Vendor Risk Management Requirements of NERC CIP-013-1

Energy organizations rely on complex supply chains worldwide, which can expose them to third-party cyberattacks and data breaches. It's crucial to identify, assess, mitigate, and manage the cybersecurity risks associated with third-party suppliers. To that end, the North American Electric Reliability Corporation (NERC) has established standard CIP-013-1 Cyber Security – Supply Chain Risk Management to protect energy organizations from cyberattacks.

These requirements apply to "Responsible Entities," which can include transmission system operators, balancing authorities, and reliability coordinators in Canada, the U.S., and parts of Mexico. Let's explore the requirements of CIP-013-1 and how your energy organization can comply. 

Vendor Risk Management Requirements of NERC CIP-013-1

Many cybersecurity risks originate in energy organizations' supply chains. That's why NERC requires them to develop and implement vendor risk management and cybersecurity plans.

Here are 3 key requirements of CIP-013-1:

1. Develop a supply chain cybersecurity risk management plan – According to NERC, vendor risk management should be the most important component of an organization's supply chain cybersecurity risk management plan. The plan should address risks associated with a vendor's services and products, as well as the vendor relationship. Once supply chain cybersecurity plans have been developed and documented, they must be reviewed and approved by a CIP Senior Manager (or their delegate). Approved plans must be implemented, reviewed, and approved at least every 15 months.
2. Identify and assess supply chain cybersecurity risks – A well-defined plan and robust processes are essential for thoroughly assessing a vendor's cybersecurity risks associated with their products and services. 
3. Follow the vendor risk management lifecycle – NERC developed a vendor risk management lifecycle unique to the energy industry. Although it varies from the more common lifecycle model (onboarding, ongoing, and offboarding), the same vendor risk management principles still apply. Essential practices must be followed, such as identifying vendor risks, assessing risks during procurement, verifying vendor compliance, and safely terminating a vendor relationship.

How to Comply With the Vendor Risk Management Requirements of NERC CIP-013-1

There are important practices and processes to outline in supply chain cybersecurity plans to mitigate vendor risks. Let's examine 5 key practices to develop, implement, and include in supply chain cybersecurity plans:

1. Complete risk assessments – According to NERC, energy organizations should first assess cybersecurity risks before beginning the vendor relationship. An inherent risk assessment, which is completed internally, identifies the types and amounts of risk associated with a vendor's product or service. Vendor risk assessments then consider the vendor's risk controls, expertise, and background. 
   
   Note: These assessments should be completed periodically throughout the relationship as supply chain and vendor risks constantly evolve and emerge. The highest-risk vendors should be reviewed the most frequently. 
2. Conduct due diligence – Vendors should provide evidence of their risk management practices and controls, gathered through questionnaires completed by the vendor. Documentation as evidence of risk management practices and controls must also be provided by the vendor, collected through the procurement stage, and updated throughout the relationship. Your energy organization should include verification of software authenticity and integrity, such as reviewing a software bill of materials (SBOM).
3. Set compliant contracts – NERC expects energy organizations to secure the vendor's commitment to mitigate risks, meet performance expectations, and comply with laws and regulations. Commitment is evidenced through the vendor's contract, which should include provisions like a right to audit, service level agreements, regulatory compliance, and data protection and security. 
   
   Note: NERC requires vendors to notify energy organizations of vendor-identified incidents related to any of the energy organization's products or services. It’s important to include data breach notification requirements in the contract, including timing and details. 
4. Establish an incident response plan – Your energy organization and your vendors must be prepared for any future incidents. It’s crucial to coordinate with vendors to ensure identified threats or incidents are reported in a timely manner, and appropriate mitigation and response activities are conducted. Your plan’s processes should include tested control mechanisms for receiving, assessing, and responding to identified threats or in the event of an incident. 
5. Terminate the relationship safely – When or if the vendor relationship ends, it's important to ensure data remains safe and secure. The risks associated with ending vendor relationships should be identified in advance of any possible termination with established exit strategies and plans. This includes considering the continuity of services during transition, the safe transfer of data, and the return or destruction of data. 

NERC CIP-013-1 requires energy organizations to develop a plan to oversee and manage vendor risks. Plans must include essential processes to conduct vendor risk assessments, perform due diligence, establish contracts, and appropriately terminate relationships. By diligently implementing these practices, energy organizations can manage their vendor relationships throughout the supply chain. This proactive approach not only aids compliance, but also significantly reduces the risk of cyberattacks, empowering organizations to stay more secure.