Announcements
May 28, 2024
NATF Supply Chain Criteria and Risk Questionnaire Version 5.0 Posted for Industry Use
The 2024 annual revision process has been completed with NATF approval of the final documents on May 21, 2024. The NATF Supply Chain Security Criteria and Energy Sector Supply Chain Risk Questionnaire version 5.0 documents have been posted for industry use on the Supply Chain Industry Coordination page of the NATF public website. The “Version History” link includes all prior versions and redlines of the NATF criteria and questionnaire.
The updates were reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors and NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.
Revisions for the 2024 annual cycle include a comprehensive refresh of all framework mappings, as well as the addition of CIP-005-7 and CIP-010-4 mappings. An optional scoring mechanism was added to the NATF criteria to align with this existing feature of the questionnaire. Additionally, the questionnaire has been mapped to the same industry frameworks included in the criteria. Other changes include revised question wording for clarity, additional guidance text, and the merging of similar questions to improve efficiency.
March 21, 2024
NATF Announces the Supplier List
It can be challenging to request supply chain security information from potential suppliers and have to wait for responses! The NATF announces a new resource for locating suppliers that can provide security information upon request – the NATF Supplier List. This list also provides the contact information for each supplier and the certifications the suppliers can provide.
If you are a supplier, this is an opportunity to reach potential customers! Contact the NATF at supplychain@natf.net to be included on the list!
The NATF Supplier List can be located at Supply Chain Industry Coordination under "The Model".March 08, 2024
NATF Supply Chain Criteria and Questionnaire Revision Redlines Posted for Industry-Wide Comment through April 7
The NATF Criteria and Questionnaire Revision Team has reviewed suggested modifications to the “NATF Supply Chain Security Criteria” and the “Energy Sector Supply Chain Risk Questionnaire.” The proposed changes have been posted for industry-wide comment on the NATF Supply Chain Cyber Security Industry Coordination page. A summary of changes is available in the “Change Log” section of each document, and changes are indicated by red font.
Feedback on the proposed changes can be submitted to supplychain@natf.net through April 7.
The revision team will review comments in April and make any final determinations. The updated documents will be posted following NATF approval.October 02, 2023
NATF Supply Chain Risk Management Guidance Updated
The recently posted NATF Supply Chain Risk Management Guidance document provides a high-level overview of key supply chain risk management elements, practices, and resources that are available for entities as they consider implementing, developing, or maturing their own comprehensive supply chain risk management programs. Prominently featured are the NATF's supply chain resources, although resources from other industry participants, such as APPA and EEI, are also included and discussed.
This document revises and replaces the NATF Cyber Security Supply Chain Risk Management Guidance document, created in 2018 in response to the NERC Board of Trustees’ request that the NATF and NAGF “develop white papers to address best and leading practices in supply chain management, including procurement, specifications, vendor requirements and existing equipment management, that are shared across the membership of each Forum, and to the extent permissible under any applicable confidentiality requirements, distribute such white papers to industry.”
The revised document references updated supply chain resources created by the NATF and industry since the publication of the 2018 document, such as the Supply Chain Security Assessment Model, NATF Supply Chain Security Criteria, Energy Sector Supply Chain Risk Questionnaire, and NATF-developed implementation guidance endorsed by the ERO Enterprise. The document may be found on NATF’s public Supply Chain Cyber Security Industry Coordination site.
October 02, 2023
Annual Supply Chain Criteria and Questionnaire Revision Process Underway
The annual revision process for the NATF Supply Chain Security Criteria and the Energy Sector Supply Chain Risk Questionnaire is underway. The revision process, the criteria, and the questionnaire are posted on the NATF’s public Supply Chain Cyber Security Industry Coordination site. The process is open to industry, suppliers, regulators, and other stakeholders to provide the opportunity for input.
These tools are useful for risk management and compliance efforts. Both the criteria and the questionnaire are incorporated into the ERO Enterprise-endorsed implementation guidance documents for CIP-013 (available on the NERC website and the NATF public website):
- NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors
- NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans
These documents support using the criteria and questionnaire in a risk-based manner, where the entity determines which criteria or questions apply for a procurement.
