Glossary
Saudi Arabia’s NCA OTCC-1:2022 compliance refers to adherence to the Operational Technology Cybersecurity Controls (OTCC-1:2022) issued by the Saudi National Cybersecurity Authority (NCA). This national standard defines baseline cybersecurity controls for critical infrastructure and industrial environments in the Kingdom of Saudi Arabia, focusing on the protection of operational technology (OT) assets across energy, water, transportation, and manufacturing sectors.
As part of Saudi Arabia’s Vision 2030 and national cybersecurity initiatives, the NCA developed OTCC-1:2022 to establish a regulatory foundation for protecting OT systems from cyber threats. The standard is mandatory for regulated critical infrastructure entities and emphasizes technical, administrative, and procedural controls across 12 domains, including network segmentation, access control, secure remote access, and auditability.
Key access-related requirements include:
Failure to comply with OTCC-1:2022 can result in regulatory penalties and increased exposure to cyber risk, particularly in industries with high national impact.
Xona helps Saudi Arabian critical infrastructure operators meet OTCC-1:2022 technical controls for secure remote access, identity assurance, and auditability. Built for OT environments, the Xona platform enforces:
Xona directly aligns with OTCC-1:2022 Control Domains including:
These capabilities enable organizations in the Kingdom of Saudi Arabia to deliver compliant remote access workflows that meet the NCA’s regulatory mandate without exposing critical systems to unmanaged risk.
OTCC-1:2022 applies to public and private sector entities in Saudi Arabia that own, operate, or manage critical national infrastructure (CNI), including organizations in energy, utilities, water, manufacturing, and transportation sectors. The regulation covers all OT/ICS environments deemed critical to national operations.
OTCC-1:2022 mandates strict identity and access controls, including role-based access (RBAC), multi-factor authentication (MFA), time-bound access, and the elimination of default and shared credentials. It also requires that all remote access be logged, recorded, and justified by a cybersecurity risk assessment.
Xona enforces OTCC-aligned access policies using protocol isolation, browser-based sessions, and credential injection to prevent password exposure. It supports MFA, session monitoring, time restrictions, and role enforcement, enabling secure, risk-assessed remote access that aligns with OTCC controls.
Xona logs all session activity and provides full video session recordings, satisfying OTCC-1:2022 requirements for audit trail integrity and remote session oversight. Logs are immutable and exportable for compliance audits, aligning with cybersecurity event management mandates.
Yes. Xona enables vendors and contractors to access OT systems through defined, monitored sessions without VPNs or direct connectivity. This meets OTCC-1:2022 third-party cybersecurity mandates, including identity verification, SDLC assurance, and vendor session supervision.
Originally published December 04, 2025