NIST SP 800-82 Rev.3 Checklist using CSET Version 12.2.1.0

A. About NIST and CISA

The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) collaborate to develop cybersecurity standards and guidelines. NIST is part of the U.S. Department of Commerce and is primarily responsible for creating and maintaining standards, guidelines, and best practices for information security and cyber-physical security.

CISA plays a key role in leading the national effort to understand, manage, and mitigate the risks posed to cyber infrastructure. CISA has a broad mission, with three primary mission areas: cybersecurity, infrastructure security, and emergency communications.

CISA is responsible for protecting the U.S. national critical infrastructure from physical and cyber threats. Its mission is to “build the nation’s capacity to defend against cyberattacks” and to work “with the federal government to provide cybersecurity tools, incident response services, and assessment capabilities to safeguard the networks that support the critical operations of partner departments and agencies.”

B. Cyber Security Evaluation Tool (CSET)

CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate Industrial Control System (ICS) and Information Technology (IT) cybersecurity assurance practices. Users can evaluate their own cybersecurity posture against many recognized government and industry standards and recommendations. CSET provides organizations with a structured, repeatable, and measurable approach to assessing the cybersecurity posture of their IT and ICS environments. It helps identify strengths and weaknesses and provides strategic recommendations for continuous improvement.

The latest version of CSET (as of December 2024, version 12.2.1.0) supports a variety of industry-recognized cybersecurity standards and best practices, including:

  • NIST Cybersecurity Framework (CSF) version 2.0
  • NIST SP 800-82 Rev.3
  • C2M2 (Cybersecurity Capability Maturity Model), etc.

C. NIST SP 800-82 Rev.3 – The Latest Revision Update

NIST SP 800-82 Rev. 3, the latest published version of the standard, was released in September 2023. In this revision, the title of the standard was changed to include the term “Operational Technology” to encompass a broader range of OT systems, such as industrial control systems (ICS), building automation systems, transportation systems, and physical access control systems.

NIST SP 800-82 Rev. 3 provides guidance on how to improve the security of the OT environment while addressing its unique performance, reliability, and safety requirements. It provides an overview of OT and typical system topologies, identifies typical threats to the organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage the associated risks. It also maps to the NIST CSF, which makes it easier to align with that framework and supports flexible deployment and cross-mapping between NIST SP 800-82 and NIST CSF.

D. Compliance Assessment of NIST SP 800-82 Rev.3 using CSET Version 12.2.1.0

The U.S. DHS released the latest CSET update, version 12.2.1.0, in November 2024. It includes several updates over the previous version (12.1.2.0, released in December 2023). Some of the updates are listed on the CSET GitHub release page (https://github.com/cisagov/cset/releases) as follows:

  • The NIST Cybersecurity Framework (CSF) 2.0: The NIST CSF provides guidance to industry, government agencies, and other organizations to reduce cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The Framework does not prescribe how outcomes should be achieved. Rather, it maps to resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. Building on previous versions, CSF 2.0 contains new features that highlight the importance of governance and supply chains.
  • Cybersecurity Maturity Model Certification (CMMC) 2.0: The CMMC framework consists of the security requirements from NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations, and a subset of the requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The CMMC model measures the implementation of cybersecurity requirements at three levels.

This version adds the latest NIST SP 800-82 standard, revision 3, as an assessment option in CSET.

Assessing against NIST SP 800-82 Rev.3 in CSET, using the predetermined Security Assurance Level (SAL), yields a total of 185 requirements in requirement mode; no question mode is available for auditing against this standard in CSET.

NIST SP 800-82 Rev.3 has 20 requirement categories (see Appendix F – OT Overlay of the NIST SP 800-82 Rev.3 standard) and 185 total requirements mapped into those categories. The categories and the number of requirements in each are listed in the following table:

In CSET version 12.2.1.0, the requirement mode consists of a total of 185 checklist requirements. This number of checklist items makes auditing activities more manageable. Even though the total is higher than for IEC 62443-3-3 (around 116 requirements) and NIST CSF 2.0 (106 requirements), it is still affordable in certain cases compared to using the question mode of the previous NIST SP 800-82 Rev.2 standard (which contains up to 377 checklist requirements in CSET's requirement mode).

NIST SP 800-82 Rev.3 has more stringent requirements than the other common standards used in OT cybersecurity assurance, NIST CSF and IEC 62443-3-3. Its categories range from Access Control through System and Services Acquisition. In some categories it has more prescriptive requirements, with the detailed checklist shown in the table.

Let’s start building the mindset and developing the skills to prepare the Critical Infrastructure Guardian, the next ICS/OT Cyber Security Professional, to help us ensure “Nobody Gets Hurt, Nobody Gets Hacked”.

For more information on how to perform maturity assessments, vulnerability assessments, and penetration testing in an ICS/OT environment to ensure its cybersecurity assurance, explore our ICS/OT cybersecurity courses at the following link:

For consultation and technical assistance with ICS/OT cybersecurity assurance milestones, explore our services at the following link:

For direct inquiries, please email us at fedco@fedco.co.id or contact us via wa.me/628891366366