Industrial Software Insider

U.S. Tightens OT Cybersecurity with Zero-Trust Push

Federal agencies have stepped up zero-trust adoption for OT, prompting vendor OT-ZTNA advances and reshaping compliance in critical infrastructure sectors.

Federal agencies are accelerating the adoption of zero-trust architectures, including operational technology-specific Zero-Trust Network Access (OT-ZTNA), with significant implications for cybersecurity compliance across critical infrastructure sectors.

Policy directives such as Executive Order 14028 and guidance from the Office of Management and Budget (OMB) have emphasized continuous verification, least-privilege access, and adaptive controls across identity, endpoint, and data layers. These measures reflect rising federal expectations for OT security and address the inability of legacy systems to effectively segment converged IT/OT environments. The Cybersecurity and Infrastructure Security Agency (CISA) has allocated funding for federal zero-trust modernization, facilitated workshops, and organized cross-agency communities to aid implementation.

Background

Since Executive Order 14028 established zero-trust as a federal security mandate, agencies have worked to integrate this model within complex OT environments. OMB aligned strategies with the CISA Zero Trust Maturity Model, while CISA hosted "cyber-stat" workshops to support unified telemetry and prevent fragmented deployments. Agencies formed communities of practice to share approaches for securing identity, endpoint, and data layers.

Traditional segmentation methods, such as VLANs and access control lists (ACLs), remain insufficient for flat or legacy OT networks. The industry has responded with hardware-based and agentless solutions. Vendor partnerships now deliver micro-segmentation through smart network cards (data processing units or DPUs) and unified network overlays, offering ZTNA at the IT/OT convergence. Solutions that avoid deploying agents on legacy assets are increasingly adopted.

Details

CISA has directed funding to support identity proofing and encrypted DNS across federal systems. However, a recent audit found that fewer than one in five agencies fully meet the benchmarks in CISA's Zero Trust Maturity Model.

Developers have responded with new solutions. Claroty unveiled a unified platform that integrates with existing agency infrastructure to enhance threat response and risk management within OT. The National Security Agency (NSA) released its initial Zero Trust Implementation Guidelines, addressing the primer and discovery phases, to inform the path toward maturity.

The private sector is advancing zero-trust as well. Forescout and Netskope released a joint platform applying zero-trust controls to both north-south and east-west traffic, including unmanaged OT and Internet of Things (IoT) devices, meeting the need for real-time device posture awareness. Illumio and NVIDIA launched OT micro-segmentation on NVIDIA BlueField DPUs, enforcing zero-trust policies without relying on endpoint agents.

Outlook

As agencies advance zero-trust implementation, OT-aware ZTNA solutions, especially agentless and overlay-based approaches, are likely to gain procurement preference. Ongoing challenges include asset discovery, effective segmentation, and incident response in hybrid IT/OT environments. Future efforts are expected to extend guidelines from the discovery to enforcement phases and to integrate visibility tools compatible with legacy industrial assets.