
The Pentagon recently published new guidance explaining how organizations should apply zero trust principles to operational technology (OT) systems, a document that has been in development since last year.
The chief information officer of the Defense Department (DOD), rebranded as the War Department by the Trump administration, posted the 28-page guidance in November.
The document outlines 105 zero trust activities and capability outcomes for OT environments – 84 considered minimum target levels and 21 for advanced levels.
“The ZT OT Activities and Outcomes are intended to be high-level requirements for system owners, making them more adaptable and dynamic in nature,” the document reads.
DOD has been working since 2022 to adopt zero trust for its IT systems, but officials have said OT needs separate standards. The new framework mirrors the department’s original zero trust strategy, maintaining the same target- and advanced-level structure.
The guidance defines OT as “programmable systems and devices that interact with the physical environment or manage devices that interact with the physical environment.”
Such environments can include facility control systems, power grids, energy management systems, transportation systems, and elements of weapon systems or defense critical infrastructure.
The guidance also notes that OT systems often rely on legacy equipment and are run by a highly specialized engineering workforce. OT environments prioritize operational availability and are characterized by diverse industrial protocols, distinct safety requirements, and custom implementations.
The document says the activities are tailored to those constraints while still reflecting zero trust principles such as data protection, strong authentication, segmentation, and monitoring.
Implementation timelines and technical trade-offs vary, particularly for low-level process controllers and OT-specific computers, servers, and switches.
To account for these differences, the guidance divides OT into an operational layer and a process control layer. The operational layer covers components that resemble enterprise IT but support different missions, such as operator workstations, switches, process control servers, data historians, firewalls, and management services. The process control layer includes field devices that operate sensors, actuators, motors, and other mechanical equipment, along with digital and analog safety instrumented systems.
“Separating OT environments into an Operational Layer as well as a Process Control Layer gives flexibility to adapt to a wide variety of OT environments without being too prescriptive by assigning componentry, devices, and users to specific architecture levels. We believe this is a flexible and adaptable approach going forward, capturing the relevant designation for applying ZT principles,” the document reads.
While Pentagon components must meet target-level zero trust for IT systems by the end of fiscal year 2027, the OT guidance sets no deadline.
DOD plans to release an updated Zero Trust Strategy in early 2026 and develop additional guidance for weapon systems and defense critical infrastructure.