NIST SP 800-82 overhaul: What OT security teams must do now

TL;DR

NIST has initiated a major overhaul of SP 800-82, its primary guidance for securing Operational Technology (OT) environments. The revision aligns with NIST CSF 2.0, expands framework mapping requirements, and directly raises the compliance bar for critical infrastructure operators. For organizations running ICS, SCADA, and OT systems, especially in air-gapped or segmented networks, this is also a forcing function to modernize the infrastructure behind GRC: deploy and localize on your terms (SaaS, sovereign cloud, self-hosted, or certified appliance), and connect into OT and restricted environments with agentic connectivity so evidence can be collected and mapped continuously.

In January 2026, the National Institute of Standards and Technology (NIST) announced a full revision of SP 800-82, its foundational guide to securing Operational Technology environments. This is not a minor update. It is a comprehensive overhaul incorporating lessons from the last several years of critical infrastructure incidents and aligning the guidance with NIST Cybersecurity Framework (CSF) 2.0, NIST IR 8286 Rev 1, and SP 800-53 Rev 5.

For security and compliance leaders in critical infrastructure (energy, water, defence, telecommunications, aviation, and government), this revision arrives at a time when OT attack surfaces are expanding and regulators globally are watching more closely than ever. The stakes of non-compliance are operational, not just reputational. 

Dragos' 2026 OT Cybersecurity Report found that 119 ransomware groups impacted more than 3,300 industrial organizations in 2025, while fewer than 10% of OT networks worldwide have sufficient visibility and monitoring in place. This highlights a persistent gap between OT risk and defensive capability, one that the updated NIST SP 800-82 is designed to address.

What's changing in NIST SP 800-82: Key updates

The overhaul covers a wide range of changes, from structural alignment to technical controls expansion. The table below outlines the primary updates, what each one means operationally, and how 6clicks is adapting to support compliance teams navigating the transition.

NIST SP 800-82 update: Alignment with NIST CSF 2.0
What it means for your organisation: OT security programs must now map to the updated CSF 2.0 core functions (Govern, Identify, Protect, Detect, Respond, Recover). The new "Govern" function adds explicit requirements for OT-specific risk governance frameworks.
How 6clicks supports this: 6clicks' Content Library includes pre-built CSF 2.0 control mappings. Compliance teams can cross-map OT controls to CSF 2.0 directly within the platform, with Hailey AI automatically identifying gaps and suggesting remediation actions.

NIST SP 800-82 update: Integration of NIST IR 8286 Rev 1 (enterprise risk integration)
What it means for your organisation: OT risk should be integrated into enterprise-wide risk management. Siloed OT security programs that don't connect to broader Governance, Risk, and Compliance (GRC) structures may struggle to align with the revised guidance.
How 6clicks supports this: 6clicks' Hub & Spoke architecture allows enterprise risk programs to span OT and IT environments in a single platform. OT-specific risks surface in the enterprise risk register with no manual re-entry or reconciliation.

NIST SP 800-82 update: Expanded SP 800-53 Rev 5 control mapping
What it means for your organisation: The revision aligns with SP 800-53 Rev 5 control mappings for OT contexts. Organizations should be able to demonstrate how applicable controls are implemented within their OT environments, including controls traditionally applied in IT systems.
How 6clicks supports this: 6clicks pre-maps SP 800-53 Rev 5 controls and provides automated evidence collection workflows. For OT environments, the platform's agent-based connectivity layer can pull evidence directly from industrial control systems without requiring manual extraction.

NIST SP 800-82 update: Heightened guidance for air-gapped and segmented networks
What it means for your organisation: OT security guidance places greater emphasis on segmented and connectivity-constrained environments, where continuous connectivity cannot be assumed. Organizations should ensure security controls, monitoring, and assurance activities are designed to operate effectively within these architectural constraints.
How 6clicks supports this: 6clicks is the only GRC platform with an on-premises deployment option (the 6clicks GRC Appliance) that operates entirely inside a customer's environment. For air-gapped OT networks, evidence collection agents can run within the network boundary, with no cloud connection required.

NIST SP 800-82 update: New ICS and SCADA-specific control guidance
What it means for your organisation: Guidance expands on how existing security controls should be applied within ICS and SCADA environments. Organizations are expected to consider OT-specific context, system behaviour, and operational impact when implementing and assessing controls, rather than relying solely on IT-centric interpretations.
How 6clicks supports this: 6clicks' Requirement-Based Assessment workflows support OT-specific control sets. Compliance officers can configure assessment templates aligned directly to ICS/SCADA requirements, with AI-guided evidence requests sent to the right system owners.

NIST SP 800-82 update: Stronger supply chain risk requirements for OT vendors
What it means for your organisation: The updated guidance reflects increasingly interconnected OT ecosystems, including dependencies on third-party technologies and service providers. Organizations should account for these relationships when assessing risk and implementing security controls across their environments.
How 6clicks supports this: 6clicks' Vendor Risk Management solution supports structured OT vendor assessments, with automated questionnaire distribution and risk scoring. Vendor responses map directly to SP 800-82 supply chain controls.

The compliance challenge: why OT security is harder than IT security

The reason SP 800-82 exists as a separate publication, distinct from SP 800-53, is that OT environments operate under fundamentally different constraints. Systems like programmable logic controllers (PLCs), distributed control systems (DCS), and SCADA platforms were often designed decades before cybersecurity was a design consideration. Patching cycles are often measured in months, and in some cases years, rather than weeks. Downtime is not a software inconvenience; it can mean power outages, supply chain failures, or safety incidents.

