Date: 2025-09-30
CISA, the UK NCSC and international partners issued joint guidance to help organizations create and maintain a definitive view of their operational technology architecture.

CISA, UK NCSC Release Joint Guidance on Operational Technology Security

The United Kingdom’s National Cyber Security Centre, in partnership with the Cybersecurity and Infrastructure Security Agency, the FBI and other international partners, has published new joint guidance aimed at helping organizations secure their operational technology environments.

The document, titled “Creating and Maintaining a Definitive View of Your Operational Technology Architecture,” builds on the recent Foundations for OT Cybersecurity: Asset Inventory Guidance and provides actionable steps to strengthen defenses against cyberthreats, CISA said.

Building a Definitive OT Record

The guidance emphasizes that a central, authoritative record of an organization’s OT architecture is essential for effective risk management. The record should incorporate data from multiple sources, including asset inventories, vendor documentation and software bills of materials, to ensure accuracy and visibility across systems. Maintaining the record allows operators to identify vulnerabilities, understand interdependencies and prioritize protections for the most critical and exposed assets.

Architectural Controls and Standards Alignment

According to the guidance, organizations should implement strong architectural controls such as segmentation, zoning and access restrictions to protect critical OT systems. The measures should align with international standards such as International Electrotechnical Commission (IEC) 62443 for industrial control system security and ISO/IEC 27001 for information security management.

The document also highlights the need to manage third-party and supply chain risks by integrating supplier-provided data and patching requirements into the OT record.

CISA and its partners note that OT security is not a one-time exercise. To remain effective, the definitive OT record must be continuously updated through configuration management, monitoring and change management processes.

The guidance recommends fostering collaboration between IT and OT teams to align governance, security policies and incident response procedures.

Enabling Risk Reduction and Resilience

Maintaining an accurate and comprehensive view of OT environments is meant to let organizations conduct more thorough risk assessments, address cost asymmetries between threats and defenses, and implement security controls more effectively.

According to the guidance, establishing a definitive OT record is a critical step toward reducing risk and strengthening resilience. It urges operators to adopt a proactive approach to safeguarding systems that are essential to national infrastructure.
