Why this guidance now?
CISA’s message is straightforward: without a trustworthy OT asset inventory and a common taxonomy to describe it, you can’t build a modern defensible architecture or manage cyber risk in plants, substations, or distributed operations. The document ties inventory management to fundamental threat realities (such as IT/OT connectivity, insecure protocols, remote access, segmentation gaps) and ties creating and using an asset inventory to the Cybersecurity Performance Goals (CPG) baseline for critical infrastructure. In other words, an inventory isn’t a “nice to have”; it’s table stakes.
This fits squarely within other guidance and standards which you might be using already:
- NIST CSF 2.0 puts asset management in the Identify Function
- ISA/IEC 62443 makes zone-and-conduit engineering decisions depend on accurate asset knowledge
- NIST SP 800‑82r3 treats asset awareness as the starting point of risk-based OT security
How It’s Organized (and what’s inside)
Executive Summary & Introduction
The opening makes the case for an inventory, defines OT taxonomy (a structured way to classify assets by function and/or criticality), and positions an inventory with an accompanying taxonomy as the foundation for risk identification, vulnerability management, and incident response. The Guidance provides five benefits to including a taxonomy with the creation of an asset inventory, which is important as this step is often ignored or done in an ad hoc manner when organizations are attempting to create and document their asset inventory. The benefits of including a focus on creating and using an OT taxonomy are:
- Improved Organization & Management
- Enhanced Communication
- Better Decision Making
- Cost Savings
- Data Analytics & Insights
Steps to Develop Asset Inventory & Taxonomy
Starting on page 8, the guidance lays out a five-step process that asset owners and operators should follow to develop an OT asset inventory and taxonomy.
- Define Scope & Objectives:
  Determine who is going to create and, crucially, who will benefit from, the detailed inventory and taxonomy. Defining the scope of the asset inventory project, such as what facilities, systems, or zones will be included, is also a critical activity in this step. While not called out in the guidance, it is also critical to define the fields to be collected as part of the asset inventory, to avoid the duplicated effort of going back to collect information that was missed in the first collection pass.
- Identify Assets & Collect Attributes:
  Use both physical (e.g. site visits/walkdowns) and logical (e.g. network monitoring and/or active queries) processes to collect asset inventory information.
- Create a Taxonomy:
  The guidance breaks this step into five separate activities.
  - Classify Assets
    Assets may be categorized by both criticality and function. Criticality is based on the importance to safe operations or the impact of failure or compromise on the organization or the running process(es).
  - Categorize (Organize) Assets and Communication Pathways
    The guidance allows organizations to customize the way they categorize assets, but it uses the ISA/IEC 62443 concept of zones and conduits for the sample taxonomies included as appendices to the guidance.
  - Organize Structure and Relationships
    The next step in developing a taxonomy is to organize and document the relationships. This includes developing detailed documentation and identifying process dependencies (e.g. processing line A depends on ingredient management process X). Another part, which we often see missed in inventory projects, is documenting the roles and responsibilities which interact with assets, including operators, engineers, vendors, and integrators.
  - Validate and Visualize
    After organizing the information, the next step is to validate and visualize it. This includes cross-checking the collected inventory information for completeness (easier to do if you define the fields to be collected earlier in the process, as discussed in step 1, Define Scope & Objectives). Providing visual diagrams greatly helps people and teams within your organization make use of the asset inventory and taxonomy.
  - Periodically Review and Update
    Gather feedback from stakeholders who make use of the taxonomy and have a formal process for ensuring the taxonomy is meeting their needs.
- Manage & Collect Data:
  Identify additional information sources and provide a centralized data store for making the information available to stakeholders.
- Implement Life Cycle Management:
  Use the asset inventory and taxonomy to define asset life cycle stages (e.g. acquisition, deployment, maintenance, decommissioning) and policies for managing assets across their life cycle.
Next Steps After Asset Inventory & Taxonomy Development
The guidance provides five categories of next steps which organizations can take to make use of the taxonomy and inventory.
- Cybersecurity and Risk Management
  The asset inventory allows you to identify known vulnerabilities, tie those into active threat actor behaviors, and prioritize threat mitigation efforts efficiently.
- Maintenance and Reliability
  The asset inventory and taxonomy can be used to help analyze maintenance plans, prioritize vulnerability mitigations, and ensure a cost-effective spare parts program.
- Performance Monitoring and Reporting
  The taxonomy can be used to identify ways to automate and maintain the asset inventory and taxonomy over time.
- Training and Awareness
  Use training and awareness programs to get buy-in from stakeholders and to ensure the asset inventory stays up-to-date and accurate.
- Continuous Improvement
  The asset inventory and taxonomy should be maintained and improved over time, which is only possible if formal policies and processes are implemented. In Enaxy’s experience, this needs to include feedback from operators and engineers to ensure that the information is both helpful and not too onerous for them to help maintain.
Asset Inventory Fields (Appendix A)
Table 1 (pp. 15–18) identifies fields that could be part of the asset inventory and prioritizes them based on the importance of including the field in the asset inventory. The 14 high-priority fields, the fastest route to value, are:
- Active/supported communication protocols
- Asset criticality
- Asset number
- Asset role/type
- Hostname
- IP address
- Logging
- MAC address
- Manufacturer
- Model
- Operating system
- Physical location/address
- Ports/services
- User accounts
Each field includes the “why it matters” rationale (e.g., manufacturer/model/OS for vuln intel; ports/services for attack surface). The appendix also references CISA’s Malcolm and Common Security Advisory Framework (CSAF) artifacts for deeper attribute context.
Sector Examples (Appendices B–D)
CISA includes conceptual (not authoritative) taxonomy examples for the following sectors:
- Appendix B: Oil & Gas
- Appendix C: Electricity
- Appendix D: Water & Wastewater
What’s Particularly Good
The new asset inventory and taxonomy guidance includes several important and helpful ideas.
- Actionable, Sequenced Methodology
  The five-step workflow (scope → identify → taxonomy → data management → life cycle) is concise and implementable, with embedded reminders to validate/visualize and update periodically. That’s exactly the operational discipline many programs miss.
- Prioritized Data Model
  Appendix A’s High/Medium/Low signal lets teams start with 14 “must‑have” fields, and then expand. This helps under-resourced organizations sequence and prioritize the work.
- Standards-aligned Architecture
  The explicit use of other standards, such as ISA/IEC 62443 zones and conduits, to organize the taxonomy ties the inventory to real engineering decisions and processes, which may already be in use at your organization.
- Sector-specific Conceptual Taxonomies
  The Oil & Gas, Electricity, and Water/Wastewater appendices provide teams with good examples to begin classifying assets by function and criticality, even before a full site walkdown.
- Post‑inventory Guidance That Reduces Time‑to‑Value
  Binding the inventory and taxonomy to specific “next steps” pushes this beyond “cataloguing” into risk‑reduction.
Where It Could Be Stronger (Constructive Gaps)
- Metrics and Maturity
  The guide does not define metrics for inventory quality (e.g., coverage %, stale rate, attribute completeness) or a maturity ladder. Identifying those metrics can help programs improve over time.
- Normative Mappings
  While it references other standards and frameworks, there’s no explicit mapping from the activities and outputs to those frameworks. Many asset owners would benefit from documentation such as, “For this CSF outcome/62443 requirement, ensure these fields/diagrams exist.”
- Templates and Data Models
  Appendix A is excellent, and it nods to data models, but the publication of a downloadable canonical schema (relationships, cardinality, versioning) would be helpful. A sample CSV/JSON plus a RACI and change‑control template would accelerate adoption, especially for small utilities.
- A Quibble on Asset Inventory Field Prioritization
  Firmware/OS versions are listed as Medium priority in Appendix A, yet these attributes often drive vulnerability mitigation prioritization and compensating control selection for legacy devices. On internet-exposed or remotely accessible assets, consider treating these as High in your program.
- Sector Compliance Specifics
  The electricity appendix is useful, but readers would benefit from pointers to NERC CIP inventory nuances; similarly, Water/Wastewater operators could use clearer ties to sector‑specific expectations. The guide’s deliberate neutrality is sensible, but a short “see also” compliance mapping would help larger operators.
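The metrics gap and the missing sample data model above are easy to close in-house. The script below is an added example written for this post; it is not code from CISA or from the guidance. It encodes the 14 High-priority Appendix A fields as snake_case keys of a JSON-style record, builds a constructed three-asset inventory, and computes the three quality metrics named above: coverage against an expected asset list (here a constructed list standing in for engineering documents), attribute completeness over the High-priority fields, and a stale rate. The `last_verified` housekeeping field is an assumption of this example, not an Appendix A field.

```python
"""Inventory quality metrics over the Appendix A High-priority fields.

Added example with constructed sample data; not part of the CISA guidance.
"""
from datetime import date
import json

# The 14 High-priority fields from Appendix A, as snake_case record keys.
HIGH_PRIORITY_FIELDS = (
    "protocols", "criticality", "asset_number", "role_type", "hostname",
    "ip_address", "logging", "mac_address", "manufacturer", "model",
    "operating_system", "location", "ports_services", "user_accounts",
)

# Constructed sample inventory. "last_verified" (ISO date) is an assumed
# housekeeping field used for the stale-rate metric; it is not in Appendix A.
SAMPLE_INVENTORY = [
    {"asset_number": "PLC-0101", "criticality": "High", "role_type": "PLC",
     "hostname": "plc-line-a", "ip_address": "10.20.1.11",
     "mac_address": "00:00:5e:00:53:01", "manufacturer": "ExampleVendor",
     "model": "CtrlX-200", "operating_system": "firmware 3.1.4",
     "location": "Site A / Line A / Panel 3", "protocols": ["Modbus/TCP"],
     "ports_services": ["502/tcp"], "logging": "syslog to collector",
     "user_accounts": ["admin"], "last_verified": "2025-01-15"},
    {"asset_number": "HMI-0102", "criticality": "Medium", "role_type": "HMI",
     "hostname": "hmi-line-a", "ip_address": "10.20.1.20", "mac_address": "",
     "manufacturer": "ExampleVendor", "model": "ViewStation 7",
     "operating_system": "Windows 10", "location": "Site A / Control Room",
     "protocols": None, "ports_services": ["3389/tcp"], "logging": "",
     "user_accounts": ["operator"], "last_verified": "2024-06-01"},
    # A switch found by passive discovery only; most fields still unknown.
    {"asset_number": "SW-0103", "role_type": "Switch", "ip_address": "10.20.1.2",
     "manufacturer": "ExampleNet", "model": "EdgeSwitch 24"},
]

# Constructed stand-in for the asset list taken from engineering documents.
EXPECTED_FROM_ENGINEERING_DOCS = [
    "PLC-0101", "HMI-0102", "SW-0103", "PLC-0104", "RTU-0105",
]
AS_OF = date(2025, 3, 1)  # reporting date used for the stale-rate check


def is_populated(value):
    """A cell counts as populated only when it actually carries a value."""
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, (list, tuple, set, dict)):
        return len(value) > 0
    return True


def missing_fields(asset):
    """High-priority fields this asset record still lacks, in Appendix A order."""
    return [f for f in HIGH_PRIORITY_FIELDS if not is_populated(asset.get(f))]


def attribute_completeness(inventory):
    """Fraction of High-priority cells populated across the whole inventory."""
    total = len(inventory) * len(HIGH_PRIORITY_FIELDS)
    if total == 0:
        return 0.0
    filled = sum(len(HIGH_PRIORITY_FIELDS) - len(missing_fields(a)) for a in inventory)
    return filled / total


def stale_rate(inventory, as_of, max_age_days=180):
    """Fraction of assets never verified or verified more than max_age_days ago."""
    if not inventory:
        return 0.0
    stale = 0
    for asset in inventory:
        verified = asset.get("last_verified")
        if not verified or (as_of - date.fromisoformat(verified)).days > max_age_days:
            stale += 1
    return stale / len(inventory)


def coverage(inventory, expected_asset_numbers):
    """(fraction of expected assets present, sorted list of expected assets not found)."""
    found = {a.get("asset_number") for a in inventory}
    expected = set(expected_asset_numbers)
    missing = sorted(expected - found)
    fraction = 1.0 if not expected else (len(expected) - len(missing)) / len(expected)
    return fraction, missing


def quality_report(inventory, expected_asset_numbers, as_of, max_age_days=180):
    """One report dict a program owner can track from review to review."""
    cov, missing_assets = coverage(inventory, expected_asset_numbers)
    return {
        "coverage": cov,
        "missing_assets": missing_assets,
        "attribute_completeness": attribute_completeness(inventory),
        "stale_rate": stale_rate(inventory, as_of, max_age_days),
        "incomplete_assets": {a["asset_number"]: missing_fields(a)
                              for a in inventory if missing_fields(a)},
    }


if __name__ == "__main__":
    print(json.dumps(quality_report(SAMPLE_INVENTORY, EXPECTED_FROM_ENGINEERING_DOCS, AS_OF), indent=2))
```

Run it once per review cycle and keep the numbers: a falling stale rate and a rising completeness figure are the "maturity ladder" the guide leaves undefined, and the per-asset `incomplete_assets` list doubles as the walkdown worksheet for the next site visit.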
A Roadmap for Implementing This Guidance
The following is a sample timeline for implementing this guidance to drive risk reduction within your organization.
Days 0–30: Lay the Groundwork
Begin laying the groundwork for improving your asset inventory program.
- Name an accountable owner and set governance
- Ensure executive leadership involvement and support
- Define “asset” and scope (site(s), process(es), stakeholders)
- Pick your classification approach now
  - Criticality first (fastest risk payoff)
  - Function (may already be defined)
  - Hybrid – tailor it to your organization – anything is better than not doing something
- Decide your “High‑priority” fields and document a naming convention for assets and locations
Days 31–60: Take the First Step
Begin your asset inventory improvement initiative by building the inventory and taxonomy. Depending on the maturity level of your security program, this may be done at a pilot site or with an initial team to make it more manageable than attempting to achieve 100% coverage across all sites or processes.
- Identify assets with a walkdown + passive discovery + engineering docs. Use active scans only if you have experience and expertise in using them without impacting the safe and reliable operations of the network.
- Populate the High priority fields for all Level 3/2 devices first (control, supervisory), then expand outward. Use manufacturer/model to link KEV/CVE exposure.
- If it doesn’t exist yet, sketch zones and conduits from what you’ve learned. A whiteboard-level map is enough initially.
- Centralize the data. Even a simple CMDB/asset tool is fine if it stores the fields and relationships you need.
Days 61–90: Make It Work for You
Take the steps to make the information and data you’ve collected useful to stakeholders across your organization.
- Run your first “KEV sweep.” Cross‑reference your inventory against CISA’s Known Exploited Vulnerabilities (KEV) list and stage mitigations for the most critical zones and assets, especially those which can be reached via remote access.
- Tie to your framework of record. Examples include:
  - If you use NIST CSF, create/update your Current Profile for ID.AM and related outcomes; set your Target Profile and track progress via CSF tiers.
  - If you use ISA/IEC 62443, translate the taxonomy into zones/conduits and start assigning security levels/requirements.
  - If you use CISA CPGs, record the inventory as evidence against Identify‑focused goals and continue working through the CPG checklist.
  - If you follow SP 800‑82, align your inventory and taxonomy with the OT overlay control selection and your risk register.
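The “KEV sweep” above is a join between your inventory and CISA's Known Exploited Vulnerabilities catalog, followed by a ranking that puts remotely reachable, high-criticality assets first. The script below is an added example for this post, not CISA tooling and not code from the guidance. The KEV rows use the field names of CISA's published KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but the entries themselves are constructed placeholders, not real catalog records; in practice you would load the `vulnerabilities` array from the downloaded feed. The inventory rows are constructed too, and `remote_access` is an assumed flag of this example, not an Appendix A field.

```python
"""KEV sweep: join an OT inventory to a KEV-style catalog and rank the hits.

Added example with constructed data; the CVE ids below are placeholders.
"""
import re

# Constructed inventory rows using Appendix A fields (manufacturer, model,
# criticality) plus an assumed "remote_access" flag for reachability.
SAMPLE_INVENTORY = [
    {"asset_number": "PLC-0101", "manufacturer": "ExampleVendor", "model": "CtrlX-200",
     "criticality": "High", "remote_access": False},
    {"asset_number": "HMI-0102", "manufacturer": "ExampleVendor", "model": "ViewStation 7",
     "criticality": "Medium", "remote_access": True},
    {"asset_number": "RTU-0105", "manufacturer": "ExampleVendor", "model": "CtrlX-200",
     "criticality": "Medium", "remote_access": True},
    {"asset_number": "SW-0103", "manufacturer": "ExampleNet", "model": "EdgeSwitch 24",
     "criticality": "Low", "remote_access": False},
]

# Constructed KEV-style entries (placeholder CVE ids, not real catalog rows).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "CtrlX-200",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ViewStation",
     "dateAdded": "2025-02-03", "dueDate": "2025-02-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Gateway 9",
     "dateAdded": "2025-02-11", "dueDate": "2025-03-04", "knownRansomwareCampaignUse": "Unknown"},
]

CRITICALITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


def normalise(text):
    """Lower-case and drop punctuation/spaces so 'CtrlX-200' matches 'ctrlx 200'."""
    return re.sub(r"[^a-z0-9]", "", (text or "").lower())


def find_kev_matches(inventory, kev_entries):
    """Pair each asset with every KEV entry whose vendor matches and whose
    product name is contained in the asset's model (KEV products are often
    family names, so substring matching catches model variants)."""
    matches = []
    for asset in inventory:
        vendor, model = normalise(asset["manufacturer"]), normalise(asset["model"])
        for entry in kev_entries:
            if normalise(entry["vendorProject"]) == vendor and normalise(entry["product"]) in model:
                matches.append((asset, entry))
    return matches


def score(asset, entry):
    """Mitigation priority: criticality first, then remote reachability,
    then a bump when the catalog reports ransomware campaign use."""
    total = 2 * CRITICALITY_WEIGHT.get(asset.get("criticality"), 0)
    if asset.get("remote_access"):
        total += 3
    if entry.get("knownRansomwareCampaignUse") == "Known":
        total += 1
    return total


def kev_sweep(inventory, kev_entries):
    """Ranked worklist of (asset, CVE) pairs, highest priority first."""
    rows = [{"asset_number": a["asset_number"], "cveID": e["cveID"],
             "dueDate": e["dueDate"], "score": score(a, e)}
            for a, e in find_kev_matches(inventory, kev_entries)]
    return sorted(rows, key=lambda r: (-r["score"], r["asset_number"]))


if __name__ == "__main__":
    for row in kev_sweep(SAMPLE_INVENTORY, KEV_SAMPLE):
        print(f'{row["score"]:>2}  {row["asset_number"]:<9} {row["cveID"]}  due {row["dueDate"]}')
```

Treat the output as a candidate list for an engineer to confirm, not as a finding: vendor and product strings in the catalog are not guaranteed to match how your inventory spells them, and the substring match trades a few false positives for fewer silent misses. Firmware/OS version is what turns a candidate into a confirmed exposure, which is why the earlier quibble about its Medium priority matters.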
Beyond 90 Days: Institutionalize
Ensure that the effort you’ve put into this project continues to pay dividends.
- Implement lifecycle management & change control. Require inventory updates for every commissioning/decommissioning event and use periodic audits to ensure accuracy.
- Performance & training. Identify owners for each data set, monitor coverage/freshness of the data, and train operators/technicians on taxonomy and data maintenance.
- Include secure‑by‑design procurement and/or cybersecurity-aware commissioning, deployment, and operations. Include inventory/taxonomy deliverables in contracts (naming, attributes, SBOM/advisory feeds).
Bottom line
CISA’s Foundations for OT Cybersecurity: Asset Inventory Guidance is likely the clearest and most implementation-oriented public document (excluding vendor-specific guidance/documentation) on building an OT inventory that actually drives risk reduction. It gives you a step-by-step path, a prioritized field list, sector examples, and a post-inventory playbook tied to KEV, MITRE ICS ATT&CK, and operationalizing other requirements/frameworks. Add a few pieces such as metrics, framework mappings, ideas for gaining executive and operational team buy-in, and some templates, and you have everything needed to operationalize asset intelligence at scale.
Ready to Take Action?
At Enaxy, we help industrial organizations move beyond static inventories and into operationalized asset intelligence. Whether you’re starting from scratch or enhancing an existing system, we tailor solutions that integrate seamlessly with your workflows and security goals.
Let’s turn asset data into actionable insights.
Contact us at info@enaxy.com to explore how we can help you leverage CISA’s guidance and elevate your OT cybersecurity maturity.