Compliance programs built for IT environments routinely fail when applied to OT. Evidence collection requires physical access or specialized tooling. Assessment workflows assume internet connectivity that may not exist. And audit timelines that work for a corporate IT environment can conflict with operational schedules that cannot be interrupted.

Why the revised SP 800-82 raises the compliance bar significantly

The overhaul's alignment with CSF 2.0 and SP 800-53 Rev 5 means organizations can no longer treat OT security as a separate, lighter-weight compliance stream. OT risk must be visible at the enterprise level, OT controls must be documented with the same rigor as IT controls, and evidence collection must be systematic and auditable, not ad hoc.

For organizations that have been managing OT compliance through spreadsheets, disconnected tools, or periodic manual audits, this revision is a forcing function. The question is not whether to modernize your OT GRC approach; it is how fast you can do it.

What good OT GRC looks like under the revised SP 800-82

The revised SP 800-82 provides a clearer picture of what effective OT GRC looks like in practice, shifting from static, siloed processes to continuous, integrated, and operationally grounded assurance. 

Continuous, not periodic

The revised guidance moves away from point-in-time compliance assessments toward continuous monitoring. Organizations should be able to demonstrate the current state of OT controls at any time, not just at the time of audit. This requires automated evidence collection that connects directly to OT systems, even in constrained network environments.

Integrated, not siloed

OT risk must flow into the enterprise risk register. IT and OT compliance programs must reference the same control framework. Audit evidence collected in an OT environment must be accessible to enterprise GRC teams without manual translation or re-entry.

Deployable in restricted environments

Perhaps the most operationally significant aspect of the revised SP 800-82 is its explicit recognition that many OT environments cannot use cloud-first tools. Any GRC platform used to manage OT compliance must be capable of operating within the network boundary of the OT environment itself.

How 6clicks helps you get ahead of the SP 800-82 revision

6clicks was built for exactly this environment. While most GRC platforms assume always-on cloud connectivity and IT-centric workflows, 6clicks is architected for the environments where those assumptions break down.

Sovereign GRC Infrastructure (the infrastructure layer that underpins the 6clicks platform) directly addresses the compliance challenges the SP 800-82 overhaul creates:

Deploy and localize on your terms: Run 6clicks in hyperscaler SaaS, sovereign cloud, self-hosted, or via the 6clicks GRC Appliance (certified hardware) for environments where the cloud is not an option.
Sovereign-by-design AI: Select your own AI model, language, and compliance frameworks for complete localization and sovereignty without breaking auditability or workflow integrity.
Agentic connectivity into constrained environments: Upload evidence manually, pull it via APIs, or deploy agents that continuously collect, monitor, and remediate. Connect into OT, legacy systems, and air-gapped networks when your environment allows; when it doesn’t, manual upload still triggers the same AI validation and control mapping.
Operationally audit-ready: Evidence maps to controls, controls map to frameworks, and frameworks map to risk so OT compliance can be governed with the same rigour as enterprise GRC, without spreadsheet drift.

Frequently asked questions

What is NIST SP 800-82 and why is it being revised?

NIST SP 800-82 is the primary US federal guidance document for securing operational technology environments, including ICS, SCADA, and distributed control systems used in critical infrastructure. NIST initiated a major overhaul in January 2026 to align the guidance with CSF 2.0 and SP 800-53 Rev 5, and to address the growing complexity of OT attack surfaces. The revision reflects lessons from recent critical infrastructure incidents and significantly raises the compliance bar for organizations in energy, defense, government, telco, and aviation sectors.

Does the NIST SP 800-82 revision apply outside the United States?

While SP 800-82 is a US federal publication, it is widely referenced by critical infrastructure operators and regulators globally, including in regions such as Australia, the UK, and the Middle East. Its alignment with NIST CSF 2.0 means organizations that have adopted NIST-based frameworks in any jurisdiction may need to revisit how their OT security practices align with the updated guidance.

How do I collect compliance evidence from air-gapped OT environments?

This is a common challenge in OT environments, particularly in air-gapped or connectivity-constrained networks. The revised SP 800-82 highlights the importance of designing security and monitoring approaches that can operate within these constraints. Organizations need GRC tooling that can operate inside the air-gapped network boundary, collecting, storing, and surfacing evidence without requiring an external cloud connection. 6clicks' on-premises deployment option and agent-based connectivity layer are specifically designed for this use case.

What is the difference between IT GRC and OT GRC?

IT GRC applies to information technology systems: servers, applications, cloud infrastructure, and corporate networks. OT GRC applies to operational technology systems: industrial control systems, SCADA, PLCs, and the physical processes they manage. OT environments have longer patching cycles, stricter uptime requirements, physical safety implications, and often operate in network-isolated environments. The revised SP 800-82 reinforces that these environments require dedicated tooling and governance approaches, not IT-centric platforms adapted for OT use.

How long do organizations have to align with the revised SP 800-82?

NIST has not mandated a specific compliance deadline for the SP 800-82 revision, but organizations subject to federal regulation, defense contracting requirements, or sector-specific frameworks that reference SP 800-82 should begin gap assessments now. The revision process is underway and final guidance is expected later in 2026. Early alignment reduces the remediation burden significantly.

Join us: GRC that works where others can't

If you're a security, risk, or compliance leader navigating the implications of the NIST SP 800-82 overhaul, or managing GRC in a complex, restricted, or sovereign environment, join us for our upcoming webinar, GRC that works where others can't.

We'll cover how the Sovereign GRC Stack addresses the compliance requirements of critical infrastructure environments, walk through live deployment scenarios for air-gapped and OT networks, and answer your questions directly.