U.S. and international regulators are accelerating efforts to require critical manufacturing operators to unify software bill of materials (SBOM) inventories, network segmentation controls, and continuous telemetry within a single operational technology (OT) incident response framework. The push reflects mounting attack volumes, impending mandatory reporting deadlines, and new federal guidance that reframes asset visibility as a prerequisite to OT security compliance rather than a supplement to it.
Regulatory Background
The convergence stems from several overlapping mandates. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed in March 2022, will require covered critical infrastructure entities, including those in the Critical Manufacturing sector, to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. CISA delayed its CIRCIA final rule from October 2025 to May 2026, citing the volume of public comments and the need to harmonize requirements with other federal cyber reporting frameworks. In parallel, CISA published updated draft guidance on SBOM minimum elements in August 2025, building on the 2021 NTIA baseline and significantly expanding the required metadata to include fields for provenance, authenticity, and machine-processable formats. The public comment period on that draft closed on October 3, 2025.
On the inventory and segmentation front, CISA, in partnership with the FBI, NSA, EPA, and cybersecurity authorities in Australia, Canada, Germany, the Netherlands, and New Zealand, published OT asset inventory guidance in August 2025, providing practical taxonomy development steps and explicitly linking asset visibility to improved network segmentation and incident response readiness. The guidance identifies insufficient network segmentation as a primary attack vector enabling lateral movement from IT into OT environments.
Operational Requirements and Standards
For metal, glass, and other high-volume process manufacturers, the regulatory stack now points toward three interlocking technical requirements. SBOMs must catalog every software component embedded in control systems, from PLCs and HMIs down to firmware modules, to support rapid vulnerability identification when CISA issues an advisory. CISA's 2025 SBOM draft calls for machine-processable SBOM formats, such as SPDX and CycloneDX, to support scalable integration into broader cybersecurity and vulnerability management workflows.
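The "rapid vulnerability identification" step above is, in practice, a join between a machine-processable SBOM and an advisory's list of affected components. The following is an added example of that join; it is not CISA's or any vendor's tooling. The CycloneDX document and the advisory entries are constructed sample data (the field names follow the CycloneDX JSON schema, but the component names, versions and the hypothetical "line3-hmi-workstation" asset are made up, and no advisory identifier is invented).

```python
"""Match a CycloneDX SBOM against an advisory's affected-component list.

Added example, not from CISA or any SBOM vendor. The SBOM and advisory
below are constructed; real SBOMs come from component-analysis tooling and
real advisories from CISA or vendor feeds.
"""
import json
from typing import Iterable

# Constructed CycloneDX 1.5-style SBOM for a hypothetical HMI workstation.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "device", "name": "line3-hmi-workstation"}},
  "components": [
    {"type": "library", "name": "libmodbus", "version": "3.1.6",
     "purl": "pkg:generic/libmodbus@3.1.6"},
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "firmware", "name": "plc-runtime", "version": "2.4.0",
     "purl": "pkg:generic/plc-runtime@2.4.0"}
  ]
}
"""

# Constructed advisory: affected component name and the first fixed version.
# A real advisory would carry a CVE or ICSA identifier; none is invented here.
SAMPLE_ADVISORY = [
    {"component": "libmodbus", "fixed_in": "3.1.7"},
    {"component": "plc-runtime", "fixed_in": "2.3.5"},
]


def parse_version(v: str) -> tuple:
    """Split a dotted version into a comparable tuple of (number, suffix).

    Numeric segments compare numerically; a trailing alpha suffix such as the
    'k' in 1.1.1k is kept as a string so ordering stays deterministic.
    """
    parts = []
    for seg in v.split("."):
        i = 0
        while i < len(seg) and seg[i].isdigit():
            i += 1
        parts.append((int(seg[:i]) if i else 0, seg[i:]))
    return tuple(parts)


def load_components(sbom_json: str) -> list:
    """Return the component list of a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return bom.get("components", [])


def affected_components(sbom_json: str, advisory: Iterable[dict]) -> list:
    """Return SBOM components whose installed version is below the fixed version."""
    fixed_by_name = {a["component"]: a["fixed_in"] for a in advisory}
    hits = []
    for comp in load_components(sbom_json):
        fixed = fixed_by_name.get(comp.get("name"))
        if fixed is None:
            continue  # component not named in this advisory
        if parse_version(comp["version"]) < parse_version(fixed):
            hits.append({"name": comp["name"], "installed": comp["version"],
                         "fixed_in": fixed, "purl": comp.get("purl")})
    return hits


if __name__ == "__main__":
    for h in affected_components(SAMPLE_SBOM_JSON, SAMPLE_ADVISORY):
        print(f"{h['name']} {h['installed']} is affected; fixed in {h['fixed_in']}")
```

With the constructed data, only libmodbus is reported: plc-runtime 2.4.0 is already above the fixed version, and openssl is not named in the advisory. The point of keying on the SBOM's `purl` and version fields rather than on free-text names is that the same check can be run unattended across every asset's SBOM the moment an advisory lands, which is what the 72-hour reporting window assumes you can do.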
Network zoning under the ISA/IEC 62443 Zones and Conduits model remains the dominant segmentation architecture for OT environments. ISA/IEC 62443 organizes assets into security zones grouped by criticality, with conduits serving as controlled communication pathways that restrict lateral movement between zones. CISA's OT asset inventory guidance explicitly references this standard as the basis for segmentation architecture decisions.
Telemetry requirements tie directly to CIRCIA's 72-hour reporting window. CISA has stated that organizations without 24/7 monitoring capability will struggle to meet the "reasonable belief" trigger that activates the reporting obligation. NIST SP 800-82 Revision 3, published in September 2023, addresses this gap by prescribing network monitoring, anomaly detection, event logging, and segmentation as integrated controls across OT environments that include IIoT and hybrid IT/OT architectures.
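The zones-and-conduits model in the segmentation paragraph and the network-monitoring control in the telemetry paragraph meet in one concrete check: every observed flow should either stay inside a zone or cross it through a defined conduit. The following is an added example of that check, written here to illustrate the two paragraphs; it is not from CISA's guidance, ISA, NIST, or any product. The zone map, conduit table and flow records are constructed (subnets, ports and the "supervisory"/"control" zone names are illustrative), and the flow-record format is an assumed `src dst proto port` line rather than any real collector's output.

```python
"""Evaluate observed flows against an ISA/IEC 62443-style zones-and-conduits
policy and report cross-zone traffic that has no conduit.

Added example, not from CISA, ISA or any vendor. Zones, conduits and the
flow records are constructed; real input would come from the asset
inventory and a flow collector or firewall log.
"""
from dataclasses import dataclass
import ipaddress

# Constructed asset inventory: one subnet per zone.
ZONES = {
    "enterprise":  ipaddress.ip_network("10.10.0.0/16"),
    "dmz":         ipaddress.ip_network("10.20.0.0/24"),
    "supervisory": ipaddress.ip_network("10.30.0.0/24"),  # SCADA / HMI hosts
    "control":     ipaddress.ip_network("10.40.0.0/24"),  # PLCs
}

# Constructed conduit policy: (source zone, destination zone) -> allowed TCP ports.
# Any zone pair not listed has no conduit, so traffic across it is a violation.
CONDUITS = {
    ("enterprise", "dmz"):         {443},
    ("dmz", "supervisory"):        {443},
    ("supervisory", "control"):    {502},  # Modbus/TCP from HMI to PLC
    ("control", "supervisory"):    {502},
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow_line(line: str) -> Flow:
    """Parse the assumed 'src dst proto port' record format."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto, int(port))


def evaluate_flow(flow: Flow) -> tuple:
    """Return (verdict, detail); verdict is ok, intra-zone, unknown-asset or violation."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (sz, dz):
        return ("unknown-asset", f"{flow.src}->{flow.dst} has an uninventoried endpoint")
    if sz == dz:
        return ("intra-zone", f"{sz}: {flow.src}->{flow.dst}:{flow.port}")
    allowed = CONDUITS.get((sz, dz), set())
    if flow.proto == "tcp" and flow.port in allowed:
        return ("ok", f"{sz}->{dz}:{flow.port} via permitted conduit")
    return ("violation", f"{sz}->{dz}:{flow.port}/{flow.proto} has no conduit")


# Constructed flow records.
SAMPLE_FLOWS = """
10.10.5.23 10.20.0.10 tcp 443
10.30.0.5 10.40.0.17 tcp 502
10.10.5.23 10.40.0.17 tcp 502
10.30.0.5 10.30.0.6 tcp 3389
10.10.5.23 10.40.0.17 tcp 44818
192.168.99.4 10.40.0.17 tcp 502
""".strip().splitlines()


def audit(lines) -> dict:
    """Group flow records by verdict."""
    report = {"ok": [], "intra-zone": [], "unknown-asset": [], "violation": []}
    for line in lines:
        verdict, detail = evaluate_flow(parse_flow_line(line))
        report[verdict].append(detail)
    return report


if __name__ == "__main__":
    for verdict, details in audit(SAMPLE_FLOWS).items():
        for d in details:
            print(f"{verdict:14} {d}")
```

Two of the constructed records are direct enterprise-to-control flows with no conduit, which is exactly the IT-to-OT lateral path the asset inventory guidance calls out; a third involves an address that is in no zone at all, which is an inventory gap before it is a policy question. Intra-zone traffic is reported separately because the conduit model says nothing about it, yet it is still the kind of event logging NIST SP 800-82 expects you to keep.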
The threat backdrop reinforces urgency. According to a 2025 OT threat landscape analysis, CISA reported a 60% surge in ICS-targeted cyberattacks in 2024-2025, with many exploiting flat, unsegmented OT networks. A separate industry survey found that 78% of manufacturers reported experiencing a cyberattack in the prior year.
Outlook
CISA estimates more than 300,000 entities across 16 critical infrastructure sectors will be subject to CIRCIA reporting requirements once the final rule takes effect. The EU's Cyber Resilience Act, which entered into force in December 2024, adds pressure for manufacturers with European market exposure: the CRA requires comprehensive SBOMs for all products with digital elements and mandates timely vulnerability patching, with full enforcement beginning in 2026. Plant managers and process engineers should treat the current window, before CIRCIA's final rule lands, as operational lead time to align SBOM generation tooling, segmentation architecture reviews under IEC 62443, and telemetry pipelines with emerging unified audit criteria.
