MRO SAC and CMEPAC Webinar
“Industry Organizations' Aligned Approach for Supply Chain Cyber Security”
Valerie Agnew, Program Manager, Compliance, North American Transmission Forum (NATF)
Tony Eddleman, NERC Compliance Manager, Nebraska Public Power District/MRO SAC Member
Mahmood Safi, NERC Compliance Manager, Omaha Public Power District/MRO CMEPAC Member
Michael Spangenberg, MRO CIP Risk Assessment & Mitigation Engineer
April 8, 2020
MRO SAC Update
• MRO SAC Quarter 2 Meeting on June 24, 2020 (In Person or Via WebEx) REGISTRATION IS NOW OPEN!
• MRO Regional Security Risk Assessment will be in place of the MRO SAC Quarter 3 Meeting on October 8, 2020 (In Person Only and Registration is not open)
• MRO SAC Quarter 4 Meeting on November 5, 2020 (Via WebEx) REGISTRATION IS NOW OPEN!
• MRO Security Conference October 7, 2020
Industry Organizations' Aligned Approach for Supply Chain Cyber Security
MRO SAC Webinar – NERC Supply Chain
April 8, 2020
Valerie Agnew, Program Manager, Compliance, North American Transmission Forum
Tony Eddleman, NERC Compliance Manager, Nebraska Public Power District
Supply Chain Risk Management Regulatory Requirements
• The Federal Energy Regulatory Commission (FERC) approved new Supply Chain Risk Management requirements and these will be effective on July 1, 2020
▫ CIP-013-1 (new); CIP-005-6 (updated); CIP-010-3 (updated)
▫ Initial scope is limited to Control Centers and more impactful substations and generators
Overview
• MRO SAC and CMEPAC Webinar (March 18, 2020)
▫ New and Updated NERC Reliability Standards
▫ NERC Website Resources
▫ NERC Supply Chain Working Group (SCWG) Security Guidelines
▫ North American Transmission Forum (NATF)
▫ Future Directions
• Today
▫ Deeper Dive into Industry Organizations' Aligned Approach
Industry Coordinated Supply Chain Activities
Open Distribution. Copyright © 2020 North American Transmission Forum. Not for sale or commercial use. All rights reserved.
Community – Confidentiality – Candor – Commitment
Objectives for Today’s Webinar
Provide an overview of the Supplier Cyber Security Assessment Model:
• Convergence on use of the Model
• How the Model Works
• Contributing Organizations
• Where to find information
Overview - Objectives of Supply Chain Activities
Industry Convergence
• Achieve industry convergence on the approach (Model) to facilitate addressing the following objectives
Security
• Identifying and addressing cyber security risks introduced via supply chain
Efficiency and Effectiveness
• Convergence on common approaches to achieve reasonable assurance of suppliers’ security practices
Compliance
• Implementation guidance to meet supply chain related CIP standards (CIP-013-1; CIP-005-6 R2.4; CIP-010-3 R1.6)
Overview – Build on existing Supply Chain Work
Overview - Supply Chain Activities to Date
• June 2019: NATF Criteria Version 0
• July 2019: NATF Criteria Application Guide
• October 2019: NATF Proof of Concept Team Strawman
• December 2019: Industry Organizations’ Team alignment on Supplier Assessment Model
• January 30: NATF Criteria Refinement, EEI Procurement Language Refinement
• In Progress: Questionnaire, Additional Projects
Teams involved: NATF Supply Chain Criteria Team; NATF Proof of Concept Team; NATF-led Industry Organizations Team; NATF Supply Chain Steering Team
Alignment of Organizations
A list of participating organizations is available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination
Value Proposition
• Broader than Industry Organizations
• The Supplier Cyber Security Assessment Model and complementary products provide a streamlined, effective, and efficient industry-accepted approach for entities to assess supplier cyber security practices, which, if applied widely, will
▫ reduce the burden on suppliers,
▫ provide entities with more and better information, and
▫ improve cyber security.
Industry Organization Team Members (Organizations, Forums and Working Groups)
• EEI
• LPPC
• APPA
• TAPS
• NAGF
• NAESB
• ConEd Working Group
• SCWG/CIPC
• NERC CCC
• NRECA

Proof of Concept (October 2019): How is a supplier’s adherence to criteria verified and reported?
