Introduction

The Department of Defense (DoD) has released guidance intended to “coordinate, synchronize, and accelerate adoption” of Zero Trust within Operational Technology (OT) environments. The DoD stresses that OT needs its own guidance because of the unique characteristics and constraints of OT environments, which differ from those of enterprise IT.

If you have been following our blogs, the need for OT-specific cybersecurity guidance should not be new. OT environments often rely on legacy systems that struggle to meet modern cybersecurity standards. At the same time, these systems must remain continuously operational, reinforcing OT’s prioritization of availability within the CIA triad, whereas traditional IT environments tend to prioritize confidentiality.

This difference is not just theoretical. In IT, taking a system offline for patching or reconfiguration is often acceptable. In OT, that same action could disrupt production, impact safety systems, or even create physical risk. Because of this, many traditional IT security practices cannot be directly applied to OT environments without modification. The DoD reinforces this distinction by stating that standard IT security approaches can be ineffective or even dangerous when applied to OT environments. This is a key point and one that is often overlooked when organizations attempt to “copy and paste” IT security strategies into OT networks.

Instead, the DoD is pushing for a tailored Zero Trust approach that respects the operational realities of OT while still improving overall security posture.

In this blog, we will break down the DoD’s approach to implementing Zero Trust in OT environments, explore the core pillars and architecture concepts they introduce, and examine why adapting cybersecurity strategies specifically for OT systems is critical to maintaining both security and operational reliability.

Zero Trust Activities and Pillars

The DoD presents a structured roadmap for implementing Zero Trust (ZT) in OT environments, consisting of 105 total activities. These include 84 “Target Activities,” which are considered minimum requirements, and 21 “Advanced Activities.” These activities are organized into seven core pillars:

  • User
  • Device
  • Application & Workload
  • Visibility & Analytics
  • Data
  • Network & Environment
  • Automation & Orchestration

Each pillar represents a key component of achieving Zero Trust in OT environments, and each has a distinct focus area.

The User pillar focuses on authentication, identity lifecycle management, and enforcing a deny-by-default approach. This means users should only have access to what they explicitly need, and nothing more. In OT environments, this can be especially challenging due to shared accounts and legacy authentication mechanisms.

The Device pillar emphasizes asset management and visibility. In many OT environments, organizations do not have a complete inventory of devices on the network. Without visibility, it is nearly impossible to enforce Zero Trust principles effectively.

The Application & Workload pillar centers on management and control. This includes ensuring that only authorized applications are allowed to run (application allow-listing) and that workloads are properly segmented and monitored.

The Data pillar focuses on governance, monitoring, and organization. This includes understanding where data resides, how it flows, and who has access to it. In OT, this may include process data, logs, and operational metrics that are critical to system functionality.

The Network & Environment pillar prioritizes segmentation and granular control. This is one of the most critical aspects of Zero Trust in OT. Proper segmentation, with every flow between zones denied unless it is explicitly permitted, prevents lateral movement from the enterprise side into control systems and limits the impact of a compromise.

The Automation & Orchestration pillar supports analysis, incident response, and policy enforcement. Given the scale and complexity of modern environments, manual processes are not sufficient. Automation helps ensure consistency and speed in responding to threats.

The Visibility & Analytics pillar focuses on logging, monitoring, and alerting. Without visibility, Zero Trust cannot function effectively. Organizations need to continuously monitor activity and analyze behavior to detect anomalies.

Taken together, these pillars provide a comprehensive framework that organizations can use to incrementally move toward a Zero Trust architecture.

OT Architecture Approach

Rather than solely relying on the traditional Purdue Model for applying Zero Trust, the DoD introduces a simplified view of an OT environment consisting of three primary layers:

  • Enterprise IT Layer
  • Operational Layer
  • Process Control Layer

These layers are illustrated in Figure 1, reproduced from the DoD guidance.

Figure 1: Distinction between Layers

The Enterprise IT Layer represents traditional IT systems such as business applications, email, and corporate infrastructure.

The Operational Layer includes devices and systems like those found in Enterprise IT but specifically configured for OT use cases. This may include engineering workstations, HMIs, and OT-specific servers.

The Process Control Layer consists of systems directly involved in physical processes, such as PLCs, sensors, valves, and controllers. These systems interact directly with the physical environment and are often the most sensitive components in an OT network.

Instead of focusing on multiple granular layers as defined in the Purdue Model, this approach can simplify how organizations think about security boundaries. It makes it easier to apply controls based on system function and risk, especially as systems get closer to directly impacting physical processes.

For example, stricter controls and monitoring may be applied as you move closer to the Process Control Layer, where the impact of a compromise is highest. This makes Zero Trust easier to apply in a practical, risk-based way.
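To make the deny-by-default segmentation described under the Network & Environment pillar, the inventory dependency described under the Device pillar, and the three-layer model above concrete, the following Python is an added example written for this post; it is not code from the DoD guidance or from Enaxy. It assumes a constructed asset inventory that maps hosts to one of the three layers and a constructed conduit allow-list; the hostnames, addresses, and chosen conduits are illustrative assumptions. Flows from hosts missing from the inventory are denied and flagged as inventory gaps, flows that skip a layer (Enterprise IT straight to Process Control) are denied regardless of the rule set, and everything not explicitly listed is denied.

```python
"""Deny-by-default conduit policy for the three-layer OT model.

Constructed example (not from the DoD guidance or from Enaxy). Flows are
evaluated as initiating connections: source -> destination, destination
port, protocol. Return traffic of an allowed connection is assumed to be
handled by a stateful firewall and is not modeled here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Layers ordered from least to most sensitive (closest to the physical process).
LAYERS = ("enterprise_it", "operational", "process_control")
RANK = {name: i for i, name in enumerate(LAYERS)}

# Constructed asset inventory: host address -> layer. Addresses are assumptions.
INVENTORY: Dict[str, str] = {
    "10.1.0.25": "enterprise_it",      # business reporting server
    "10.10.0.5": "operational",        # engineering workstation (EWS)
    "10.10.0.7": "operational",        # HMI
    "10.10.0.9": "operational",        # OT historian / data collector
    "10.20.0.11": "process_control",   # PLC
    "10.20.0.12": "process_control",   # PLC
}


@dataclass(frozen=True)
class Rule:
    src_layer: str
    dst_layer: str
    dst_port: int
    proto: str
    note: str


# Constructed allow-list. Only adjacent-layer conduits, only named protocols.
# Port numbers are the IANA-registered ones; which conduits to permit is an
# illustrative assumption, not DoD guidance.
RULES: Tuple[Rule, ...] = (
    Rule("operational", "process_control", 502, "tcp", "HMI/EWS -> PLC Modbus/TCP"),
    Rule("operational", "enterprise_it", 443, "tcp", "OT historian pushes to enterprise reporting (HTTPS)"),
    Rule("operational", "operational", 445, "tcp", "EWS file share inside the OT zone"),
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    src_layer = INVENTORY.get(flow.src)
    dst_layer = INVENTORY.get(flow.dst)
    # Device pillar: a host we cannot place in the inventory gets no access.
    if src_layer is None or dst_layer is None:
        unknown = flow.src if src_layer is None else flow.dst
        return "deny", f"inventory gap: {unknown} is not a known asset"
    # Architecture: crossing more than one layer boundary is never permitted,
    # so Enterprise IT can never reach Process Control directly.
    if abs(RANK[src_layer] - RANK[dst_layer]) > 1:
        return "deny", f"layer skip: {src_layer} -> {dst_layer}"
    # Network & Environment pillar: allow only what a conduit rule names.
    for rule in RULES:
        if (rule.src_layer, rule.dst_layer, rule.dst_port, rule.proto.lower()) == (
            src_layer, dst_layer, flow.dst_port, flow.proto.lower()
        ):
            return "allow", rule.note
    return "deny", f"no conduit rule for {src_layer} -> {dst_layer} {flow.proto.lower()}/{flow.dst_port}"


def audit(flows: List[Flow]) -> Dict[str, int]:
    """Evaluate a batch of observed flows and count verdicts, for a posture check."""
    counts = {"allow": 0, "deny": 0}
    for f in flows:
        verdict, _ = evaluate(f)
        counts[verdict] += 1
    return counts


# Constructed flow records, as one might export from a firewall or span-port capture.
SAMPLE_FLOWS = [
    Flow("10.10.0.7", "10.20.0.11", 502, "tcp"),   # HMI -> PLC Modbus: allowed
    Flow("10.1.0.25", "10.20.0.11", 502, "tcp"),   # business host -> PLC: layer skip
    Flow("10.10.0.9", "10.1.0.25", 443, "tcp"),    # historian -> enterprise HTTPS: allowed
    Flow("10.10.0.5", "10.20.0.12", 22, "tcp"),    # EWS -> PLC SSH: no conduit rule
    Flow("10.99.0.3", "10.20.0.11", 502, "tcp"),   # unknown host -> PLC: inventory gap
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:5} {f.src} -> {f.dst} {f.proto}/{f.dst_port}: {reason}")
    print(audit(SAMPLE_FLOWS))
```

Running the block against the constructed flows allows the two expected conduits and denies the other three, each with a reason that maps back to a pillar: the inventory gap points at the Device pillar, the layer skip at the architecture boundary, and the missing conduit rule at the Network & Environment pillar. In practice the same logic is what a firewall policy review or a passive flow audit should be checking, with the inventory kept current so that "unknown asset" denials are investigated rather than silently tolerated.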

Physical Security Considerations

In addition to the 105 Zero Trust activities, the DoD highlights the importance of physical security as a foundational component.

The DoD states that “Robust physical security measures directly enable the successful implementation of OT ZT Activities and Outcomes.”

This is an important reminder that cybersecurity in OT is not just about networks and systems. Physical access to a device can bypass many logical controls (a console port, a USB slot, or a key switch on a controller does not check a network policy), making physical security a critical component of any Zero Trust strategy. The DoD breaks physical security into three categories:

1. Network Segmentation (Physical)
Physical segmentation complements logical segmentation by ensuring that unauthorized individuals cannot easily access critical systems. This includes physical separation of environments, such as:

  • Fencing and facility barriers
  • Controlled access points
  • Mantraps¹

2. Continuous Monitoring & Detection
These controls provide visibility into physical activity and help detect unauthorized access attempts. This includes:

  • Surveillance systems with recorded footage
  • Physical intrusion detection systems (as distinct from network IDS), including:
    • Motion sensors
    • Door and window sensors
    • Glass break detectors

3. Data Security (Physical)
In many cases, sensitive data in OT environments still exists in physical form, such as printed network diagrams, configuration backups on removable media, or engineering laptops. Protecting these assets is just as important as securing digital data. The main points the DoD focuses on are:

  • Securing sensitive documents and storage devices
  • Tracking the physical location of critical assets

These three categories are intentionally designed to mirror cybersecurity concepts and reinforce the alignment between physical and logical security in Zero Trust Architecture.

Conclusion

The DoD’s guidance highlights a critical shift in how organizations should approach cybersecurity in OT environments. Zero Trust is not just an IT concept being extended into OT. It must be adapted to account for operational requirements, legacy systems, and physical risk.

For organizations managing OT environments, this guidance provides a structured and realistic path forward. It acknowledges the challenges while still pushing for meaningful improvements in security posture.

As IT and OT continue to converge, frameworks like this will become increasingly important. The DoD’s guidance provides organizations with a practical framework for understanding how Zero Trust can be adapted specifically for OT environments through its core pillars, layered architecture approach, and emphasis on physical security. Organizations that attempt to apply traditional IT security models without adaptation risk creating gaps or introducing operational and safety risks in environments where reliability is critical.

At Enaxy, we can help organizations translate the DoD’s Zero Trust guidance into practical, real-world security improvements for OT environments. By focusing on both physical and virtual security controls, we assist organizations in strengthening segmentation, improving visibility, and building resilient architectures that align with Zero Trust principles while maintaining operational reliability. To learn more contact us at info@enaxy.com.

Reference

https://dodcio.defense.gov/Portals/0/Documents/Library/ZT-OperationalTechnologyActivitiesOutcomes.pdf


¹Mantraps are small secured spaces with interlocking doors used in sensitive areas.