On September 29, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), in collaboration with the UK’s National Cyber Security Centre (NCSC) and five international partners, announced new joint guidance: Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture.
This publication builds on the Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, released just last month. While the earlier guidance established the importance of a comprehensive OT asset inventory, this new document dives into how organizations can use asset inventories and other data sources to establish a “definitive record” of OT assets.
In this guidance, a definitive record is defined as a continually updated, accurate view of the OT system. It is an evolving collection of information that reflects system changes over time, with every update recorded to maintain its accuracy and authority. The guidance suggests that by maintaining this definitive record, organizations can more effectively assess risks and apply proportionate security controls across their operational environments.
Signaling the growing importance of developing a deeper, definitive understanding of OT environments, this guidance was jointly developed by international security leaders including CISA (U.S.), FBI (U.S.), NCSC (UK), Australian Signals Directorate’s ACSC, Canadian Centre for Cyber Security (Cyber Centre), New Zealand’s NCSC-NZ, Netherlands’ NCSC-NL, and Germany’s Federal Office for Information Security (BSI).
The “Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture” guidance sets out a principles-based approach for how operational technology (OT) organizations should build, maintain, and store their understanding of OT systems. The five principles provide a foundation for creating a definitive record that supports risk-based decision-making and long-term resilience.
Together, these principles provide a framework for how OT organizations should build, maintain, and store system understanding. The approach is flexible, applying to both greenfield and brownfield deployments. Integrators and device manufacturers can also use the guidance to ensure their solutions support effective asset and configuration management.
Shared Momentum for OT Security
With this follow-up to the Foundations for OT Cybersecurity guidance, international agencies continue to align around practical, principles-based steps for strengthening OT resilience. With guidance around comprehensive asset inventories, and now to the concept of a definitive record, these publications emphasize the importance of building the foundational foundational elements of OT cybersecurity. Accurate, living models of OT systems are becoming a baseline requirement for running security programs that can adapt, scale, and deliver lasting resilience.
Access the full guidance here: Creating and Maintaining a Definitive View of Your OT Architecture
At Industrial Defender, the purpose of our platform is to give organizations a full, centralized understanding of their OT environments — detailed, comprehensive, and continually updated. The idea of a definitive record is at the heart of what we do. By maintaining this authoritative view of assets and configurations in one place, organizations can identify and prioritize risks more effectively while ensuring system integrity over time. Our centralized approach turns asset and architectural data into a living, actionable record that strengthens cybersecurity, supports compliance, and sustains operational resilience.
Read our solution brief to learn more, or request a demo today.
