NIST SP 800-82

NIST Special Publication 800-82 is the NIST guide to Operational Technology security. The current edition — Revision 3, published September 2023 — is titled Guide to Operational Technology (OT) Security and replaces earlier editions that were scoped specifically to industrial control systems.

What 800-82 covers

The publication is the OT-specific companion to NIST SP 800-53 (control catalog) and NIST SP 800-171 (CUI protection). It addresses the control categories that apply to OT environments: SCADA, distributed control systems, programmable logic controllers, safety instrumented systems, building automation, and industrial IoT.

The structure follows NIST 800-53 families but reinterprets each control for OT operating conditions:

  • Availability over confidentiality. OT safety and uptime take precedence over traditional CIA ordering.
  • Deterministic behavior. Controls must not introduce latency or jitter that disrupts control loops.
  • Legacy compatibility. The guide explicitly addresses equipment with 20-year service lives and no firmware update path.
  • Physical-cyber coupling. A cyber event in OT can cause physical consequences — process upset, equipment damage, safety incident.

How 800-82 relates to other frameworks

  • NIST SP 800-53 supplies the full control catalog. 800-82 overlays OT-specific guidance on each family.
  • NIST SP 800-171 defines CUI protection for non-federal systems. 800-82 addresses the OT portion of those systems.
  • IEC 62443 is the international standard for industrial automation security. 800-82 and IEC 62443 map bidirectionally; organizations often cite both.
  • CMMC Level 2 draws its 110 controls from NIST 800-171. When CMMC scopes OT assets under the Specialized Asset category, 800-82 provides the implementation guidance.

Why it matters for OT compliance programs

A compliance program that relies only on 800-171 will have gaps for OT — the parent standard does not address the operational constraints of control-system environments. 800-82 fills those gaps with specific guidance on segmentation, remote access, incident response, and logging in OT contexts.

The current revision added substantial material on zero-trust architecture applied to OT, software bill of materials requirements, and supply-chain risk for ICS vendors. These additions align with DoD DTM 25-003 expectations.

Access Gate connection

Access Gate aligns with NIST SP 800-82 guidance on OT segmentation and identity-based access, providing a non-inline enforcement layer appropriate for control-system environments.