Five U.S. federal agencies published a joint guidance document on April 29 urging critical infrastructure operators to apply zero trust (ZT) principles to their operational technology (OT) environments, a coordinated move that puts formal federal backing behind a security model previously applied almost exclusively to enterprise IT networks. The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, the Department of Energy, the FBI, and the Department of State published the guide to help OT owners and operators, including those running government systems, navigate the transition.
Background
OT systems are increasingly interconnected, digitally monitored, and remotely operated, expanding their attack surfaces and creating opportunities for threat actors to access both IT and OT networks through improperly secured pathways. Nearly three-quarters of OT devices are between six and 30 years old, making them difficult or impossible to secure using traditional IT patching methods. In 2025, 60% of organizations experienced breaches that impacted both OT and IT environments, up from 49% the year prior.
The new document follows a series of escalating federal actions. In November 2025, the Pentagon issued its own "Zero Trust for Operational Technology Activities and Outcomes," detailing 84 minimum and 21 advanced OT-specific zero trust activities. The NIST National Cybersecurity Center of Excellence (NCCoE) separately released the final practice guide SP 1800-35, "Implementing a Zero Trust Architecture," outlining best practices drawn from work with 24 vendors to demonstrate end-to-end zero trust architectures. The multi-agency guide published this week builds on those foundations, extending ZT principles to the shop floor and the industrial control layer.
Details
The guide, titled Adapting Zero Trust Principles to Operational Technology, provides OT owners, operators, and zero trust practitioners with practical insights on overcoming unique constraints, addressing potential challenges, and prioritizing key areas for integrating zero trust into OT environments.
The document notes that applying a zero trust approach to industrial systems "requires careful consideration" because OT systems interact with the physical environment and are constrained by availability and safety requirements, as well as legacy technology with long lifespans [1: Implementing a Zero Trust Architecture: SP 1800-35 | CSRC]. Malware families such as CrashOverride and BlackEnergy have demonstrated the ability to disrupt physical processes, while living-off-the-land techniques allow attackers to blend into normal operations - developments that have rendered perimeter-based defenses insufficient.
CISA Acting Executive Assistant Director for Cybersecurity Chris Butera stated that "zero trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems." CISA noted it has observed threat actors including Volt Typhoon targeting OT systems to compromise, escalate, and maintain persistent access within operational environments.
The document recommends specific zero trust practices, including network segmentation, identity management, secure remote access, vulnerability management, and data encryption. It warns that ideal access controls may not be achievable in OT environments due to operational needs, advising organizations to layer compensating controls to make exploitation of access-control weaknesses more difficult. On identity governance, the advisory directs organizations to keep IT and OT identity systems disconnected, fully segment Active Directory, and require multifactor authentication at the jump host level. The document also emphasizes session recording, vaulted credentials, and just-in-time access for any account capable of modifying configurations.
Organizations should begin by establishing governance structures - including shared accountability between stakeholders and use of supply-chain risk management tools such as software bills of materials - before identifying and analyzing assets and implementing processes to track changes.
Applying zero trust in OT introduces challenges such as limited patching windows, minimal logging capabilities, and long equipment lifecycles. Where modern security features cannot be deployed, compensating controls including enhanced monitoring and strict access policies are recommended.
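The access-control layering the guide describes (OT identities kept apart from IT, every session brokered through an MFA-enforcing jump host, and vaulted credentials, session recording and just-in-time grants for any account that can change configuration) and the compensating-controls advice in the preceding paragraph can be made concrete as a single policy decision point. The code below is an added example written for this page, not code from the joint guide or any of the agencies; the identity-domain names, zone labels and request fields are hypothetical, and the sample requests are constructed. The point it shows is that when the legacy device itself cannot authenticate anyone, the broker path becomes the enforcement point, and the write-capable request is denied for every missing control rather than the first one found.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the OT environment runs its own identity system, separate from
# the corporate (IT) directory. Both names are hypothetical.
OT_IDP = "ot.example.local"
IT_IDP = "corp.example.com"


@dataclass
class AccessRequest:
    """One remote-access request as the broker (jump host) would see it."""
    user: str
    idp_domain: str            # identity system that authenticated the user
    via_jump_host: bool        # did the session enter through the jump host?
    mfa_at_jump_host: bool     # was MFA satisfied on the jump host itself?
    target_zone: str           # hypothetical zone label, e.g. "level1-plc"
    action: str                # "view" or "configure"
    session_recorded: bool
    credential_from_vault: bool
    jit_grant_expires: Optional[datetime]   # None = no just-in-time grant
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # why the request was denied


def evaluate(req: AccessRequest) -> Decision:
    reasons = []
    # 1. Identity: never accept a principal authenticated by the IT directory.
    if req.idp_domain != OT_IDP:
        reasons.append(f"identity from {req.idp_domain}, not the OT identity system")
    # 2. Path: the device itself may be unable to authenticate anyone (legacy
    #    hardware), so the compensating control is a mandatory jump host with MFA.
    if not req.via_jump_host:
        reasons.append("direct access bypasses the jump host")
    elif not req.mfa_at_jump_host:
        reasons.append("MFA not satisfied at the jump host")
    # 3. Write capability: any account able to change configuration needs the
    #    full set of compensating controls layered on top.
    if req.action == "configure":
        if not req.credential_from_vault:
            reasons.append("configure requires a vaulted credential")
        if not req.session_recorded:
            reasons.append("configure requires session recording")
        if req.jit_grant_expires is None or req.jit_grant_expires <= req.now:
            reasons.append("configure requires an active just-in-time grant")
    elif req.action != "view":
        reasons.append(f"unknown action {req.action!r}")
    # Collect every failure so the operator sees all missing controls at once.
    return Decision(allow=not reasons, reasons=reasons)


def sample_requests():
    """Constructed sample requests (not real traffic) exercising the policy."""
    now = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
    good = AccessRequest("eng01", OT_IDP, True, True, "level1-plc", "configure",
                         True, True, now + timedelta(hours=2), now)
    # Same engineer, but authenticated by corporate AD and with an expired grant.
    bad = AccessRequest("eng01", IT_IDP, True, True, "level1-plc", "configure",
                        True, True, now - timedelta(minutes=5), now)
    # Read-only view straight from the IT network, skipping the jump host.
    direct = AccessRequest("ops02", OT_IDP, False, False, "level2-hmi", "view",
                           False, False, None, now)
    return good, bad, direct


if __name__ == "__main__":
    for r in sample_requests():
        d = evaluate(r)
        print(r.user, r.action, "ALLOW" if d.allow else "DENY", d.reasons)
```

In practice the decision would be enforced by the jump host or privileged-access broker before a session is opened toward the control network, and the same `reasons` list is what should land in the audit log that the guide's enhanced-monitoring advice relies on.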
"This guide moves owners and operators from reactive to proactive," Brett Leatherman, assistant director of the FBI's Cyber Division, said in a statement [2: Zero Trust Implementation Guideline Discovery Phase].
Outlook
The Department of Defense has set deadlines of fiscal year 2030 and fiscal year 2033 for target-level and advanced-level zero trust for operational technology, respectively, across its components. The department also intends to publish an updated Zero Trust Strategy in early 2026 and develop additional guidance for both weapon systems and defense critical infrastructure. For private-sector operators in manufacturing, energy, and water treatment, the joint guide carries no mandatory enforcement mechanism but is expected to inform future sector-specific regulatory requirements and audit frameworks aligned with CISA's Zero Trust Maturity Model.
