NIST's National Cybersecurity Center of Excellence (NCCoE) is launching a cross-sector project to establish common practices for asset discovery and visibility across operational technology (OT) environments in critical infrastructure, structured around a public-private consortium model. NCCoE Director Cherilyn Pascoe disclosed the project on April 16, 2026, at GovCIO's "CyberScape" conference in Arlington, Virginia, citing asset management as the most consistently raised challenge across the critical infrastructure sectors the center has consulted. The project aims to demonstrate how existing standards, commercial technologies, and established frameworks can build replicable OT visibility architectures.
Background
The NCCoE initiative responds to a well-documented gap in how industrial operators understand their own shop floors. "Most sectors have not done an OT asset inventory," said Tatyana Bolton, executive director of the Operational Technology Cyber Coalition, during a House Homeland Security Committee hearing. The problem is compounded by the age and heterogeneity of installed equipment: Pascoe noted that visibility remains difficult in industrial control systems due to legacy equipment and distributed environments.
The NCCoE's move follows a parallel government effort by CISA and partner agencies. In August 2025, CISA - alongside the NSA, FBI, EPA, and cybersecurity agencies from Australia, Canada, Germany, the Netherlands, and New Zealand - published "Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators," establishing OT asset inventory as an official Cybersecurity Performance Goal. That guidance, developed through eight virtual working sessions with approximately 14 organizations across the oil and gas, electricity, and water sectors in early 2025, specified 14 required asset attributes and mandated continuous - not point-in-time - inventory updates.
The vulnerability data underpinning these efforts is stark. Research from Forescout Technologies found that ICS cybersecurity risk hit a record in 2025, with 508 advisories covering 2,155 vulnerabilities - the highest volume since tracking began. The average CVSS severity score for ICS advisories rose to 8.07 in 2025, up from 6.44 in 2010, reflecting a sustained shift from moderate to high-severity disclosures.
Details
Pascoe confirmed that the NCCoE will form a consortium of industry and government agencies to advance the project, consistent with the center's standard Cooperative Research and Development Agreement (CRADA) model, which brings together technology vendors alongside government and academic partners. The intended output is a demonstrable reference architecture for OT asset visibility using off-the-shelf commercial technologies.
The scope is explicitly cross-sector, differentiating this effort from earlier NCCoE work targeting individual verticals. The center previously produced NIST SP 1800-23, focused on the energy sector's OT asset management needs, and more recently issued draft guidance for transit agencies on implementing the NIST Cybersecurity Framework. The new project abstracts from these sector-specific engagements to produce guidance applicable to all 16 critical infrastructure sectors.
Pascoe indicated the center will also explore whether artificial intelligence can augment asset visibility workflows. "Maybe we'll be looking at how to use AI to be able to enhance that as well, depending on what the community's interests are," she said. The NCCoE is concurrently developing a Cybersecurity Framework Profile for AI and reviewing plans for AI agent identity and authorization - work that could inform how AI-assisted discovery tools are governed within industrial environments.
The project also builds on NIST's broader OT security posture. In January 2026, NIST announced plans to update its Guide to Operational Technology Security (Special Publication 800-82) to incorporate lessons learned, align with related agency guidance, and address emerging risks.
Outlook
The NCCoE is expected to issue a formal call for consortium members once the project scope is finalized, a process the center typically conducts through a Federal Register notice. Outputs will likely include a NIST Special Publication 1800-series practice guide mapping reference architectures to the NIST Cybersecurity Framework.
For OT vendors and asset management platform providers, consortium participation represents an opportunity to shape data schemas and interoperability requirements that could inform future procurement specifications across federal and regulated sectors. For operators, the project's emphasis on commercially available, standards-aligned tooling signals that the resulting guidance will be actionable for organizations at varying levels of cybersecurity maturity - including smaller utilities and water systems that lack dedicated OT security teams.
