Announcements
October 10, 2025
The annual revision process for the NATF Supply Chain Security Criteria (Criteria) and the Energy Sector Supply Chain Risk Questionnaire (Questionnaire) is now underway. As a reminder, the Criteria and Questionnaire are simple tools that entities can use when performing risk assessments on suppliers, and are intended to reduce the need for multiple, bespoke questionnaires or other data collection tools. The revision process, Criteria, and Questionnaire are posted on the NATF’s public Supply Chain Industry Coordination website. The process is open to industry, suppliers, regulators, and other stakeholders to provide the opportunity for input.
Input on the Criteria and Questionnaire can be submitted to supplychain@natf.net until close of business January 30, 2026, for consideration in the 2025 review cycle.
Both the Criteria and the Questionnaire are incorporated into the ERO Enterprise-endorsed implementation guidance documents for CIP-013 (available on the NERC website and the NATF public website):
- NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors
- NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans
These documents support using the Criteria and Questionnaire in a risk-based manner, where the entity determines which criteria or questions apply for procurement. The Criteria and Questionnaire are useful for supply chain risk management and for ensuring that potential threat vectors are identified via these industry-developed and adopted tools.
As the Criteria and Questionnaire are mechanisms to drive convergence on the information needed to conduct supplier risk assessments, it is important that the information you need to conduct risk analyses is included.
As a reminder: The Criteria and Questionnaire capture supplier information important to the energy sector for conducting risk assessments while keeping the amount of data received to a manageable level. The Criteria and Questionnaire are also verifiable via mappings to several industry frameworks. Note that while there is not a single security framework that addresses all criteria or questions, most can be verified by obtaining a combination of certifications and/or assessments.