Detailed DoD Zero Trust Guidance for Operational Technology

The U.S. Department of Defense (DoD, referred to as DoW in some summaries) released its “Zero Trust for Operational Technology Activities and Outcomes” guidance on November 18, 2025, through the Chief Information Officer (CIO) and Zero Trust Portfolio Management Office (PfMO). This document builds on the broader DoD Zero Trust Strategy and Directive-Type Memorandum (DTM) 25-003 (“Implementing the DoD Zero Trust Strategy”), issued in July 2025, which mandates at least Target Level Zero Trust (ZT) implementation across all classified and unclassified systems, including Operational Technology (OT). The guidance adapts traditional ZT principles—originally from NIST SP 800-207—to OT environments, such as industrial control systems (ICS), supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs), and other systems that interact with physical processes (e.g., manufacturing, power grids, building automation, but excluding internal weapon systems components). It emphasizes transitioning from perimeter-based security to continuous verification, assuming breach, and prioritizing OT’s unique needs: availability, safety, reliability, and resilience over pure confidentiality or integrity.

OT-specific adaptations include handling legacy equipment (e.g., devices without modern security features), diverse industrial protocols (e.g., DNP3, Modbus), specialized workforces, and the Purdue Enterprise Reference Architecture (simplified here to two layers: Process Control Layer [Levels 0-2: sensors, PLCs] and Operational Layer [Levels 3-5: SCADA, HMIs, enterprise IT]). The focus is on DoD-owned OT up to demarcation points, addressing insider threats in isolated systems and integrating with physical security (e.g., fencing as a “firewall” analog). Implementation complements existing policies like DoD Instruction (DoDI) 8500 series, DoD Control Systems Security Requirements Guide (SRG), and NIST SP 800-82 Rev. 3.

Key Principles

ZT for OT adheres to core NIST principles but with OT tailoring:

  • Never Trust, Always Verify: Continuous authentication and authorization for every access request, based on identity, context (e.g., location, time), device health, and risk.
  • Assume Breach: Design for containment through micro-segmentation and monitoring to limit lateral movement.
  • Least Privilege: Grant minimal, just-in-time access; deny by default.
  • Explicit Verification: Use multi-factor authentication (MFA), behavior analytics, and policy enforcement.

OT adjustments prioritize non-disruptive controls (e.g., “monitor-only” modes during testing), safety over speed, and procedural mitigations for unsupported legacy devices. Activities must be evaluated by OT experts, with documentation for inapplicable ones.
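To make the principles above concrete, here is an added example (written for this summary, not code from the DoD guidance) of a minimal policy decision point for OT access requests: every request is checked against identity, MFA, device posture, role (least privilege), device inventory and time-of-day context, anything not explicitly permitted is denied by default, and an enforcement point can run in a monitor-only mode that logs what would be denied without blocking, which is the non-disruptive testing posture the guidance favours for OT. The request fields, the role table, the approved-device list and the maintenance window are constructed assumptions, not values from the guidance.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set

# Simplified Purdue split used in the summary above.
PROCESS_CONTROL = "process_control"   # Levels 0-2: sensors, PLCs
OPERATIONAL = "operational"           # Levels 3-5: SCADA, HMIs, enterprise IT

# Constructed inventories (assumed for the example, not from the guidance):
# which roles may perform which actions, and which inventoried devices are
# approved to touch Process Control Layer assets at all.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "operator": {"read", "write"},
    "maintenance": {"read", "write", "program"},
    "auditor": {"read"},
}
APPROVED_PCL_DEVICES: Set[str] = {"ews-01", "hmi-07"}   # engineering workstation, HMI


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_id: str
    device_healthy: bool        # posture check result (AV/EDR, config baseline)
    target_layer: str           # PROCESS_CONTROL or OPERATIONAL
    action: str                 # "read" | "write" | "program"
    timestamp: datetime


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# A rule returns None when it has no objection, otherwise a denial reason.
Rule = Callable[[AccessRequest], Optional[str]]


def require_mfa(req: AccessRequest) -> Optional[str]:
    return None if req.mfa_verified else "MFA not verified"


def require_healthy_device(req: AccessRequest) -> Optional[str]:
    return None if req.device_healthy else f"device {req.device_id} failed posture check"


def least_privilege(req: AccessRequest) -> Optional[str]:
    # Unknown roles map to an empty set, so they are denied by default.
    if req.action in ROLE_PERMISSIONS.get(req.role, set()):
        return None
    return f"role '{req.role}' may not '{req.action}'"


def approved_device_for_pcl(req: AccessRequest) -> Optional[str]:
    # Only inventoried, approved devices may reach Process Control Layer assets.
    if req.target_layer == PROCESS_CONTROL and req.device_id not in APPROVED_PCL_DEVICES:
        return f"device {req.device_id} not approved for {PROCESS_CONTROL}"
    return None


def maintenance_window(req: AccessRequest) -> Optional[str]:
    # Context check: PLC logic downloads only inside an assumed 02:00-04:00 UTC window.
    hour = req.timestamp.astimezone(timezone.utc).hour
    if req.action == "program" and not 2 <= hour < 4:
        return "programming allowed only 02:00-04:00 UTC"
    return None


RULES: List[Rule] = [require_mfa, require_healthy_device, least_privilege,
                     approved_device_for_pcl, maintenance_window]


def evaluate(req: AccessRequest, rules: List[Rule] = RULES) -> Decision:
    """Policy decision point: every rule must raise no objection. All reasons
    are collected so the audit log explains a denial completely."""
    reasons = [r for rule in rules if (r := rule(req)) is not None]
    return Decision(allow=not reasons, reasons=reasons)


class EnforcementPoint:
    """Policy enforcement point. In monitor-only mode the decision is still
    computed and logged, but a denial is not enforced, so a new rule set can be
    validated against live requests without interrupting the process."""

    def __init__(self, monitor_only: bool = False) -> None:
        self.monitor_only = monitor_only
        self.audit_log: List[dict] = []

    def handle(self, req: AccessRequest) -> bool:
        decision = evaluate(req)
        self.audit_log.append({
            "user": req.user, "device": req.device_id, "action": req.action,
            "target": req.target_layer, "decided_allow": decision.allow,
            "enforced_allow": decision.allow or self.monitor_only,
            "reasons": decision.reasons,
        })
        return decision.allow or self.monitor_only


if __name__ == "__main__":
    # Constructed request: operator laptop tries to download PLC logic at 10:00 UTC.
    req = AccessRequest("bob", "operator", True, "lap-22", True, PROCESS_CONTROL,
                        "program", datetime(2025, 11, 18, 10, 0, tzinfo=timezone.utc))
    pep = EnforcementPoint(monitor_only=True)
    print("passed through:", pep.handle(req))
    print("would have been denied for:", pep.audit_log[-1]["reasons"])
```

Running the rules in monitor-only mode first and reviewing the audit log for false denials (for example an HMI whose legitimate writes fall outside the assumed window) is how the rule set gets tuned before `monitor_only` is switched off.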

Pillars

The guidance organizes ZT around seven pillars, adapted from the DoD Zero Trust Reference Architecture (ZTRA) 2.0:

  • User: Identity management, authentication, and behavior monitoring for human and privileged accounts.
  • Device: Inventory, credentialing, and protection for non-person entities (NPEs) like sensors and controllers.
  • Applications and Workload: Secure development, vulnerability management, and access control for OT software.
  • Data: Tagging, protection, and loss prevention for OT data flows (e.g., real-time process data).
  • Network: Segmentation and programmable pathways to secure OT connectivity.
  • Automation and Orchestration: Policy automation, APIs, and security orchestration, automation, and response (SOAR) for OT.
  • Visibility and Analytics: Logging, baselines, and threat intelligence tailored to OT monitoring.
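The Network and the Visibility and Analytics pillars come together in OT as segment-aware baselining of industrial traffic. The following is an added example (not code from the guidance) that learns a baseline of (source, destination, Modbus function code) flows from a known-good period, then alerts on three things in later traffic: flows that cross from the enterprise segment straight into the Process Control Layer, write function codes aimed at PLCs from hosts not inventoried as authorized writers, and any flow not seen during baselining. The segment address map, the authorized-writer list and the log format and sample lines are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed segment map (assumed): enterprise IT, SCADA/HMI operations, and
# the Process Control Layer of PLCs and RTUs.
SEGMENTS = {
    "enterprise": ipaddress.ip_network("10.2.0.0/16"),       # Levels 4-5
    "operations": ipaddress.ip_network("10.1.3.0/24"),       # Level 3: SCADA, HMIs
    "process_control": ipaddress.ip_network("10.1.0.0/24"),  # Levels 0-2: PLCs, RTUs
}
# Modbus function codes that change process state (write coil/register variants).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}
# Hosts inventoried as permitted to write into the Process Control Layer (assumed).
WRITE_AUTHORIZED = {"10.1.3.20"}   # HMI server

# Constructed flow-log format: one record per line, produced by a passive sensor.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) fc=(?P<fc>\d+)$"
)

Flow = Tuple[str, str, int]   # (src, dst, function code)


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def learn_baseline(lines: List[str]) -> Set[Flow]:
    """Collect every (src, dst, fc) tuple seen during a vetted learning period.
    This is the passive, monitor-only step; nothing is blocked here."""
    baseline: Set[Flow] = set()
    for line in lines:
        rec = parse(line)
        if rec:
            baseline.add((rec["src"], rec["dst"], int(rec["fc"])))
    return baseline


def detect(lines: List[str], baseline: Set[Flow]) -> List[dict]:
    """Return one alert per offending line, listing every rule it triggered."""
    alerts: List[dict] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            # Records the sensor could not parse deserve a look in OT monitoring.
            alerts.append({"line": line, "rules": ["unparseable"]})
            continue
        src, dst, fc = rec["src"], rec["dst"], int(rec["fc"])
        rules: List[str] = []
        if segment_of(src) == "enterprise" and segment_of(dst) == "process_control":
            rules.append("cross-segment")        # enterprise must not reach PLCs directly
        if fc in MODBUS_WRITE_FCS and segment_of(dst) == "process_control" \
                and src not in WRITE_AUTHORIZED:
            rules.append("unauthorized-write")   # writes only from inventoried writers
        if (src, dst, fc) not in baseline:
            rules.append("off-baseline")         # never seen during learning
        if rules:
            alerts.append({"line": line, "src": src, "dst": dst, "fc": fc, "rules": rules})
    return alerts


# Constructed known-good traffic: HMI polls and writes two PLCs, historian reads one.
BASELINE_TRAFFIC = [
    "2025-11-18T02:00:01Z src=10.1.3.20 dst=10.1.0.5 proto=modbus fc=3",
    "2025-11-18T02:00:02Z src=10.1.3.20 dst=10.1.0.6 proto=modbus fc=3",
    "2025-11-18T02:00:03Z src=10.1.3.20 dst=10.1.0.5 proto=modbus fc=16",
    "2025-11-18T02:00:04Z src=10.1.3.40 dst=10.1.0.5 proto=modbus fc=4",
]

# Constructed later traffic: two normal lines, an enterprise host reading a PLC,
# the historian issuing a write, and one garbled record.
SAMPLE_TRAFFIC = [
    "2025-11-18T03:02:11Z src=10.1.3.20 dst=10.1.0.5 proto=modbus fc=3",
    "2025-11-18T03:02:12Z src=10.1.3.40 dst=10.1.0.5 proto=modbus fc=4",
    "2025-11-18T03:02:13Z src=10.2.5.17 dst=10.1.0.5 proto=modbus fc=3",
    "2025-11-18T03:02:14Z src=10.1.3.40 dst=10.1.0.6 proto=modbus fc=6",
    "garbage record",
]


def run_demo() -> List[dict]:
    return detect(SAMPLE_TRAFFIC, learn_baseline(BASELINE_TRAFFIC))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["rules"], alert["line"])
```

The baseline is deliberately exact-match: OT traffic between a fixed set of controllers and a fixed set of servers is repetitive enough that a new tuple is worth a look, and anything flagged only as off-baseline can be promoted into the baseline after an OT engineer confirms it, which keeps the alert volume manageable in isolated sites.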

Activities and Outcomes

The core of the guidance is 105 high-level activities and outcomes (84 Target Level, 21 Advanced Level), sequenced with predecessors/successors for phased implementation. Target Level establishes baseline protections to prevent lateral movement and enable basic ZT; Advanced Level adds adaptive, dynamic responses. All prioritize OT safety and assume maintenance of process controls. Activities are flexible (technical or procedural) and grouped by pillar below. IDs such as 1.1.1.OT encode the pillar, section and subsection, with the .OT suffix marking the OT-specific variant of the activity.

Examples by pillar (approximate activity counts in parentheses):

  • User (~20 activities)
    Target Level: Inventory users/accounts (1.1.1.OT); Implement authorization/MFA/PAM (1.2.1-1.4.2.OT); Life-cycle management (1.5.1-1.5.2.OT); UEBA/UAM (1.6.1.OT); Deny by default (1.7.1.OT); Periodic authentication (1.8.1-1.8.2.OT); Enterprise credentialing (1.9.1-1.9.2.OT).
    Advanced Level: Flexible/interoperable credentialing (1.3.2-1.3.3.OT); Continuous authentication (1.8.3.OT); Full OT asset authentication (1.9.3.OT).
  • Device (~25 activities)
    Target Level: Inventory/credential NPEs (2.1.1-2.1.4.OT); Connection policy (2.2.1.OT); Configuration monitoring/AV (2.3.1-2.3.3.OT); Deny by default/BYOD management (2.4.1-2.4.3.OT); Vulnerability/patch management (2.5.1-2.5.2.OT); UEDM/configuration (2.6.1-2.6.2.OT); EDR/XDR (2.7.1-2.7.2.OT).
    Advanced Level: Automated NPE discovery (2.1.4.OT); Enhanced security stacks (2.3.3.OT).
  • Applications and Workload (~15 activities)
    Target Level: Inventory/control apps (3.1.1-3.1.2.OT); DevOps/CI/CD/IaC (3.2.1-3.2.2.OT); Vulnerability management (3.3.1-3.3.3.OT); Access control/ABAC (3.4.1-3.4.4.OT).
    Advanced Level: Standardized security/XBOM (3.2.3.OT).
  • Data (~25 activities)
    Target Level: Tagging governance/patterns (4.1.1-4.2.2.OT); Tagging tools (4.3.1-4.3.2.OT); DLP/DRM monitoring (4.4.1-4.4.6.OT); DRM/DLP implementation/response (4.5.1-4.5.4.OT); DLP deployment/ops (4.6.1-4.6.2.OT); DAAS access (4.7.1.OT).
    Advanced Level: Refined DRM/response (4.5.2-4.5.4.OT).
  • Network (~10 activities)
    Target Level: Granular rules (5.1.1-5.1.2.OT); APIs/pathways/mapping (5.2.1-5.2.3.OT); Segmentation (5.3.1-5.3.2.OT); Micro-segmentation/data protection (5.4.1-5.4.3.OT).
    Advanced Level: Builds on Target Level; no explicit advanced activities.
  • Automation and Orchestration (~15 activities)
    Target Level: Policy inventory/profiles (6.1.1-6.1.4.OT); Process automation (6.2.1-6.2.2.OT); Response automation/IaC (6.5.1-6.5.3.OT); API patterns/compliance (6.6.1-6.6.4.OT); Incident response (6.7.1-6.7.2.OT).
    Advanced Level: Tool interoperability (6.2.2.OT); ML tagging (6.3.1.OT/6.4.1.OT); IaC in OT (6.5.3.OT).
  • Visibility and Analytics (~15 activities)
    Target Level: Scaling/log analysis (7.1.1-7.1.3.OT); Isolation/alerting/baselines (7.2.1-7.2.6.OT); Analytics tools (7.3.1-7.3.2.OT); Profiling (7.4.1.OT); CTI program (7.5.1-7.5.2.OT).
    Advanced Level: Advanced alerting/UEBA (7.2.4.OT); Expanded CTI (7.5.2.OT).

Implementation Guidance

  • Phased Approach: Start with Target Level (feasible with design/testing); advance as threats evolve. Use tools like SIEM, SOAR, EDR/XDR, SDN/SDP, and OT-specific (e.g., UEDM, PAM). Align with DoD Cybersecurity Reference Architecture (CSRA) 5.0 and IEC 62443.
  • Testing and Integration: Conduct in simulated/testbed environments; integrate with enterprise IT for interoperability (e.g., shared credentialing). Coordinate cybersecurity and physical security; leverage DevSecOps for OT.
  • Documentation: Justify inapplicable activities; maintain existing cybersecurity programs.
  • Enablers: Policy, training, personnel, and facilities (e.g., OT DevOps capability factories).

Challenges

  • OT Constraints: Legacy devices limit controls; diverse protocols hinder standardization; availability/safety conflicts with “fail-closed” policies.
  • Workforce and Operations: Specialized OT skills differ from IT; managing non-OT/BYOD devices; scaling analytics in remote/isolated systems.
  • Interoperability: Conflicts with existing policies resolved by CIO; handling non-response tasks in automation.

Timelines

  • Target Level: Required across systems per DTM 25-003 (effective July 17, 2025; expires July 17, 2026). Components must achieve minimum ZT by FY2030.
  • Advanced Level: Long-term evolution, no strict deadline; align with DoD ZT Roadmap and Execution Plan.

Appendices

  • Acronyms Glossary: Defines terms like ABAC (Attribute-Based Access Control), CTI (Cyber Threat Intelligence), DLP (Data Loss Prevention), IaC (Infrastructure as Code), UEBA (User and Entity Behavior Analytics).
  • Zero Trust Fan Chart for OT: Visualizes activities across pillars.
  • IT vs. OT Distinctions: Differentiates enterprise IT (IP-focused, Levels 4-5) from OT (field devices, Levels 0-3), with non-OT as temporary access.

This guidance positions DoD to counter advanced persistent threats in OT, with a focus on critical infrastructure security in sectors like metals and mining. For the full document, refer to the official DoD CIO portal.
