” notes section of each document. The redlines for the questionnaire are provided in the formatted version only; conforming final changes will be made to the unformatted version.
The revision team will review comments in April and May and provide a summary of its determinations. The updated documents will be posted following NATF board approval in June.
March 07, 2022
ERO Enterprise Endorses NATF Implementation Guidance for CIP-013
On February 28, the ERO Enterprise endorsed two NATF Implementation Guidance documents, further signaling the ERO Enterprise’s support of the NATF supply chain security model, criteria, and questionnaire. The endorsement provides entities confidence that using the security approach provided in the NATF model is one way to meet regulatory requirements. It is anticipated that the ERO’s endorsement will encourage further adoption of these tools, thereby supporting industry convergence.
About the Documents
"NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors”
This guidance describes one way a Responsible Entity may meet the obligations in Requirements R1 and R2 when relying upon a qualified independent assessment of suppliers' security practices. It is an update to the existing ERO-endorsed NATF CIP-013 implementation guidance to include CIP-013-2 and to incorporate the NATF supply chain security model, criteria, questionnaire, and revision process.
“NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans”
This guidance addresses how the use of the NATF supply chain security model, criteria, and questionnaire, if implemented appropriately, offers one method to meet compliance with CIP-013-1 and CIP-013-2 Requirements R1 and R2 to develop and implement supply chain cyber security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).
The documents are posted on the NATF Supply Chain Cyber Security Industry Coordination website.
About the Model
Supported by the Industry Organizations Team, the NATF model and the industry-developed complementary products (e.g., the criteria and questionnaire) provide a streamlined, effective, and efficient industry-accepted approach for entities to evaluate supply chain security practices.
The five-step model provides a solid foundation for identifying, assessing, and mitigating supply chain risks; provides for inclusion of suppliers and solution providers depending upon each entity’s needs; and provides for flexibility of each entity’s implementation. See more about the model and supporting documents on the NATF Supply Chain Cyber Security Industry Coordination website.
About ERO Endorsement
Endorsement of an example means the ERO Enterprise compliance monitoring and enforcement staff will give the method described in the example deference when conducting compliance monitoring activities. The NATF documents are posted on NERC’s “Compliance Guidance" site using the ERO’s naming convention:
- “CIP-013 Using Independent Assessments of Vendors (NATF)”
- “CIP-013 Supply Chain Risk Management Plans (NATF)”
February 03, 2022
NATF Submits CIP-013 Supply Chain Implementation Guidance to the ERO
The NATF has submitted two implementation guidance documents to NERC for ERO endorsement. These documents are focused on security approaches that, if applied appropriately, will meet compliance requirements, but do not create or impose any additional requirements on entities.
The ERO Enterprise’s endorsement of an example means the ERO Enterprise CMEP staff will give such an example deference when conducting compliance monitoring activities. For more information on ERO Implementation Guidance, see: https://www.nerc.com/pa/comp/guidance/Pages/default.aspx.
“NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors”
This guidance describes one way a Responsible Entity may meet the obligations in Requirements R1 and R2 when relying upon a qualified independent assessment of suppliers' security practices. It is an update to the existing ERO-endorsed NATF CIP-013 implementation guidance to include CIP-013-2 and to incorporate the NATF criteria, ESSCR questionnaire, and revision process.
“NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans”
This guidance addresses how the use of the NATF “Supply Chain Security Assessment Model,” the NATF criteria, and ESSCR questionnaire, if implemented appropriately, offers one method to meet compliance with CIP-013-1 and CIP-013-2 Requirements R1 and R2 to develop and implement supply chain cyber security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).
The documents will be posted on the NERC webpage while they are under consideration for endorsement and are also available on the Supply Chain Industry Coordination page of the NATF public website.
January 20, 2022
Annual Supply Chain Criteria and Questionnaire Revision Process Underway
The NATF is commencing the annual revision process for the “NATF Supply Chain Security Criteria” and the “Energy Sector Supply Chain Risk Questionnaire.” The revision process, the criteria, and the questionnaire are posted on the NATF’s public Supply Chain Cyber Security Industry Coordination site. The process is open to industry, suppliers, regulators, and other stakeholders.
