February 03, 2022

The NATF has submitted two implementation guidance documents to NERC for ERO endorsement. These documents are focused on security approaches that, if applied appropriately, will meet compliance requirements, but do not create or impose any additional requirements on entities.

The ERO Enterprise’s endorsement of an example means the ERO Enterprise CMEP staff will give such an example deference when conducting compliance monitoring activities. For more information on ERO Implementation Guidance, see: https://www.nerc.com/pa/comp/guidance/Pages/default.aspx.

“NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors”
This guidance describes one way a Responsible Entity may meet the obligations in Requirements R1 and R2 when relying upon a qualified independent assessment of suppliers' security practices. It is an update to the existing ERO-endorsed NATF CIP-013 implementation guidance to include CIP-013-2 and to incorporate the NATF criteria, ESSCR questionnaire, and revision process.

“NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans”
This guidance addresses how the use of the NATF “Supply Chain Security Assessment Model,” the NATF criteria, and ESSCR questionnaire, if implemented appropriately, offers one method to meet compliance with CIP-013-1 and CIP-013-2 Requirements R1 and R2 to develop and implement supply chain cyber security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).

The documents will be posted on the NERC webpage while they are under consideration for endorsement and are also available on the Supply Chain Industry Coordination page of the NATF public website.