Change Your Roadmap

Those three things are exactly what a structured CFC maturity assessment measures. And they're exactly what most organizations discover they've overestimated.

According to the Fortinet 2025 State of Operational Technology and Cybersecurity report, 81% of organizations self-assess their OT security maturity at Level 3 or 4 on a five-level scale. IEC 62443 defines Level 3 as processes that are practiced, repeatable and supported by evidence of consistent execution. Level 4 requires metrics demonstrating continuous improvement.

Independent data tells a different story. The SANS 2025 State of ICS/OT Security survey found that only about 12.6% of organizations have full visibility across the ICS Cyber Kill Chain. At the SCADA and HMI layer, where most OT attacks must operate to cause physical effects, just 10% report full visibility. Nearly one in three organizations still has no dedicated OT incident response plan.

Compliance confirms that policies exist. A structured maturity assessment confirms whether the program behind those policies actually works. Compliance scores are often a primary driver of the maturity gap -- we'll examine that dynamic specifically when we address the compliance trap in Article 8.

The CFC baseline assessment is designed to close the gap between reported and actual maturity. Executive sponsorship established the mandate. The accountability map identified who owns what. The maturity assessment is what comes next: establishing where the program actually stands before any further investment is made.

The assessment covers four domains, each measured against IEC 62443 and NIST SP 800-82 Rev. 3 benchmarks. They represent the foundational capabilities every OT security program requires before investing in advanced detection or response technology.

The vCISO series covers why an honest external baseline matters from a leadership perspective -- what it changes about investment priorities and strategy decisions. This article covers the operational mechanics: what the CFC assessment actually does, what each domain reveals, and how findings drive roadmap sequencing.

The assessment starts here because everything else depends on it. CISA's OT asset inventory guidance, published in August 2025, emphasizes that unmanaged and undocumented assets represent one of the most common and consequential gaps in critical infrastructure defenses. CISA published that guidance specifically because maintaining accurate inventories remains unsolved across critical infrastructure sectors.

OT asset discovery requires different methodology than IT discovery. Industrial environments use proprietary protocols -- Modbus, DNP3, EtherNet/IP and IEC 61850 -- that standard IT scanning tools cannot identify. Active scanning can disrupt operational devices, as NIST 800-82r3 explicitly warns. Field engineers frequently hold knowledge that documentation doesn't capture: the contractor's test device never removed from the network, the firmware updated during a maintenance window but never recorded.

The CFC assessment combines passive network monitoring, project file analysis, physical walkdowns of unmonitored segments and reconciliation with existing documentation. Common findings include assets in wrong segments, undocumented connections and firmware inconsistent with records. Those undocumented assets and connections are exactly the gaps the Shadow Current series describes -- the channels attack paths flow through when nobody is watching. The CFC assessment maps where they exist before an adversary finds them first.

With an accurate asset picture established, the assessment evaluates whether the organization can see what those assets are doing. While 49% of organizations report having OT-specific detection capabilities, only about 12.6% have visibility across the full ICS Cyber Kill Chain. Visibility at the supervisory layer is even thinner, just 10%.

Fortinet's research adds a counterintuitive finding: since 2022, the percentage of organizations claiming 100% OT visibility has been steadily declining as programs improve and actual gaps become visible. That declining confidence is a sign of maturity, not weakness. The most confident organizations are often the ones that haven't looked closely enough.

The CFC visibility review evaluates monitoring coverage across Purdue Model levels one through three, zone and conduit mapping accuracy, wireless coverage gaps and whether a defined baseline of normal operations exists to detect against.

The governance domain evaluates whether the organizational structure supporting OT security is sound enough to actually act on what the assessment finds. According to PwC's 2026 Global Digital Trust Insights report, 39% of organizations lack clear governance and defined responsibility for OT cybersecurity. Another 40% report gaps in understanding the scope of their OT cyber risk.

The CFC governance review doesn't simply evaluate whether policies exist. It evaluates whether they're practiced, whether accountable people have the authority to act on findings, and whether compliance documentation reflects operational reality rather than audit-cycle reality. The accountability map built earlier in the engagement provides the baseline; the governance assessment validates whether it reflects how decisions actually get made.

The 2025 SANS survey found 57% of organizations have a dedicated OT incident response plan, a minor increase over prior years, but still leaving 43% without one. These are largely organizations that self-assess at Level 3 or 4.

The CFC IR evaluation examines whether the plan is OT-specific, whether it covers the boundary decisions a real incident requires, whether engineering teams hold response authority, and whether it has been tested against OT-specific scenarios -- not just a generic tabletop. Recovery capability is assessed separately: backup validation, tested restoration procedures and recovery time objectives defined by system criticality.

The cost consequences of weak recovery maturity are measurable. OT system recovery is three to four times more costly and time-consuming than IT recovery, according to Rockwell Automation. The average ICS/OT ransomware incident cost $4.73 million in 2025, per RunSafe Security. The five-day vs. 42-day containment split that opened this article traces directly to this domain.

The assessment produces a risk-scored gap map across all four domains. Prioritization is driven by risk score, asset criticality, operational impact and exploitability -- not by compliance calendar or audit deadline. Organizations that sequence investment by regulatory urgency frequently build advanced detection capabilities on top of open foundational gaps. Those capabilities don't hold.

The deliverable from the CFC assessment is not a maturity score or a compliance certification. It is a prioritized improvement roadmap that reflects where the program actually is, not where internal stakeholders estimated it to be. And this baseline isn't a one-time exercise -- the continuous validation loop covered in Article 12 requires repeating this assessment on a defined cadence, using the original baseline as the benchmark for measuring how far the program has come.

An honest baseline isn't an indictment. It is the starting point that makes every subsequent investment decision accurate rather than optimistic.

The Red Team series covers the adversarial counterpart to this structured assessment: testing whether the capabilities the CFC identifies as present actually hold under realistic attack conditions. But before adversarial validation, the program needs something else -- an accurate picture of who it is defending against.

An honest baseline shows where the program stands. OT-specific threat intelligence shows what it's standing against. Most organizations are missing both. In our next article, we'll examine what threat intelligence looks like when it's actually built for OT environments -- and how it feeds into the CFC operational model.