The U.S. National Institute of Standards and Technology (NIST) released a draft revision of NISTIR 8323 Rev. 2, updating its foundational Positioning, Navigation, and Timing (PNT) cybersecurity profile to align with the NIST Cybersecurity Framework 2.0. The guidance is intended to help organizations manage risks affecting systems and assets that rely on PNT services, including GPS, Network Time Protocol servers, commercial timing services, and internal timing infrastructure.
According to NIST, the revised profile expands practical guidance for identifying PNT-dependent systems, protecting user equipment from adversarial interference, detecting anomalies or manipulation of timing services, and improving response and recovery capabilities during disruptions. The agency is also seeking industry feedback on emerging technology impacts, including AI-driven risks, third-party dependencies, and whether additional CSF 2.0 categories or references should be incorporated before comments close on July 6, 2026.
“CSF 2.0 can serve all organizations, regardless of sector or size, with the objective to provide accessible and actionable guidance for all users, including but not limited to critical infrastructures, private industry, and small businesses,” NIST detailed in its draft last week. “Organizations can apply the profile to align their PNT use with their broader enterprise risk management strategy. Because PNT services can be critical to modern services and operations, key updates from the previous version include the integration of the CSF Govern Function, updates to Functions, and Categories to reflect the need for executive-level risk management strategies and oversight to achieve PNT resilience.”
It added that PNT services often rely on external suppliers, such as satellite signals and third-party manufacturers of receivers and antennas. CSF 2.0 elevates cybersecurity supply chain risk management in the ‘Govern’ function. Updates to informative references have also been made throughout the document to reflect the latest guidance and risk mitigations.
The profile also provides a flexible framework for managing risks affecting PNT signals and data, regardless of whether the source stems from natural events, malicious activity, or unintended human actions. NIST said the guidance is intended to serve as a starting point that organizations can customize based on their operational requirements, allowing them to implement measures, processes, and resource priorities best suited for the reliable and efficient operation of critical infrastructure applications.
The PNT Profile is designed to support risk-informed management of PNT services, helping organizations strengthen operational resilience and reduce the impact of signal disruptions or manipulation on critical functions. It provides guidance for establishing governance mechanisms around the use of PNT services and data, identifying systems and assets that rely on PNT, assessing operational and performance requirements, and mapping sources of PNT data.
The profile also helps organizations identify known and emerging threats targeting PNT services, equipment, and data, while promoting responsible use practices to better protect dependent systems. In addition, it outlines measures to detect disruptions or manipulation of PNT services and supports timely, effective, and resilient response and recovery from PNT-related anomalies.
The PNT Profile defines the responsible use of PNT services in the context of national and economic security. Responsible use includes adopting risk-informed management practices that allow systems to remain operational or fail safely when PNT signals are unavailable or compromised. It also promotes risk-based approaches to detect degradation, alert applications when position or timing data quality is affected, and minimize the impact of disruptions or manipulation of PNT services and data. In addition, the profile emphasizes deliberate planning and secure management of PNT services across organizational environments.
Designed as a flexible tool to help organizations support mission and business objectives that depend on PNT services, the profile can help organizations assess risks tied to the disruption or manipulation of PNT services and prioritize cybersecurity activities based on operational and business needs. The profile can also assist organizations in identifying where additional standards, practices, or guidance may be needed to manage risks affecting systems that rely on PNT services. NIST noted that the profile is intended to complement, rather than replace, existing sector-specific efforts already underway to promote the responsible and secure use of PNT services.
NIST also encourages development of additional guidance where more specific risk management efforts may be required. Organizations across sectors can tailor the PNT Profile by assessing which governance strategies and risk management outcomes should be prioritized for PNT data and services, identifying the processes and assets that directly or indirectly depend on PNT, and determining which systems are most vulnerable to disruption or manipulation of PNT services.
The guidance also recommends evaluating the integrity and availability thresholds needed to avoid mission impact, identifying available safeguards, understanding the operational consequences of degraded or lost assets, and establishing techniques to detect, respond to, and recover from events affecting PNT services and data.
