Dispel announced the general availability of Dispel Compliance, a new governance, risk, and compliance capability within the Dispel Zero Trust Engine designed to deliver continuous, automated audit readiness for operational technology (OT) and industrial control systems (ICS) environments. The solution embeds continuous NERC CIP, NIST, and NIS2 audit evidence collection directly into OT and cyber-physical systems remote access workflows, helping organizations eliminate manual compliance preparation efforts and reduce the six-figure costs often associated with audit readiness and regulatory reporting.
Audit readiness is one of the largest hidden cost centers in industrial cybersecurity. For utilities, manufacturers, and energy operators, maintaining compliance under frameworks like NERC CIP, NIST SP 800-53, IEC 62443, and EU NIS2 requires dedicated teams, manual evidence collection, and repeated screenshot-gathering every audit cycle. Average large-cap industrial companies spend $700,000 to $1.2 million annually on these programs, a cost that represents staff time, not tooling. That burden compounds with every new remote access tool added to the environment.
Compliance friction also stalls adoption. When an OT team wants to deploy a new zero trust remote access platform, their GRC organization requires proof the tool meets audit requirements before it goes into the factory. That evaluation has historically taken months. Dispel Compliance eliminates that burden entirely: the evidence is already built, structured, and ready to hand to an auditor on day one.
“OT organizations are spending millions of dollars proving something that should be automatic — that the tools they deploy are configured correctly and meet their audit requirements,” said Ethan Schmertzler, Co-CEO, Dispel. “Dispel Compliance makes that proof continuous and immediate. The months-long GRC evaluation period disappears. What remains is a real-time view of compliance posture across your entire OT remote access program, always ready for your auditor.”
Dispel Compliance is built on OSCAL 1.1.2 — the NIST Open Security Controls Assessment Language specification used by FedRAMP and federal audit platforms. The platform continuously evaluates its own implementation of each in-scope control against the customer’s live tenant configuration. The result is a current, timestamped inheritance claim that is ready for any audit — not assembled manually in the weeks before one.
Dispel Compliance is designed to address several major friction points across the OT and ICS compliance lifecycle. For pre-deployment governance, risk, and compliance reviews, the platform provides GRC teams with an immediate, exportable assessment of the Dispel platform’s configuration against applicable regulatory and security frameworks, replacing what has traditionally been a months-long manual evaluation process with same-day validation. For ongoing compliance maintenance, the platform delivers real-time framework scoring that identifies misconfigured controls as soon as they drift from established baselines.
It also includes a configuration impact simulator that allows administrators to preview how proposed setting changes could affect inherited control coverage before changes are implemented. To simplify audit preparation and reporting, Dispel Compliance generates timestamped evidence packages that can be exported as OSCAL Component Definitions, a format widely accepted by modern GRC platforms, while also supporting CSV and PDF executive summary formats for organizations and auditors that still rely on spreadsheet-based workflows.
One evidence pipeline covers every active framework simultaneously. Organizations reporting under both NERC CIP and NIST SP 800-53 — or NIS2 and NIST CSF — draw from the same underlying evidence without maintaining separate workflows. For the EU NIS2 Directive, where no official ENISA OSCAL catalog yet exists, Dispel publishes its own first-party catalog derived directly from Implementing Regulation 2024/2690 and cross-walked to NIST 800-53, a gap no other OT remote access vendor has addressed.
Supported frameworks at launch include NERC CIP, NIST SP 800-53 Rev 5, NIST CSF 2.0, EU NIS2, IEC 62443, and SANS ICS Critical Controls.
No OT or CPS secure remote access vendor has offered native compliance automation at this depth. The prevailing approach remains manual: operators screenshot individual settings, populate auditor-provided Excel spreadsheets, and upload documentation to third-party audit platforms. A single NERC CIP audit cycle can require thousands of screenshots, with no automated mechanism to prove configurations were continuously maintained throughout the audit period.
Because Dispel Compliance is embedded in the platform itself, every configuration state is captured automatically, every change is timestamped with full provenance, and the complete audit trail exports in a single structured package. Auditors receive verifiable OSCAL evidence, not unlinked screenshots. The capability is available across cloud and on-premises Dispel Zero Trust Engine deployments, including environments requiring on-premises OT secure remote access infrastructure under NERC CIP.
Dispel Compliance is available now within the Dispel Zero Trust Engine. Dispel will be demonstrating Dispel Compliance live at the Gartner Security & Risk Management Summit 2026.


