Part of Grid Network »

The Grid Professionals Group covers electric current from its transmission step down to each customer's home. 


Implementing the NATF Supply Chain Security Assessment Model

image credit: North American Transmission Forum (NATF)
Richard Brooks's picture
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Member since 2018
  • 1,537 items added with 670,806 views
  • Oct 4, 2021

The North American Transmission Forum (NATF) provides the industry with an effective supply chain security assessment model (NATFSAM) describing best practices for cyber supply chain risk management (C-SCRM) following NIST standards. The NATF guidance describes “the five steps of the Model provide a strong foundation to mitigate supply chain risks by encapsulating the necessary actions and components of supply chain risk, without regard to whether the purchase is for IT, OT, software, firmware, hardware, equipment, components, or services.”

Property of North American Transmission Forum (NATF)

When executed properly and with a focus on security, the Model will assist entities with meeting the compliance requirements of the NERC supply chain reliability standards, which initially became effective on October 1, 2020. The NERC Supply Chain standards include CIP-013-1, CIP-010-3 and CIP-005-6.

The NATF Criteria (RJB:NATFC) and the NATF Questionnaire (RJB: NATFQ) are tools for collecting information from suppliers. The NATF Criteria are “best practices” by which to measure a supplier’s security posture. The Questionnaire provides questions to assist entities in obtaining necessary information to use in the evaluations. These are not pass/fail lists; they are designed to identify risks and provide an opportunity for mitigation.

Materials provided in the NATFSAM provide clear guidelines on the steps to perform an effective security assessment, which closely follows the NIST standard for cyber supply chain risk management (C-SCRM), contained in SP 800-161. With all of this excellent guidance available from NATF and NIST some important items remain open and could benefit from additional guidance, needed to implement this best practice. REA’s, open-source, free to use, Vendor Response XML File format addresses the missing implementation guidance and is designed to help software vendors leverage existing reporting requirements, e.g. SEC, and consumers, subject to NERC CIP standards, implement these NATFSAM guidelines as efficiently and easily, as possible. The following materials describe how the open source, free to use, REA’s Vendor Response XML file helps both vendors and consumers comply with NERC Supply Chain standards following the NATFSAM guidelines by helping a software consumer collect information provided by a software vendor to conduct a risk assessment using the NATF Supply Chain Security Criteria spreadsheet, and the NATF Questionnaire (NATFQ)

A software consumer starts implementation of the NATFSAM by asking a software vendor to provide one critical piece of information, the location (URL) of their Vendor Response XML File, containing all of the information needed by a software consumer to implement NATFSAM guidelines and complete the NATFC and NATFQ during the risk assessment step. An example Vendor Response File is available at this link:

A complete use case showing examples of all evidence data needed to conduct a NIST and NATF compliant risk assessment is available online using the Amazon AWS Client Software for demonstration purposes.

Opening the link above will reveal the following vendor supplied materials in accordance with NATFSAM requirements and best practice:

NATF Guidance 

NATF Data Requirement

REA Vendor Response File Element


Organizational Information

CompanyDataURL, FinancialDataURL,  VendorLegalName, etc.


Supplier Criteria

CyberSecPolicyURL, CompanyDataURL


General Information

CompanyDataURL, FinancialDataURL,  VendorLegalName, DUNSNumber, etc.



CompanyDataURL, CyberSecPolicyURL


Company Overview

CompanyDataURL, CyberSecPolicyURL, FinancialDataURL


Supply Chain and External Dependencies Management

CyberSecPolicyURL, SDLCPolicyURL, SBOM


Workforce Management

CompanyDataURL, FinancialDataURL, CyberSecPolicyURL, SDLCPolicyURL


Identity and Access Management

CyberSecPolicyURL, SDLCPolicyURL


Cybersecurity Program Management

CyberSecPolicyURL, SDLCPolicyURL


Change and Configuration Management

CyberSecPolicyURL, SDLCPolicyURL, SDLCEvidenceDataURL, SBOM


Cybersecurity Tools & Architecture

CyberSecPolicyURL, SDLCPolicyURL


Data Protection

CyberSecPolicyURL, SDLCPolicyURL


Event and Incident Response

CyberSecPolicyURL, SDLCPolicyURL, SDLCEvidenceDataURL, UnsolvedVulnerabilities, KnownVulnInfoURL, SBOM


