Manufacturing has been the number-one targeted industry for cyberattacks for four consecutive years, according to DeNexus risk intelligence - yet until recently, governance frameworks covering shop-floor operational technology (OT) remained far less mature than those protecting enterprise IT. The NIST FY2025 Cybersecurity and Privacy Program Annual Report[3] (SP 800-238), published in May 2026, signals a deliberate shift: the federal standards agency has moved from prevention-focused guidance to a comprehensive OT governance architecture encompassing risk management, incident response, supply chain transparency, post-quantum cryptography, and board-level accountability - all at once.

For directors, VPs, and plant managers evaluating compliance posture, the FY2025 report is not routine housekeeping. It consolidates interlocking standards that collectively raise the baseline for responsible OT governance in U.S. critical manufacturing.


What the FY2025 Report Actually Delivered for OT

Throughout Fiscal Year 2025 - October 1, 2024, through September 30, 2025 - the NIST Information Technology Laboratory Cybersecurity and Privacy Program addressed numerous challenges and opportunities in security and privacy. For the manufacturing sector, three deliverables stand out.

CSF 2.0 Manufacturing Profile (IR 8183r2)

NIST published the Cybersecurity Framework 2.0 Manufacturing Profile through the NCCoE, providing manufacturers with a voluntary, risk-based framework for managing cybersecurity activities and reducing cyber risk.[1] The revision carries structural significance beyond previous versions. It realigns guidance to the CSF 2.0 Functions - including the new Govern Function - and adds guidance for the supply chain risk management, platform security, and technology infrastructure resilience categories.

The introduction of a standalone Govern function is the most consequential change. The framework organizes guidance around CSF 2.0's six functional areas - Govern, Identify, Protect, Detect, Respond, and Recover - enabling manufacturers to prioritize cybersecurity outcomes aligned with business needs, risk tolerance, and available resources.

SP 1800-41: Incident Response and Recovery for Manufacturing ICS/OT

NIST released the initial public draft of Special Publication 1800-41, a cybersecurity practice guide focused on helping manufacturers respond to and recover from cyberattacks targeting ICS and OT environments. Developed through the NCCoE, the guide addresses mounting operational disruption risks from ransomware, destructive malware, and attacks against connected industrial systems.

SP 1800-41 is significant precisely because of what it is not: another prevention-focused framework. It is one of the few guidance documents for OT environments that starts after the breach. Most ICS security guidance concentrates on hardening and detection, leaving the question of what happens after a compromise far less formally addressed.

The publication defines a five-phase reference architecture covering detection, containment, eradication, recovery, and post-incident analysis. Critically, defense-in-depth security architecture mitigates cyber risks but cannot eliminate them; manufacturing organizations must also maintain plans to recover and restore operations when a cyber incident disrupts production.

The public comment period for SP 1800-41 remains open through July 8, 2026. NIST encourages organizations to review the publication and share feedback. Those interested in staying current can join the NCCoE Manufacturing Community of Interest.

SP 800-82 Overhaul and the OT Workforce Role

NIST has initiated a revision of SP 800-82, the Guide to Operational Technology Security, to incorporate lessons learned, align with current OT cybersecurity standards, and address changes in the threat landscape. In parallel, NIST issued NICE Workforce Framework Version 2.2.0, which introduced a new Operational Technology Cybersecurity Engineering work role - a formal acknowledgment that OT security requires distinct competencies that cannot be delegated to IT security teams alone.


Three Elevated Governance Pillars for Manufacturers

The FY2025 output coalesces around three governance pillars that U.S. manufacturers - regardless of size or sector - must address.

1. Board-Level Cyber Risk Accountability

NIST's Cybersecurity Framework 2.0, its first major update since 2014, introduced a new "Govern" function that pushes cybersecurity governance directly into boardroom oversight. The Govern component emphasizes accountability, risk management, and strategic integration of cybersecurity into daily operations, reinforcing the principle that effective governance is the cornerstone of a resilient cyber posture.

Market data suggests the sector is already responding. In 2025, 52% of organizations place OT security under the CISO - up from 16% in 2022 - with 80% planning to follow suit, elevating security as a board-level priority. However, organizational elevation alone is insufficient without formal risk quantification. Q3 2025 data demonstrated that qualitative risk assessments fall short for critical business decisions - cyber risk quantification transforms technical vulnerabilities into business metrics that executives and board members can understand and act upon.

2. Structured Incident Response for OT Environments

As OT systems such as ICS become more interconnected with IT networks, they face increasing cyber threats that put factory operations, safety, and property at risk. Organizations need plans and capabilities to respond to incidents and restore operations.

Organizations operating these environments face growing pressure to build more mature cybersecurity capabilities, yet many manufacturers struggle to keep pace with evolving security requirements. SP 1800-41 directly addresses this gap with scenario-based guidance: the practice guide presents cyberattack scenarios developed with industry collaborators to produce a methodology for adopting response and recovery measures that strengthen operational resilience.

3. Supply Chain Risk Management Transparency

Manufacturers must manage supply chains for technology-based inputs - such as PLCs, sensors, robotics, and data collection systems - as well as for technology products used internally. They also depend on non-technology inputs from third-party suppliers that contribute to the final product.

Building on previous versions, CSF 2.0 highlights the importance of governance and supply chains. The dedicated GV.SC (Cybersecurity Supply Chain Risk Management) category within the Govern function requires manufacturers to establish formal C-SCRM strategies, identify and tier critical technology suppliers, and include suppliers in incident response planning.