Input on the criteria and questionnaire can be submitted to supplychain@natf.net until close of business January 26 for consideration in the 2024 review cycle.June 06, 2023
NATF Supply Chain Criteria and Risk Questionnaire Version 4.0 Posted for Industry Use
The NATF Supply Chain Security Criteria and Energy Sector Supply Chain Risk Questionnaire version 4.0 documents have been posted for industry use on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. The “Version History” link includes all prior versions and redlines of the NATF criteria and risk questionnaire.
The updates were reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: NATF CIP-013 Implementation Guidance: Independence Assessments of Vendors and NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.
Revisions for the 2023 annual cycle include a new detailed change log for the NATF criteria and risk questionnaire. In particular, the security frameworks identified in the NATF criteria were revised and one new supplier criteria was added. The questionnaire is now available in one format merging the previous unformatted, formatted, and scorable options. Other minor changes include additional notes, references, and terminology updates to provide clarity.
March 10, 2023
NATF Supply Chain Criteria and Questionnaire Revision Redlines Posted for Industry-Wide Comment through April 9
The NATF Criteria and Questionnaire Revision Team has reviewed suggested modifications to the “NATF Supply Chain Security Criteria” and the “Energy Sector Supply Chain Risk Questionnaire.” The proposed changes have been posted for industry-wide comment on the NATF Supply Chain Cyber Security Industry Coordination page. A summary of changes is available in the “Change Log” section of each document, and changes are indicated by red font.
Feedback on the proposed changes can be submitted to supplychain@natf.net through April 9.
The revision team will review comments in April and May and make any final determinations. The updated documents will be posted following NATF board approval in June.February 22, 2023
Registration Open for Upcoming NATF Supplier Sharing Calls
NATF supplier sharing calls are facilitated by suppliers and are typically held exclusively for the supplier community. The next two calls will bring suppliers together with potential customers from the NATF membership for constructive interchange. Supplier-only calls will resume in July.
The discussions will be led by representatives of the hosting suppliers: SEL, Siemens Energy, Hitachi Energy, Schneider Electric. In addition, the calls are supported by representatives from the International Society of Automation (ISA), the National Electrical Manufacturers Association (NEMA), and the US Chamber of Commerce.
Register today! All calls are from 1:00 p.m. – 2:30 p.m. eastern.
Wednesday, March 22, 2023
1:00 PM Eastern (US & Canada) | 1 hr 30 mins
Open to suppliers and NATF member companies
- Discussion on the information customers need, what constitutes “good” responses to questions, and the challenges for suppliers.
- Software bills of materials (SBOM) are becoming a hot topic in the industry. How are entities using, or would envision using, them?
Wednesday, May 24, 2023
1:00 PM Eastern (US & Canada) | 1 hr 30 minsOpen to suppliers and NATF companies
- What do regulations require of your customers? Overview of NERC CIP standards and CMMC (IEC 27001 & ISA/IEC 62443).
- How can suppliers partner with customers for efficient compliance management?
Wednesday, July 19, 2023
1:00 PM Eastern (US & Canada) | 1 hr 30 mins
This call will be exclusively for suppliers and serve as an opportunity to address areas identified on the March and May calls.
The intent of these calls is to encourage conversation among suppliers, provide a forum for suppliers to share forefront security concerns and how to address them, and discuss general security practices. These calls are applicable to suppliers of all sizes and security maturity.
January 20, 2023
NATF Supplier Sharing Call: January 25
Suppliers are invited to join the third in a series of NATF supplier sharing calls. These calls are facilitated by suppliers and are held exclusively for the supplier community.
Topics for this call:
- Being prepared for government actions
- Provenance concerns
- Supplier issues with software bills of materials (SBOMs)
Discussions will be led by representatives from the hosting suppliers (SEL, Siemens Energy, Hitachi-Power Grids, Schneider Electric). In addition, the calls are supported by representatives from the International Society of Automation (ISA), the National Electrical Manufacturers Association (NEMA), and the US Chamber of Commerce.
