Asset To Vendor

Are you ready for NERC CIP-013?

Take the CIP-013 Challenge and find out!

What is your plan to address vendor incidents, remote access, vulnerabilities and patch verification? Take the CIP-013 Challenge and find out if you’ll be ready in time.

Power utilities share cybersecurity challenges

Collaboration is the answer!

Introducing the Asset To Vendor Network (A2V)

Asset To Vendor Network

A mutual assistance platform for third-party and asset risk management teams

Powered by Fortress

Take the CIP-013 Challenge!

Check your preparedness

Select the time estimated for each step in the compliance process and find out whether your program will be ready in time for the October 1, 2020 deadline.

DONE?
BUDGETED TIME
ESTIMATED COMPLETION DATE
ACTIVITY
Step 1: Establish CIP-013 scope and draft “supply chain cyber security risk management plan”
  • Estimate volume for procurements related to medium and high impact BES Cyber Systems.
  • Identify steps your organization will take to “identify and assess cyber security risk.”
  • Decide how risk will be assessed (see A2V risk identification and assessment methodology).
REFERENCES:
NERC CIP-013-1 NATF implementation guidance, NATF supplier criteria, EEI model procurement language
Step 2: Establish how you will comply with NERC CIP-010 R1.6, verification of software source/authenticity and integrity
REFERENCES:
NERC CIP-010-3, CIP-010-3 NATF Software Integrity & Authenticity
Step 3: Get internal approvals on the plan
  • Coordinate between procurement, supply chain, legal, operations, risk management/compliance, and ensure consistency in scoping CIP-013 products and services and related vendors, RACI diagram or flowchart, system of record, upcoming renewals, installation risk analysis
Step 4: Decide on Build vs. Buy; select partner
  • Partner investigation, competitive bidding, review partner proposals and pricing, compare versus internal costs and capabilities, contracting
Step 5: Implement solution
  • Launch system of record, execute processes, set recurring status meetings for stakeholders
Step 6: Validate effective process
  • Perform internal audits on the process and implement remediations

Level Up Compliance

A2V achieves security beyond compliance

Access the latest and greatest in emerging industry requirements

Receive instant industry information and continuous updates

Reduce costs with our sharing model 50% SAVINGS

A2V is a network of power utilities who benefit from:

  • Shared costs of vendor risk assessments
  • Cyber asset vulnerability patches
  • Solutions to reduce duplication
  • Compliance requirements

Asset to Vendor Network

Delivering outcomes in a simple process

Risk Identifications

Utility determines the right level of assessment – for the vendor and the product.

A2V offers risk ranking analytics.

Assessment Selection

Utility submits the list of vendors requiring assessments.

Assessment availability and “Scheduled” or “Not Scheduled” status is appended with respective dates.

The utility selects assessments for purchase, whether it be an existing assessment or requirement to master a new one.

Vendor Engagement

Consent to share assessments is obtained by A2V vendors.

For new assessments, A2V works with vendors to complete.

New assessments (Masters) generate royalties of 75%, 65% and 50% on 1st, 2nd and 3rd+ sales, respectively.

Completed assessments are uploaded into the utility’s instance of the Fortress Platform, the A2V compliance system.

How does A2V compare to other assessment products?

A2V Assessment Products

A2V is aligned to industry guidance for risk identification and assessment methodologies, especially to CIP-013-1.

Why vendor assessments?

NATF points out that “the ERO has endorsed the practice of a Responsible Entity obtaining an independent assessment of the vendor’s production of BES Cyber Systems and/or related services as a means of complying with CIP-013-1.” NATF suggests:

  1. Asking vendors to provide independent assessments.
  2. Evaluating the auditor’s qualifications and cyber security framework used to perform the assessment.
  3. Evaluating the scope and results of the assessment.
  4. Documenting the process, conclusions and mitigating actions.
Comparison chart of A2V to competitors

A joint venture with Fortress, American Electric Power, and Southern Company

A2V is committed to helping American Electric Power and other leading utilities

Southern Company provides clean, safe, reliable and affordable energy to 9 million customers through their subsidiaries

A2V in the News

We love to help, contact us today.

Request a Demo

Request to speak to a solution specialist or schedule a demonstration.