Industry Reactions: Diverging Readiness Across Segments

The standards elevation does not land uniformly. Large-scale manufacturers with existing CMMC or federal contractor compliance programs are better positioned to absorb the new governance layer. Mid-market players face a steeper climb.

Many industrial manufacturers are grappling with budget cuts and talent shortages that force difficult decisions about cybersecurity investments - only 25% spend significantly more on proactive rather than reactive security measures.

Survey data reveals that the top obstacles industrial organizations face in securing OT and IIoT are gaps in OT skills and resources. The new NICE Framework OT Cybersecurity Engineering role begins to address this structurally, but workforce development takes time that compliance timelines may not afford.

For critical infrastructure manufacturers, regulatory convergence adds further pressure. The U.S. enacted the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in 2022, with implementing regulations expected to require companies in designated critical infrastructure sectors to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours. The CSF 2.0 Manufacturing Profile's Respond and Recover functions now map directly to these statutory obligations, making alignment operationally necessary - not merely aspirational.


Closing Gaps Through Public-Private Partnership

The FY2025 approach relies heavily on collaborative infrastructure. Through coordinated research, industry collaboration, and contributions to global standards bodies, the program identifies emerging risks, develops practical cybersecurity approaches, and supports secure technology adoption across critical sectors.[2]

The NCCoE's Manufacturing Community of Interest, the public comment mechanism for SP 1800-41, and the open draft process for IR 8183r2 all represent deliberate channels for practitioners to shape guidance before it hardens into de facto compliance baselines. Organizations that engage early gain insight into implementation expectations - and an opportunity to surface practical constraints before standards are finalized.


A Practical Implementation Roadmap

The following sequencing reflects the governance maturity model embedded across CSF 2.0, SP 1800-41, and the SP 800-82 revision process:

Phase 1 - Establish Governance Foundations (0-6 months)

  • Assign formal OT security ownership aligned to the CSF 2.0 Govern function
  • Conduct an OT asset inventory: only 27% of organizations maintain an up-to-date inventory of OT assets, according to 2024 Ponemon Institute and Cyolo research
  • Perform gap analysis against IR 8183r2 subcategories

Phase 2 - Formalize Incident Response and C-SCRM (6-12 months)

  • Develop or update a dedicated OT Incident Response Plan using SP 1800-41's five-phase architecture as the reference model
  • Establish a C-SCRM policy covering technology suppliers (PLCs, firmware, industrial software)
  • Enforce MFA and privileged access management on all remote vendor sessions

Phase 3 - Integrate and Test (12-24 months)

  • Conduct tabletop exercises simulating ICS ransomware and destructive malware scenarios
  • Integrate OT security metrics into board-level enterprise risk reporting
  • Begin cryptographic dependency inventory in preparation for the post-quantum migration timeline: NIST has released a migration timeline calling for deprecation of quantum-vulnerable algorithms after 2030 and required use of quantum-resistant algorithms by 2035

The framework explicitly states that cybersecurity is no longer just an IT responsibility but a business discipline that impacts resilience and uptime as much as safety or quality. For OT leaders, cyber risk is now an operations metric, alongside downtime and safety performance.


The NIST FY2025 output does not introduce a single sweeping mandate. It does something potentially more consequential: it closes the governance gaps that have allowed OT security to remain a siloed, technically framed discipline separate from enterprise risk management. For U.S. manufacturers, the question is no longer whether OT governance will be elevated - it already has been. The question is how quickly organizations can build the structures, workflows, and board-level accountability to meet the new baseline.

Further analysis on how IT/OT convergence reshapes the security architecture underpinning these governance requirements is available in Cloud-Native MES and IT/OT Convergence Reshape Manufacturing Security Posture.


Frequently Asked Questions

Is the NIST CSF 2.0 Manufacturing Profile mandatory for U.S. manufacturers?

No. IR 8183 Revision 2 is a voluntary, risk-based framework. However, alignment is increasingly expected by federal contractors, critical infrastructure regulators, and cyber insurers. Organizations operating under CMMC, CIRCIA, or sector-specific mandates may find the profile provides a practical mapping to those enforceable requirements.

What does NIST SP 1800-41 add beyond existing ICS security guidance?

SP 1800-41 focuses on post-breach response and operational recovery in ICS/OT environments - an area most prior guidance left underspecified. Its five-phase architecture (detection, containment, eradication, recovery, post-incident analysis) is built around real manufacturing attack scenarios developed with industry collaborators.

How does the new 'Govern' function change OT security responsibilities?

The Govern function formalizes cybersecurity accountability at the organizational level - not just the IT or OT team level. It requires manufacturers to establish policies, assign ownership, and integrate cyber risk into enterprise risk management. For OT environments, this translates to board-level visibility and executive accountability for shop-floor security posture.

What is the timeline for the post-quantum cryptography migration?

NIST released a migration timeline calling for deprecation of quantum-vulnerable cryptographic algorithms after 2030 and required use of quantum-resistant algorithms by 2035. Industrial environments relying on legacy OT protocols with embedded cryptographic dependencies should begin planning migration now.

Where can manufacturers submit comments on SP 1800-41?

The public comment period for NIST SP 1800-41 is open through July 8, 2026. Organizations can access the document and submit feedback through the NCCoE Manufacturing Community of Interest project page on the NIST website.