The PNT Profile offers high-level cybersecurity risk mitigation strategies for PNT users, which can be tailored to an organization’s PNT-specific business and regulatory needs.
The PNT Profile can help organizations incorporate cybersecurity and can also be used to provide a baseline of PNT cybersecurity outcomes and activities for organizations within a sector or sub-sector. A sector or sub-sector Profile can be further tailored or augmented to address a unique set of PNT cybersecurity requirements, business objectives, or threats.
The NIST profile can also be tailored by individual sectors or sub-sectors to address specific PNT cybersecurity requirements, business objectives, or threat environments. NIST said the PNT Profile is intended to operate within the broader context of an organization’s cybersecurity program, which should ideally be supported by organizational risk management policies and procedures.
While the guidance is most effective when implemented alongside an established cybersecurity program, NIST noted that organizations can still adopt the PNT Profile even if a formal cybersecurity program is not yet in place.
The NIST document summarizes relevant Functions, Categories, and Subcategories applicable to PNT services. The references included throughout the profile provide examples of cybersecurity guidance, PNT-specific recommendations, and implementation methods, though NIST noted the list is illustrative rather than comprehensive and may not apply equally across all sectors. The profile focuses only on the CSF 2.0 Subcategories most relevant to PNT use cases and is intended to support a comprehensive, risk-based approach to the responsible use of PNT services.
Organizations are encouraged to tailor and expand the recommended controls and guidance based on their operational requirements, business objectives, and risk environment.
The Govern Function defines how an organization establishes, communicates, and monitors its cybersecurity risk management strategy, expectations, and policies. It provides the foundation for applying the other functions within the profile by aligning cybersecurity outcomes with mission objectives and stakeholder expectations. NIST described the Govern Function as central to the effective implementation of the PNT Profile.
Its objectives include defining organizational context, aligning cybersecurity activities with broader risk management strategies, establishing clear roles and responsibilities, and securing the cybersecurity supply chain. Within the NIST Cybersecurity Framework 2.0, the Govern Function includes six Categories, though the PNT Profile focuses specifically on the four categories most relevant to the responsible use and protection of PNT data and services.
The Identify Function guides organizations to understand their PNT dependencies and the cybersecurity risks associated with them. This understanding allows organizations to prioritize security efforts in line with their risk management strategy and mission requirements established under the Govern Function.
The function focuses on identifying operational environments and assets that rely on PNT data, mapping the sources and infrastructure that provide PNT information, and assessing vulnerabilities, threats, and potential operational impacts if those threats are realized.
The Protect Function focuses on developing, implementing, and validating measures that help prevent the loss of functionality caused by disruption or manipulation of PNT services. It also supports preparedness activities that enable effective response and recovery from cybersecurity incidents, while the execution of mitigation measures is addressed under the Respond and Recover Functions.
The function emphasizes protecting systems that generate, transmit, and rely on PNT data to maintain required levels of integrity, availability, and confidentiality. It also promotes secure deployment and use of PNT services through cybersecurity best practices, including understanding baseline characteristics and tolerances of PNT sources and data, allocating sufficient resources, managing the systems development life cycle, and enforcing training, authorization, and access controls. In the event of a disruption, the guidance aims to help organizations maintain operational continuity through verified response and recovery plans aligned with business and operational requirements.
The Detect Function addresses the development and deployment of appropriate activities to find and analyze possible cybersecurity attacks. The Detect Function is informed by the Identify Function and is enabled by the Protect Function under the policies and risk strategy determined by the Govern Function.
The Respond Function focuses on actions taken after a cybersecurity incident is detected, supporting an organization’s ability to contain the effects of disruptions or manipulation affecting PNT services or data. It covers incident management, analysis, mitigation, reporting, and communication activities. The function is triggered by outputs from the Detect Function and relies on the preparedness measures established under the Protect Function to enable organizations to execute predefined response plans effectively during an event.
In February 2023, NIST released a voluntary PNT Profile created by using the NIST Cybersecurity Framework, which can be used as part of a risk management program to help organizations manage risks to systems, networks, and assets that use PNT services. The PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, or unintentional.