Mobile Devices and Applications



Risk Management

CompanyDataURL, FinancialDataURL, CyberSecPolicyURL, SDLCPolicyURL, SDLCEvidenceDataURL, UnsolvedVulnerabilities, KnownVulnInfoURL, SBOM


Vulnerability Management

CyberSecPolicyURL, SDLCPolicyURL, SDLCEvidenceDataURL, SBOM, UnsolvedVulnerabilities, KnownVulnInfoURL


A software consumer begins the NATFSAM process by asking a software vendor to provide a link to their Vendor Response XML File along with any access control credentials required to access the response file. Vendor Response files, and the linked materials contained within, contains sensitive information, that a software vendor would want to protect this response file through an access-controlled gateway, such as a secure customer portal. After a software consumer obtains the Vendors Response XML File the information is saved in an evidence folder along with downloaded files for each of the URL elements contained in the Response File, listed in the table above. This completes the Collection step activities specified in the NATFSAM.

Software consumers continue with the NATFSAM process by verifying all of the downloaded information stored in the evidence folder and perform a risk assessment on the downloaded materials. During the vendor data verification risk assessment process steps the consumer fills-in the NATFC and NATFQ spreadsheets based on the findings of this process. Any unanswered NATFQ and/or NATFC questions will need to be addressed with the software vendor in order to complete the process. Software vendors leverage all existing materials they may have available, such as SEC reporting requirements, Company Overview documents and any policy documents that can be provided to customers in order to satisfy the NATFC and NATFQ risk assessment requirements, including a Software Bill of Materials (SBOM) per product release.

Software consumers are advised to use the EEI Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk​​​  in their procurement process.

Software customers perform the final step in the NATFSAM process, Monitor Risks, by implementing controls that are capable of processing the Vendor Response XML File. Product level risks can be monitored on an on-going basis using information provided in a product SBOM and KnownVulnInfoURL documents provided by the software vendor.   

The approach described above is intended to minimize the efforts of software vendors by leveraging existing, on-hand, documents that may have been produced to satisfy SEC or other regulatory requirements and/or operational documents produced during the normal course of business, i.e. SBOM, to help software customers implement NATFSAM risk assessment requirements described in the NATFC and NATFQ documents.

Software consumers can start implementing the NATFSAM process, and comply with NERC Supply Chain Standards, by asking their software vendors to provide a link to their Vendor Response XML File, using the open-source, free to use, Vendor Response File XML Schema, and Known Vulnerabilities Disclosure Statement boiler-plate. An example Vendor Response File document is available.

Tom Alrich's picture
Tom Alrich on Oct 7, 2021

Dick, the NATF document has not been approved by NERC as official guidance on the NERC Supply Chain Reliability Standards, and the document says nothing about those standards. You are misleading your readers by suggesting otherwise.

Richard Brooks's picture
Richard Brooks on Oct 7, 2021

Tom, my readers are independent thinkers and would not be mislead by me or anyone else - including you. I stand by my statements and refer you to the NATF Security Assessment Model document page 5 and 6 which do indeed refer to the NERC supply chain standards, as shown below:

"When executed properly and with a focus on security, the Model will assist entities with meeting the compliance requirements of the NERC supply chain reliability standards,4 which initially became effective on October 1, 2020"

Footnote 4, on page 6, makes the correlation to NERC CIP standards abundantly clear:

4 In response to FERC Order No. 829, NERC Reliability Standards Project 2016-03 Cyber Security Supply Chain Risk Management developed new Reliability Standard CIP-013-1 and modified Reliability Standards CIP-005-6 and CIP-010-3, which collectively have become known as the “supply chain standards.

I see no room for misinterpretation with these NATF supplied materials and respectfully request that you apologize for claiming that I mislead my readers.

Tom Alrich's picture
Tom Alrich on Oct 12, 2021

OK, I apologize. The first quote shows I'm wrong, although the second quote has nothing to do with this.

Richard Brooks's picture
Richard Brooks on Oct 12, 2021

Thank you.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »