November 08, 2017

Federal Energy Regulatory Commission (FERC) Order 829 directed the North American Electric Reliability Corporation (NERC) to develop “a forward-looking, objective-based Critical Infrastructure Protection (CIP) Reliability Standard that requires each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”  FERC noted the standard should address software integrity and authenticity, vendor remote access, information system planning, and vendor risk management and procurement controls.

Subsequently, the NERC board asked the North American Transmission Forum (NATF) and North American Generator Forum to “develop white papers to address best and leading practices in supply chain management, including procurement, specifications, vendor requirements and existing equipment management, that are shared across the membership of each Forum, and to the extent permissible under any applicable confidentiality requirements, distribute such white papers to industry.”

The NATF developed the following two documents to support the NERC request and to serve as guidance for NATF members and the industry.

• NATF Guidance for CIP-005-6 Vendor Remote Access
• NATF Guidance for CIP-010-3 Software Integrity

The files are posted on the documents page of the NATF public website and have been submitted to NERC for consideration as “Implementation Guidance.”