The Broadside · News · standards · nist-800-171

NIST NCCoE releases SP 1800-41 draft on ICS/OT incident response

The first NIST guidance aimed squarely at manufacturing OT response and recovery signals a shift from preventive controls toward operational resilience, with CMMC implications still unresolved.


TL;DR

The NIST National Cybersecurity Center of Excellence (NCCoE) published an initial public draft of SP 1800-41, covering incident response and recovery for industrial control system (ICS) and operational technology (OT) environments in the manufacturing sector. Comments are due July 8, 2026. Defense industrial base suppliers and manufacturing contractors running ICS/OT systems should track this: if SP 1800-41 gets folded into CMMC or federal procurement mandates (still an open question), it will add operational resilience requirements on top of the existing NIST SP 800-171 preventive control baseline.


NIST's NCCoE developed SP 1800-41 alongside 11 industry collaborators, producing reference architectures, documented response and recovery scenarios, and demonstrated implementation approaches for manufacturing ICS/OT environments. The draft covers understanding incident impact on factory operations, building a response and recovery plan, and minimizing downtime during restoration, all framed for the OT context, where recovery timelines and safety constraints differ materially from IT networks.

Why this is different from what already exists

NIST SP 800-171 and the CMMC framework it underpins are prevention-oriented: they govern how contractors protect controlled unclassified information (CUI) and secure their systems against intrusion. SP 1800-41 is the first NIST Special Publication in the 1800 series (the NCCoE's practice-guide series) focused specifically on what manufacturing organizations do after an ICS/OT attack lands. That distinction matters operationally: an engineer responding to a compromised programmable logic controller faces a different problem than an IT administrator responding to a compromised workstation, and until now NIST guidance addressed the latter more concretely than the former.

The open procurement question

Whether SP 1800-41, once finalized, becomes a compliance requirement for defense contractors is unresolved. CMMC Level 2 and Level 3 assessments map to NIST SP 800-171 and SP 800-172 respectively; SP 1800-41 sits in a different publication series and carries no regulatory weight on its own. The FAR and DFARS councils would need to act (or DoD's CMMC Program Office would need to reference it) before it carries contract consequences. That has happened with prior NCCoE publications on a case-by-case basis, and given the policy emphasis on defense supply chain resilience, the pathway is plausible rather than certain.

Manufacturing contractors and defense industrial base primes operating ICS/OT environments should treat the comment period as the practical action item now. Submitting comments by July 8, 2026 is how practitioner constraints (recovery time objectives, safety interlock considerations, air-gap realities) get into the final document before any procurement reference becomes possible.

