Hero compliance nerc supplier

NERC Security Guideline for the Supply Chain Cyber Security Risk Management Lifecycle

Identify, assess and mitigate cyber risks to critical infrastructure

In response to pervasive supply chain breaches, the North American Electric Reliability Corporation (NERC) published a Security Guideline for the Supply Chain Cyber Security Risk Management Lifecycle.

The Guideline recommends that critical infrastructure organizations such as electric utilities, natural gas providers and others identify, assess and mitigate supply chain cyber security risks to their critical operational technology (OT) assets. OT system disruptions, such as those caused by supply chain incidents, can lead to utility outages and have wide-ranging, negative societal impacts.

Relevant Requirements

  • Identify risks to critical OT assets that could have a high impact, or a high likelihood of compromise

  • Assess vendors to determine the degree of risk they pose with respect to each risk that was identified (requires questionnaire)

  • Mitigate risks identified in vendor risk assessments

  • Consider risk mitigation throughout the vendor lifecycle

  • Regularly update the risk management strategy

Align Your TPRM Program with 14 Industry Standards

Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.

Read Now
Featured resource compliance handbook industry standards

Meeting NERC Security Guideline Requirements

Here's how Prevalent can help you address NERC third-party risk management best practices:

Requirement How We Help

Chapter 1: Identifying Risks

The organization’s first objective in the supply chain cyber security risk management process is to identify risks to its critical OT assets that could have a high impact, or a high likelihood of compromise, depending on the supplier.

Prevalent offers the following capabilities to address this requirement:

  • A two-axis scoring methodology based on likelihood of compromise and impact to the organization, creating a heat map-like matrix to plot risks into.

  • Automated rules to assign scores if a supplier’s answer to an assessment question fails to achieve an acceptable risk threshold, thereby plotting risks into the matrix.

  • Reporting to sort risks by the highest score in the matrix.

  • Custom remediations to recommend to the supplier to mitigate the risk.

The Prevalent platform enables you to conduct profiling and tiering assessments to track and quantify inherent risks for all suppliers. From this inherent risk assessment, your team can automatically classify and tier suppliers (including identifying those deemed as critical); set appropriate levels of further diligence off of this baseline; and determine the scope of ongoing assessments.

Chapter 2: Assessing Risks

Once the organization has identified risks, it needs to assess its vendors to determine the degree of risk they pose with respect to each risk that was identified; in most cases, the vendor assessment will be conducted via a questionnaire.

Prevalent enables you to automate risk assessments to extend the visibility, efficiency and scale of your supply chain risk management program across every stage of the supplier lifecycle.

The Prevalent platform offers a library of hundreds of standardized assessment templates, with customization capabilities and built-in workflow and remediation to automate everything from survey collection and analysis to risk rating and reporting. Be sure that your assessment platform of choice includes specific assessments for critical infrastructure reporting and best practices, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

As part of the risk assessment process, continuously track and analyze external threats to suppliers by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases.

An important capability at this step is to correlate continuous monitoring results against assessment responses to validate controls. This cannot be accomplished by using spreadsheets for risk assessments or disjointed tools for cyber security monitoring.

Chapter 3: Risk Mitigation

Chapter 3 recommends that the organization ask the vendor to mitigate risks identified in the assessment. The goal of risk mitigation should be to bring its value down to an acceptable level in order to reduce the likelihood and/or impact of the risk. The Guideline says this can be accomplished through RFP or contractual enforcement, but required remediations are also an important post-contract enforcement. See some selected mitigations from the Guideline below.

Include RFP language identifying security risks and any mitigations the vendor must undertake to address those risks.

Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) as part of vendor selection decisions. The ensures that suppliers are selected based on critical cyber security measures.

Include contract language documenting the vendor’s commitment to implement specific security controls, provide for the organization to review the vendor’s progress, and identify methods for future communication on these matters.

Prevalent enables you to centralize the distribution, discussion, retention and review of supplier contracts. Managing supplier contracts this way ensures that you have the proper security clauses and enforcements built into the contract.

Define specific remediations.

The Prevalent platform equips you with recommended remediations for suppliers based on risk assessment results to ensure that suppliers address risks in a timely and satisfactory manner. It also enables you to track remediations to conclusion with defined owners – inside your organization and in your supplier’s organization.

Chapter 4: Procurements and Installations

Chapter 4 of the Guideline requires that supply chain cyber security risk mitigations be considered throughout the lifecycle of a product or service to reduce the level of risk that was initially assessed as high.

With the Prevalent platform, you can conduct a baseline procurement risk assessment at the start of the procurement process followed by:

Chapter 5: Updating the Risk Management Plan

Chapter 5 of the Guideline suggests that a supply chain cyber security risk management plan be updated at least annually. This will involve identifying new risks, re-assessing suppliers, and reviewing mitigations accordingly – with tasks addressed in chapters 1-3 repeated as necessary.

Prevalent enables you to optimize your program to address the entire supplier risk lifecycle by making it easy to continuously update:

  • Governing policies, standards, systems and processes to protect systems

  • Organizational roles and responsibilities (e.g., RACI)

  • Supplier inventories and criticality

  • Risk scoring rules and thresholds based on your organization’s risk tolerance

  • Assessment and monitoring methodologies based on supplier criticality

  • Fourth-party and Nth-party mapping to understand your extended supplier ecosystem

  • Sources of continuous cyber security monitoring data

  • Key performance indicators (KPIs) and key risk indicators (KRIs)

  • Compliance and contractual reporting requirements against service levels

  • Incident response requirements

  • Risk and internal stakeholder reporting

  • Risk mitigation and remediation strategies

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo