NIST Updates PNT Cybersecurity Guidance Under CSF 2.0 to Counter GPS Disruption, AI Risks, and Supply‑Chain Threats


Key Takeaways

  • NIST released a draft revision of NISTIR 8323 Rev. 2 that updates its Positioning, Navigation, and Timing (PNT) cybersecurity profile to align with the NIST Cybersecurity Framework (CSF) 2.0.
  • The revised profile expands practical guidance on identifying PNT‑dependent systems, protecting user equipment, detecting timing anomalies, and improving response and recovery capabilities.
  • It integrates the CSF 2.0 Govern function, emphasizing executive‑level risk‑management strategies and supply‑chain risk management for PNT services.
  • Organizations are encouraged to tailor the profile to their operational requirements, business objectives, and sector‑specific threat environments.
  • The guidance serves as a flexible, risk‑based starting point that can complement existing sector‑specific PNT security efforts, even if a formal cybersecurity program is not yet in place.
  • Comments on the draft are invited until July 6, 2026, with particular interest in AI‑driven risks, third‑party dependencies, and potential additional CSF 2.0 categories.

Overview of the NIST PNT Profile Update
The National Institute of Standards and Technology (NIST) has published a draft revision of NISTIR 8323 Rev. 2, updating its foundational Positioning, Navigation, and Timing (PNT) cybersecurity profile. This update aligns the profile with the newly released NIST Cybersecurity Framework 2.0 (CSF 2.0) and seeks to provide organizations with actionable guidance for managing risks to any system or asset that relies on PNT services—such as GPS, Network Time Protocol servers, commercial timing offerings, or internal timing infrastructure. The draft is open for public comment until July 6, 2026, inviting feedback on emerging technology impacts, AI‑related risks, third‑party dependencies, and whether additional CSF 2.0 categories or references should be incorporated.


Alignment with NIST Cybersecurity Framework 2.0
NIST emphasizes that CSF 2.0 is designed to be accessible and actionable for organizations of any sector or size, including critical infrastructure owners, private industry, and small businesses. By integrating the PNT profile with CSF 2.0, organizations can align their PNT use with broader enterprise risk‑management strategies. Key updates from the prior version include the formal inclusion of the CSF Govern function, revisions to functions and categories to reflect executive‑level oversight, and updated informative references that reflect the latest cybersecurity guidance and risk mitigations. This alignment ensures that PNT resilience is treated as a core component of an organization’s overall cybersecurity posture.


Scope and Applicability of the Guidance
The revised PNT profile provides a flexible framework for managing risks affecting PNT signals and data, regardless of whether the source of risk stems from natural events, malicious activity, or unintended human actions. It is intended as a starting point that organizations can customize based on their specific operational requirements, allowing them to prioritize measures, processes, and resource allocations that best support the reliable and efficient operation of critical infrastructure applications. The profile does not replace sector‑specific efforts but rather complements them, offering a baseline that can be expanded or adapted as needed.


Govern Function Enhancements
Within CSF 2.0, the Govern function establishes how an organization defines, communicates, and monitors its cybersecurity risk‑management strategy, expectations, and policies. The PNT profile highlights this function as central to effective implementation, noting its objectives: defining organizational context, aligning cybersecurity activities with broader risk‑management strategies, establishing clear roles and responsibilities, and securing the cybersecurity supply chain. Although the Govern function includes six categories in CSF 2.0, the PNT profile focuses on the four most relevant to the responsible use and protection of PNT data and services, thereby ensuring that governance directly supports PNT resilience objectives.


Identify Function: Mapping PNT Dependencies
The Identify function guides organizations to understand their PNT dependencies and the associated cybersecurity risks. This understanding enables prioritization of security efforts in line with the risk‑management strategy and mission requirements set under Govern. Activities include identifying operational environments and assets that rely on PNT data, mapping the sources and infrastructure that provide PNT information, and assessing vulnerabilities, threats, and potential operational impacts if those threats are realized. By establishing a clear inventory of PNT‑dependent systems, organizations lay the groundwork for targeted protection, detection, and response measures.


Protect Function: Securing PNT‑Dependent Systems
The Protect function focuses on developing, implementing, and validating measures that prevent loss of functionality caused by disruption or manipulation of PNT services. It also supports preparedness activities that enable effective response and recovery. Emphasis is placed on protecting systems that generate, transmit, and rely on PNT data to maintain required levels of integrity, availability, and confidentiality. Recommended practices include understanding baseline characteristics and tolerances of PNT sources, allocating sufficient resources, managing the systems development life cycle, and enforcing training, authorization, and access controls. In the event of a disruption, verified response and recovery plans aligned with business and operational goals help maintain operational continuity.


Detect Function: Spotting Anomalies and Manipulation
The Detect function addresses the development and deployment of activities to find and analyze possible cybersecurity attacks affecting PNT services. Informed by the Identify function and enabled by the Protect function under policies set by Govern, Detect involves monitoring for anomalies, signal degradation, or manipulation of timing data. Organizations are encouraged to establish baselines for normal PNT behavior, deploy sensors or monitoring tools that can flag deviations, and integrate detection capabilities with incident‑response workflows. Timely detection is critical to limiting the impact of PNT‑related incidents and enabling swift containment.
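The baseline-and-deviation monitoring described above (and the source tolerances the Protect function asks organizations to understand) can be made concrete with a small timing-anomaly detector. This is an added example, not code from NIST or from NISTIR 8323; the `Sample`/`Baseline` structures, the tolerance heuristics, and every offset value are constructed assumptions.

```python
"""Timing-anomaly detector for a PNT-dependent host (added example, not NIST's
code). Learns a baseline from a quiet period of GPS-vs-holdover clock offsets,
then flags out-of-tolerance offsets, abrupt steps or fast drift, and
disagreement with an independent NTP source. All samples are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Sample:
    t: float           # observation time from the local monotonic clock (s)
    gps_offset: float  # GPS-derived time minus local holdover clock (s)
    ntp_offset: float  # NTP-derived time minus local holdover clock (s)

@dataclass(frozen=True)
class Baseline:
    mean_offset: float  # typical GPS-vs-holdover offset learned when quiet
    tolerance: float    # accepted |offset - mean_offset| (s)
    max_rate: float     # accepted |d(offset)/dt| (s per s)

def learn_baseline(quiet, k=4.0, floor=1e-6):
    """Derive tolerances from a quiet period; k widens them, floor bounds them."""
    offs = [s.gps_offset for s in quiet]
    rates = [abs(b.gps_offset - a.gps_offset) / (b.t - a.t)
             for a, b in zip(quiet, quiet[1:])]
    return Baseline(mean(offs), max(k * pstdev(offs), floor),
                    max(k * max(rates, default=0.0), floor))

def detect(series, base, agree_tol=1e-6):
    """Return (t, reason) pairs for every sample that violates the baseline."""
    alerts, prev = [], None
    for s in series:
        if abs(s.gps_offset - base.mean_offset) > base.tolerance:
            alerts.append((s.t, "gps_offset_out_of_tolerance"))
        if abs(s.gps_offset - s.ntp_offset) > agree_tol:
            alerts.append((s.t, "gps_ntp_disagreement"))  # sources no longer agree
        if prev is not None:
            rate = abs(s.gps_offset - prev.gps_offset) / (s.t - prev.t)
            if rate > base.max_rate:
                alerts.append((s.t, "gps_step_or_drift"))  # jump or runaway drift
        prev = s
    return alerts

# Constructed data: 10 s of +/-100 ns jitter, then a 5 us step on GPS only.
QUIET = [Sample(t, 1e-7 if t % 2 == 0 else -1e-7, 1e-7) for t in range(10)]
SERIES = QUIET + [Sample(10, 5e-6, 1e-7), Sample(11, 5e-6, 1e-7)]

def run_demo():
    return detect(SERIES, learn_baseline(QUIET))
```

Each alert reason maps to a different failure mode: a step against the holdover clock, a divergence between two independent sources, and a sustained offset that a single-source consumer would otherwise accept as truth.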


Respond and Recover Functions: Incident Handling
The Respond function covers actions taken after a cybersecurity incident is detected, supporting containment, analysis, mitigation, reporting, and communication. It is triggered by outputs from the Detect function and relies on preparedness measures established under Protect to execute predefined response plans effectively. The Recover function, while not detailed extensively in the excerpt, complements Respond by focusing on restoring normal operations, implementing improvements based on lessons learned, and ensuring that systems return to a secure state. Together, these functions aim to minimize downtime, preserve data integrity, and maintain trust in PNT‑dependent services during and after an incident.


Tailoring the Profile to Sector‑Specific Needs
NIST stresses that the PNT profile is designed to be adaptable. Organizations across sectors can tailor it by assessing which governance strategies and risk‑management outcomes should be prioritized for PNT data and services, identifying the processes and assets that directly or indirectly depend on PNT, and determining which systems are most vulnerable to disruption or manipulation. The guidance also recommends evaluating integrity and availability thresholds needed to avoid mission impact, identifying available safeguards, understanding operational consequences of degraded or lost assets, and establishing techniques to detect, respond to, and recover from PNT‑affecting events. This customization ensures that the profile remains relevant whether applied to transportation, finance, telecommunications, energy, or any other PNT‑reliant industry.


Implementation Considerations and Complementarity
While the PNT profile is most effective when implemented alongside an established cybersecurity program, NIST notes that organizations can still adopt the profile even if a formal program is not yet in place. The document summarizes relevant CSF 2.0 functions, categories, and subcategories applicable to PNT services, providing illustrative references to cybersecurity guidance, PNT‑specific recommendations, and implementation methods. However, the list is not exhaustive and may not apply equally across all sectors. Organizations are encouraged to expand and tailor the recommended controls based on their operational requirements, business objectives, and risk environment, using the profile as a baseline that can be augmented with sector‑specific standards or additional guidance as needed. This approach supports a comprehensive, risk‑based strategy for the responsible and secure use of PNT services.
