FERC's Notice of Inquiry  is available here. Here is the main point of my filed comments:

REA recommends the adoption of best practices for software supply chain risk assessments within the NERC CIP standards that leverages years of lessons learned and best practices from the Department of Defense, Department of Commerce (NIST/NTIA), Department of Energy and Industry groups, i.e. Edison Electric Institute, that have developed guidelines to identify and mitigate risks in a software supply chain.

REA recommends enhancements to the NERC CIP-010-3 Part 1.6 standards requiring a BES entity “to conduct a comprehensive software supply chain risk assessment based on the NIST Cybersecurity Framework V1.1, utilizing a Software Bill of Materials (SBOM), as a starting point for the risk assessment.
I encourage other parties with a vested intererst in protecting the Nation's Electric Grid from cybersecurity threats to also file comments with FERC on docket RM20-19-000

Energy Central hosted a PowerSession on 8/12/2020 that you may wish to consider to help in understanding software supply chain risk assessment steps: Cybersecurity on the U.S. Power Grid: Software Supply Chain Risks and Mitigations for NERC CIP-010-3 [an Energy Central PowerSession™]

You will also find a follow-up "Happy Hour" recording held approximately one week after the PowerSession to address audience questions. On Demand - Cybersecurity on the U.S. Power Grid: Software Supply Chain Risks and Mitigations for NERC CIP-010-3 - Happy Hour Follow-up Discussion