Input on the criteria and questionnaire can be submitted to firstname.lastname@example.org until close of business February 18 for consideration in the 2022 review cycle.
As the criteria and questionnaire are mechanisms to drive convergence on the information needed to conduct supplier risk assessments and are expected to be the basis for information included in a potential central library, it is important that the information you need to conduct risk analyses is included!
As a reminder: The criteria and questionnaire capture supplier information important to the electric sector for conducting risk assessments while keeping the amount of data received to a manageable level. The criteria are also verifiable. They are mapped to the National Institute of Standards and Technology (NIST) framework; and while NIST does not have a third-party certification or assessment available, the criteria are also mapped to other security frameworks that are certified or assessed by a qualified third-party. Note that while there is not a single security framework that addresses all criteria, including NIST, most can be verified by obtaining a combination of certifications and/or assessments.
January 11, 2022
Survey for Suppliers of Products or Services for the Electric Industry
The North American Transmission Forum (NATF), working with the organizations identified below, is facilitating a survey to obtain initial input on the development of a central repository/library to support the efficient sharing of required supply-chain-related security information from companies that supply products or services for the electric system and energy sector.
The primary objective is to reduce supply chain risks; a repository could serve to significantly reduce the level of effort to achieve this objective—for both companies required to ensure adequate vendor security and for vendors supporting this sector by limiting the number of times they have to provide the same security information.
This survey provides you an opportunity to include your ideas and input in the development of this central library.
The survey can be accessed HERE and will be open through January 24. A pdf version of the survey is available for your convenience.
Supply chain breaches continue to be a risk to operational reliability and national security. Entities looking to implement supply chain risk management—as well as government, insurers, and other interested parties—have begun requiring the submission of basic security and hygiene data to better assess risks across third-party vendors. The development of a central repository, or library, of this commonly and repeatedly requested data is an opportunity for the electric industry to forward the implementation of a vendor assessment solution mitigating supply chain risks rather than having a solution imposed upon the industry through an executive order, regulation, or other method.
A viable central library that can provide information to help all participants identify and mitigate supply-chain risks will significantly reduce the level of effort associated with these evolving requirements. However, developing and establishing this library in a manner that meets your needs and security objectives relies on your support/participation and the support/participation from industry companies. The first step is to obtain good input and feedback. Your responses to this supplier-side survey will be used to ensure the development of a central library will best support these efforts across all stakeholders. A parallel effort is also underway to obtain input from industry companies. Collectively, these will be used to build a leading practice library to enhance our ability to more efficiently conduct supplier risk assessments and supplement our approach to mitigating supplier risk.
The survey consists of 26 questions, with a free-form write-in option at the end of the survey for you to provide additional input. Please provide responses to as many of the questions as you can. Your feedback is important to guide the appropriate development of a central library.
If you have any difficulty in accessing the survey or questions, please contact Valerie Agnew at email@example.com.
We appreciate you taking the time to complete the survey!
Hitachi Power Grids
International Society of Automation (ISA)
Schweitzer Engineering Labs (SEL)
US Chamber of Commerce
October 01, 2021
NATF Posts Guidance for Entities Working with Solution Providers
The NATF has posted the “NATF Industry Collaboration: Using Solution Providers for Third-Party Risk Management” guide for industry use. The document clarifies the role of a solution provider and provides guidance for entities that are considering a solution provider’s services to assist with evaluations of suppliers’ cyber security practices. These services, such as gathering supplier information and providing analysis, can provide significant support for an entity’s ongoing supply cyber security risk management.The Industry Organization Team suppliers and solution providers jointly developed the document. They have provided entities with items to consider based on insights from both perspectives and, through the development of this document, strengthened the relationships between the two industries.
October 01, 2021
Additional Supply Chain Resources Available!
Links to the following document and presentations have been posted to the Resources page.
Advancing Supply Chain Security in Oil and Gas (World Economic Forum)
The Industry Organizations Team (IO Team) is excited to share the World Economic Forum’s latest publication to which we contributed: “Advancing Supply Chain Security in Oil and Gas: An Industry Analysis.” It includes actionable guidance, methodologies, and examples to improve the oversight of third-party risks and improve cyber resilience across the oil and gas business environment. The World Economic Forum convened over 40 senior executives to help define a practical guide for cybersecurity leaders managing third-party cyber risks within oil and gas supply chains. IO Team companies Schneider Electric and PwC were actively involved in the development of this document, and the IO Team was directly involved through participation from Tony Eddleman and NATF staff. The IO Team was proud to be a part of this unique multi-stakeholder community that is shaping the future of cyber resilience across the oil and gas industry.
Supply Chain Compliance Joint ERO and CCC Webinar
APPA Cyber Supply Chain Risk Management Webinar hosted by MRO Webinar Recording
The Midwest Reliability Organization's (MRO) Security Advisory Council is pleased to announce it hosted a webinar on “Strategies for Securing Your Supply Chain.” Supply chain compromises have made headlines and pose a risk to your organization. Do you know how to secure your supply chain? Are you looking for ideas for enhancing your approach to supply chain security? This presentation provided insights and an overview of the "Cyber Supply Chain Risk Management Practical Guide," which was produced as a collaboration among the American Public Power Association, the Large Public Power Council, and the Transmission Access Policy Study Group. Whether you are just getting started or are looking to identify areas for potential improvement, the manual should provide useful insights and program support for utilities. Learn about this useful manual and how it can improve security within your supply chain.
July 20, 2021
Supply Chain Security Assessment Model Adoption Survey Results Posted
The results of the Industry Organizations Metric Team’s survey to determine adoption of the model, criteria, and questionnaire have been posted to the supply chain industry coordination resources page under the "Resources/Documents" headings.
The posting consists of a spreadsheet containing responses and a PDF containing charts and graphs of the responses. The response was lower than anticipated; however, the respondents provided thoughtful comments that will help guide future activities to help align industry on what information is needed from suppliers to conduct a supply chain risk assessment.
June 09, 2021
NATF Supply Chain Model, Criteria, and Risk Questionnaire Version 2.0 Posted for Industry Use
The “Supply Chain Security Assessment Model,” “NATF Supply Chain Security Criteria,” and “Energy Sector Supply Chain Risk Questionnaire” version 2.0 documents have been posted for industry use on the Supply Chain Cyber Security Industry Coordination page of the NATF public website.
Supported by the Industry Organizations Team, the model and complementary products provide a streamlined, effective, and efficient industry-accepted approach for entities to evaluate supplier supply chain security practices.
The five-step model provides a solid foundation for identifying, assessing, and mitigating supply chain risks; provides for inclusion of suppliers and solution providers depending upon each entity’s needs; and provides for flexibility of each entity’s implementation.
The criteria includes mapping to existing security frameworks and is categorized into two areas: (1) supplier’s organizational information and (2) supplier’s level of adherence to supply chain security practices.A formatted and unformatted version of the questionnaire is provided. The formatted version includes guidance based upon answers to a series of “qualifier” questions that identifies optional questions for utilities to consider in a risk assessment. The unformatted version is text-only for easy incorporation into various toolsets or existing company spreadsheets.
March 05, 2021
NATF Questionnaire and Criteria Revisions Posted for Industry-Wide Comment through April 2
The NATF Questionnaire and Criteria revision team has reviewed suggestions for modifications to the Questionnaire and Criteria, and adopted changes have been posted for industry-wide comments through April 2.
Please review the Questionnaire and Criteria for:
- changes in the Questionnaire (formatted version) and Criteria
- the questions and criteria in general for alignment to the information you collect from suppliers
- the mapping to the security frameworks
Changes are indicated by red text and a summary of changes is available on the “Confidentiality” tab of each document. The redlines for the Questionnaire are provided in the formatted version only. Conforming final changes will be made to the unformatted version.
A webinar will be provided on March 19 from 11:30 am - 12:30 pm eastern. This webinar is open to industry. Register here.
The review team will review comments in April and will provide a summary for their determinations. The final changes will be provided to the NATF board for approval in May, and upon approval the revised Questionnaire and Criteria will be posted.
Main points to note:
- The Questionnaire and Criteria have been reviewed by the E-ISAC and NERC for sufficiency in regards to the Solar Winds hack, and it was determined that no additional changes were needed.
- The Questionnaire and Criteria were both reviewed to determine if they would obtain sufficient information regarding countries of origin.
