Federal Agencies Issue New Guidance on Applying Zero Trust to Operational Technology
CISA and several federal partners have issued new joint guidance to help organizations transition operational technology (OT) environments toward a zero-trust security architecture.

CISA, alongside the Department of War, the Department of Energy, the FBI, and the Department of State, has released new joint guidance titled "Adapting Zero Trust Principles to Operational Technology." The document provides a framework for organizations to transition away from traditional, perimeter-based security models toward a zero-trust architecture specifically tailored for operational technology (OT) environments.
The core of the guidance addresses the risks introduced by IT-OT convergence. Historically, OT systems, which manage critical physical processes, were isolated or operated manually. As these systems become increasingly interconnected, digitally monitored, and remotely controlled, they are no longer shielded by air-gapping. The agencies warn that implicit trust models are now inadequate, as they fail to account for the sophisticated threats targeting modern, interconnected infrastructure (CISA).
To mitigate these risks, the guidance emphasizes the necessity of continuous validation. Organizations are urged to move beyond static defenses by implementing zero-trust principles that require verification based on identity, context, and risk. This approach is designed to replace the assumption that any device or user inside the network perimeter is inherently secure, a shift that is critical for protecting the physical processes that OT systems control (CISA).
The document outlines several strategic priorities for OT operators, including the establishment of comprehensive asset visibility and the proactive management of supply chain risks. Furthermore, it stresses the importance of robust identity and access management (IAM) systems. Because OT environments often rely on legacy infrastructure, the guidance provides recommendations on how to implement these modern security controls while navigating operational constraints and safety requirements (CISA).
Layered security remains a cornerstone of the recommended strategy. The agencies advocate for the use of network segmentation and secure communication protocols to limit the blast radius of potential compromises. Additionally, the guidance highlights the importance of ongoing vulnerability management, ensuring that security patches and updates are integrated into the OT lifecycle without disrupting critical operations (CISA).
This guidance reflects a broader shift in national cybersecurity strategy, acknowledging that the digital transformation of industrial and critical infrastructure requires a fundamental change in defensive posture. As IT and OT networks continue to merge, the ability to maintain visibility and control over every access request becomes a primary requirement for operational resilience. Organizations are encouraged to review the full document to better understand how to adapt these zero-trust principles to their specific technical environments (CISA).