NIST SP 800-82 Rev. 3
Operational Technology (OT) security, evidence, and remediation
NIST Special Publication 800-82 Revision 3 (September 2023) is the US federal guide to securing Operational Technology. It covers Industrial Control Systems, SCADA, distributed control systems, programmable logic controllers, building automation, transport systems, physical access control systems, and the safety, reliability, and performance constraints that make OT cybersecurity different from IT cybersecurity. Run an 800-82 programme end to end: scope the OT environment, tier assets by impact, apply the NIST SP 800-53 Rev. 5 OT overlay, schedule safe scans where allowed, track manual and authenticated test findings, manage compensating controls, and produce assessor-ready evidence packs from one workflow.
NIST SP 800-82 Rev. 3 explained
NIST Special Publication 800-82 Revision 3 (Guide to Operational Technology (OT) Security) was published by the National Institute of Standards and Technology in September 2023. It is the US federal authoritative guide to securing Operational Technology, structured as an overlay on the NIST SP 800-53 Rev. 5 control catalogue. SP 800-82 covers Industrial Control Systems (SCADA, DCS, PLC, RTU, IED, HMI, historians, engineering workstations), building automation systems, transport systems, physical access control systems, and the wider category of cyber-physical environments where safety, reliability, and availability come ahead of confidentiality.
Revision 3 widened the scope from ICS to all OT, restructured the document as an explicit 800-53 Rev. 5 overlay, tightened alignment with NIST SP 800-37 RMF, NIST CSF 2.0, and ISA/IEC 62443, and added explicit treatment of cloud and hybrid OT, remote access, third-party support, supply chain, and the safety stop inside incident response.
For internal OT security teams, AppSec functions covering OT-adjacent software, vulnerability management programmes that span IT and OT, GRC owners reconciling cross-framework evidence, and CISOs accountable for cyber-physical risk, SP 800-82 is the US-side authoritative reference that pairs with IEC 62443 on the international side and with CISA CPGs, NIS 2, and the sector-specific OT rules (TSA, NERC CIP, EPA, FDA, IMO) above. Operators adopt it because the 800-53 overlay produces the per-control evidence the higher-level obligations all read against.
Who is in scope for SP 800-82
Scope is set by the system boundary that touches OT, not by the organisation type. A single firm can be a federal contractor running OT for a federal customer, a critical infrastructure operator, a building owner with a smart building automation system, and a manufacturer with an automated plant, with the same SP 800-82 overlay applying across the four programmes inside one organisation.
US federal agencies and federal contractors operating OT
Federal agencies, civilian and defence, and the contractors operating OT on behalf of those agencies, cite NIST SP 800-82 as the OT overlay on the NIST SP 800-53 Rev. 5 control catalogue used for the agency authorisation under the NIST SP 800-37 Risk Management Framework. The OT control overlay is mandatory rather than advisory once the system boundary touches OT.
Critical infrastructure operators in the sixteen CISA sectors
Water and wastewater, energy, transport, food and agriculture, manufacturing, chemical, commercial facilities, healthcare and public health, financial services, defense industrial base, communications, information technology, government facilities, dams, emergency services, and nuclear reactors. SP 800-82 is the most frequently cited OT cybersecurity guide in CISA Cross-Sector Cybersecurity Performance Goal and sector-specific implementations.
Building automation, transport, and physical access teams
Revision 3 extended the scope beyond ICS to all Operational Technology. Building automation system operators (HVAC, fire and life safety, lighting, access), transport operators (rail signalling, aviation ground systems, port and marine), and physical access control system owners now sit inside the same OT cybersecurity overlay as the historical SCADA, DCS, and PLC environments.
OT security teams inside manufacturing, utilities, and energy enterprises
Internal OT cybersecurity teams running plant-side or fleet-side programmes, reporting up through corporate security or directly to the operations leadership, use SP 800-82 as the common reference between the IT-side CISO, the plant operations manager, the safety function, and the regulator-facing GRC team. The shared vocabulary cuts the time spent reconciling risk language across functions.
Why OT cybersecurity is different from IT cybersecurity
SP 800-82 opens with the differences between OT and IT cybersecurity because every control decision downstream depends on them. The differences below are not soft preferences; they are the constraints the overlay is built against, and they shape the cybersecurity programme more than any single control choice.
- Safety, reliability, and availability come first, ahead of confidentiality. A safety-instrumented function (SIF) failing to a known-safe state is acceptable; a data-confidentiality compromise that breaks the safety stop is not.
- Real-time deterministic communications. OT protocols (Modbus, DNP3, IEC 60870-5-104, OPC UA, EtherNet/IP, PROFINET, BACnet) operate on tight timing budgets; scan traffic, deep packet inspection, or fail-safe authentication challenges can disrupt control loops.
- Decade-plus equipment lifecycles. PLCs, RTUs, and IEDs frequently run for 15 to 30 years and cannot be patched on an IT cadence. The supplier may have ended firmware support before the device leaves service.
- Restricted patching and restart windows. Production OT changes are gated by physical change windows, supplier qualification, and safety attestation. A monthly patch Tuesday discipline does not transfer.
- Proprietary protocols and embedded operating systems. Many devices run Windows XP, Windows CE, VxWorks, QNX, embedded Linux variants, or vendor-proprietary firmware, with limited security capability and limited supplier patch responsiveness.
- Physical and cyber-physical consequence. A successful attack on an OT environment can move a physical mass, change a chemical composition, change a power flow, or change the operational state of a vehicle. The consequence frame is materially different from a corporate IT compromise.
- Restricted active scanning. The default position in production OT is that active scanning is prohibited or constrained. Passive monitoring, manual inspection, and constrained testing against engineering copies and the IT-OT bridge replace the typical IT scan cadence.
What changed in Revision 3
Revision 3 (September 2023) is a substantial update to SP 800-82. The changes below are the ones that most often affect a programme already operating against Revision 2 or against the Revision 2 OT overlay. Programmes adopting SP 800-82 for the first time read against Revision 3 directly.
- Scope widened from Industrial Control Systems to all Operational Technology. Building automation, physical access control, transport, and other cyber-physical environments are now in scope under a single OT cybersecurity overlay.
- Restructured to read as a NIST SP 800-53 Rev. 5 overlay. Each 800-53 control family carries OT-specific guidance, supplemental controls, and tailoring rationale, so the 800-53 control implementation evidence carries straight into the 800-82 evidence pack.
- Tightened alignment with NIST SP 800-37 Risk Management Framework, NIST CSF 2.0, NIST SP 800-30 risk assessment guidance, and ISA/IEC 62443. The cross-references are explicit per topic so the cross-walk between the four frameworks is published rather than improvised.
- New OT-specific guidance on cloud and hybrid OT environments, remote access, third-party support, supply chain, and the engineering workstation and historian boundary.
- Expanded incident response coverage with explicit treatment of the safety stop, the move to a known-safe operating mode, and the integration with the safety lifecycle (where IEC 61511 or equivalent applies).
- Stronger coverage of vulnerability disclosure, CISA ICS-CERT advisories, the CISA Known Exploited Vulnerabilities catalog, and the OT-side patch management discipline that pairs supplier advisories with compensating controls during the gap.
The NIST SP 800-53 Rev. 5 OT overlay by control family
SP 800-82 Rev. 3 reads against the SP 800-53 Rev. 5 control catalogue family by family. The groupings below cover the most operationally consequential families and the OT-specific refinements the overlay introduces. The published guide carries the full per-control treatment; the summary below is the operating shape of the overlay rather than the per-control text.
AC (Access Control), IA (Identification and Authentication)
OT overlay refinements cover least privilege on the engineering workstation, separation of operator and engineering roles, restrictions on remote access, supplier and contractor access, the maintenance laptop discipline, and authenticator rotation against devices that cannot support modern protocols. Capture per-control evidence on the engagement record so the compensating-control rationale (smart-card workaround, USB-disabled HMI, jump-server only) reads against the named OT-specific guidance.
AU (Audit and Accountability), SI (System and Information Integrity)
Logging in OT is shaped by the device. Historians, engineering workstations, jump servers, and OT network sensors carry the audit evidence the OT overlay reads against; PLCs and IEDs frequently emit constrained logs that need to be aggregated upstream. Tie scanner output (where authenticated scans are permitted on IT-side or DMZ assets) and finding evidence to the affected AU and SI control with the operating cadence the overlay expects.
CA (Assessment, Authorisation, and Monitoring), CM (Configuration Management)
OT configuration management reads against the baseline build per device class, the change-window discipline, the supplier-qualified change procedure, and the post-change verification step. CA assessments in OT often substitute passive monitoring and engineering-environment testing for the active scans typical of IT, so the assessment plan, the named substitutions, and the residual coverage all read against the per-control evidence record.
CP (Contingency Planning), IR (Incident Response)
OT contingency planning includes the safety stop, the manual operating fall-back, the alternate processing site for the SCADA and historian layer, and the recovery procedure with safety checks. IR includes the OT-specific response playbook, the named operator with safety authority, the regulator-notification timeline, and the coordination with the supplier and the sector ISAC. The evidence pack covers the plan, the exercises, the incident records, and the post-incident review.
MA (Maintenance), MP (Media Protection), PE (Physical and Environmental Protection)
Maintenance discipline covers the contractor laptop, the supplier remote support session, the spare-parts handling, and the firmware-update lifecycle. Media protection covers removable media on engineering workstations and the trusted-media procedure. Physical and environmental protection covers the plant access control, the cabinet locks, the cable trays, the environmental sensors, and the physical penetration scenarios the OT overlay specifically calls out.
RA (Risk Assessment), SA (System and Services Acquisition), SC (System and Communications Protection)
OT risk assessment reads cybersecurity threat together with safety classification and consequence-of-loss. SA covers the supplier security expectations, the secure-development evidence the OEM is expected to ship (which dovetails with IEC 62443-4-1), and the procurement gating. SC covers the network segmentation, the IT-OT bridge, the protocol gateway, the cryptography on constrained devices, and the unidirectional data diode pattern where it applies.
PS (Personnel Security), PM (Programme Management), PT (PII Processing and Transparency), SR (Supply Chain Risk Management)
PS covers the OT personnel screening, supplier and contractor vetting, and the role-based authorisation lifecycle. PM covers the OT cybersecurity programme leadership and the integration with the corporate cybersecurity programme. SR is heavily exercised by the OT supplier ecosystem: the OEM patch cadence, the firmware authenticity, the third-party software supply chain, and the dependency on a small number of suppliers per device class.
Where active scanning is permitted, constrained, or prohibited
The single most consequential operational decision in an OT cybersecurity programme is the per-asset-class scan-scope decision. The list below is the practical mapping that most programmes converge on; the engagement record carries the per-target decision, the named approver, the supplier attestation where applicable, and the safety-side review on the scope of each scan window.
- Production PLCs, RTUs, IEDs, and historians: active scanning constrained or prohibited by default. Document the prohibition, the named approver of any exception, the supplier attestation of compatibility, and the safety-side review on the engagement record.
- Engineering workstations and HMIs: typically Windows-based, IT-managed in modern programmes. Authenticated scans frequently in scope where the OT change-management process permits and the change window aligns with the scan window.
- Historians and reporting servers (data side): often IT-managed and IT-segmented. Authenticated scans in scope on a defined cadence; output feeds the OT vulnerability management cadence.
- IT-OT bridge, DMZ, jump servers, and protocol gateways: high-value test surface. Authenticated and unauthenticated scans in scope; pentest activity at the bridge surface is the most frequent OT-adjacent assessment.
- Remote-access portals, vendor maintenance entry points, and supplier-managed connections: in scope for credential review, MFA enforcement, session recording verification, and authenticated scans against the access layer.
- Corporate IT segment that connects to OT (factory IT, plant business systems, plant SCADA reporting): in scope under the IT overlay with the OT-side dependency mapped on the engagement record so the consequence-of-loss read is visible.
- Engineering copies, staging environments, and supplier digital twins: high-value test surface where active scanning, exploitation testing, and disruptive techniques can be applied without production safety impact. Document the parity with production on the engagement record.
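The per-asset-class scan-scope decision above is the kind of rule that should be enforced by code before a scanner is pointed at anything, not reconstructed afterwards. The following is an added example written for this page; it is not SecPortal's code and not text from SP 800-82. It encodes the default positions listed above as a ceiling per asset class, requires the three pieces of exception evidence (named approver, supplier attestation, safety-side review) for any request above that ceiling, and gates window-dependent classes on an open change window. The asset-class names, the `WINDOW_GATED` set, and the evidence values are assumptions for illustration; a real engagement record would carry the operator's own classes and approvers.

```python
"""Scan-scope gate for OT asset classes (added example, not SecPortal's code)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class ScanMode(IntEnum):
    """Ordered least to most intrusive, so `a > b` means 'more intrusive than'."""
    PASSIVE = 0        # passive monitoring only; nothing is sent to the asset
    CONSTRAINED = 1    # narrowly scoped active checks inside an approved window
    AUTHENTICATED = 2  # credentialed vulnerability scan
    FULL = 3           # authenticated + unauthenticated scans and exploit testing


# Default ceiling per asset class. Assumption: mirrors the list above; any class
# not listed falls back to PASSIVE, the safe default for unknown OT equipment.
DEFAULT_CEILING = {
    "plc": ScanMode.PASSIVE,
    "rtu": ScanMode.PASSIVE,
    "ied": ScanMode.PASSIVE,
    "control_historian": ScanMode.PASSIVE,
    "engineering_workstation": ScanMode.AUTHENTICATED,
    "hmi": ScanMode.AUTHENTICATED,
    "reporting_historian": ScanMode.AUTHENTICATED,
    "remote_access_portal": ScanMode.AUTHENTICATED,
    "jump_server": ScanMode.FULL,
    "protocol_gateway": ScanMode.FULL,
    "dmz_host": ScanMode.FULL,
    "engineering_copy": ScanMode.FULL,
}

# Classes whose active scans must line up with an OT change window (assumption).
WINDOW_GATED = {"engineering_workstation", "hmi", "reporting_historian"}


@dataclass
class Asset:
    name: str
    asset_class: str
    in_change_window: bool = False
    # Exception evidence from the engagement record; None means not recorded.
    approver: Optional[str] = None
    supplier_attestation: Optional[str] = None
    safety_review: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def decide_scan(asset: Asset, requested: ScanMode) -> Decision:
    """Return whether `requested` may run against `asset`, with every blocking reason."""
    reasons = []
    ceiling = DEFAULT_CEILING.get(asset.asset_class, ScanMode.PASSIVE)

    if requested == ScanMode.PASSIVE:
        return Decision(True, reasons)  # passive monitoring never needs an exception

    if requested > ceiling:
        # Escalating above the default needs the full exception evidence set.
        missing = [
            label for label, value in (
                ("named approver", asset.approver),
                ("supplier attestation", asset.supplier_attestation),
                ("safety-side review", asset.safety_review),
            ) if not value
        ]
        if missing:
            reasons.append(
                f"{requested.name.lower()} exceeds default '{ceiling.name.lower()}' "
                f"for {asset.asset_class}; exception evidence missing: {', '.join(missing)}"
            )

    if asset.asset_class in WINDOW_GATED and not asset.in_change_window:
        reasons.append("active scan outside the OT change window")

    return Decision(not reasons, reasons)


if __name__ == "__main__":
    # Constructed inventory for illustration.
    inventory = [
        (Asset("plc-line3", "plc"), ScanMode.AUTHENTICATED),
        (Asset("ews-01", "engineering_workstation", in_change_window=True), ScanMode.AUTHENTICATED),
        (Asset("jump-01", "jump_server"), ScanMode.FULL),
        (Asset("plc-line4", "plc", approver="ot-manager",
               supplier_attestation="OEM-ATT-PLACEHOLDER",
               safety_review="SR-PLACEHOLDER"), ScanMode.CONSTRAINED),
    ]
    for asset, mode in inventory:
        d = decide_scan(asset, mode)
        print(f"{asset.name:12} {mode.name:14} {'ALLOW' if d.allowed else 'DENY'} {'; '.join(d.reasons)}")
```

Two design points matter here: the denial carries every reason at once, so the engagement record shows exactly which evidence is still missing rather than failing one item at a time, and an unknown asset class silently inherits the passive-only ceiling instead of an IT default.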
Vulnerability handling against decade-plus device lifecycles
OT vulnerability handling has to absorb the gap between an immediate CVE disclosure and the practical patch cadence on the affected device. The mechanics below are the ones SP 800-82 explicitly references and the ones a programme has to operate against to produce the audit read of vulnerability handling the framework expects.
- CISA ICS-CERT advisories: the public OT vulnerability disclosure feed for ICS, OT, and medical device vendors. Each advisory carries the affected product, the CVE entries, the supplier mitigation guidance, and the disclosure timeline. Track each applicable advisory against the affected OT asset, the named owner, the mitigation status, the supplier-supplied verification step, and the closure evidence.
- CISA Known Exploited Vulnerabilities (KEV) catalog: the moving public list of CVEs with confirmed in-the-wild exploitation, including ICS and OT entries. The 800-82 vulnerability management discipline pairs the KEV signal with the OT change-window constraint, with the compensating control during the gap captured on the override register.
- Supplier security advisories from OEM PSIRTs: vendor-issued advisories from the OEM PSIRT (product security incident response team) carry the patch availability date, the applicability per firmware version, the prerequisite, and the regression risk. Track the advisory in the same finding queue as the scanner output and the manual test result.
- Manual test findings from OT-aware penetration tests: findings from the IT-OT bridge, the DMZ, the engineering workstation, and the remote-access portal carry CVSS 3.1 scoring, named owner, and remediation evidence in the same workflow as the scanner output.
- Supplier coordination on long-lifecycle patches: where the OEM cannot deliver a patch on a usable timeline, document the supplier acknowledgement, the compensating control during the gap, the change window for the eventual patch, and the post-patch verification step. The override register carries the named approver and the hard expiry, so the gap does not become silent residual risk.
- Continuous monitoring on permitted asset classes: external scanning, authenticated DAST on the engineering workstation and historian layer, and configuration drift detection on a daily, weekly, biweekly, or monthly cadence aligned with the OT change-window discipline. The cadence is the audit-read evidence; the scan history is the proof.
Evidence the assessor expects
SP 800-82 programmes pass review when the evidence pack is built as a side effect of the operating work rather than reconstructed under audit pressure. The artefacts below are the minimum set the assessor reads against, and the same pack feeds an internal review, a NIST SP 800-82 self-assessment, an IEC 62443 assessment, a NIS 2 supervisory review, and a sector-regulator inspection.
- OT asset inventory with asset class, supplier, firmware version, safety classification, consequence-of-loss rating, named owner, and physical site
- Network architecture diagram with the IT-OT bridge, the DMZ, the OT zone boundaries, the protocol gateways, the remote-access portals, the data diodes (where used), and the data flows annotated per direction
- Per-control implementation evidence aligned to the 800-53 Rev. 5 control identifier and the 800-82 OT overlay refinement, with the supporting artefact pointer (configuration, scan output, screenshot, contract clause, attestation)
- OT risk assessment record with the cybersecurity threat, the safety classification, the consequence-of-loss rating, the existing controls, the residual risk, and the named risk owner per assessed scenario
- Vulnerability and finding tracker with scanner output, CISA ICS-CERT entries, OEM PSIRT advisories, manual test findings, KEV catalog entries, and the closure evidence per finding
- Compensating control register with the named approver, the scope, the rationale, the hard expiry, the compensating control description, and the refresh trigger per override
- Incident response artefacts including the OT-specific response plan, the named operator with safety authority, the tabletop exercise records, the live incident records (where any), and the post-incident review
- Recovery and safety records including the backup and restore test results, the manual operating fall-back evidence, the safety-stop drill record, and the integration with the corporate business continuity plan
- Supplier coordination log with the OEM PSIRT correspondence, the advisory tracking, the patch availability dates, the qualification evidence, and the contractor and maintenance entry records
Failure modes the overlay is designed to surface
SP 800-82 is forgiving on the choice of tooling and on the per-control implementation approach. It is unforgiving about the patterns below, which recur across OT cybersecurity adoptions and are the ones that cost both operational time and regulator credibility.
- Assuming the IT scan cadence applies to OT without supplier attestation. Active scans against unattested PLCs, RTUs, and IEDs have caused production stops and equipment damage. The default position is prohibited; the exception is documented, approved, and supplier-attested.
- Treating the safety stop as out of scope for cybersecurity. The OT incident response plan must name the safety stop, the safety-authority operator, and the criteria. Programmes that defer this to the safety lifecycle alone find under regulatory review that the cybersecurity response artefacts do not name the safety interaction.
- Operating a parallel OT risk register that drifts from the live state. The IT risk register and the OT risk register must reconcile because the consequence chains cross the IT-OT bridge. Treating them as separate documents produces inconsistent residual-risk reads that audit and regulator reviews both flag.
- Letting OEM advisories accumulate without a tracker. PSIRT advisories pile up faster than long-lifecycle OT can absorb them. Without a tracker that holds each advisory, the named owner, the compensating control during the gap, and the eventual closure evidence, the programme cannot show the audit read of vulnerability handling that 800-82 expects.
- Confusing 800-82 with IEC 62443. The two are complementary, not interchangeable. SP 800-82 is the US federal OT cybersecurity guide structured as an 800-53 overlay; IEC 62443 is the international ISA/IEC standard family covering asset owners, integrators, and product suppliers. Programmes operating in both regimes carry one evidence pack that reads against both, not two parallel packs.
- Treating remote support as outside the cybersecurity envelope. Vendor maintenance, OEM remote diagnostics, and contractor laptop access are the most common attack paths into OT and the most consistently weak evidence area. The remote-access portal, the session recording, the credential discipline, and the supplier attestation all sit on the engagement record.
How SP 800-82 relates to adjacent frameworks
SP 800-82 sits in a busy frameworks neighbourhood: 800-53 underneath, CSF 2.0 above, RMF as the lifecycle, IEC 62443 alongside, and the sector-specific OT rules on top. The relationships below are the ones programmes encounter most often, and they matter because operators that try to operate each framework in isolation rebuild the same evidence multiple times.
NIST SP 800-82 vs IEC 62443
NIST SP 800-82 is the US federal OT cybersecurity guide structured as an overlay on NIST SP 800-53 Rev. 5. IEC 62443 is the international ISA/IEC standard family covering the asset owner (62443-2-1), the system integrator (62443-2-4), the product supplier secure development lifecycle (62443-4-1), and the component technical requirements (62443-4-2). The two are complementary: programmes operating in both regimes carry one evidence pack that reads against the 800-53 control overlay (800-82 side) and against the zones and conduits, security levels, and foundational requirements (IEC 62443 side).
NIST SP 800-82 vs NIST SP 800-53 Rev. 5
SP 800-82 Rev. 3 is built as an overlay on SP 800-53 Rev. 5. For each 800-53 control, the OT overlay adds OT-specific guidance, supplemental controls, and tailoring rationale. Programmes already implementing 800-53 Rev. 5 (for federal authorisation under SP 800-37 RMF or for the wider control catalogue) inherit most of the structure; the OT overlay is the per-control refinement that captures what changes when the control lands in an OT environment.
NIST SP 800-82 vs NIST CSF 2.0
NIST CSF 2.0 is the outcome-based cybersecurity framework organised under six functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER). SP 800-82 is the OT control-level guidance that implements the CSF outcomes in an OT environment. Programmes adopt CSF 2.0 as the programme framework and SP 800-82 as the OT-side implementation guidance, with the same evidence pack reading against both layers.
NIST SP 800-82 vs NIS 2 and CISA CPGs
NIS 2 is the EU directive that obliges essential and important entities to implement cybersecurity risk management measures, with sector-specific implementing acts. The CISA Cybersecurity Performance Goals are the US voluntary, prioritised baseline. Both reference OT cybersecurity outcomes that SP 800-82 implements at the control level. Operators running NIS 2 or CPG programmes use SP 800-82 as the OT-side control reference that produces the per-control evidence the higher-level obligation reads against.
NIST SP 800-82 vs the sector-specific OT cybersecurity rules
TSA security directives for pipelines and rail, NERC CIP for the bulk electric system, the EPA cybersecurity expectations for water utilities, the FDA premarket cybersecurity guidance for medical devices, and the IMO 2021 maritime cybersecurity expectations all sit on top of an OT cybersecurity baseline that SP 800-82 cleanly implements. Programmes adopting any of these as primary use SP 800-82 as the operating-control reference underneath the sector mandate.
Where SecPortal fits in an SP 800-82 programme
SecPortal is the operating layer for the 800-82 cycle, not a replacement for the NIST publication, the supplier coordination, or the OT engineering practice. The platform handles the cybersecurity-side workstreams (engagement structure, finding intake, severity scoring, override and compensating-control register, retest evidence, leadership reporting), so the inputs the 800-53 overlay families expect are produced as structured records rather than reconstructed at audit time. Compliance tracking covers SP 800-82 alongside the other frameworks the same operator has to satisfy, including NIST SP 800-53, NIST CSF 2.0, IEC 62443, NIS 2, CISA CPGs, and MITRE ATT&CK (including ATT&CK for ICS).
- Engagement management dedicated to the 800-82 OT cycle, with workstreams per 800-53 control family carrying the OT overlay refinement, the implementation evidence, the compensating control, and the residual risk per control identifier
- Findings management with CVSS 3.1 scoring, CWE tags, structured fields, and named owner, so scanner output, CISA ICS-CERT advisories, OEM PSIRT advisories, KEV catalog entries, and manual test findings feed one queue rather than several parallel trackers
- External scanning and authenticated scanning on a continuous monitoring schedule (daily, weekly, biweekly, monthly) against the IT-OT bridge, the DMZ, the engineering workstations, the historians, and the remote-access portals where the OT change-window discipline and the supplier attestation permit
- Code scanning (SAST and dependency analysis) on the OT-adjacent software (engineering workstation tooling, historian add-ons, custom HMI applications), so the first-party software findings feed the OT overlay evidence pack rather than a separate IT-side queue
- Continuous monitoring schedules that match the OT change-window cadence rather than the IT default, so the evidence cadence reads against the operational reality and not against a generic scan schedule the operations team cannot honour
- Encrypted credential storage (AES-256-GCM, scoped to verified domain) for the authenticated scan credentials, supporting the access control discipline the AC and IA control families read against, and the supplier-side requirements where SecPortal is itself the supplier
- MFA enforcement and team management with role-based access on owner, admin, member, viewer, and billing roles, so the access-decision evidence reads into the activity log against the AC and AU control families
- Compliance tracking that reads the same evidence pack across NIST SP 800-82, NIST SP 800-53, NIST CSF 2.0, NIST SP 800-37 RMF, IEC 62443, NIS 2, and the CISA Cross-Sector CPGs, so the cross-framework footprint stays consistent rather than reconciled per audit
- Activity log with CSV export that captures every state change to a finding, an engagement, a credential, or a configuration record, so the auditor can reconstruct the operating cadence and the response chain without a multi-team excavation
- Document management with versioning for the SSP, the OT inventory, the network architecture diagram, the risk assessment, the incident response plan, the exercise records, and the supplier correspondence, so the artefact pack is reproducible at any point against the named version
- AI report generation that turns the operating record into a board-ready OT cybersecurity progress summary, a sector-regulator-ready report, and a cross-functional communication artefact without rewriting the underlying record
- Finding overrides with the eight-field exception decision chain (named approver, scope, rationale, hard expiry, compensating control, refresh trigger, effective period, framework reference), supporting the OT-specific compensating-control discipline where the OEM cannot deliver a patch on a usable timeline
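Both the compensating-control guidance in the vulnerability handling section (supplier acknowledgement, named approver, hard expiry, so the gap does not become silent residual risk) and the eight-field exception decision chain just listed come down to one check: is every override complete, and is any of them past or near its expiry? The following added example, written for this page and not SecPortal's code, reviews a constructed override register against a fixed review date. The eight field names follow the list above; the 30-day refresh warning and the 365-day maximum effective period are assumptions chosen to line up with an annual review cycle, and every finding id, approver and date in the sample register is constructed.

```python
"""Override register review (added example, not SecPortal's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The eight fields of the exception decision chain.
REQUIRED_FIELDS = (
    "approver", "scope", "rationale", "hard_expiry",
    "compensating_control", "refresh_trigger", "effective_from", "framework_reference",
)

# Fixed review date so the sample output is reproducible (constructed).
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class Override:
    finding_id: str
    approver: Optional[str] = None
    scope: Optional[str] = None
    rationale: Optional[str] = None
    hard_expiry: Optional[date] = None
    compensating_control: Optional[str] = None
    refresh_trigger: Optional[str] = None
    effective_from: Optional[date] = None
    framework_reference: Optional[str] = None


def review_override(o: Override, today: date, warn_days: int = 30,
                    max_tenor_days: int = 365) -> list:
    """Return the list of problems with one override; empty means it is in order."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if getattr(o, f) in (None, "")]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    if o.hard_expiry is not None:
        if o.effective_from is not None and o.effective_from > o.hard_expiry:
            problems.append("effective_from is after hard_expiry")
        days_left = (o.hard_expiry - today).days
        if days_left < 0:
            # An expired override is unapproved residual risk, not a stale record.
            problems.append(f"expired {-days_left} days ago: residual risk is now unapproved")
        elif days_left <= warn_days:
            problems.append(f"expires in {days_left} days: refresh trigger due")
        if o.effective_from is not None and (o.hard_expiry - o.effective_from).days > max_tenor_days:
            problems.append(f"effective period exceeds {max_tenor_days} days: split across review cycles")
    return problems


def review_register(register, today: date, **kwargs) -> dict:
    """Map finding id -> problems for every override in the register."""
    return {o.finding_id: review_override(o, today, **kwargs) for o in register}


# Constructed sample register; ids, names and dates are placeholders.
SAMPLE_REGISTER = [
    Override("OVR-1", approver="ot-manager", scope="PLC firmware on line 3",
             rationale="OEM patch awaiting qualification",
             hard_expiry=date(2024, 9, 1), compensating_control="write-protect key + segmented VLAN",
             refresh_trigger="OEM qualification sign-off", effective_from=date(2024, 3, 1),
             framework_reference="SP 800-53 SI-2 (800-82 OT overlay)"),
    Override("OVR-2", scope="Historian add-on", rationale="vendor end-of-support",
             hard_expiry=date(2024, 5, 15), refresh_trigger="replacement project go-live",
             effective_from=date(2024, 1, 15), framework_reference="SP 800-53 SA-22"),
    Override("OVR-3", approver="plant-ciso", scope="Remote support portal",
             rationale="MFA rollout in progress", hard_expiry=date(2024, 6, 20),
             compensating_control="session recording + jump server only",
             refresh_trigger="MFA enforcement complete", effective_from=date(2024, 1, 1),
             framework_reference="SP 800-53 IA-2"),
    Override("OVR-4", approver="ot-manager", scope="RTU fleet", rationale="15-year lifecycle",
             hard_expiry=date(2024, 12, 31), compensating_control="data diode to corporate",
             refresh_trigger="annual review", effective_from=date(2023, 1, 15),
             framework_reference="SP 800-53 SC-7"),
]


if __name__ == "__main__":
    for finding_id, problems in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(finding_id, "OK" if not problems else "; ".join(problems))
```

Run on the review date, OVR-1 is clean, OVR-2 is both incomplete and expired, OVR-3 is inside the refresh window, and OVR-4 has an effective period longer than one review cycle. Scheduling this review on the same cadence as the scans is what keeps a gap from becoming the silent residual risk the text warns about.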
The IDENTIFY-side of the overlay reads against operational workflows that already exist as named use cases. The vulnerability prioritisation workflow translates the CISA KEV signal, the OEM PSIRT advisory, and the CVSS-plus-EPSS severity into the per-finding queue the OT vulnerability cadence reads against. The vulnerability SLA management workflow carries the timeline discipline against the change-window constraint, with the compensating-control register holding the named-approver record while the patch is scheduled. The scanner result triage workflow is the place where the IT-OT bridge, the engineering workstation, and the historian scan output becomes structured findings rather than CSV exports, and the asset criticality scoring workflow carries the asset-tier discipline the OT consequence-of-loss read expects. The vulnerability acceptance and exception management workflow carries the override register that holds the named approver, the scope, the compensating control, and the hard expiry when the OEM cannot deliver a patch on the change-window cadence.
For internal OT security teams running the 800-82 baseline, the internal security teams workspace bundles the platform with the engagement structure the audit cadence reads against. For manufacturing operators carrying the asset-owner side of an OT cybersecurity programme, the manufacturing security teams workspace covers the plant-side OT evidence, the change-window discipline, and the supplier coordination log. For vulnerability management functions feeding the OT overlay, the vulnerability management teams workspace covers the lifecycle work that turns CISA ICS-CERT advisories, OEM PSIRT entries, scanner output, and manual findings into one queue. For CISOs accountable for cyber-physical risk, the CISOs and security leaders workspace covers the leadership reporting model that sits on top of the OT operating record.
For deeper reading on the disciplines this framework reads against, the CISA KEV catalog guide covers the operational discipline the OT vulnerability handling pairs with against the moving public KEV list, including the ICS and OT entries. The vulnerability management program guide covers the IDENTIFY-and-PROTECT operating cycle the 800-82 overlay reads against on the IT-side and the OT-adjacent surface. The vulnerability remediation SLA policy guide covers the SLA structure that has to absorb the OT change-window constraint without silently widening into the long tail. For analytical context on how compensating-control overrides age between cycles, the aged compensating control half-life research covers the patterns that erode override discipline between annual reviews, which is exactly where long-lifecycle OT environments are most exposed.
Key control areas
SecPortal helps you track and manage compliance across these domains.
Scope: what counts as OT under SP 800-82 Rev. 3
Revision 3 widened the scope beyond Industrial Control Systems to all Operational Technology. The guide explicitly covers ICS (SCADA, DCS, PLC, RTU, IED, HMI, historians, engineering workstations), building automation systems, physical access control systems, transport systems, and other cyber-physical environments where availability, reliability, and human safety matter more than data confidentiality. Document the OT inventory, the asset class per system, the safety classification, and the physical site so the scope decisions and the compensating-control rationale sit on the engagement record from day one.
Why OT cybersecurity is different from IT cybersecurity
SP 800-82 names the differences that drive every control decision: real-time operating constraints, decade-plus equipment lifecycles, deterministic communications, safety and reliability priority over confidentiality, restricted ability to patch or restart, proprietary protocols (Modbus, DNP3, IEC 60870-5-104, OPC UA, EtherNet/IP, PROFINET), and the consequence of a control loop failing to a known-unsafe state. Active scanning, credentialed (authenticated) scanning, and disruptive testing are constrained or prohibited in production. The platform should reflect those constraints rather than assume an IT scan cadence is viable.
The 800-53 Rev. 5 OT overlay and the seven OT-specific guidance themes
SP 800-82 Rev. 3 is built as an overlay on the NIST SP 800-53 Rev. 5 control catalogue. For each 800-53 control family (AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, RA, SA, SC, SI, SR), the guide adds OT-specific guidance, supplemental controls, and tailoring rationale. Capture the 800-53 control identifier, the OT overlay refinement, the implementation evidence, the compensating control where the named control is constrained, and the residual risk on a per-control record so the cross-reference between the IT and OT control packs stays explicit.
OT risk management with safety and reliability as first-class outcomes
The OT risk management process in SP 800-82 Rev. 3 extends the NIST SP 800-37 Risk Management Framework with safety, reliability, and physical-consequence considerations. The risk assessment reads the cybersecurity threat together with the safety classification (SIL where IEC 61511 applies, or equivalent), the operational impact, and the recovery posture if the control loop is lost. Track the cybersecurity risk, the safety read, the consequence-of-loss rating, and the compensating control on the engagement record so the risk decisions remain reproducible across cycles and across audit reviews.
Safe scanning, passive monitoring, and constrained active testing
Active scanning of PLCs, RTUs, IEDs, and historians in production is constrained or prohibited because the device cannot tolerate the scan traffic. The practical test surface is the IT-OT bridge, the DMZ, the engineering workstations, the remote-access portals, the vendor jump servers, the corporate-IT segment that touches OT, and the development and staging copies of the OT environment. Authenticated scans against IT-side systems where the supplier has attested compatibility are in scope; the engagement record carries the scope decision, the operating window, the named approver, and the safety attestation per scan.
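A pre-scan authorization gate that enforces the constraints above, as an added example (not SecPortal's own code): production PLCs, RTUs, IEDs and historians are refused outright, and everything else needs supplier attestation, an open operating window, a named approver and a safety attestation before a scan is scheduled. The asset classes, field names, maintenance window and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Asset classes that SP 800-82 says cannot tolerate active scan traffic in production.
NO_ACTIVE_SCAN = {"plc", "rtu", "ied", "historian"}
# The production test surface named above: IT-OT bridge, DMZ, EWS, remote access, jump servers, IT segment.
TEST_SURFACE = {"it_ot_bridge", "dmz", "engineering_workstation", "remote_access_portal", "vendor_jump_server", "corporate_it"}

@dataclass
class ScanRequest:
    asset_id: str
    asset_class: str
    environment: str                   # "production", or "staging" for a copy of the OT environment
    supplier_attested: bool            # supplier attested scan compatibility for this asset
    window_start: datetime             # approved operating window
    window_end: datetime
    approver: Optional[str]            # named approver
    safety_attestation: Optional[str]  # reference to the safety attestation document

def authorize_scan(req: ScanRequest, now: datetime):
    """Return (allowed, reasons); reasons are kept so a refusal lands on the engagement record."""
    reasons = []
    if req.environment == "production" and req.asset_class in NO_ACTIVE_SCAN:
        reasons.append(f"{req.asset_class} in production: active scanning prohibited")
    elif req.environment == "production" and req.asset_class not in TEST_SURFACE:
        reasons.append(f"asset class {req.asset_class!r} is outside the defined test surface")
    if not req.supplier_attested:
        reasons.append("no supplier compatibility attestation")
    if not (req.window_start <= now < req.window_end):
        reasons.append("outside the approved operating window")
    if not req.approver:
        reasons.append("no named approver")
    if not req.safety_attestation:
        reasons.append("no safety attestation on record")
    return not reasons, reasons

# Constructed sample requests; 02:00-04:00 UTC is a hypothetical maintenance window.
SAMPLE_NOW = datetime(2024, 3, 10, 3, 0, tzinfo=timezone.utc)
W0, W1 = SAMPLE_NOW.replace(hour=2), SAMPLE_NOW.replace(hour=4)
SAMPLES = [
    ScanRequest("PLC-07", "plc", "production", True, W0, W1, "j.doe", "SA-2024-03"),
    ScanRequest("EWS-02", "engineering_workstation", "production", True, W0, W1, "j.doe", "SA-2024-03"),
    ScanRequest("JUMP-1", "vendor_jump_server", "production", False, W0, W1, None, "SA-2024-03"),
    ScanRequest("PLC-07-STG", "plc", "staging", True, W0, W1, "j.doe", "SA-2024-03"),
]

def evaluate_samples():
    """Map each sample asset id to (allowed, reasons)."""
    return {r.asset_id: authorize_scan(r, SAMPLE_NOW) for r in SAMPLES}
```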
Vulnerability and patch management against decade-plus lifecycles
OT equipment often runs for 15 to 30 years and frequently cannot be patched on an IT cadence. SP 800-82 reads against the documented vulnerability handling process: the discovery source (scanner, supplier advisory, CISA ICS-CERT, ISAC), the patch availability date, the change window, the compensating control during the gap, the supplier-supplied verification step, and the closure evidence. Tie scanner output (where authenticated scans are permitted in IT-side or DMZ assets), supplier advisories, ICS-CERT entries, and CISA Known Exploited Vulnerabilities catalog entries to the affected control and to the time-to-remediate evidence per finding.
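A finding record that carries the fields listed above and derives the time-to-remediate and the evidence gaps an assessor would ask about, as an added example (not SecPortal's own code). It classifies an open finding as awaiting a vendor fix, awaiting a change window, or patchable now, and flags a gap with no compensating control or one whose review has aged past an assumed annual interval; the field names, review interval and sample findings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DISCOVERY_SOURCES = {"scanner", "supplier_advisory", "cisa_ics_cert", "isac", "cisa_kev"}
COMP_CONTROL_REVIEW = timedelta(days=365)  # assumed annual review interval for compensating controls
@dataclass
class OTFinding:
    finding_id: str
    source: str                          # discovery source
    discovered: date
    patch_available: Optional[date]      # None while the OEM has no fix
    change_window: Optional[date]        # next approved change window for the asset
    comp_control: Optional[str]          # compensating control covering the gap
    comp_control_reviewed: Optional[date]
    supplier_verified: bool              # supplier-supplied verification step done
    closed: Optional[date]               # closure evidence date

def assess(f: OTFinding, today: date) -> dict:
    """Classify one finding and list the evidence gaps an assessor would ask about."""
    if f.source not in DISCOVERY_SOURCES:
        raise ValueError(f"unknown discovery source {f.source!r}")
    gaps = []
    if f.closed:
        state, days = "closed", (f.closed - f.discovered).days   # time-to-remediate
        if not f.supplier_verified:
            gaps.append("closed without the supplier verification step")
    else:
        days = (today - f.discovered).days                       # open age
        if f.patch_available is None:
            state = "awaiting_vendor_fix"
        elif f.change_window and f.change_window > today:
            state = "awaiting_change_window"
        else:
            state = "patchable_now"
        if not f.comp_control:
            gaps.append("no compensating control during the gap")
        elif f.comp_control_reviewed is None or today - f.comp_control_reviewed > COMP_CONTROL_REVIEW:
            gaps.append("compensating control not reviewed within the interval")
    return {"id": f.finding_id, "state": state, "days": days, "gaps": gaps}

TODAY = date(2024, 6, 1)  # constructed
SAMPLES = [  # constructed findings
    OTFinding("F-1", "cisa_ics_cert", date(2024, 1, 15), None, None, "FW-12 deny-all", date(2024, 2, 1), False, None),
    OTFinding("F-2", "scanner", date(2024, 3, 1), date(2024, 3, 20), date(2024, 9, 15), None, None, False, None),
    OTFinding("F-3", "supplier_advisory", date(2023, 11, 1), date(2023, 12, 1), date(2024, 4, 1), "ACL-7", date(2023, 11, 5), True, date(2024, 4, 2)),
    OTFinding("F-4", "cisa_kev", date(2022, 5, 1), date(2022, 6, 1), date(2022, 8, 1), "ACL-3", date(2023, 4, 1), False, None),
]
def assess_samples():
    return {r["id"]: r for r in (assess(f, TODAY) for f in SAMPLES)}
```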
Incident response, recovery, and the safety stop
OT incident response includes a step IT response rarely has: the safety stop, the move to a known-safe operating mode, and the manual operating fall-back. SP 800-82 reads against the documented OT-specific incident response plan, the named operator with safety authority, the criteria for stopping operations, the manual fall-back procedures, the recovery procedure with safety checks, and the post-incident review that feeds the next cycle. The platform carries the engagement record, the activity log, and the document-management trail the regulator and the internal safety review both read.
OT cybersecurity programme structure and the evidence pack
A mature 800-82 programme reads as a multi-cycle cybersecurity management system rather than a one-off assessment. Carry the OT inventory, the network architecture and zone diagrams, the IT-OT data flow map, the per-control implementation evidence, the scan and assessment results, the compensating control register, the supplier coordination log, the incident response artefacts, and the recovery and safety records on one operating record. The same artefact pack feeds an internal review, a NIST SP 800-82 self-assessment, an IEC 62443 assessment, a NIS 2 supervisory review, and a sector regulator inspection without rebuilding.
Related features
Compliance tracking without a full GRC platform
Vulnerability management software that tracks every finding
Orchestrate every security engagement from start to finish
AI-powered reports in seconds, not days
Test web apps behind the login
Vulnerability scanning tools that map your attack surface
Monitor continuously, catch regressions early
Document management for every security engagement
Every action recorded across the workspace
Finding overrides that survive every scan cycle
Encrypted credential storage for authenticated scans
Verify fixes and track reopens on the same finding record
Bulk finding import: bring your scanner data with you
Run a defensible NIST SP 800-82 programme on one operating record
Scope OT assets, apply the NIST SP 800-53 Rev. 5 OT overlay, schedule safe scans where allowed, track findings, manage compensating controls, and ship assessor-ready evidence from one workflow. Start free.