Episode 39 — Use MOUs and SOWs Correctly: Scope, Responsibilities, and Deliverable Discipline

In this episode, we’re going to explore two document types that quietly control how O T security work succeeds or fails when multiple groups are involved: Memorandums of Understanding (M O U s) and Statements of Work (S O W s). For brand-new learners, these can sound like legal paperwork that lives in an office far from the plant, but in operational environments, vague agreements are a common root cause of gaps, delays, and security work that disrupts production. When scope is unclear, teams assume someone else is handling key tasks like access control, logging, or validation testing, and those assumptions can create risk pathways that remain open for years. When deliverables are unclear, work may be declared complete even though critical evidence is missing, and that creates false confidence during audits and incidents. The goal of M O U s and S O W s is to remove ambiguity by defining what will be done, who will do it, what success looks like, and what boundaries must not be crossed, especially when the work touches sensitive O T systems. By the end, you should be able to explain what an M O U is, what an S O W is, how they differ, and how using them correctly protects uptime by creating disciplined, predictable execution.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A Memorandum of Understanding is best understood as a document that expresses a shared understanding between parties about how they will work together, even when it is not a detailed contract for paid services. It is often used between internal departments, between organizations collaborating on a shared effort, or between an organization and an external partner when the relationship needs clarity but not full contractual detail. In O T contexts, an M O U can define how an operations group and a security group coordinate, how information is shared, how changes are approved, and what roles exist during incidents. It can also establish boundaries, such as what kinds of actions require safety consultation, what kinds of network access are allowed, and how emergency access is handled. The value is not that it contains every detail, but that it prevents people from inventing their own rules later. Beginners sometimes assume that if something is not a paid service it does not need formal agreement, but in complex environments internal misunderstandings can be just as damaging as vendor misunderstandings. An M O U creates a common map, so that people across engineering, operations, and security are not working from conflicting assumptions.

A Statement of Work, on the other hand, is a document that defines a specific set of work to be performed, usually with a clear scope, deliverables, schedule, and responsibilities. It is often used with vendors, integrators, or service providers, but it can also be used internally for large cross-team initiatives when clarity is needed. In O T security, an S O W might cover a segmentation project, deployment of monitoring sensors, hardening of remote access, modernization of certain systems, or the creation of recovery procedures and validation tests. The S O W is where you define what will be delivered, how it will be accepted, what testing will be performed, and what evidence must be provided. Beginners should recognize that the S O W is the place where you prevent scope creep and avoid surprise disruptions, because you can specify constraints like limited maintenance windows, required coordination with operations, and no changes to certain safety-critical configurations without explicit approvals. If the M S A defines the relationship rules, the S O W defines the mission for a specific effort, and both work together to create predictable outcomes.

A key difference between M O U s and S O W s is that M O U s are often about ongoing cooperation and decision boundaries, while S O W s are about delivering a concrete result. That difference matters because O T security needs both kinds of clarity. You might use an M O U to define how the security program and the engineering team collaborate across many projects, including how they share asset information and how they handle emergency changes. Then you might use an S O W to define a specific project, like implementing segmentation rules in a particular zone or setting up a new edge platform. The M O U prevents the relationship from becoming ad hoc, while the S O W prevents the project from becoming vague. Beginners should also understand that both documents protect uptime by making it harder for teams to act unilaterally. When the rules for coordination and the rules for deliverables are explicit, it becomes easier to schedule changes, test safely, and avoid the last-minute surprises that cause outages.

Scope is the first major area where these documents matter, because unclear scope is a classic source of failure. Scope is simply what is included and what is not included, and in O T it must be precise enough to prevent dangerous assumptions. For example, if a vendor is installing monitoring sensors, does scope include working with operations to validate that sensors do not interfere with process communications, or is the vendor only responsible for physically installing hardware? If a project involves remote access, does scope include configuring authentication and logging, or does it only include establishing connectivity? If a project involves patching, does scope include a testing plan, a rollback plan, and coordination with maintenance windows, or is patching expected to happen whenever the vendor chooses? These questions can sound detailed, but details are where outages are created. A well-written S O W makes scope visible, and a well-written M O U prevents scope assumptions between internal groups. Beginners should remember that in O T, a missed scope detail can become a hidden risk for years, because systems are long-lived and exceptions often become permanent.

