FERC-NERC Supply Chain Speakers Emphasize Open Process

Workshop Focused on 2024 Supply Chain NOPR

Attendees at FERC and NERC's joint workshop on supply chain risk management standards | FERC

Mar 20, 2025 | Holden Mann

Representatives of electric utilities and manufacturers provided feedback on proposed supply chain risk management standards at a workshop hosted by FERC and NERC.

Participants in a March 20 workshop hosted by FERC and NERC said their organizations support the development of new supply chain risk management standards but urged the commission not to put overly strong burdens on the electric industry and its partners.

FERC called for the workshop after proposing new reliability standards last year aimed at securing the supply chain of critical electronic components (RM24-4). The proposal was prompted by staff observations of “multiple gaps in” supply chain risk management during audits of utilities’ compliance with NERC’s Critical Infrastructure Protection standards. (See FERC Proposes Further Cybersecurity Measures.)

In his introduction to the workshop, Kal Ayoub, director of FERC’s Office of Electric Reliability, acknowledged that the commission received “a lot of helpful comments from the industry” after publishing its Notice of Proposed Rulemaking last year. But one element of the NOPR that drew “mixed feedback” was a proposed requirement that new standards require entities to “validate the completeness and accuracy of information received from vendors during the procurement process.”

“The commission did state that we are not proposing to require the entities guarantee the accuracy of information provided by the vendors,” Ayoub said. “However, we do believe that entities should be required to take certain steps to validate such information, and that is why we’re here today: to gather information from all of you … to clarify what level of validation should be required from responsible entities to ensure appropriate risk assessment.”

Laura Schepis, executive director of regulatory and industry affairs at the National Electrical Manufacturers Association, said that NEMA’s members would be “quite happy” to give utilities any information they can on their equipment and subcontractors. The key, she continued, is to give them a voice in the process so they can provide their own perspectives to produce solutions that are as standardized as possible.

Laura Schepis, NEMA | FERC

“Our manufacturers want to be prepared to be the best possible partners,” Schepis said. “So, like any good partner, our members greatly appreciate [understanding] at the start of a process … all the hurdles and timelines and inflection points that might be on the horizon for the utility. … I think sometimes professionals in complex roles may resist a checklist … but I think the gravity of the risks and vulnerabilities that we’re all combating together means that we need to embrace standardization and trust ourselves to use tools that get us 80 to 90% of the way there.”

Alan Herd, deputy director of OER’s division of cybersecurity, asked panelists how FERC’s final rule could help ensure that the process in the resulting standard is a “scalable solution.” In response, Roy Adams, director of supply chain procurement, planning and analysis at Consolidated Edison, replied that it is “very important to look at benchmarks outside of the energy industry.”

He also suggested that scalability can be ensured through standardization and shareability so that vendors don’t necessarily have to fill out the same information over and over for different customers.

“I think it’s a bit of a compromise with centralization. If it’s been submitted once, why not reuse it, if the information is accurate and has been verified?” Adams said. “In addition, I think a system needs to be adaptable to new tools. … The system itself can’t be built once and never updated. It needs to be continuously improved to adjust to the environment it’s in.”

CIP FERC & Federal NERC & Committees Supply Chain