Wednesday, January 25, 2023
1:00 PM eastern (US & Canada) | 1 hr 30 mins
Register: https://natf.webex.com/weblink/register/rbf14c0903d4b7186ef4c72fe0c21da19
The intent of these calls is to encourage conversation among suppliers, provide a forum for suppliers to share forefront security concerns and how to address them, and discuss general security practices. The calls will be applicable to suppliers of all sizes and security maturity.
December 22, 2022
Scorable Version of NATF Supply Chain Risk Questionnaire Now Available
Based on industry feedback, the NATF has developed a scorable version of the Energy Sector Supply Chain Risk Questionnaire to provide an optional format for entities to help assess supply chain risk. This optional format provides all the same questions as the existing questionnaire but adds the ability for entities to provide their own per-question score and weight to a completed questionnaire. This flexible approach allows entities to adjust weights to reflect their unique needs or priorities while allowing for the consistent evaluation of multiple responses. No prescribed thresholds or requirements are made by the NATF, and all scores are provided by the entities themselves.
This new version is posted on the NATF’s public Supply Chain Cyber Security Industry Coordination site. Use the “Scorable Option” link to the right of Energy Sector Supply Chain Risk Questionnaire V3.0.November 02, 2022
NATF Congratulates Tony Eddleman
The NATF congratulates Tony Eddleman, director of NERC reliability compliance at Nebraska Public Power District, for receiving the 2022 E-ISAC Electricity Security Service Award in honor of Michael J. Assante. Manny Cancel, sr. vice president and CEO of the E-ISAC, presented the award to Tony during this week’s GridSecCon event. Tony’s commitment to excellence, work ethic, and tireless efforts have benefited industry and NATF progress in supply chain risk management.
November 02, 2022
Annual Supply Chain Criteria and Questionnaire Revision Process Underway
The NATF is commencing the annual revision process for the “NATF Supply Chain Security Criteria” and the “Energy Sector Supply Chain Risk Questionnaire.” The revision process, the criteria, and the questionnaire are posted on the NATF’s public Supply Chain Cyber Security Industry Coordination site. The process is open to industry, suppliers, regulators, and other stakeholders.
Input on the criteria and questionnaire can be submitted to supplychain@natf.net until close of business February 17 for consideration in the 2023 review cycle.
As the criteria and questionnaire are mechanisms to drive convergence on the information needed to conduct supplier risk assessments, it is important that the information you need to conduct risk analyses is included!
As a reminder: The criteria and questionnaire capture supplier information important to the electric sector for conducting risk assessments while keeping the amount of data received to a manageable level. The criteria are also verifiable. They are mapped to National Institute of Standards and Technology (NIST) frameworks; and while NIST does not have a third-party certification or assessment available, the criteria are also mapped to other security frameworks that are certified or assessed by a qualified third-party. Note that while there is not a single security framework that addresses all criteria, including NIST, most can be verified by obtaining a combination of certifications and/or assessments.
June 06, 2022
NATF Supply Chain Criteria and Risk Questionnaire Version 3.0 Posted for Industry Use
The “NATF Supply Chain Security Criteria” and “Energy Sector Supply Chain Risk Questionnaire” version 3.0 documents and associated revision process have been posted for industry use on the Supply Chain Cyber Security Industry Coordination page of the NATF public website. A new “Version History” link has been added, which includes all prior versions and redlines of the NATF criteria and risk questionnaire.
The updates have been reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: “NATF CIP-013 Implementation Guidance: Independence Assessments of Vendors” and “NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.” This provision has been added to the revision process so the NATF does not need to resubmit the NATF Implementation Guidance documents to the ERO Enterprise for re-endorsement after each revision cycle. Specifically, the ERO has the ability to review the proposed changes and notify the NATF if any of the proposed revisions would cause the ERO to revoke its endorsement.
In addition to the updates to the revision process, revisions for the 2022 revision cycle include three new criteria, two new questions, and the removal of four questions that were determined to be duplicative. Other minor changes include additional notes and terminology updates to provide clarity.March 14, 2022
NATF Criteria, Questionnaire, and Revision Process Revisions Posted for Industry-Wide Comment through April 13
The NATF Criteria and Questionnaire Revision Team has reviewed suggestions for modifications to the “NATF Supply Chain Security Criteria,” “Energy Sector Supply Chain Risk Questionnaire,” and associated revision process. The proposed changes have been posted for industry-wide comment through April 13 on the NATF Supply Chain Cyber Security Industry Coordination page. Input can be submitted to supplychain@natf.net.
Please review the criteria, questionnaire, and revision process for changes indicated by red text.
A summary of changes is available in the “Version History” notes section of each document. The redlines for the questionnaire are provided in the formatted version only; conforming final changes will be made to the unformatted version.
The revision team will review comments in April and May and provide a summary of its determinations. The updated documents will be posted following NATF board approval in June.
March 07, 2022
ERO Enterprise Endorses NATF Implementation Guidance for CIP-013
On February 28, the ERO Enterprise endorsed two NATF Implementation Guidance documents, further signaling the ERO Enterprise’s support of the NATF supply chain security model, criteria, and questionnaire. The endorsement provides entities confidence that using the security approach provided in the NATF model is one way to meet regulatory requirements. It is anticipated that the ERO’s endorsement will encourage further adoption of these tools, thereby supporting industry convergence.
About the Documents
"NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors”
This guidance describes one way a Responsible Entity may meet the obligations in Requirements R1 and R2 when relying upon a qualified independent assessment of suppliers' security practices. It is an update to the existing ERO-endorsed NATF CIP-013 implementation guidance to include CIP-013-2 and to incorporate the NATF supply chain security model, criteria, questionnaire, and revision process.
“NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans”
This guidance addresses how the use of the NATF supply chain security model, criteria, and questionnaire, if implemented appropriately, offers one method to meet compliance with CIP-013-1 and CIP-013-2 Requirements R1 and R2 to develop and implement supply chain cyber security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).
The documents are posted on the NATF Supply Chain Cyber Security Industry Coordination website.
About the Model
Supported by the Industry Organizations Team, the NATF model and the industry-developed complementary products (e.g., the criteria and questionnaire) provide a streamlined, effective, and efficient industry-accepted approach for entities to evaluate supply chain security practices.
The five-step model provides a solid foundation for identifying, assessing, and mitigating supply chain risks; provides for inclusion of suppliers and solution providers depending upon each entity’s needs; and provides for flexibility of each entity’s implementation. See more about the model and supporting documents on the NATF Supply Chain Cyber Security Industry Coordination website.
About ERO Endorsement
Endorsement of an example means the ERO Enterprise compliance monitoring and enforcement staff will give the method described in the example deference when conducting compliance monitoring activities. The NATF documents are posted on NERC’s “Compliance Guidance" site using the ERO’s naming convention:
- “CIP-013 Using Independent Assessments of Vendors (NATF)”
- “CIP-013 Supply Chain Risk Management Plans (NATF)”
February 03, 2022
NATF Submits CIP-013 Supply Chain Implementation Guidance to the ERO
The NATF has submitted two implementation guidance documents to NERC for ERO endorsement. These documents are focused on security approaches that, if applied appropriately, will meet compliance requirements, but do not create or impose any additional requirements on entities.
The ERO Enterprise’s endorsement of an example means the ERO Enterprise CMEP staff will give such an example deference when conducting compliance monitoring activities. For more information on ERO Implementation Guidance, see: https://www.nerc.com/pa/comp/guidance/Pages/default.aspx.
“NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors”
This guidance describes one way a Responsible Entity may meet the obligations in Requirements R1 and R2 when relying upon a qualified independent assessment of suppliers' security practices. It is an update to the existing ERO-endorsed NATF CIP-013 implementation guidance to include CIP-013-2 and to incorporate the NATF criteria, ESSCR questionnaire, and revision process.
“NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans”
This guidance addresses how the use of the NATF “Supply Chain Security Assessment Model,” the NATF criteria, and ESSCR questionnaire, if implemented appropriately, offers one method to meet compliance with CIP-013-1 and CIP-013-2 Requirements R1 and R2 to develop and implement supply chain cyber security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).
The documents will be posted on the NERC webpage while they are under consideration for endorsement and are also available on the Supply Chain Industry Coordination page of the NATF public website.
January 20, 2022
Annual Supply Chain Criteria and Questionnaire Revision Process Underway
The NATF is commencing the annual revision process for the “NATF Supply Chain Security Criteria” and the “Energy Sector Supply Chain Risk Questionnaire.” The revision process, the criteria, and the questionnaire are posted on the NATF’s public Supply Chain Cyber Security Industry Coordination site. The process is open to industry, suppliers, regulators, and other stakeholders.
Input on the criteria and questionnaire can be submitted to supplychain@natf.net until close of business February 18 for consideration in the 2022 review cycle.
As the criteria and questionnaire are mechanisms to drive convergence on the information needed to conduct supplier risk assessments and are expected to be the basis for information included in a potential central library, it is important that the information you need to conduct risk analyses is included!
As a reminder: The criteria and questionnaire capture supplier information important to the electric sector for conducting risk assessments while keeping the amount of data received to a manageable level. The criteria are also verifiable. They are mapped to the National Institute of Standards and Technology (NIST) framework; and while NIST does not have a third-party certification or assessment available, the criteria are also mapped to other security frameworks that are certified or assessed by a qualified third-party. Note that while there is not a single security framework that addresses all criteria, including NIST, most can be verified by obtaining a combination of certifications and/or assessments.
January 11, 2022
Survey for Suppliers of Products or Services for the Electric Industry
The North American Transmission Forum (NATF), working with the organizations identified below, is facilitating a survey to obtain initial input on the development of a central repository/library to support the efficient sharing of required supply-chain-related security information from companies that supply products or services for the electric system and energy sector.
The primary objective is to reduce supply chain risks; a repository could serve to significantly reduce the level of effort to achieve this objective—for both companies required to ensure adequate vendor security and for vendors supporting this sector by limiting the number of times they have to provide the same security information.
This survey provides you an opportunity to include your ideas and input in the development of this central library.
The survey can be accessed HERE and will be open through January 24. A pdf version of the survey is available for your convenience.
Background
Supply chain breaches continue to be a risk to operational reliability and national security. Entities looking to implement supply chain risk management—as well as government, insurers, and other interested parties—have begun requiring the submission of basic security and hygiene data to better assess risks across third-party vendors. The development of a central repository, or library, of this commonly and repeatedly requested data is an opportunity for the electric industry to forward the implementation of a vendor assessment solution mitigating supply chain risks rather than having a solution imposed upon the industry through an executive order, regulation, or other method.
A viable central library that can provide information to help all participants identify and mitigate supply-chain risks will significantly reduce the level of effort associated with these evolving requirements. However, developing and establishing this library in a manner that meets your needs and security objectives relies on your support/participation and the support/participation from industry companies. The first step is to obtain good input and feedback. Your responses to this supplier-side survey will be used to ensure the development of a central library will best support these efforts across all stakeholders. A parallel effort is also underway to obtain input from industry companies. Collectively, these will be used to build a leading practice library to enhance our ability to more efficiently conduct supplier risk assessments and supplement our approach to mitigating supplier risk.
The survey consists of 26 questions, with a free-form write-in option at the end of the survey for you to provide additional input. Please provide responses to as many of the questions as you can. Your feedback is important to guide the appropriate development of a central library.
If you have any difficulty in accessing the survey or questions, please contact Valerie Agnew at vagnew@natf.net.
We appreciate you taking the time to complete the survey!
Supporting Organizations
CNK Solutions
Exelon
Hitachi Power Grids
Hubbell
International Society of Automation (ISA)
Schneider Electric
Schweitzer Engineering Labs (SEL)
Siemens
US Chamber of Commerce