Definitive View of OT Architecture: CISA and NCSC Guidance for Visibility

CISA and the UK’s NCSC have published a joint technical guidance package that tells owners and operators how to build and maintain a single, continuously refreshed “definitive view” of their operational technology (OT) architecture — a practical step intended to close the visibility gap that routinely undermines OT security programs. The guidance, titled Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture, was released on September 29, 2025 and explicitly builds on the August 13, 2025 CISA asset-inventory framework; together the documents position an accurate OT record (assets, interconnections, firmware/software relationships, and supplier data) as the foundation for risk prioritization, architectural controls, and vendor/third‑party risk management.

Background

Operational technology governs the physical world — process control, discrete manufacturing, building access, water treatment, and the like — but its security model lags the modern IT stack by decades. OT components frequently run long-lived firmware, proprietary communication protocols, and tightly constrained maintenance windows. Modern advisories and guidance campaigns therefore focus first on visibility — know what you have before you can protect it. That principle underpins CISA’s recent asset-inventory guidance and is the explicit premise of the new “definitive view” guidance from CISA and NCSC. The asset-inventory product (Foundations for OT Cybersecurity) offers detailed fields, taxonomies, and lifecycle processes; the “definitive view” paper uses those inventories plus manufacturer-supplied data (for example, software bill of materials) to build an operational model that can be used for risk scoring and architectural decisions.
The release reflects coordinated, cross-government work: CISA and the FBI partnered with the UK National Cyber Security Centre and other international agencies to author the guidance. This mirrors prior multi-agency OT guidance from CISA and allied agencies in 2024 and earlier in 2025, a sign that OT hardening is now a sustained, government-wide priority.

What the new guidance says — essentials for practitioners

The definitive view: definition and purpose

The guidance defines a definitive record as a maintained, authoritative view of OT assets, their roles, dependencies, communication channels, and configuration state. That record is not a static spreadsheet; it’s a curated, multi-source dataset that combines:
  • an OT asset inventory and taxonomy,
  • vendor-supplied artifacts (device models, firmware versions, configuration baselines, and where available a software bill of materials or SBOM),
  • network and telemetry feeds (flow logs, IDS/ICS sensors),
  • contract and supplier relationship details,
  • engineering and maintenance records.
The stated objective is to enable holistic risk assessments, prioritize critical and exposed systems, and map proportionate mitigations across the estate.

Key recommendations (high level)

The guidance emphasizes practical, actionable recommendations that will be familiar to OT and ICS teams but are packaged to encourage cross-team execution:
  • Collaborate across IT and OT teams — formalize processes and shared responsibilities so inventories are comprehensive and curated.
  • Leverage manufacturer data — use SBOMs, firmware release notes, and vendor configuration baselines to enrich inventory items and reduce blind spots.
  • Align with standards — adopt established frameworks such as ISA/IEC 62443 for zone/conduit modeling and ISO/IEC 27001 for information security governance.
  • Design architectural controls — use the definitive view to place systems into zones, to prescribe conduits, and to justify compensating controls for legacy or unpatchable assets.
  • Manage third‑party risk — require suppliers and integrators to provide artifact data and to support verifiable configuration management.
These points are reiterated and expanded in the accompanying CISA asset-inventory product, which supplies fields, taxonomy examples, and lifecycle management steps that communities can adopt.

Why this matters now: operational and threat context

OT systems continue to be targeted in the wild; attackers increasingly use lateral movement from IT to OT to create physical disruption or to amplify impact. That trend makes full‑lifecycle visibility a first-line defense. The new guidance is important because it shifts the conversation from “we need an asset list” to “we need an operational model that ties asset attributes to risk and to supply-chain artifacts.” In practice, this enables:
  • faster identification of devices impacted by a disclosed CVE,
  • clearer prioritization for patch/workflow scheduling when maintenance windows are constrained,
  • measurably improved incident response because responders can see upstream/downstream process dependencies.
The guidance is not theoretical: CISA has also rolled out supporting resources and outreach (webinars, tool recommendations, and agency support structures) designed to accelerate uptake, especially for small and medium owners/operators that lack dedicated OT security teams.

Tactical verification: what to check in your environment

The guidance is prescriptive enough to be operationalized. Use this checklist to validate where you are against the guidance:
  • Inventory completeness: Do you have a current asset inventory that captures manufacturer, model, firmware, OS, IP, MAC, ports/services, physical location, and owner? The CISA asset guidance lists these as high-priority fields.
  • Taxonomy and zones: Have you classified assets by criticality and function and created zone/conduit diagrams aligned to IEC 62443 concepts?
  • Manufacturer artifacts: Can you match inventory entries to vendor firmware releases and SBOM records where available? If vendors cannot provide SBOMs, document that limitation and include it in supplier risk records.
  • Supplier mapping: Are contracts and integrator relationships recorded and associated with the devices or systems they service?
  • Telemetry linkage: Are flow logs, IDS/OT sensors, and engineering station logs linked to inventory entries for rapid hunting and correlation?
If any of these items are incomplete, the guidance treats that as the practical gap to remediate before more advanced controls (zero-trust segmentation, continuous attestation) make sense.

Practical implementation: phased approach for realistic operations

The guidance is explicit about brownfield realities: many OT estates are legacy-rich and cannot accept wholesale changes. The following pragmatic phased approach is recommended by practitioners and reflected across the guidance corpus:
  • Phase 1 — Triage & Discovery (0–30 days)
    • Build or validate a minimum viable inventory that captures the high-priority attributes (manufacturer, model, firmware, criticality, location).
    • Identify internet-exposed assets and immediate exposure reduction actions (remove public access, apply firewall rules).
  • Phase 2 — Enrichment & Taxonomy (30–90 days)
    • Add supplier/contract metadata and cross-reference vendor security notices.
    • Create a simple zone/conduit model for critical systems and label systems by impact (safety, mission continuity, regulatory).
  • Phase 3 — Controls & Automation (90–180 days)
    • Implement automated feeds where possible (network discovery, integration with asset-management tools).
    • Use the definitive view to design architectural controls: jump hosts, DMZs, least-privilege access, and segmented remote access.
  • Phase 4 — Continuous Assurance (ongoing)
    • Schedule periodic reconciliation, integrate SBOMs/firmware feeds, and establish supplier SLAs for security data.
This phased approach acknowledges operational constraints while aligning teams to measurable milestones.

Supplier and SBOM expectations — practical realities

One of the guidance’s most consequential suggestions is that owners and operators supplement their inventories with manufacturer-provided artifacts, including firmware manifests and software bills of materials (SBOMs). SBOMs let defenders map a vulnerable component directly to the deployed devices that contain it, which is dramatically more efficient than manual correlation of advisories against firmware versions.
Real-world constraints remain: many OT vendors still do not produce SBOMs, and some devices use proprietary firmware without clear component metadata. The guidance therefore recommends treating SBOM availability as a supplier performance requirement and building contractual mechanisms to capture artifact data during procurement or maintenance. Where vendors cannot provide SBOMs, document the gap and apply compensating architecture and monitoring.
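The advisory-triage workflow described in the preceding two sections (CVE disclosed, which deployed devices carry the component, which ones cannot be cleared because the vendor supplied no SBOM) is illustrated below as an added example. This is not code from the CISA/NCSC guidance or from any vendor tool; the inventory, vendors, models, firmware versions, component names, the advisory identifier and the `triage_advisory` function are all constructed placeholders.

```python
"""
Added example, not code from the CISA/NCSC guidance: join an OT asset
inventory with vendor-supplied SBOM component lists and a vulnerability
notice to answer "which deployed devices carry the vulnerable component?",
rank the hits by criticality, and record the devices whose vendor provided
no SBOM as a documented supplier gap. Every device, vendor, firmware version,
component and advisory below is a constructed placeholder.
"""
from dataclasses import dataclass

# Impact labels from the zone/conduit model, most severe first.
CRITICALITY_RANK = {"safety": 0, "mission": 1, "regulatory": 2, "low": 3}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    manufacturer: str
    model: str
    firmware: str
    criticality: str   # impact label assigned during taxonomy work
    zone: str          # IEC 62443 zone the asset sits in


# Constructed inventory (placeholder vendors and models).
INVENTORY = [
    Asset("plc-01", "ExampleVendor", "PLC-100", "2.3.1", "safety", "zone-A"),
    Asset("plc-02", "ExampleVendor", "PLC-100", "2.4.0", "mission", "zone-A"),
    Asset("hmi-01", "ExampleVendor", "HMI-7", "1.9.5", "mission", "zone-B"),
    Asset("rtu-01", "OtherVendor", "RTU-X", "5.0", "regulatory", "zone-C"),
]

# Constructed SBOMs keyed by (manufacturer, model, firmware):
# component name -> component version. OtherVendor supplies none.
SBOMS = {
    ("ExampleVendor", "PLC-100", "2.3.1"): {"tls-stack": "3.0.2", "rtos-kernel": "8.1"},
    ("ExampleVendor", "PLC-100", "2.4.0"): {"tls-stack": "3.1.0", "rtos-kernel": "8.1"},
    ("ExampleVendor", "HMI-7", "1.9.5"): {"tls-stack": "2.9.9", "web-ui": "4.2"},
}

# Constructed advisory (placeholder id): the component is vulnerable below fixed_in.
ADVISORY = {"id": "CVE-PLACEHOLDER", "component": "tls-stack", "fixed_in": "3.1.0"}


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple ("3.0.2" -> (3, 0, 2))."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(version: str, fixed_in: str) -> bool:
    """True when the deployed component version is older than the fixed one."""
    return parse_version(version) < parse_version(fixed_in)


def triage_advisory(inventory, sboms, advisory):
    """Return {'affected': [...], 'no_sbom': [...]}.

    affected: (asset_id, criticality, zone, component version) for assets whose
              SBOM lists the vulnerable component below fixed_in, ordered by
              criticality then zone so the most consequential devices come first.
    no_sbom:  assets with no vendor SBOM; these cannot be cleared and must be
              recorded as a supplier gap and covered by compensating controls.
    """
    affected, no_sbom = [], []
    for asset in inventory:
        sbom = sboms.get((asset.manufacturer, asset.model, asset.firmware))
        if sbom is None:
            no_sbom.append(asset.asset_id)
            continue
        comp_version = sbom.get(advisory["component"])
        if comp_version and is_vulnerable(comp_version, advisory["fixed_in"]):
            affected.append((asset.asset_id, asset.criticality, asset.zone, comp_version))
    affected.sort(key=lambda row: (CRITICALITY_RANK[row[1]], row[2]))
    return {"affected": affected, "no_sbom": no_sbom}


if __name__ == "__main__":
    result = triage_advisory(INVENTORY, SBOMS, ADVISORY)
    print(f"{ADVISORY['id']}: affected devices, highest criticality first")
    for asset_id, crit, zone, ver in result["affected"]:
        print(f"  {asset_id:8} {crit:11} {zone:8} {ADVISORY['component']} {ver}")
    print("no SBOM available, record as supplier gap:", result["no_sbom"])
```

The `no_sbom` list is the part practitioners tend to drop: a device without a vendor SBOM is not "not affected", it is "unknown", and the guidance's advice to document that gap and apply compensating architecture and monitoring only works if the triage output keeps it visible.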

Standards alignment: IEC 62443, ISO/IEC 27001 and others

The guidance explicitly points organizations toward international standards as the architectural and governance scaffolding for the definitive view. In particular:
  • ISA/IEC 62443 (zone-and-conduit modeling, system security) is recommended for structuring asset relationships and segmentation policies.
  • ISO/IEC 27001 is cited for information security governance and policy alignment where OT asset data must be handled and protected.
Adopting standards helps organizations translate a definitive view into auditable designs and into vendor-agnostic security controls.

Strengths of the guidance

  • Operational focus: The joint paper is practical — it couples a clear definition of the definitive view to specific sources of data and to lifecycle steps for maintaining records. That makes it actionable for teams that have historically struggled with vague “you need visibility” advice.
  • Supply-chain emphasis: Requiring or encouraging vendor artifacts is forward-thinking; getting manufacturers to share SBOMs and configuration baselines materially reduces time-to-remediate when a vulnerability is disclosed.
  • Standards alignment: Mapping recommendations to ISA/IEC 62443 and ISO/IEC 27001 helps organizations adopt known models rather than inventing bespoke taxonomies that are hard to scale.
  • Interagency and international backing: Joint authorship (CISA, FBI, NCSC-UK and partners) increases uptake likelihood and signals sustained government support for funding and enforcement activities.

Risks, limitations, and realistic constraints

  • Vendor and device limits: Many OT vendors do not yet supply SBOMs or fine-grained firmware manifests. Guidance recommending their use is correct in principle but will create procurement friction until vendors mature their offerings. Document these gaps and use compensating controls.
  • Resource demands: Creating and maintaining a definitive view requires cross-functional labor: asset managers, OT engineers, procurement, security teams, and provider relations. Smaller operators will need external support or agency assistance. CISA’s outreach and tools can help, but resourcing remains the bottleneck.
  • Brownfield complexity: Legacy devices with proprietary protocols and long patch cycles cannot be remedied solely by better inventory; they demand architectural workarounds (segmentation, compensating monitoring) that can be operationally costly. The guidance acknowledges this but does not remove the fundamental tradeoff between uptime and security.
  • Data protection and sensitivity: The definitive view contains sensitive operational and supplier data; if handled insecurely it becomes a target. The guidance discusses securing OT information, but organizations must treat the inventory itself as a high-value asset (controlled access, encryption at rest and in transit, MFA, and strict change control).
  • Verification and enforcement: The guidance recommends supplier artifacts but lacks global enforcement mechanisms; absent contractual requirements, some vendors may be slow to comply. Organizations must bake these requirements into procurement and service-level agreements.
These limitations are not fatal, but they require an honest assessment and programmatic funding to remediate.

Integration with IT/OT operations — bridging the cultural gap

A recurring theme is that process matters as much as technology. The guidance insists on formal collaboration between IT and OT teams for asset curation, threat detection, and incident response. Forum-level discussions and practitioner experience show that many exposures arise because engineering workstations (often Windows-based) have weak ACLs, permissive admin practices, or unmanaged remote access — weaknesses that attackers exploit to pivot to OT. Integrating Windows/IT hardening with the OT definitive view is therefore not optional.
Practical steps for improving collaboration:
  • Create joint triage boards that include OT engineering, IT security, procurement, and legal.
  • Institute change-management rules that require inventory updates for every production change.
  • Harden engineering hosts that interact with OT assets — application allowlisting, least privilege accounts, and jump-host mediated access.

Measuring success: KPIs and governance

Good KPIs are specific and auditable. Consider these metrics tied to the definitive view program:
  • Percentage of critical OT assets with complete attribute records (target: 95% within 90 days).
  • Mean time to triage a new CVE for affected OT assets (target: reduce by 50% after definitive view implementation).
  • Percentage of suppliers that provide SBOMs or firmware manifests within contract windows.
  • Number of unauthorized internet-exposed OT devices found via scanning (target: zero after mitigation stage).
Governance should assign an asset owner for each facility or zone, and require quarterly validation cycles and incident-playbook drills that use the definitive view.
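Two of the KPIs listed above (record completeness for critical assets, and internet-exposed OT devices found from traffic), together with the "telemetry linkage" checklist item from the verification section, are shown below as an added example. It is not code from the CISA/NCSC guidance or from any sensor or asset-management product; the inventory records, the declared internal address ranges, the flow-log lines and their key=value layout, and the `completeness_pct` / `link_flows` functions are constructed assumptions.

```python
"""
Added example, not code from the CISA/NCSC guidance: compute two KPIs from a
definitive-view record and a handful of flow-log lines. The inventory, the
internal address ranges and the log lines are constructed placeholders; the
key=value log format is assumed, not any particular sensor's native output.
"""
import ipaddress
import re

# High-priority inventory fields from the CISA asset guidance.
REQUIRED_FIELDS = ("manufacturer", "model", "firmware", "os", "ip", "mac",
                   "ports", "location", "owner")

# Constructed definitive-view records; hmi-01 is missing location and owner.
INVENTORY = [
    {"asset_id": "plc-01", "criticality": "safety", "manufacturer": "ExampleVendor",
     "model": "PLC-100", "firmware": "2.3.1", "os": "rtos", "ip": "10.20.1.10",
     "mac": "02:00:00:00:00:01", "ports": "502/tcp", "location": "line-1", "owner": "ot-eng"},
    {"asset_id": "hmi-01", "criticality": "mission", "manufacturer": "ExampleVendor",
     "model": "HMI-7", "firmware": "1.9.5", "os": "embedded-linux", "ip": "10.20.1.20",
     "mac": "02:00:00:00:00:02", "ports": "443/tcp", "location": "", "owner": ""},
    {"asset_id": "ews-01", "criticality": "low", "manufacturer": "ExampleVendor",
     "model": "Workstation", "firmware": "n/a", "os": "windows", "ip": "10.20.2.5",
     "mac": "02:00:00:00:00:03", "ports": "3389/tcp", "location": "ctrl-room", "owner": "it-sec"},
]

# Address space the organisation declares as its own (constructed).
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow-log lines in the assumed key=value format.
FLOW_LOG = """\
2025-10-01T08:00:00Z src=10.20.2.5 dst=10.20.1.10 dport=502 proto=tcp
2025-10-01T08:00:05Z src=203.0.113.45 dst=10.20.1.20 dport=443 proto=tcp
2025-10-01T08:00:09Z src=10.20.1.77 dst=10.20.1.10 dport=502 proto=tcp
2025-10-01T08:00:12Z src=10.20.1.10 dst=10.20.2.5 dport=44818 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_flows(text):
    """Parse flow-log lines; malformed lines are skipped rather than aborting the run."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def completeness_pct(inventory, criticalities=("safety", "mission", "regulatory")):
    """KPI: percentage of critical assets whose required attributes are all populated."""
    critical = [a for a in inventory if a["criticality"] in criticalities]
    if not critical:
        return 100.0
    complete = sum(all(a.get(f) for f in REQUIRED_FIELDS) for a in critical)
    return round(100.0 * complete / len(critical), 1)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def link_flows(flows, inventory):
    """Tie each flow endpoint to an inventory entry.

    exposed: asset_ids that exchanged traffic with an address outside the
             declared internal ranges (KPI: internet-exposed OT devices).
    unknown: internal addresses seen on the wire with no inventory record,
             i.e. an inventory-completeness gap to investigate.
    """
    by_ip = {a["ip"]: a["asset_id"] for a in inventory}
    exposed, unknown = set(), set()
    for f in flows:
        for ip, peer in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if ip not in by_ip:
                if is_internal(ip):
                    unknown.add(ip)
            elif not is_internal(peer):
                exposed.add(by_ip[ip])
    return {"exposed": sorted(exposed), "unknown": sorted(unknown)}


if __name__ == "__main__":
    print("critical-asset record completeness:", completeness_pct(INVENTORY), "%")
    print(link_flows(parse_flows(FLOW_LOG), INVENTORY))
```

Run stand-alone it reports 50.0% completeness (one of the two critical records is missing fields), flags `hmi-01` as exposed because it talked to an address outside the declared ranges, and surfaces `10.20.1.77` as an internal address with no inventory entry; that last finding is exactly the reconciliation signal the guidance wants telemetry linkage to produce.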

Cross-referencing and independent verification

The joint guidance and the earlier asset-inventory product are publicly available through CISA and are supported by allied releases (NSA and press outreach) that reinforce the recommendations and provide operational context for uptake. Industry groups and standards bodies have already begun commenting about the standards alignment and the value of SBOMs for OT risk management. Those multiple, independent touchpoints validate both the recommendations and the direction of travel: stronger inventory, supplier data, and standards alignment.
Where guidance suggests vendor-provided artifacts, practitioners should verify availability during procurement and not assume universal compliance — treat that as a program risk and mitigate accordingly. If a vendor refuses or is unable to provide SBOMs, record the limitation and escalate to risk committees.

Recommended next steps for owners/operators (practical checklist)

  • Convene a cross-functional kickoff with OT engineering, IT security, procurement, and vendor management. Record responsibilities and timelines.
  • Adopt the recommended inventory fields from the CISA asset guidance and create a prioritized list of critical assets.
  • Map upstream/downstream dependencies for critical assets and create a zone/conduit diagram aligned to IEC 62443 concepts.
  • Push for vendor artifacts (firmware release notes, SBOMs) in new procurement, and require artifact delivery in maintenance contracts for existing systems.
  • Harden engineering and management hosts used to interact with OT devices; treat them as high-risk endpoints.
  • Schedule periodic reconciliation and integrate telemetry and IDS feeds to tie runtime behavior to inventory entries.

Conclusion

The joint CISA–NCSC guidance on creating and maintaining a definitive view of OT architecture is a timely, operationally focused product that moves the needle from “visibility as a concept” to “visibility as an executable program.” By combining disciplined asset inventories, supplier artifacts (including SBOMs where available), and standards-based architectural modeling, organizations can gain the situational awareness necessary to prioritize scarce operational windows, reduce exposure, and execute targeted remediation. The benefits are real, but the work is long — delivering a definitive view requires cross‑discipline cooperation, supplier pressure, and consistent governance. For organizations that take the guidance seriously and fund the required operational changes, this document provides a practical roadmap to measurably reduce OT risk and improve resilience.

Source: CISA and UK NCSC Release Joint Guidance for Securing OT Systems | CISA