On August 10, 2017, the NERC Board of Trustees (Board) adopted proposed Reliability Standards CIP-005-6, CIP-010-3, and CIP-013-1 (Supply Chain Standards), addressing cyber security supply chain risk management issues, and approved the associated implementation plans. NERC has initiated a collaborative program with industry, trade organizations, and key stakeholders to manage the effective mitigation of supply chain risks.
In adopting the Supply Chain Standards, the Board concurrently adopted additional resolutions related to their implementation and evaluation. The resolutions outlined six actions, developed by NERC management and stakeholders, to assist in the implementation and evaluation of the Supply Chain Standards and other activities to address potential supply chain risks for assets not currently subject to the Supply Chain Standards. Those resolutions, in summary form, include the following actions:
Action 1: Support Effective and Efficient Implementation
NERC to commence preparations for implementation of the Supply Chain Standards using methods similar to those of the CIP V5 transition, and to report regularly to the Board on those activities.
Action 2: Cyber Security Supply Chain Risk Study
Study the nature and complexity of cyber security supply chain risks, including risks associated with low impact assets not currently subject to the Supply Chain Standards, and develop recommendations for follow-up actions that will best address any issues identified.
Action 3: Communicate Supply Chain Risks to Industry
Communicate supply chain risk developments and risks to industry and in connection with the Cyber Security Supply Chain Risk Study.
Action 4: Forum White Papers
The Board requests the North American Transmission Forum and the North American Generation Forum to develop white papers to address best and leading practices in supply chain management, as described in the resolution.
Action 5: Association White Papers
The Board requests the National Rural Electric Cooperative Association and the American Public Power Association to develop white papers to address best and leading practices in supply chain management, as described in the resolution, focusing on smaller entities that are not members of the Forums, for the membership of the Associations.
Action 6: Evaluate Effectiveness
Collaborating with NERC technical committees and other experts, develop a plan to evaluate the effectiveness of the Supply Chain Standards, as described in the resolution, and report to the Board as appropriate.
This site is dedicated to consolidating and sharing Supply Chain-related documents and deliverables for industry stakeholders. If you have any questions, please contact Howard Gugel.
Supply Chain FERC Order
Supply Chain Standard
DOE Procurement Language
Supply Chain Small Group Advisory Sessions FAQs
Managing Cyber Supply Chain Risk-Best Practices for Small Entities
EPRI Supply Chain Risk Assessment Report
NATF Cyber Security Supply Chain Risk Management Guidance
NAGF Cyber Security Supply Chain Management White Paper
Supply Chain Cyber Security Practices - Letter to Industry
Final Supply Chain Report
Final Supply Chain Report redline to Board policy input version
Executive Order on Securing the Information and Communications Technology and Services Supply Chain
Draft Supply Chain Risk Assessment Data Request
Draft Supply Chain Risk Assessment Data Request Unofficial Comment Form
Final Supply Chain Risk Management Assessment Data Request
Final Supply Chain Risk Management Assessment Data Request - Redline to Draft
Supply Chain Risk Assessment Data Request Response to Comments
Cyber Security Supply Chain Risk Management Plans
CIP-010-3 R1.6 Software Integrity and Authenticity (NATF)
CIP-013-1, R1, R2 - Supply Chain Management (NATF)
Copyright 2017 North American Electric Reliability Corporation. All rights reserved.