Responsibilities are the second major area, and they overlap with the RACI concept you learned earlier. In an M O U, responsibilities might define who owns the asset registry, who approves connectivity between zones, who manages access reviews, and who coordinates incident communications. In an S O W, responsibilities become even more concrete, such as who performs configuration changes, who supplies hardware, who tests changes, who documents results, and who trains staff. The danger in O T is the gap between responsibility and accountability, where one party does the work but no one owns the outcome, or one party owns the outcome but is not included in decisions. A strong agreement clarifies both, and it also clarifies interfaces between teams. For example, an S O W can specify that the vendor performs implementation, but the organization performs final approval after operational testing, and that certain stakeholders must be consulted before changes occur. Beginners should see that responsibility clarity is not about blame; it is about preventing work from being incomplete and preventing uncoordinated actions that disrupt production. When responsibilities are clear, teams can coordinate without constant negotiation.

Deliverable discipline is the third major area, and it is where many security projects either succeed or quietly fail. A deliverable is something tangible that can be reviewed and accepted, like a configured system, a validated set of network rules, a set of documented procedures, or a set of evidence artifacts. In O T security, deliverables must include not only the technical change but also the supporting proof that the change is safe and maintainable. That might include documentation of configurations, logs showing that authentication and access controls work, diagrams of updated data flows, and a record of tests performed during a maintenance window. Without deliverable discipline, a project might be considered complete when the system is installed, even though no one verified that it behaves correctly in the real process environment. That is dangerous because it can create hidden failure modes that appear later during peak production. Deliverable discipline also supports audits and incident response because it creates evidence that holds up, showing what was changed, why it was changed, and how it was validated. Beginners should learn that the difference between a successful security project and a fragile one is often whether deliverables included validation and documentation, not just installation.

Change control is another area where MOUs and SOWs protect uptime by defining how changes are introduced. In O T, changes must often be planned around maintenance windows, coordinated with production schedules, and tested in ways that do not create unsafe conditions. An M O U can define general change governance, such as what kinds of changes require review, what emergency changes are allowed, and how changes are documented afterward. An S O W can define project-specific change requirements, such as requiring a change plan, a test plan, a rollback plan, and a communications plan before any work begins. It can also define constraints, such as no changes to certain safety-related configurations without safety approval, and it can require that operations be present during critical cutovers. Beginners should recognize that these requirements are not bureaucracy; they are safeguards against unintended consequences. When change control is defined in advance, the project team can plan safely, and operations can trust that the work will not be done in surprise bursts that disrupt production.

Another common failure is scope creep, where a project gradually expands beyond what was planned, often because people discover new issues while working. In security projects, scope creep can be tempting because teams want to fix everything they see, but in O T, unplanned changes can create disruption and risk. A well-written S O W anticipates this by defining how additional work is handled, such as requiring formal approval for changes to scope, schedule, or cost, and requiring safety and operational review for changes that could affect production. An M O U can also help by defining how issues discovered during projects are fed back into the broader roadmap and risk registry, so they are not ignored but also not handled impulsively. Beginners should learn that discipline does not mean ignoring new problems; it means managing them in a structured way. Structure protects uptime because it prevents a project from turning into an uncontrolled series of changes, which is how many outages are created.

Finally, MOUs and SOWs matter because they create shared expectations that remain stable when personnel changes. In long-lived O T environments, people retire, roles shift, vendors change technicians, and priorities evolve. If agreements exist only in conversations, knowledge is lost and teams repeat mistakes. A written M O U preserves how teams coordinate and what boundaries exist, and a written S O W preserves what a project delivered and what was promised. This stability supports resilience because it prevents the environment from drifting into informal practices that no one can defend. It also supports accountability, because when something goes wrong, teams can quickly determine what was supposed to exist and where the gap is. Beginners should see these documents as tools for continuity. They help the organization maintain disciplined security practices even as the human landscape changes, which is critical for long-term risk reduction.

As we wrap up, using M O U s and S O W s correctly in O T security is about turning cooperation and projects into disciplined, predictable execution that protects uptime. An M O U establishes the rules of collaboration, including decision boundaries, information sharing, and general responsibilities across internal groups or partners. An S O W defines a specific set of work with clear scope, responsibilities, deliverables, validation requirements, and change control constraints. Both documents prevent the ambiguity that leads to orphaned tasks, uncoordinated changes, and fragile deployments that fail under production pressure. Scope clarity prevents hidden assumptions, responsibility clarity ensures work is owned and coordinated, and deliverable discipline ensures projects include the validation and evidence needed for safe operation and credible security. If you can explain how these documents reduce risk by making expectations explicit before crises and before cutovers, you will understand why disciplined agreements are not a distraction from O T security, but a foundation for security work that operations can accept and sustain.

Episode 39 — Use MOUs and SOWs Correctly: Scope, Responsibilities, and Deliverable Discipline
Broadcast by