The U.S. National Institute of Standards and Technology (NIST) has published Special Publication 800-238, the FY 2025 Annual Report for its Cybersecurity and Privacy Program, covering the period October 1, 2024 through September 30, 2025. Released on May 21, 2026, the report sets a materially higher compliance benchmark for manufacturers, industrial operators, and critical infrastructure owners, consolidating new requirements across operational technology (OT), artificial intelligence (AI), 5G network security, Internet of Things (IoT) governance, and post-quantum cryptography (PQC).

Background

OT environments - including industrial control systems (ICS), SCADA platforms, and programmable logic controllers (PLCs) - have historically operated under lighter cybersecurity governance than their IT counterparts. That gap has narrowed steadily since NIST released Cybersecurity Framework 2.0 in early 2024, which introduced a dedicated "Govern" function requiring organizations to embed leadership accountability and risk management into day-to-day security operations. The FY 2025 report now catalogs the concrete standards and practice guides that operationalize those obligations.

The threat context underpinning the report is significant. Ransomware, destructive malware, and targeted attacks on connected industrial systems continue to grow in frequency and sophistication, according to NIST's National Cybersecurity Center of Excellence (NCCoE). Meanwhile, IT-OT convergence through Industrial Internet of Things (IIoT) integration is expanding attack surfaces that legacy architectures were not designed to defend.

Details

The most operationally relevant release accompanying the report is SP 1800-41, an initial public draft practice guide developed through the NCCoE that provides manufacturers with guidelines for responding to and recovering from cyberattacks targeting ICS and OT environments, with public comments due by July 8, 2026. The guidance directly addresses ransomware response workflows and operational resilience - gaps cited repeatedly in post-incident reviews across the manufacturing, energy, and water sectors.

On AI governance, NIST launched the Control Overlays for Securing AI Systems (COSAiS) project to develop security control overlays for AI systems using SP 800-53 controls, SP 800-218A, and related publications, supporting responsible and secure AI adoption. Separately, NIST researchers published a concept note describing the AI Risk Management Framework (AI RMF) Trustworthy AI in Critical Infrastructure Profile, which aims to align AI risk management with the performance and reliability expectations of OT, ICS, and cyber-physical environments - including legacy systems and physically distributed assets.

For 5G, NIST's 5G Cybersecurity project released white papers CSWP 36C, CSWP 36D, and CSWP 36E, addressing potential security concerns and mitigation strategies for 5G systems. Industrial operators deploying private 5G networks for shop-floor connectivity will need to map these mitigations against existing OT network segmentation architectures.

On post-quantum readiness, NIST completed 170 validations for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) from FIPS 204 and the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) from FIPS 203, bringing vendor product certification within practical reach for procurement teams. More than 50 organizations participated in NIST's Migration to Post-Quantum Cryptography Project, demonstrating discovery and inventory tools to ease PQC migration decisions.

The workforce dimension carries equal weight for OT managers. NIST issued NICE Workforce Framework Version 2.2.0, which introduced a new Operational Technology Cybersecurity Engineering work role, providing a formal taxonomy for hiring, role definition, and skills benchmarking in industrial security functions. The FY 2025 report also confirmed publication of the CSF 2.0 Manufacturing Profile through the NCCoE, providing manufacturers with a voluntary, risk-based framework for managing cybersecurity activities and reducing cyber risk.

Vendor risk management is implicated across multiple workstreams. Strengthening supply chain cybersecurity features as an explicit priority in SP 800-238, alongside advancing IoT cybersecurity guidelines - both areas directly relevant to procurement teams evaluating third-party OT software and device vendors. Separately, CISA's updated Cybersecurity Performance Goals (CPG) 2.0, aligned with NIST CSF 2.0, introduced new goals that specifically target risks from third-party providers with deep system access, such as managed service providers, and that apply zero-trust principles to mitigate lateral movement across IT-OT networks.

Outlook

Industrial operators face a defined action window. Public comment on SP 1800-41 closes July 8, 2026, giving ICS security and operations teams a near-term opportunity to shape the final guidance before it becomes a reference standard for audits and procurement requirements. Organizations that have not yet mapped their OT environments to the CSF 2.0 Manufacturing Profile or assessed their supply chain against the updated CISA CPG 2.0 vendor-risk goals should treat the SP 800-238 publication as the starting point for that gap analysis. The convergence of PQC validation milestones with active AI and 5G guidance suggests NIST intends FY 2026 to translate these frameworks into enforceable technical baselines across critical sectors.