Announcement: Supply Chain Risk Assessment Data Request
Data Submission Due October 3, 2019

NERC is requiring that all registered entities complete the NERC Rules of Procedure Section 1600 Data Request for Supply Chain Risk Assessment data by 7 p.m. Central on Thursday, October 3, 2019, using this electronic form.

Registered entity contacts may have received this request from NERC; however, based on feedback received, Texas RE is resending this Supply Chain Risk Mitigation Program request on behalf of NERC to ensure all registered entities in the Interconnection are cognizant of the request to help facilitate a more complete response.

Background
In 2017, NERC developed new and revised critical infrastructure protection (CIP) Reliability Standards to help mitigate cyber security risks associated with the supply chain for high and medium impact Bulk Electric System (BES) Cyber Systems. These standards, collectively referred to as Supply Chain Standards, consist of new Reliability Standard CIP-013-1 and revised Reliability Standards CIP-010-3 and CIP-005-6. When adopting the Supply Chain Standards in August 2017, the NERC Board of Trustees (Board) directed NERC to undertake further action on supply chain issues. Among other things, the Board directed NERC to study the nature and complexity of cyber security supply chain risks, including those associated with low impact assets not currently subject to the Supply Chain Standards, and develop recommendations for follow-up actions that will best address identified risks.

In its final report accepted by the NERC Board in May 2019, NERC documented the results of the evaluation of supply chain risks associated with certain categories of assets not currently subject to the Supply Chain Standards and recommended actions to address those risks. NERC staff recommended further study to determine whether new information supports modifying the standards to include low impact BES Cyber Systems with external routable connectivity by issuing a Request for Data or Information pursuant to Section 1600 of the NERC Rules of Procedure. NERC staff worked with the Critical Infrastructure Protection Committee (CIPC) Supply Chain Working Group (SCWG) to develop the questions in this data request.

For more information, contact NERC's Vice President of Engineering and Standards, Howard Gugel by email or at (404) 446-9693.