- In the Questionnaire, mapping was added to the new supplier criteria
- In the Criteria, three questions from the “Organizational Information” section were moved into the “Supplier Criteria” tab
- The changes to the Questionnaire are denoted in the formatted version for comments; final changes will be included in the unformatted after approval.
October 30, 2020
NATF is hosting an Industry Organizations webinar for suppliers!
This webinar will be provided twice, on December 1 and January 12, to help suppliers understand the requests they are receiving from entities and how they can be prepared to provide entities will responses. The webinar will cover the NATF Criteria and Questionnaire, as well as how suppliers can work directly with entities and with solution providers. Just as the IO Team is working to converge industry on what information is necessary to obtain from suppliers, the Team is also working with suppliers so they will have the information you need readily available. The invitation to attend this webinar is provided on the Industry Organizations webpage. Click HERE for the Supplier Communication Webinar Invitation.
Many entities and solution providers involved in the Industry Organizations collaboration effort have agreed to distribute the letter invitation to their suppliers. We are also asking that you, as you are able, distribute the letter invitation to your organization’s suppliers.
You are also welcome to attend these webinars. Registration is required to join this event. If you plan to attend and have not registered, please do so now.
Click HERE to register for the December 1, 2020 webinar
Click HERE to register for the January 12, 2021 webinar
September 23, 2020
NATF Posts Revision Process for Supply Chain Criteria and Questionnaire
The NATF has posted the "Revision Process for the Energy Sector Supply Chain Risk Questionnaire and NATF Cyber Security Criteria for Suppliers" for industry use.
The purpose of this process is to facilitate periodic reviews and modifications of the NATF “Energy Sector Supply Chain Risk Questionnaire” (Questionnaire) and the “NATF Cyber Security Criteria for Suppliers” (Criteria), which were developed for industry-wide use to drive consistency of information obtained from suppliers of bulk power system hardware, software, and services.
Consistent with the NATF’s open, collaborative, and consensus-based approach, modifications via this process will be made with consideration of input from across industry and will include adding, deleting, or modifying individual questions in the Questionnaire or individual criterion in the Criteria as well as adding, deleting, or modifying mappings to security frameworks (e.g., SOC2, ISO27001, etc.).
The process is available on the NATF Supply Chain Cyber Security Industry Coordination page.
May 18, 2020
NATF Posts Energy Sector Supply Chain Risk Questionnaire
The Energy Sector Supply Chain Risk Questionnaire has been completed! We now have a complementary tool for the NATF Criteria to obtain information from suppliers - one that should help drive convergence in the industry regarding the information needed from suppliers.
This new open-source questionnaire to support supply chain cyber security risk assessments, developed by a group of more than 20 U.S. energy companies, is now available for your consideration and potential use. This questionnaire, called the Energy Sector Supply Chain Risk Questionnaire (“ESSCRQ” or “Questionnaire”), was developed to provide utilities with a set of supplier- and equipment-focused questions to obtain better information on a supplier’s security posture. The Questionnaire works in conjunction with the NATF Criteria, and together these complementary tools can help our industry drive convergence on information that is needed from suppliers.
The questions in the ESSCRQ will help you obtain information regarding a supplier’s adherence to the NATF Criteria plus additional valuable information. The ESSCRQ denotes where questions directly align or will provide key supporting information regarding a supplier’s adherence to each of the NATF Criteria, and the information obtained through other questions will provide additional insight. Further, in light of the May 1 Executive Order, both the Questionnaire and the NATF Criteria gather information regarding a supplier’s sourcing, activities and staffing in other countries.
This information will enable you to evaluate a supplier’s cyber security practices and identify potential risks to be mitigated, which will ultimately provide data to consider in your company’s supply chain risk assessments.
Two versions of the Questionnaire are available on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. The first includes a series of macros to provide a self-contained tool that can be used by utilities and suppliers. The second version provides a text-only version for easy incorporation into various toolsets or existing company spreadsheets.
February 03, 2020
NATF Launches Industry Coordination Webpage
Today, the NATF launched the “Supply Chain Cyber Security Industry Coordination” web page under a new “Industry Initiatives” section of the site. The supply chain cyber security industry coordination page provides information on the collaborative work conducted by NATF subject-matter experts, industry organizations (including trade and forums), key suppliers, and third-party assessors on this important topic.