Many critical infrastructure operator organizations have turned to the NIST Cybersecurity Framework (CSF) to have a common lexicon to describe risk and activities to increase their cybersecurity protection. The NIST Framework is aimed at the operators but not really their suppliers. Best practices for handling suppliers as seen in the new ISO 20243 standard for supply chain is tied to CSF.