Updates
October 07, 2024
The annual revision process for the NATF Supply Chain Security Criteria and the Energy Sector Supply Chain Risk Questionnaire is underway. The revision process, the criteria, and the questionnaire are posted on the NATF’s public Supply Chain Industry Coordination website. The process is open to industry, suppliers, regulators, and other stakeholders to provide the opportunity for input.
Input on the criteria and questionnaire can be submitted to supplychain@natf.net until close of business January 31, 2025, for consideration in the 2025 review cycle.
These tools are useful for risk management and compliance efforts. Both the criteria and the questionnaire are incorporated into the ERO Enterprise-endorsed implementation guidance documents for CIP-013 (available on the NERC website and the NATF public website):
- NATF CIP-013 Implementation Guidance: Using Independent Assessments of Vendors
- NATF CIP-013 Implementation Guidance: Supply Chain Risk Management Plans
These documents support using the criteria and questionnaire in a risk-based manner, where the entity determines which criteria or questions apply for a procurement.
As the criteria and questionnaire are mechanisms to drive convergence on the information needed to conduct supplier risk assessments, it is important that the information you need to conduct risk analyses is included!
As a reminder: The criteria and questionnaire capture supplier information important to the energy sector for conducting risk assessments while keeping the amount of data received to a manageable level. The criteria are also verifiable. They are mapped to National Institute of Standards and Technology (NIST) frameworks, and while NIST does not have a third-party certification or assessment available, the criteria are also mapped to other security frameworks that are certified or assessed by a qualified third party. Note that while no single security framework, NIST included, addresses all criteria, most criteria can be verified by obtaining a combination of certifications and/or assessments.