Implementing the NATF Supply Chain Security Assessment Model

When executed properly and with a focus on security, the Model will assist entities with meeting the compliance requirements of the NERC supply chain reliability standards, which initially became effective on October 1, 2020. The NERC Supply Chain standards include CIP-013-1, CIP-010-3 and CIP-005-6.

The NATF Criteria (RJB:NATFC) and the NATF Questionnaire (RJB: NATFQ) are tools for collecting information from suppliers. The NATF Criteria are “best practices” by which to measure a supplier’s security posture. The Questionnaire provides questions to assist entities in obtaining necessary information to use in the evaluations. These are not pass/fail lists; they are designed to identify risks and provide an opportunity for mitigation.

Materials provided in the NATFSAM provide clear guidelines on the steps to perform an effective security assessment, which closely follows the NIST standard for cyber supply chain risk management (C-SCRM), contained in SP 800-161. With all of this excellent guidance available from NATF and NIST some important items remain open and could benefit from additional guidance, needed to implement this best practice. REA’s, open-source, free to use, Vendor Response XML File format addresses the missing implementation guidance and is designed to help software vendors leverage existing reporting requirements, e.g. SEC, and consumers, subject to NERC CIP standards, implement these NATFSAM guidelines as efficiently and easily, as possible. The following materials describe how the open source, free to use, REA’s Vendor Response XML file helps both vendors and consumers comply with NERC Supply Chain standards following the NATFSAM guidelines by helping a software consumer collect information provided by a software vendor to conduct a risk assessment using the NATF Supply Chain Security Criteria spreadsheet, and the NATF Questionnaire (NATFQ)

A software consumer starts implementation of the NATFSAM by asking a software vendor to provide one critical piece of information, the location (URL) of their Vendor Response XML File, containing all of the information needed by a software consumer to implement NATFSAM guidelines and complete the NATFC and NATFQ during the risk assessment step. An example Vendor Response File is available at this link:

https://github.com/rjb4standards/REA-Products/raw/master/SAGVendorResponseSAMPLE.xml

A complete use case showing examples of all evidence data needed to conduct a NIST and NATF compliant risk assessment is available online using the Amazon AWS Client Software for demonstration purposes.

Opening the link above will reveal the following vendor supplied materials in accordance with NATFSAM requirements and best practice:

A software consumer begins the NATFSAM process by asking a software vendor to provide a link to their Vendor Response XML File along with any access control credentials required to access the response file. Vendor Response files, and the linked materials contained within, contains sensitive information, that a software vendor would want to protect this response file through an access-controlled gateway, such as a secure customer portal. After a software consumer obtains the Vendors Response XML File the information is saved in an evidence folder along with downloaded files for each of the URL elements contained in the Response File, listed in the table above. This completes the Collection step activities specified in the NATFSAM.

Software consumers continue with the NATFSAM process by verifying all of the downloaded information stored in the evidence folder and perform a risk assessment on the downloaded materials. During the vendor data verification risk assessment process steps the consumer fills-in the NATFC and NATFQ spreadsheets based on the findings of this process. Any unanswered NATFQ and/or NATFC questions will need to be addressed with the software vendor in order to complete the process. Software vendors leverage all existing materials they may have available, such as SEC reporting requirements, Company Overview documents and any policy documents that can be provided to customers in order to satisfy the NATFC and NATFQ risk assessment requirements, including a Software Bill of Materials (SBOM) per product release.

Software consumers are advised to use the EEI Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk​​​  in their procurement process.

Software customers perform the final step in the NATFSAM process, Monitor Risks, by implementing controls that are capable of processing the Vendor Response XML File. Product level risks can be monitored on an on-going basis using information provided in a product SBOM and KnownVulnInfoURL documents provided by the software vendor.   

The approach described above is intended to minimize the efforts of software vendors by leveraging existing, on-hand, documents that may have been produced to satisfy SEC or other regulatory requirements and/or operational documents produced during the normal course of business, i.e. SBOM, to help software customers implement NATFSAM risk assessment requirements described in the NATFC and NATFQ documents.

Software consumers can start implementing the NATFSAM process, and comply with NERC Supply Chain Standards, by asking their software vendors to provide a link to their Vendor Response XML File, using the open-source, free to use, Vendor Response File XML Schema, and Known Vulnerabilities Disclosure Statement boiler-plate. An example Vendor Response File document is available.