NIST SP 800-82 Rev 3

United States

10 domains

48 controls

NIST SP 800-82 Revision 3 Guide to Operational Technology (OT) Security.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (10)

Architecture

5 controls

Controls in the Architecture domain of NIST SP 800-82 Rev 3 — 5 controls
Code	Title	Description
OT-ARCH-1	Network Segmentation by Zones and Conduits	Segment OT networks into logical zones and conduits aligned with the Purdue model and IEC 62443, restricting traffic bet...
OT-ARCH-2	Industrial Demilitarised Zone (IDMZ)	Implement an Industrial DMZ between the enterprise (IT) and control (OT) networks to terminate and inspect traffic, prev...
OT-ARCH-3	Defense in Depth	Apply multiple, layered, and complementary security controls across OT architecture so that failure of any single contro...
OT-ARCH-4	Safety Instrumented System Isolation	Isolate Safety Instrumented Systems (SIS) from the Basic Process Control System (BPCS) and other networks using physical...
OT-ARCH-5	Wireless Network Architecture	Design OT wireless networks with strong authentication, encryption, segmentation from wired OT, interference mitigation,...

Host Security

6 controls

Controls in the Host Security domain of NIST SP 800-82 Rev 3 — 6 controls
Code	Title	Description
OT-HOST-1	OT Endpoint Hardening	Harden OT endpoints (HMIs, engineering workstations, servers) by disabling unnecessary services, removing default accoun...
OT-HOST-2	Application Allowlisting	Use application allowlisting on stable OT endpoints to prevent execution of unauthorised software, particularly where si...
OT-HOST-3	Anti-Malware for OT	Deploy anti-malware solutions validated by the OT vendor where supported, configure scans to avoid impacting real-time o...
OT-HOST-4	Patch Management for OT	Establish an OT patch management process that tests patches in a representative environment, schedules deployment during...
OT-HOST-5	Removable Media Controls	Control the use of removable media in OT environments through policy, scanning kiosks, port restrictions, and documented...
OT-HOST-6	Configuration Change Management	Manage changes to OT configurations, software, and firmware through documented approval, testing, version control, and r...

Identity & Access

6 controls

Controls in the Identity & Access domain of NIST SP 800-82 Rev 3 — 6 controls
Code	Title	Description
OT-IAM-1	OT Account Management	Establish account lifecycle controls for OT users, vendors, and service accounts including approval, provisioning, perio...
OT-IAM-2	Authentication and Credential Management	Apply strong authentication mechanisms appropriate to the criticality of the OT function, manage credentials securely, a...
OT-IAM-3	Least Privilege and Role Separation	Grant OT users the minimum privileges needed and separate engineering, operator, and administrative roles to limit unaut...
OT-IAM-4	Physical Authentication for Field Devices	Use physical controls such as key switches, locked cabinets, and tamper-evident seals when logical authentication on fie...
OT-RA-1	Secure Remote Access	Provide remote access to OT only via authenticated, encrypted, and brokered pathways such as jump hosts with multi-facto...
OT-RA-2	Vendor Remote Access Controls	Manage vendor remote access through individually identified accounts, contractual obligations, just-in-time enablement,...

Incident Response

5 controls

Controls in the Incident Response domain of NIST SP 800-82 Rev 3 — 5 controls
Code	Title	Description
OT-IR-1	OT Incident Response Plan	Develop and maintain an incident response plan that addresses OT-specific scenarios, integrates with safety and emergenc...
OT-IR-2	OT Incident Detection and Triage	Detect potential OT incidents through monitoring, operator reports, and safety alarms, and triage with criteria that acc...
OT-IR-3	OT Incident Containment and Eradication	Contain OT incidents using pre-authorised actions (network isolation, switching to manual control, safe state procedures...
OT-IR-4	Forensics in OT Environments	Capture forensic evidence from OT systems in a manner that preserves operational continuity, using non-disruptive techni...
OT-IR-5	Incident Exercises and Tabletops	Conduct regular tabletop and functional exercises covering OT incident scenarios, involving operations, safety, security...

Monitoring

4 controls

Controls in the Monitoring domain of NIST SP 800-82 Rev 3 — 4 controls
Code	Title	Description
OT-MON-1	OT Security Monitoring and Logging	Collect, retain, and review security-relevant events from OT devices, network gear, and supporting infrastructure, with...
OT-MON-2	Asset Inventory and Visibility	Maintain an accurate, current inventory of OT assets including firmware versions, network locations, owners, and critica...
OT-MON-3	Anomaly and Behavioural Detection	Use anomaly-based detection that learns normal OT traffic and process behaviour to identify unusual commands, new device...
OT-MON-4	Vulnerability Management for OT	Identify, assess, and remediate vulnerabilities in OT assets using passive tooling, vendor advisories, and risk-based pr...

