Empowering Vendors to Secure the Grid

Asset to Vendor Network is a collaboration between utilities and vendors to secure the grid and achieve compliance with NERC CIP standards

NERC CIP-013 requires utilities to proactively assess the cybersecurity posture of their vendors and their products and services

  • Completing annual cybersecurity risk assessment questionnaires and providing evidentiary documentation for multiple utilities is resource intensive.
  • Self-attestation (self assessments) may be insufficient and will require validation.
  • Utilities will pay independent agents such as Fortress to conduct and validate assessments
  • Assessments will need to be normalized (standardized) and mapped to assessment frameworks.
The logo for fortress information security

Launches the Asset to Vendor Network (A2V)

a mutual assistance network for utilities and their vendors to secure the supply chain and comply with NERC CIP standards.

Implementation guidelines from the
North American Transmission Forum (NATF) suggests the following:

Figure of a person with acheck mark on his left and an x on his right

– Perform Vendor Risk Assessments

– Implement Product Risk Assessments

Figure of a person with acheck mark on his left and an x on his right

– Verifying the integrity and authenticity of software

– Implement Product Risk Assessments

Figure of a person with acheck mark on his left and an x on his right

– Multiple cybersecurity framework mapping

– Recurring reviews to identify risks, risk assessment conclusions, and risk mitigations

A joint venture with Fortress, American Electric Power, and Southern Company

American Electric Power Logo

A2V is committed to helping American Electric Power and other leading utilities

Southern Company provides provide clean, safe, reliable and affordable energy to 9 million customers through their subsidiaries

A2V in the News

Asset to Vendor Logo

Asset to Vendor Network

Asset to Vendor (A2V) is a collaborative network of utilities and vendors that share risk management information.

A2V Risk Management Information

Risk Assessments

An icon of an arrow

IT/OT vulnerability & patch subscriptions

An icon of an arrow
An icon of a lock with a cross in it

Increased Security

Reduced turn-times, decisive remediation, on-demand evidence

An icon of an arrow

Significant cost reduction

An icon of an arrow
An icon of people

“We already share the risk. Now let’s share the cost.”

How does Fortress A2V work?

Fortress Information Security manages and validates assessments for vendors who join A2V and provides them with a secure link to grant assessment requests from the utilities

A step chart for the asset to vendor network

A2V Solves Security Challenges

  • Companies have limited resources for security

    A2V allows vendors to focus on security, not assessment requests reducing internal cost

  • Risk assessments traditionally take months to produce

    A2V ensures up-to-date renewals and instant availability

  • Product solutions are fragmented and expensive

    A2V provides a unified solution at reduced cost

  • Vendors retain control of their data

    Vendors control who sees their data

  • Product solutions are fragmented and expensive

    A2V provides a unified solution at reduced cost

Fortress A2V Benefits

Results and advantages of our partnership

  • Reduced Costs
  • Transparent Process
  • Operational Fourth-Party Vendor Assessments
  • Data Storage
  • Increased Security
  • Insight into Purchasing Intent
  • First Mover Competitive Advantage
  • Demonstrate leadership in securing the grid with joint PR

Fortress A2V Offers You Control
Over the Vendor and Product Assessment Process

Vendor Security Risk Assessments and

Product Security Risk Assessments

  • Fortress conducts complete risk assessments on organizations one time to save vendors time and cost of interacting with multiple utilities.
  • Vendors retain control over who the assessments are shared with.

Asset Risk Management

  • Fortress verifies software sources and validates patch integrity in accordance with CIP-010 and CIP-013

Fortress Guardian – Continuous Risk Monitoring

  • Continuous monitoring of both cyber and business-risk.


  • Fortress works with you to identify and remediate areas of risk.


  • Human-assisted solutions which deliver significant value leveraging the Fortress Platform technology; for example, recommendations for how best to remediate possible risks across an organization’s critical infrastructure assets.

Fortress Platform – Supply Chain Risk Management Insights

Scalable, Modular System with Customizable Dashboards

a laptop showing a the fotress platform
  • Built on lightning-fast, modern architecture
  • Has the simplicity of a spreadsheet with all the sophistication and power of an enterprise system
  • Features include workflow management, task assignment, approvals and vendor portal
  • Flexible architecture for integrations and enhancements
  • Robust analytics module included, enabling simple self-service for reporting