What is Saudi Arabia’s NCA OTCC-1:2022 Compliance?
Saudi Arabia’s NCA OTCC-1:2022 compliance refers to adherence to the Operational Technology Cybersecurity Controls (OTCC-1:2022) issued by the Saudi National Cybersecurity Authority (NCA). This national standard defines baseline cybersecurity controls for critical infrastructure and industrial environments in the Kingdom of Saudi Arabia, focusing on the protection of operational technology (OT) assets across energy, water, transportation, and manufacturing sectors.
Why is Saudi Arabia’s NCA OTCC-1:2022 Compliance Important?
As part of Saudi Arabia’s Vision 2030 and national cybersecurity initiatives, the NCA developed OTCC-1:2022 to establish a regulatory foundation for protecting OT systems from cyber threats. The standard is mandatory for regulated critical infrastructure entities and emphasizes technical, administrative, and procedural controls across 12 domains, including network segmentation, access control, secure remote access, and auditability.
Key access-related requirements include:
- Enforcing role- and risk-based access control for OT systems
- Implementing multi-factor authentication (MFA) and identity verification
- Preventing the use of shared or default credentials
- Logging and auditing all remote access activity
- Controlling third-party and vendor access workflows
- Ensuring session monitoring and least privilege access
How Does Xona Help with OTCC-1:2022 Compliance?
Xona helps Saudi Arabian critical infrastructure operators meet OTCC-1:2022 technical controls for secure remote access, identity assurance, and auditability. Built for OT environments, the Xona platform enforces:
- Role-based and time-based access policies
- Multi-factor authentication (MFA) and credential injection
- Protocol isolation using browser-based access to RDP, VNC, SSH, and more
- Session logging, video recording, and real-time monitoring
- Vendor access controls with identity-level accountability and session termination
These capabilities map to the following OTCC-1:2022 control domains:
- AC (Access Control)
- IA (Identification and Authentication)
- RA (Remote Access Management)
- AU (Audit and Accountability)
- SI (System Integrity)
These capabilities enable organizations in the Kingdom of Saudi Arabia to deliver compliant remote access workflows that meet the NCA’s regulatory mandate without exposing critical systems to unmanaged risk.
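As an added illustration of the access requirements listed above (this is example code written for this page, not Xona's software and not text from the NCA standard), the following Python evaluator applies them as a deny-by-default decision: it rejects shared or default accounts, requires verified MFA, restricts each role to specific OT asset classes and protocols, enforces a time-bound access window, and writes an audit record for every decision, allowed or denied. All user names, roles, asset classes, and time windows are constructed for the example.

```python
"""Deny-by-default access evaluator for OT remote access.

Added example, not vendor code. Roles, users, assets and time windows
below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role policy: which asset classes and protocols each role may reach.
ROLE_POLICY = {
    "plc_engineer": {"assets": {"plc"}, "protocols": {"ssh", "vnc"}},
    "hmi_operator": {"assets": {"hmi"}, "protocols": {"rdp", "vnc"}},
    "vendor": {"assets": {"plc"}, "protocols": {"ssh"}},
}

# Account names treated as shared or default accounts; never granted access.
BLOCKED_ACCOUNTS = {"admin", "operator", "root", "shared"}


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    asset_class: str
    protocol: str
    window_start: datetime  # approved access window (UTC), e.g. from a vendor ticket
    window_end: datetime
    requested_at: datetime


@dataclass
class AuditLog:
    """Append-only record of every access decision, including denials."""
    entries: list = field(default_factory=list)

    def record(self, req: AccessRequest, allowed: bool, reason: str) -> None:
        self.entries.append({
            "ts": req.requested_at.isoformat(),
            "user": req.user,
            "role": req.role,
            "asset": req.asset_class,
            "protocol": req.protocol,
            "decision": "ALLOW" if allowed else "DENY",
            "reason": reason,
        })


def evaluate(req: AccessRequest, log: AuditLog) -> tuple:
    """Return (allowed, reason). Every outcome is logged before returning."""
    def decide(allowed: bool, reason: str):
        log.record(req, allowed, reason)
        return allowed, reason

    if req.user.lower() in BLOCKED_ACCOUNTS:
        return decide(False, "shared or default account")
    if not req.mfa_verified:
        return decide(False, "MFA not verified")
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return decide(False, "unknown role")
    if req.asset_class not in policy["assets"]:
        return decide(False, "asset not permitted for role")
    if req.protocol not in policy["protocols"]:
        return decide(False, "protocol not permitted for role")
    if not (req.window_start <= req.requested_at < req.window_end):
        return decide(False, "outside approved access window")
    return decide(True, "allowed")


def demo():
    """Run constructed requests through the evaluator; returns (results, log)."""
    log = AuditLog()
    utc = timezone.utc
    window = dict(window_start=datetime(2024, 1, 15, 8, 0, tzinfo=utc),
                  window_end=datetime(2024, 1, 15, 12, 0, tzinfo=utc))
    inside = datetime(2024, 1, 15, 9, 30, tzinfo=utc)
    after = datetime(2024, 1, 15, 13, 0, tzinfo=utc)
    requests = [
        AccessRequest("s.ahmed", "vendor", True, "plc", "ssh", requested_at=inside, **window),
        AccessRequest("s.ahmed", "vendor", True, "plc", "ssh", requested_at=after, **window),
        AccessRequest("admin", "plc_engineer", True, "plc", "ssh", requested_at=inside, **window),
        AccessRequest("m.khan", "hmi_operator", False, "hmi", "rdp", requested_at=inside, **window),
        AccessRequest("m.khan", "hmi_operator", True, "plc", "rdp", requested_at=inside, **window),
        AccessRequest("s.ahmed", "vendor", True, "plc", "vnc", requested_at=inside, **window),
    ]
    results = [evaluate(r, log) for r in requests]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for entry in log.entries:
        print(entry)
```

The point of the structure is that the audit record is produced inside the decision path, so a denied attempt (wrong window, shared account, missing MFA) leaves the same evidence as a successful session; a real deployment would ship those records to a central, tamper-evident log store rather than keep them in memory.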
Frequently Asked Questions
What types of organizations are required to comply with NCA OTCC-1:2022?
OTCC-1:2022 applies to public and private sector entities in Saudi Arabia that own, operate, or manage critical national infrastructure (CNI), including organizations in energy, utilities, water, manufacturing, and transportation sectors. The regulation covers all OT/ICS environments deemed critical to national operations.
What are the key access control requirements in OTCC-1:2022?
OTCC-1:2022 mandates strict identity and access controls, including role-based access (RBAC), multi-factor authentication (MFA), time-bound access, and the elimination of default and shared credentials. It also requires that all remote access be logged, recorded, and justified by a cybersecurity risk assessment.