NIST's National Cybersecurity Center of Excellence (NCCoE) is launching a cross-sector operational technology (OT) asset visibility project, signaling a strategic shift from sector-specific guidance toward unified risk management across critical infrastructure. NCCoE Director Cherilyn Pascoe disclosed the initiative at GovCIO's "CyberScape" conference in Arlington, Virginia, on April 16, 2026. The project responds to a consistent finding across multiple critical infrastructure sectors: asset management and visibility represent the single largest cybersecurity challenge operators face.
Background
The NCCoE has historically addressed OT cybersecurity through targeted, sector-specific programs. The center produced water and wastewater cybersecurity guidance and released a draft document to help transit agencies implement the NIST Cybersecurity Framework, among other initiatives. Those efforts yielded actionable reference architectures but left a systemic gap: no unified methodology for cross-sector OT asset visibility existed.
That gap is now squarely in focus. According to Pascoe, discussions with representatives across multiple critical infrastructure sectors consistently surfaced the same deficiency. "We had several conversations with different critical infrastructure sectors and asked them, 'What are your biggest challenges?' And across the board, the largest challenge that came up was asset management, asset visibility," Pascoe stated. She added that visibility is particularly difficult in industrial control system environments due to legacy equipment and geographically distributed operational footprints.
The project arrives as NIST simultaneously advances a broader revision of its OT security standards. On January 22, 2026, NIST initiated a pre-draft revision of SP 800-82, its primary Guide to Operational Technology Security, to incorporate lessons learned, align with CSF 2.0, SP 800-53 Rev. 5, and address changes in the OT threat landscape. The comment period closed February 23, 2026. Additionally, an initial public draft of NIST IR 8183 Revision 2, the Cybersecurity Framework 2.0 Manufacturing Profile, was released for public comment in September 2025.
Project Scope and Technical Implications
The new cross-sector initiative builds directly on prior NCCoE work in OT asset management, including the energy sector asset management practice guide (NIST SP 1800-23), which demonstrated core capabilities: automated discovery of assets connected to a network, baselining of asset attributes such as manufacturer, model, operating system, IP and MAC addresses, firmware versions, and physical location, and continuous monitoring with alerting for newly connected or disconnected devices.
The current project extends this approach beyond any single vertical. By focusing on cross-sector OT visibility, the NCCoE addresses a structural weakness that threat actors-including nation-state groups and ransomware operators-have repeatedly exploited. OT infrastructure, unlike conventional IT systems, was designed for reliability and safety rather than security, and many legacy OT systems operate with minimal real-time monitoring capability, limited logging, and weak authentication mechanisms.
The NCCoE documents its example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details replication steps for other organizations. Outputs from the new visibility project are expected to follow this format, providing practical, commercially implementable reference designs mapped to existing frameworks including SP 800-82, SP 800-53, and the Cybersecurity Framework (CSF) 2.0. For organizations in manufacturing, energy, and water utilities, such guidance can support compliance reporting, anomaly detection program design, and supplier risk assessments by establishing a documented, auditable baseline of OT assets.
Outlook
The NCCoE has not published a formal project timeline or list of technology collaborators for the cross-sector OT visibility initiative as of early May 2026. Per the center's established practice, formal collaboration agreements with private-sector technology partners are typically solicited through Federal Register notices before reference architecture development begins. Early-adopter organizations engaging with the NCCoE's Community of Interest (COI) process stand to shape the resulting guidance and gain early access to reference designs. The parallel revision of SP 800-82 suggests that any practice guide produced by the visibility project will likely align with the forthcoming Revision 4, tightening the link between asset inventory requirements and broader OT security controls across industries.
