The Industry Organizations Collaboration Effort
The NATF and other industry organizations are working together to provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices. The model, if applied widely, will reduce the burden on suppliers so their efforts with purchasers can be prioritized and entities can be provided with more information effectively and efficiently. The industry organizations collaboration effort is focused on improving cyber security, and assisting registered entities with compliance to regulatory requirements.
Each of the industry organizations and many individual entities are working on solutions for various stages of the supply chain cyber security risk assessment lifecycle. These solutions are brought together in this effort to provide a cohesive approach. This approach may change over time as it matures but staying cohesive will be key to maintaining streamlined effective and efficient cyber security.
This website provides information on the approach (also referred to as the “model”), projects/activities that have been accomplished, and projects/activities in progress, upcoming presentations, links and contact information, and recent news.
Resources (View All)
NATF CIP-013 Implementation Guidance-Independent Assessments of Vendors (ERO Endorsed)
NATF CIP-013 Implementation Guidance-Supply Chain Risk Management Plans (ERO Endorsed)
NATF Industry Collaboration: Using Solution Providers for Third-Party Risk Management
Click "View All" above to access additional documents, presentations, supply-chain sites, and support products and services.
Supplier Sharing Calls
The intention of the Supplier Sharing Calls calls is to encourage conversation between suppliers and with the end-users of their products and services, provide a forum to share forefront security concerns and how to address them, and to discuss general security practices. These calls will be applicable to suppliers of all sizes and security maturity.
Upcoming Meetings and Activities
Expand all
Announcements (View All)
May 30, 2025
NATF Criteria and Questionnaire version 6.0 and updated Revision Process posted for industry use
The 2025 annual revision process has been completed with NATF approval of the final documents on May 20, 2025. The NATF Supply Chain Security Criteria and Energy Sector Supply Chain Risk Questionnaire version 6.0 documents have been posted for industry use on the Supply Chain Industry Coordination page of the NATF public website. The Version History link on that site includes prior versions and redlines. In addition, the NATF Criteria and Questionnaire Revision Process (formerly known as the Revision Process for the Energy Sector Supply Chain Risk Questionnaire and NATF Supply Chain Security Criteria) has also been updated.
Revisions to the NATF Criteria and Questionnaire include updated mappings for NIST’s Cybersecurity Framework (CSF) 2.0, the addition of Artificial Intelligence to several items, and wording edits for enhanced clarity. The layout has been slightly updated to facilitate navigation and readability, with a new “Area of Focus” drop-down box added to the Questionnaire to conserve space and improve specificity when using the optional scoring feature. Updates to the Revision Process include the removal of an unused committee, clarifying participation requirements for revision team members, and dropping an unneeded consulting step before publication.
These updates were reviewed and accepted by the ERO Enterprise to ensure its continued endorsement of the two NATF CIP-013 Implementation Guidance documents: NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors and NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans.
March 18, 2025
NATF Supply Chain Risk Assessment Guidance is Published
Given the dynamic supplier landscape, how can entities ensure they are performing effective and consistent risk assessments of potential - and current - suppliers? Additionally, how can entities ensure the results of those assessments are properly documented and maintained? These are the core questions that the newly-published NATF Supply Chain Risk Assessment Guidance is designed to address.
Expanding on "Step 3: Conduct Risk Assessment" of the NATF Supply Chain Risk Assessment Model, this guidance provides various methodologies for performing supplier risk assessments, along with a discussion on the relative advantages and disadvantages of each. Various documentation techniques are also discussed along with suggested risk dispositions and definitions, along with a brief review on how supplier risk assessments fit into a larger Supply Chain Risk Management (SCRM) program.
This guidance, along with many other Supply Chain resources, may be found on NATF’s Supply Chain Industry Coordination website.