Supply Chain Risk Mitigation Program

On August 10, 2017, the NERC Board of Trustees (Board) adopted proposed Reliability Standards CIP-005-6, CIP-010-3, and CIP-013-1 (Supply Chain Standards), addressing cyber security supply chain risk management issues, and approved the associated implementation plans. NERC has initiated a collaborative program with industry, trade organizations, and key stakeholders to manage the effective mitigation of supply chain risks.  

In adopting the Supply Chain Standards, the Board concurrently adopted additional resolutions related to their implementation and evaluation. The resolutions outlined six actions, developed by NERC management and stakeholders, to assist in the implementation and evaluation of the Supply Chain Standards and other activities to address potential supply chain risks for assets not currently subject to the Supply Chain Standards. Those resolutions, in summary form, include the following actions:

Action 1: Support Effective and Efficient Implementation

NERC to commence preparations for implementation of the Supply Chain Standards using methods similar to those used for the CIP V5 transition, and to report regularly to the Board on those activities.

Action 2: Cyber Security Supply Chain Risk Study

Study the nature and complexity of cyber security supply chain risks, including risks associated with low impact assets not currently subject to the Supply Chain Standards, and develop recommendations for follow-up actions that will best address any issues identified.

Action 3: Communicate Supply Chain Risks to Industry

Communicate supply chain risk developments and risks to industry and in connection with the Cyber Security Supply Chain Risk Study.

Action 4: Forum White Papers

The Board requests the North American Transmission Forum and the North American Generation Forum to develop white papers to address best and leading practices in supply chain management, as described in the resolution.

Action 5: Association White Papers

The Board requests the National Rural Electric Cooperative Association and the American Public Power Association to develop white papers to address best and leading practices in supply chain management, as described in the resolution, focusing on smaller entities that are not members of the Forums, for the membership of the Associations.

Action 6: Evaluate Effectiveness

Collaborating with NERC technical committees and other experts, develop a plan to evaluate the effectiveness of the Supply Chain Standards, as described in the resolution, and report to the Board as appropriate.

This site is dedicated to consolidating and sharing Supply Chain-related documents and deliverables for industry stakeholders. If you have any questions, please contact Howard Gugel.

 

Key Resources

Background Documents

CIP-013-1, Supply Chain Risk Management, effective in U.S. July 1, 2020

Supply Chain Risk Management Standard Development

Executive Order 13873 - Securing the Information and Communications Technology and Services Supply Chain, May 2019 (U.S. Government)

Supply Chain Risk Assessment: Final Report, July 2018 (EPRI)

Supply Chain Risk Assessment: Final Report, redline to Board policy input version

Board Resolution, August 2017

Supply Chain FERC Order No. 829, July 2016

Project 2016-03 Cyber Security Supply Chain Risk Management

Procurement Language for Energy Delivery Systems, April 2014 (DOE)

Compliance Information

Supply Chain Small Group Advisory Sessions: FAQs, February 2020 (ERO)

Plan to Evaluate Effectiveness of Supply Chain Standards, December 2019

Supply Chain Small Group Advisory Sessions FAQs - October 2019

Discussions and Recommendations

Supply Chain Working Group (SCWG)

Critical Infrastructure Protection Committee Security Guidelines (CIPC)

Supply Chain Risks: Staff Report and Recommendations, May 2019 (NERC)

Supply Chain Cyber Security Practices - Letter to Industry, March 2019 (CIPC)

Cyber Security Supply Chain Management White Paper, September 2018 (NAGF)

Cyber Security Supply Chain Risk Management Guidance, June 2018 (NATF)

Managing Cyber Supply Chain Risk-Best Practices for Small Entities, April 2018 (APPA, NRECA) 

Data Requests

Supply Chain Risk Assessment Data Request (Draft), August 2019

Draft Supply Chain Risk Assessment Data Request Unofficial Comment Form, August 2019

Supply Chain Risk Management Assessment Data Request (Final), August 2019

Supply Chain Risk Management Assessment Data Request (Final; Redline to Draft), August 2019

Response to Comments: Supply Chain Risk Assessment Data Request, August 2019

Supply Chain Risk Assessment: Analysis of Data Collected Under the NERC Rules of Procedure Section 1600 Data Request, December 2019

2019 Webinars

Supply Chain Data Request (Presentation | Streaming Webinar), 9/23/2019

Supply Chain Small Group Advisory General Session (Presentation), 10/30/2019