October 30, 2020
NATF is hosting an Industry Organizations webinar for suppliers!
This webinar will be provided twice, on December 1 and January 12, to help suppliers understand the requests they are receiving from entities and how they can be prepared to provide entities will responses. The webinar will cover the NATF Criteria and Questionnaire, as well as how suppliers can work directly with entities and with solution providers. Just as the IO Team is working to converge industry on what information is necessary to obtain from suppliers, the Team is also working with suppliers so they will have the information you need readily available. The invitation to attend this webinar is provided on the Industry Organizations webpage. Click HERE for the Supplier Communication Webinar Invitation.
Many entities and solution providers involved in the Industry Organizations collaboration effort have agreed to distribute the letter invitation to their suppliers. We are also asking that you, as you are able, distribute the letter invitation to your organization’s suppliers.
You are also welcome to attend these webinars. Registration is required to join this event. If you plan to attend and have not registered, please do so now.
Click HERE to register for the December 1, 2020 webinar
Click HERE to register for the January 12, 2021 webinar
September 23, 2020
NATF Posts Revision Process for Supply Chain Criteria and Questionnaire
The NATF has posted the "Revision Process for the Energy Sector Supply Chain Risk Questionnaire and NATF Cyber Security Criteria for Suppliers" for industry use.
The purpose of this process is to facilitate periodic reviews and modifications of the NATF “Energy Sector Supply Chain Risk Questionnaire” (Questionnaire) and the “NATF Cyber Security Criteria for Suppliers” (Criteria), which were developed for industry-wide use to drive consistency of information obtained from suppliers of bulk power system hardware, software, and services.
Consistent with the NATF’s open, collaborative, and consensus-based approach, modifications via this process will be made with consideration of input from across industry and will include adding, deleting, or modifying individual questions in the Questionnaire or individual criterion in the Criteria as well as adding, deleting, or modifying mappings to security frameworks (e.g., SOC2, ISO27001, etc.).
The process is available on the NATF Supply Chain Cyber Security Industry Coordination page.
May 18, 2020
NATF Posts Energy Sector Supply Chain Risk Questionnaire
The Energy Sector Supply Chain Risk Questionnaire has been completed! We now have a complementary tool for the NATF Criteria to obtain information from suppliers - one that should help drive convergence in the industry regarding the information needed from suppliers.
This new open-source questionnaire to support supply chain cyber security risk assessments, developed by a group of more than 20 U.S. energy companies, is now available for your consideration and potential use. This questionnaire, called the Energy Sector Supply Chain Risk Questionnaire (“ESSCRQ” or “Questionnaire”), was developed to provide utilities with a set of supplier- and equipment-focused questions to obtain better information on a supplier’s security posture. The Questionnaire works in conjunction with the NATF Criteria, and together these complementary tools can help our industry drive convergence on information that is needed from suppliers.
The questions in the ESSCRQ will help you obtain information regarding a supplier’s adherence to the NATF Criteria plus additional valuable information. The ESSCRQ denotes where questions directly align or will provide key supporting information regarding a supplier’s adherence to each of the NATF Criteria, and the information obtained through other questions will provide additional insight. Further, in light of the May 1 Executive Order, both the Questionnaire and the NATF Criteria gather information regarding a supplier’s sourcing, activities and staffing in other countries.
This information will enable you to evaluate a supplier’s cyber security practices and identify potential risks to be mitigated, which will ultimately provide data to consider in your company’s supply chain risk assessments.
Two versions of the Questionnaire are available on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. The first includes a series of macros to provide a self-contained tool that can be used by utilities and suppliers. The second version provides a text-only version for easy incorporation into various toolsets or existing company spreadsheets.
February 03, 2020
NATF Launches Industry Coordination Webpage
Today, the NATF launched the “Supply Chain Cyber Security Industry Coordination” web page under a new “Industry Initiatives” section of the site. The supply chain cyber security industry coordination page provides information on the collaborative work conducted by NATF subject-matter experts, industry organizations (including trade and forums), key suppliers, and third-party assessors on this important topic.