Suppliers
• ABB
• GE Grid Software Solutions
• OSI
• Siemens Industry, Inc.
• Schneider Electric
• Schweitzer Engineering
Third-Party Assessors
• Ernst & Young
• KPMG LLP
• PWC
• Deloitte
Vendor Organizations for support products or services
• EPRI
• Fortress/A2V
The Industry Coordination Web Page
Available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination
NATF-hosted web page for Industry Coordination
The NATF Criteria
Available on the NATF Public Website: https://www.natf.net/industry-initiatives/supply-chain-industry-coordination
Establishing Criteria for Evaluations: The NATF Criteria (July 2019)
What is the criteria or security framework? The NATF Criteria
• Version 1 posted on the NATF Public Website
• 60 criteria for supplier supply chain cyber security practices
• 26 organizational information considerations
• Maps to existing frameworks
NATF Criteria Spreadsheet
The Supplier Cyber Security Assessment Model
For further explanation, see the “Industry Organizations’ Supplier Cyber Security Assessment Model” document available on the Industry Coordination page of the NATF Public Website
Supplier Cyber Security Assessment: Evaluations
Supplier Evaluation – How is a supplier’s adherence to criteria verified and reported?
• Adherence to the NATF Criteria
▫ What is the Supplier’s level of adherence to the NATF Criteria for the product or service to be purchased?
• Assurance for information provided
▫ What level of assurance is provided for supplier’s information/responses, and is the level of confidence appropriate for the product or service to be purchased?
• Address identified risks
▫ Mitigate (either the entity or supplier), or
▫ Determine if risk can or must be accepted; document rationale
Supplier Cyber Security Assessment: Steps
Supplier Evaluation – How is a supplier’s adherence to criteria verified and reported?
• Obtain Information
• Evaluate Information
• Conduct Risk Assessment
• Make Purchase Decision
The Model
Identify possible suppliers for needed product or service
Use existing means to obtain information regarding supplier’s adherence to the NATF Criteria:
• Certification to Existing Framework/Standard (e.g. IEC 62443, ISO 27001)
• Independent Assessment/Audit (e.g. SOC 2 Type II)
• Questionnaire/Supplier Attestation
• Shared Entity Assessments or other data sources
• Combination of means
Evaluate Information
• Is Supplier’s level of adherence to the NATF Criteria appropriate for product or service?
• What level of assurance is provided for Supplier’s information/responses, and is the level of confidence appropriate for the product or service?
• Were any cyber security risks identified? Can risks be mitigated, addressed via contract, or accepted?
Conduct Risk Assessment
• The purchasing entity’s inherent risk and risk appetite
• Other factors identified by the purchasing entity (financial, operational, reputational, regulatory, etc.)
Purchase Decision
Document
Obtain Information on Supplier’s Adherence
Identify possible suppliers for needed product or service
Use existing means to obtain information regarding supplier’s adherence to the NATF Criteria:
• Certification to Existing Framework/Standard (e.g. IEC 62443, ISO 27001)
• Qualified Independent Assessment/Audit (e.g. SOC 2 Type II)
• Questionnaire/Supplier Attestation
• Shared Entity Assessments or other data sources
• Combination of means
Evaluate the Information Obtained
Evaluate Information
• Is Supplier’s level of adherence to the NATF Criteria appropriate for product or service?
• What level of assurance is provided for Supplier’s information/responses, and is the level of confidence appropriate for the product or service?
• Were any cyber security risks identified? Can risks be mitigated, addressed via contract, or accepted?
Document!
Conduct Risk Assessment
• The purchasing entity’s inherent risk and risk appetite
• Other factors identified by the purchasing entity (financial, operational, reputational, regulatory, etc.)
Make Purchase Decision
Implementation of the Model
• Tools are being developed that can assist entities and suppliers in sharing supplier information
• Locating supplier data
• Adherence to NATF Criteria (at various levels of assurance)
• Responses to the Questionnaire
• Shared Assessments
• Streamlining Risk Assessments
• Organization of Data
Next Steps
• Continued collaboration across industry
• Socializing Model with suppliers and third-party assessor industries
• Completing current projects
• Addressing implementation issues that arise and creating projects where needed
• Continue on our Journey!