Trusted CI Operational Technology Procurement Vendor Matrix

Operational Technology (OT), when installed on an organization's network, becomes part of the overall cyber attack surface for an organization. When procuring this OT, it is important for the purchasing organization to understand how it will integrate with the existing network and security controls as well as understand what new risks it might introduce. This document provides a prioritized list of questions for organizations to send to manufacturers and suppliers to try to get as much of this information as possible. 

Audience: Organizational leadership, procurement department, IT, cybersecurity

How to use this document: On the "Matrix" sheet of this spreadsheet document there is a list of questions for equipment vendors related to operational technology (OT). Read through the questions and familiarize yourself with them. During the procurement phase of any operational technology, you can send these questions to the OT manufacturer. It is expected that the manufacturer may take some time to get back all the information to you, so it wouldn't be unusual to have to wait a month. Make sure you plan for that in your procurement schedule. Once you receive answers from the manufacturer, it is strongly recommended that you share that information with your Cybersecurity and/or IT operations staff for a technical review and input. If you find the manufacturer's answers to be inadequate for your security needs, it is helpful to the community if you can provide the manufacturer that feedback so that they have a better understanding of the security needs of their customers. 

Companion document to the Guide to Using the Trusted CI OT Procurement Matrix. 

The Guide can be found at: 

https://zenodo.org/doi/10.5281/zenodo.13743313