NIST updates PNT cybersecurity profile

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence published a draft update on May 6 to its foundational cybersecurity profile for positioning, navigation and timing services. The document, NIST Internal Report 8323 Revision 2, updates the profile to align with Cybersecurity Framework 2.0 and covers systems that rely on GPS, public NIST and U.S. Naval Observatory network time servers, commercial services and internal timing systems. NIST said the profile is meant to help organizations manage risks to systems, networks and assets that use those services. Public comments are due July 6, 2026. ### What exactly did NIST publish? NIST said the release is an initial public draft of IR 8323 Revision 2, titled “Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing Services.” The profile was originally built on Cybersecurity Framework 1.1 and has now been revised to match CSF 2.0, with updated references to standards, guidelines and practices. (nist.gov) May 6, 2026 is the publication date listed on the Computer Security Resource Center page for the draft. The listed authors include Suzanne Lightman, Ya-Shian Li-Baboud, Nakia Grayson and James McCarthy of NIST, along with Joseph Brule, Karri Meldorf, Doug Northrip, Arthur Scholz and Theresa Suloway of MITRE. ### Which systems does the profile cover? (nist.gov) NIST said the profile applies to organizations that use PNT services such as Global Positioning Systems, public NIST and United States Naval Observatory Network Time Protocol servers, commercial services and internal systems. The agency described the document as broadly applicable and said it can serve as a base for sector-specific guidance. (csrc.nist.gov) The NIST PNT program page says those services underpin precision timing for cellphone calls, financial transaction timestamps and transportation systems including aircraft, ships, trains and cars. The same page says disruptions can come from radio interference, space weather or intentional interference. ### What risks does the new draft highlight? (nist.gov) NIST said the revised draft is seeking targeted feedback on whether the profile addresses emerging technologies, including artificial intelligence, and whether it properly addresses third-party and data dependency risks. The agency also asked whether additional CSF 2.0 categories or subcategories should be added. (nist.gov) The draft also says organizations can use the profile to identify systems dependent on PNT, identify appropriate PNT sources, protect PNT user equipment from adversaries, detect anomalies and manipulation of PNT services, and respond to and recover from service disruptions. NIST’s PNT page says GPS transmissions can be disrupted unintentionally or intentionally, and that the 2020 executive order behind the work was aimed at making critical infrastructure more resilient to such disruptions. (nist.gov) ### How does CSF 2.0 change the discussion? NIST said the revised profile now lets organizations apply it to “govern cybersecurity risk management” in addition to identifying, protecting, detecting, responding and recovering. The draft’s request for comment calls out the new Govern function and asks whether added applicability text or references are needed. (nist.gov) One question in the draft focuses on CSF 2.0 subcategory GV.SC-06, which covers planning and due diligence before entering supplier or other third-party relationships. NIST said it wants feedback because users of PNT information do not always have a direct relationship with the sources of PNT data. Another question asks whether the profile’s treatment of protecting data in use is appropriate. (nist.gov) ### Why is NIST updating the profile now? February 12, 2020 is the date of Executive Order 13905, which directed the federal government to strengthen national resilience through responsible use of positioning, navigation and timing services. NIST’s PNT page says the order called for profiles to help organizations make risk-informed decisions and said the profile should be updated every two years or as needed. (nist.gov) January 31, 2023 was the release date for Revision 1 of the foundational PNT profile. NIST said that earlier revision added five new Cybersecurity Framework subcategories and two appendices, while the 2026 draft is the update that aligns the profile with CSF 2.0. ### What happens next? July 6, 2026 is the deadline NIST set for public comments, which the agency said should be sent to pnt-nccoe@nist.gov using the instructions on the project page. (nist.gov) NIST said the project team will use that feedback to finalize Revision 2 later in 2026. (nist.gov)