The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with four federal partners, has published joint guidance directing owners and operators of operational technology (OT) to abandon implicit network trust - a move that formalizes zero-trust architecture (ZTA) as the expected security baseline for manufacturers, utilities, and other critical infrastructure operators nationwide.
Background
The publication, titled Adapting Zero Trust Principles to Operational Technology, arrives as IT/OT convergence accelerates. OT systems that were traditionally isolated or manually operated are now interconnected, digitally monitored, and remotely controlled, and that connectivity introduces risks that perimeter-based defenses and implicit trust models no longer adequately contain for critical physical processes.
The threat context is explicit. "CISA has observed threat actors like Volt Typhoon targeting OT systems to compromise, escalate, and maintain access within operational environments," said CISA Acting Executive Assistant Director for Cybersecurity Chris Butera, adding that "zero trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems." CISA, the FBI, and the National Security Agency first warned in February 2024 that the Chinese state-sponsored group was prepositioning on U.S. IT networks to enable lateral movement to OT assets in the event of geopolitical conflict.
The new guide also addresses a documented gap in prior federal guidance. CISA's Zero Trust Maturity Model 2.0 acknowledged that it did not address challenges specific to operational technology; this publication closes that gap.
Details
CISA, along with the Department of Defense, the Department of Energy, the Federal Bureau of Investigation, and the Department of State, published the joint guide to assist organizations with OT systems - including government systems - in applying zero-trust principles. The National Institute of Standards and Technology (NIST) provided technical contributions.
The guidance takes a direct architectural stance: OT owners should design controls on the assumption that adversaries are already inside the network, validating every access request based on identity, context, and risk rather than network location. The document is structured around the six functions of NIST Cybersecurity Framework 2.0 - Govern, Identify, Protect, Detect, Respond, and Recover - and aligns with CISA's Cross-Sector Cybersecurity Performance Goals 2.0, the DoD Zero Trust Reference Architecture v2.0, NIST SP 800-82r3, and the international ISA/IEC 62443 series.
Critically, the agencies reject a wholesale transplant of IT security methods into OT environments. "The blanket application of traditional information technology (IT)-focused ZT capabilities to OT is neither reasonable nor feasible," the document stated, calling instead for continuous collaboration between OT engineers, IT architects, and cybersecurity professionals. Applying zero trust in OT introduces challenges such as limited patching windows, minimal logging capabilities, and long equipment lifecycles. The guidance recommends compensating controls - including enhanced monitoring and strict access policies - where modern security features cannot be deployed.
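The two paragraphs above describe the architectural stance (evaluate every request on identity, context and risk, never on network location) and the compensating-control fallback for assets that cannot be patched. The following Python block is an added illustration of how such a policy decision point can be written; it is not code from the CISA guide or any federal tool. The asset inventory, role matrix, maintenance window, risk weights and threshold are all constructed assumptions, and the request's source network is recorded for forensics but deliberately never used to grant trust.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time, timezone

# Constructed asset inventory: hypothetical names and attributes, not from the guide.
# maint_window is the UTC window during which state-changing actions are permitted.
ASSETS = {
    "plc-boiler-01": {"criticality": "high", "patchable": False,
                      "maint_window": (time(22, 0), time(4, 0))},
    "hmi-line-2": {"criticality": "medium", "patchable": True,
                   "maint_window": None},
}

# Assumed role-to-action matrix; a real site derives this from its change process.
ROLE_ACTIONS = {
    "ot-engineer": {"read", "write", "config"},
    "ot-operator": {"read", "write"},
    "it-admin": {"read"},
}

RISK_DENY_THRESHOLD = 7  # assumed cut-off; tune per site

# Constructed sample timestamps used by the demo below.
NIGHT = datetime(2025, 6, 1, 23, 0, tzinfo=timezone.utc)  # inside the PLC window
NOON = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # outside it


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa: bool
    device_attested: bool   # device identity and posture verified out of band
    src_network: str        # recorded for forensics, never used to grant trust
    target: str
    action: str             # "read" | "write" | "config"
    at: datetime            # timezone-aware
    ticket: str | None = None  # approved change/maintenance ticket


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)
    controls: list[str] = field(default_factory=list)  # compensating controls to enforce


def in_window(t: time, window: tuple[time, time]) -> bool:
    """True if t falls inside a window that may span midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def risk_score(req: AccessRequest, asset: dict) -> int:
    """Additive context score: critical or unpatchable targets and
    state-changing or unattested requests raise it."""
    score = 0
    score += 2 if asset["criticality"] == "high" else 0
    score += 2 if not asset["patchable"] else 0
    score += 2 if req.action != "read" else 0
    score += 3 if not req.device_attested else 0
    return score


def evaluate(req: AccessRequest) -> Decision:
    d = Decision(allow=False)
    asset = ASSETS.get(req.target)
    # Gates that fail closed regardless of where the request came from.
    if asset is None:
        d.reasons.append("unknown target asset")
        return d
    if not req.mfa:
        d.reasons.append("MFA required")
        return d
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        d.reasons.append(f"role {req.role} may not {req.action}")
        return d
    if req.action != "read":
        if not req.device_attested:
            d.reasons.append("unattested device may not change state")
            return d
        if req.ticket is None:
            d.reasons.append("state change requires an approved ticket")
            return d
        win = asset["maint_window"]
        if win and not in_window(req.at.astimezone(timezone.utc).time(), win):
            d.reasons.append("outside maintenance window")
            return d
    score = risk_score(req, asset)
    if score >= RISK_DENY_THRESHOLD:
        d.reasons.append(f"risk score {score} at or above threshold")
        return d
    # Allowed: attach compensating controls for what cannot be patched or fully trusted.
    d.allow = True
    d.controls.append(f"log source network {req.src_network} with session")
    if not asset["patchable"]:
        d.controls += ["protocol-aware passive monitoring", "session recording"]
    if req.action != "read":
        d.controls.append(f"bind session to ticket {req.ticket}, time-box to window")
    return d


if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", "ot-engineer", True, True, "corp-vpn",
                                 "plc-boiler-01", "write", NIGHT, ticket="CHG-1")))
```

Note that an unattested device reading the legacy PLC from inside the OT LAN is still denied on risk, while an attested engineer writing to it from a corporate VPN is allowed with monitoring and session recording attached: location neither grants nor removes trust, the asset's properties and the requester's context do.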
Survey data underscores the urgency. Nearly three-quarters of OT devices are between six and 30 years old, making them difficult or impossible to secure with traditional IT patching methods. In 2025, 60% of organizations reported breaches that affected both OT and IT environments, up from 49% the year prior.
The new joint guide follows a cascade of federal OT security actions from the Pentagon. The Department of Defense issued its Zero Trust for Operational Technology Activities and Outcomes guidance in November 2025, detailing 84 minimum and 21 advanced OT-specific zero-trust activities. That document establishes 105 distinct security activities organized across seven pillars: users, devices, applications and workloads, data, networks and environments, automation and orchestration, and visibility and analytics. It followed DTM 25-003, issued in July 2025, which directed DoD components to achieve minimum target-level zero trust across all unclassified and classified systems, including control systems.
For procurement, the CISA guide carries direct implications. The document states that strategic procurement is how operators escape the legacy trap, pointing buyers to the Secure by Demand guide for contracting criteria and to Malcolm, CISA's open-source network traffic analysis tool suite, for OT protocol parsing and passive monitoring. The guidance also aligns with existing U.S. government cybersecurity policy, including NIST Special Publication 800-82 on OT security.
Outlook
The deadlines for DoD components to achieve target- and advanced-level zero trust for operational technology are set at the end of fiscal year 2030 and fiscal year 2033, respectively - although those dates could change. The department also intends to publish an updated Zero Trust Strategy in early 2026 and develop additional guidance for both weapon systems and defense critical infrastructure. For manufacturers and utilities outside the federal supply chain, the joint CISA guide establishes a practical architectural baseline expected to inform sector-specific regulation and supply-chain contractual requirements as IT/OT convergence deepens.
