The NATF Supply Chain Controls and Monitoring Guide represents an important shift for the electric sector. It reinforces what many of us across the industry have long emphasized: third-party risk management cannot remain static, checklist-driven, or siloed. To meaningfully reduce third-party risk, the approach must be risk-based, lifecycle-oriented, and continuously monitored.

While the guide doesn’t introduce a new theory, it elevates what were once considered best practices and formalizes them into clear expectations around governance discipline, documentation rigor, and sustained oversight. The real question for organizations isn’t whether they agree with the guidance. It’s whether they can operationalize it across their thousands of vendors in a way that is consistent, defensible, and scalable.

Most organizations already have policies that reference vendor tiering, governance roles, reassessments, and oversight. The gap is execution. Risk tiering often exists, but it doesn’t always drive differentiated controls. Assessments are performed but not always revisited when risk conditions change, such as after a breach, a merger, or an acquisition. Monitoring happens, but too often it is point-in-time rather than continuous. NATF raises the bar by reinforcing that these controls must function as an integrated system, not as isolated activities.

This is where Fortress becomes critical.

Fortress operationalizes risk-based tiering in a structured and defensible way. Vendors are ranked using objective criteria, and that ranking can be tied directly to assessment depth and to the level of monitoring required to meet oversight expectations. That connection is critical. As industry standards continue to mature, it will no longer be sufficient to simply state that vendors are tiered; organizations are going to need to demonstrate how those rankings actively drive downstream controls, monitoring rigor, and governance decisions.

The guide’s emphasis on continuous monitoring is equally important. Annual questionnaires are not continuous oversight. Regulators and boards are increasingly asking how vendors are being monitored today, not how they were assessed last year. Fortress addresses this through AI-driven monitoring capabilities that provide ongoing visibility into cybersecurity posture, external threat exposure, manufacturing locations, financial health, and operational risk signals. That shift moves organizations away from one-time, point-in-time assessments and toward continuous, sustained visibility into risk.

Lifecycle governance is another area where execution determines maturity. Vendor risk can change drastically with acquisitions, data access expansion, system integrations, and cyber incidents. Fortress integrates continuous monitoring through AIM and trigger-based reassessments so that material risk events automatically initiate review workflows. This reduces reliance on manual tracking and ensures that elevated risk is addressed immediately rather than discovered months later.

NATF alignment will ultimately require evidence as part of audit preparation. Organizations must be able to show how vendors are tiered, when assessments occurred, how risks were tracked, and how vendors are monitored. Fortress generates that documentation as part of the operating model, creating defensible audit trails and reducing regulatory and reputational exposure.

At its core, the NATF Supply Chain Controls and Monitoring Guide is about resilience. It recognizes that supply chain exposure is an escalating risk and an increasingly attractive target for threat actors. Organizations that succeed in implementing this framework will not be the ones that simply update policy language. They will be the ones that embed risk-based discipline, AI-enabled monitoring, vulnerability management, and enterprise intelligence into daily operations.

The guide provides the blueprint. Execution determines whether resilience is theoretical or real.

Version 2-1