Full Report
Dispel announced the general availability of Dispel Compliance, a new governance, risk, and compliance capability within the Dispel... The post Dispel Compliance launches to automate OT audit readiness and reduce industrial compliance costs appeared first on Industrial Cyber.
Analysis Summary
# Industry News: Dispel Automates OT Compliance to Settle "Hidden" Operational Costs
## Summary
Dispel has announced the general availability of **Dispel Compliance**, a governance, risk, and compliance (GRC) capability integrated directly into its Zero Trust Engine, which the company describes as the first of its kind. The tool automates the collection of audit evidence for industrial environments, targeting the heavy manual overhead of demonstrating conformance with frameworks and regulations such as NERC CIP, NIST SP 800-53, and NIS2.
## Key Details
- **Date:** May 28, 2026 (Projected/Announced)
- **Companies Involved:** Dispel
- **Category:** Product Launch / GRC Innovation
## The Story
In the industrial sector (OT/ICS), "audit readiness" is notoriously manual, often involving thousands of screenshots and spreadsheet entries to prove that remote access configurations meet regulatory standards. Dispel Compliance aims to disrupt this by embedding continuous audit evidence collection into the remote access workflow itself.
Built on the **OSCAL 1.1.2** (Open Security Controls Assessment Language) specification, the platform maintains a real-time view of compliance posture. It allows organizations to move away from "point-in-time" audits toward continuous monitoring. Key features include a configuration impact simulator—allowing admins to see how a setting change would impact their compliance score before they apply it—and automated "inheritance claims" that justify security controls to auditors instantly.
## Business Impact
### For the Companies Involved (Dispel)
- **Accelerated Sales Cycles:** By removing the months-long GRC review typical of OT deployments, Dispel can convert leads to active deployments much faster.
- **Improved Retention:** Deep integration into the compliance workflow makes the platform "sticky" within the enterprise architecture.
### For Competitors
- **Increased Pressure:** Competing OT remote access vendors now face a market where "secure access" is no longer enough; they must now prove "auditable access" with minimal friction.
- **Differentiation Gap:** This sets a new benchmark for automation that purely connectivity-focused competitors will struggle to match without significant R&D.
### For Customers
- **Massive Cost Savings:** Large-cap industrial firms currently spend between $700,000 and $1.2 million annually on manual compliance labor; this tool aims to drastically reduce that "hidden cost."
- **Reduced Deployment Risk:** The impact simulator allows OT teams to verify that they won't break compliance status during maintenance or upgrades.
### For the Market
- **Standardization:** By leveraging OSCAL 1.1.2, Dispel is pushing the industrial market toward standardized, machine-readable compliance documentation, facilitating better interoperability with enterprise GRC platforms.
## Technical Implications
The use of **OSCAL (Open Security Controls Assessment Language)** is a significant technical milestone. It allows security posture to be expressed in a machine-readable format that federal authorization programs such as FedRAMP (which accepts OSCAL-formatted packages) and modern GRC tools can ingest, instead of as screenshots and spreadsheets. Furthermore, Dispel's decision to publish its own first-party catalog for **NIS2**, cross-walked to NIST SP 800-53, addresses a practical gap: NIS2 is a directive transposed into national law and has no official machine-readable control catalog, so a vendor-supplied catalog is what lets the same evidence be scored against both frameworks.
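To make the machine-readable point concrete, the following added example (not Dispel's code, and not drawn from its catalog) scores one set of OSCAL-style assessment findings against both a NIS2-style catalog and the NIST SP 800-53 controls it cross-walks to, and then re-scores a hypothetical configuration change without touching the live results, in the spirit of the impact simulator described above. The JSON follows the shape of OSCAL 1.1.2 `catalog` and `assessment-results` documents but is trimmed to the fields used here; the `crosswalk` property name, the `nis2-21.2.*` control ids and the finding states are constructed for the example.

```python
"""OSCAL-style posture scoring with a NIS2 -> NIST SP 800-53 crosswalk.

Added illustration, not vendor code. The documents below are trimmed
OSCAL-shaped JSON; the "crosswalk" prop and the control ids are assumptions.
"""
import copy
import json

# Constructed NIS2-style catalog. Each control carries a hypothetical
# "crosswalk" prop naming the NIST SP 800-53 control(s) it inherits from.
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "Example NIS2 catalog (constructed)",
                 "oscal-version": "1.1.2"},
    "groups": [{
      "id": "art21",
      "title": "Article 21 risk-management measures",
      "controls": [
        {"id": "nis2-21.2.i", "title": "Access control and asset management",
         "props": [{"name": "crosswalk", "value": "ac-2"},
                   {"name": "crosswalk", "value": "ac-17"}]},
        {"id": "nis2-21.2.j", "title": "Multi-factor authentication",
         "props": [{"name": "crosswalk", "value": "ia-2"}]}
      ]
    }]
  }
}
"""

# Constructed assessment results: one finding per 800-53 control, as an
# evidence pipeline might emit after checking a remote-access configuration.
RESULTS_JSON = """
{
  "assessment-results": {
    "uuid": "22222222-2222-4222-8222-222222222222",
    "metadata": {"title": "Remote access check (constructed)",
                 "oscal-version": "1.1.2"},
    "results": [{
      "uuid": "33333333-3333-4333-8333-333333333333",
      "title": "Remote access configuration check",
      "start": "2026-05-28T00:00:00Z",
      "findings": [
        {"uuid": "44444444-4444-4444-8444-444444444441", "title": "AC-2",
         "target": {"type": "objective-id", "target-id": "ac-2",
                    "status": {"state": "satisfied"}}},
        {"uuid": "44444444-4444-4444-8444-444444444442", "title": "AC-17",
         "target": {"type": "objective-id", "target-id": "ac-17",
                    "status": {"state": "satisfied"}}},
        {"uuid": "44444444-4444-4444-8444-444444444443", "title": "IA-2",
         "target": {"type": "objective-id", "target-id": "ia-2",
                    "status": {"state": "not-satisfied"}}}
      ]
    }]
  }
}
"""

CATALOG = json.loads(CATALOG_JSON)
RESULTS = json.loads(RESULTS_JSON)


def load_crosswalk(catalog):
    """Map each catalog control id to the 800-53 control ids it inherits from."""
    walk = {}
    for group in catalog["catalog"].get("groups", []):
        for ctl in group.get("controls", []):
            walk[ctl["id"]] = [p["value"] for p in ctl.get("props", [])
                               if p["name"] == "crosswalk"]
    return walk


def finding_states(results):
    """Map each assessed target id to its reported state."""
    states = {}
    for res in results["assessment-results"]["results"]:
        for finding in res.get("findings", []):
            target = finding["target"]
            states[target["target-id"]] = target["status"]["state"]
    return states


def posture(catalog, results):
    """Return {framework: (satisfied, total)} computed from one evidence set."""
    walk = load_crosswalk(catalog)
    states = finding_states(results)
    nist_ids = sorted({c for cs in walk.values() for c in cs})
    nist_ok = sum(1 for c in nist_ids if states.get(c) == "satisfied")
    # A NIS2 control is satisfied only if every inherited 800-53 control is;
    # a control with no finding counts as not satisfied (no evidence, no claim).
    nis2_ok = sum(1 for cs in walk.values()
                  if cs and all(states.get(c) == "satisfied" for c in cs))
    return {"nist-800-53": (nist_ok, len(nist_ids)), "nis2": (nis2_ok, len(walk))}


def simulate(catalog, results, control_id, new_state):
    """Score a hypothetical change to one finding without mutating live results."""
    trial = copy.deepcopy(results)
    for res in trial["assessment-results"]["results"]:
        for finding in res.get("findings", []):
            if finding["target"]["target-id"] == control_id:
                finding["target"]["status"]["state"] = new_state
    return posture(catalog, trial)


if __name__ == "__main__":
    print("current:", posture(CATALOG, RESULTS))
    print("if ia-2 fixed:", simulate(CATALOG, RESULTS, "ia-2", "satisfied"))
    print("if ac-17 broken:", simulate(CATALOG, RESULTS, "ac-17", "not-satisfied"))
```

The conservative rule in `posture` is the part worth keeping in mind when reading any vendor's compliance score: a cross-walked control is only as satisfied as the weakest control it inherits from, and a control with no finding should count against you rather than silently drop out of the denominator.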
## Strategic Analysis
- **Market Positioning:** Dispel is pivoting from being a "security tool" to a "business efficiency and risk management platform."
- **Competitive Advantage:** Real-time compliance scoring and the ability to handle multiple frameworks (NERC CIP, NIST SP 800-53, NIS2) from a single evidence pipeline.
- **Challenges:** Adoption depends on auditor willingness to accept automated OSCAL outputs over traditional manual "screenshots" in more conservative regulatory regions.
## Industry Reactions
- **Analyst Opinions:** Analysts at the Gartner Security & Risk Summit (where this was launched) note that merging OT security with GRC is a necessary step to handling the increasing volume of global industrial regulations.
- **Expert Commentary:** Co-CEO Ethan Schmertzler emphasizes that the goal is to make proof of compliance "automatic," shifting the burden from people to the tools themselves.
## Future Outlook
- **Predictive Compliance:** Expect more vendors to incorporate "simulated impact" tools to prevent configuration drift.
- **What to Watch for:** Watch for whether other OT security leaders (e.g., Dragos, Claroty, Nozomi) move to acquire GRC-specialized firms or build similar "compliance-as-code" features.
## For Security Professionals
Practitioners should view this as a move toward **Industrial DevSecOps**. For CISOs and GRC leads, it reduces the "compliance tax" on OT projects. For OT engineers, it means fewer interruptions from auditors asking for configuration proof, leaving them to focus on uptime and reliability rather than administrative documentation.