Network Security

5 controls

Controls in the Network Security domain of NIST SP 800-82 Rev 3 — 5 controls
Code	Title	Description
OT-NET-1	OT Firewall Configuration	Configure firewalls between OT zones with explicit deny-by-default policies, granular allowlists for required protocols,...
OT-NET-2	Industrial Protocol Filtering and Inspection	Use deep packet inspection or protocol-aware filtering for industrial protocols (Modbus, DNP3, OPC, EtherNet/IP, PROFINE...
OT-NET-3	Network Intrusion Detection for OT	Deploy passive network IDS tuned for OT protocols and baselined to normal operating traffic, with alerts routed to monit...
OT-NET-4	Boundary Protection and Egress Controls	Restrict and monitor outbound connections from OT to the internet and enterprise networks, denying direct outbound traff...
OT-NET-5	OT Network Time Synchronisation	Provide authoritative, hardened time sources for OT devices to ensure consistent timestamps for event correlation, seque...

Physical Security

3 controls

Controls in the Physical Security domain of NIST SP 800-82 Rev 3 — 3 controls
Code	Title	Description
OT-PHYS-1	Physical Access Control to OT Assets	Restrict physical access to OT areas, control rooms, network closets, and field cabinets using authenticated entry contr...
OT-PHYS-2	Environmental Controls	Maintain environmental controls (temperature, humidity, power, fire suppression) appropriate to OT equipment and monitor...
OT-PHYS-3	Tamper Detection and Response	Detect and respond to tampering of OT devices, cabinets, and network equipment through seals, sensors, alarms, and inspe...

Recovery

3 controls

Controls in the Recovery domain of NIST SP 800-82 Rev 3 — 3 controls
Code	Title	Description
OT-REC-1	OT Backup and Restoration	Maintain offline, integrity-checked backups of OT configurations, PLC logic, HMI projects, and historian data, with test...
OT-REC-2	Contingency Planning	Develop contingency plans for OT covering loss of view, loss of control, and degraded operations, including manual proce...
OT-REC-3	Spare Parts and Cold Standby	Maintain spare PLCs, switches, servers, and media required for rapid replacement of failed or compromised OT components,...

Risk Management

8 controls

Controls in the Risk Management domain of NIST SP 800-82 Rev 3 — 8 controls
Code	Title	Description
OT-GOV-1	OT Security Program Governance	Establish a documented OT security program with executive sponsorship, defined roles, and integration with the enterpris...
OT-GOV-2	OT Risk Management Framework Alignment	Apply the NIST SP 800-37 Risk Management Framework to OT systems, tailoring categorisation, control selection, assessmen...
OT-GOV-3	Safety and Security Integration	Integrate cybersecurity risk management with functional safety processes so that security controls do not impair safety...
OT-RM-1	OT Risk Assessment Methodology	Adopt a risk assessment methodology that considers likelihood, vulnerability, and consequence including safety, environm...
OT-RM-2	Supply Chain Risk Management	Manage supply chain risks for OT including vendor security assessment, secure procurement language, software bill of mat...
OT-RM-3	Awareness and Training for OT	Provide role-based security awareness and training for OT personnel, including operators, engineers, maintenance staff,...
OT-RM-4	Documentation and Information Protection	Protect sensitive OT documentation including network diagrams, system configurations, and incident details from unauthor...
OT-RM-5	Continuous Monitoring of Controls	Operate a continuous monitoring program for OT controls that tracks effectiveness, identifies drift, and informs ongoing...

Specific Sectors

3 controls

Controls in the Specific Sectors domain of NIST SP 800-82 Rev 3 — 3 controls
Code	Title	Description
OT-SECTOR-1	Sector-Specific Overlay Application	Apply sector-specific overlays and regulations (electricity, water, oil and gas, manufacturing, building automation) on...
OT-SECTOR-2	Building Automation System Security	Apply OT security principles to building automation systems (HVAC, lighting, access control, elevators) that share many...
OT-SECTOR-3	Distributed and Geographically Dispersed OT	Address security for geographically distributed OT (substations, pump stations, wellheads, remote terminal units) where...

Frequently Asked Questions

What is NIST SP 800-82 Rev 3?

NIST SP 800-82 Rev 3 is a compliance framework from United States with 10 domains and 48 controls. NIST SP 800-82 Revision 3 Guide to Operational Technology (OT) Security. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-82 Rev 3 have?

NIST SP 800-82 Rev 3 has 48 controls organised across 10 domains. The largest domains are Risk Management (8 controls), Host Security (6 controls), Identity & Access (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-82 Rev 3 map to?

NIST SP 800-82 Rev 3 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with NIST SP 800-82 Rev 3 compliance?

Start your NIST SP 800-82 Rev 3 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-82 Rev 3 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 48 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required