FERC, NERC convene workshop on validating vendor information in proposed supply‑chain rule

Federal Energy Regulatory Commission (FERC) · March 21, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

FERC and NERC hosted a joint technical workshop (docket RM24‑4) to gather industry views on whether and how utilities should validate vendor-supplied information for supply‑chain risk management; panelists agreed on risk‑based priorities but split on who should shoulder verification work and how prescriptive rules should be.

FERC and the North American Electric Reliability Corporation (NERC) convened a joint technical workshop on supply‑chain risk management, focusing on a proposal in docket RM24‑4 that would require responsible entities to take steps to validate information from vendors.

Cal Ayub, director of FERC’s Office of Electric Reliability, said the commission issued a Notice of Proposed Rulemaking to address gaps in the critical infrastructure protection (CIP) standards and is asking what level of validation should be required. “We are not proposing to require the entities guarantee the accuracy of information provided by their vendors, but…we do believe that entities should be required to take certain steps to validate such information,” Ayub said during opening remarks.

Panelists from utilities, manufacturers and third‑party risk firms described practical approaches and limits. Manny Cancel of NERC said stakeholders broadly support developing standards but urged a balance between objective outcomes and overly prescriptive requirements. “Entities need the flexibility to determine how to best comply with the security objective and address risk based on their potential impact,” he said.

Utility and industry practitioners recommended a risk‑based process that begins with the responsible entity’s inherent‑risk questionnaire (to define what the vendor will do for the utility) and follows with targeted due‑diligence questionnaires (DDQs), secondary data checks and periodic reassessments for high‑criticality vendors. Roy Adams of Con Edison summarized the approach as a combination of “people, data, and systems” to manage third‑party risk.

Not all panelists agreed on how far validation should go. AJ Jacobs of SMUD warned that requiring every utility to independently verify completeness and accuracy of vendor claims would be “highly inefficient,” costly and could create a false sense of security; he urged centralized or government‑assisted validation for some supplier practices. By contrast, others said third‑party attestations (for example, SOC 2‑type reports) and industry‑wide information sharing can reduce burden while improving confidence in vendor representations.

Manufacturers represented by Laura Shepis (NEMA) expressed willingness to provide more technical details—such as bills of materials and standards mappings—to help utilities assess risk, but she and others cautioned against embedding a single tool or checklist into an enforceable standard. Several panelists raised legal and competition concerns about any centralized ‘approved vendor’ lists.

The workshop included two roundtables and an extended public Q&A. Staff reminded attendees that written comments to docket RM24‑4 will be accepted after the event (the transcript will be entered into the record) and encouraged continued engagement as the rulemaking proceeds. The exchange left clear points of agreement—prioritize by risk, prefer plan‑based compliance and reuse of verified information—and continuing debates over centralization, certification thresholds and the operational burden on smaller utilities.

The workshop is a fact‑gathering step in FERC’s rulemaking; staff urged stakeholders to submit detailed technical comments during the NOPR comment period and to provide examples of feasible validation steps or shared tools.