May 18, 2020
The Energy Sector Supply Chain Risk Questionnaire has been completed! We now have a complementary tool for the NATF Criteria to obtain information from suppliers - one that should help drive convergence in the industry regarding the information needed from suppliers.
This new open-source questionnaire to support supply chain cyber security risk assessments, developed by a group of more than 20 U.S. energy companies, is now available for your consideration and potential use. This questionnaire, called the Energy Sector Supply Chain Risk Questionnaire (“ESSCRQ” or “Questionnaire”), was developed to provide utilities with a set of supplier- and equipment-focused questions to obtain better information on a supplier’s security posture. The Questionnaire works in conjunction with the NATF Criteria, and together these complementary tools can help our industry drive convergence on information that is needed from suppliers.
The questions in the ESSCRQ will help you obtain information regarding a supplier’s adherence to the NATF Criteria plus additional valuable information. The ESSCRQ denotes where questions directly align or will provide key supporting information regarding a supplier’s adherence to each of the NATF Criteria, and the information obtained through other questions will provide additional insight. Further, in light of the May 1 Executive Order, both the Questionnaire and the NATF Criteria gather information regarding a supplier’s sourcing, activities and staffing in other countries.
This information will enable you to evaluate a supplier’s cyber security practices and identify potential risks to be mitigated, which will ultimately provide data to consider in your company’s supply chain risk assessments.
Two versions of the Questionnaire are available on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. The first includes a series of macros to provide a self-contained tool that can be used by utilities and suppliers. The second version provides a text-only version for easy incorporation into various toolsets or existing company spreadsheets.