Pentagon Quietly Issues First Zero Trust Blueprint for Operational Technology and Industrial Control Systems

The Pentagon has released its first detailed zero trust blueprint for operational technology and industrial control systems, extending a once-IT-centric strategy into the physical backbone of U.S. military operations. The new guidance defines 105 specific activities across seven security pillars, targeting base utilities, industrial control systems, and mission-adjacent infrastructure without imposing a fixed deadline, but with clear expectations that OT will now be treated as a frontline cyber-physical battleground.

WireUnwired Research • Key Insights

  • Breaking news: The Pentagon has released its first detailed zero trust implementation guide tailored specifically to operational technology and industrial control systems, marking a major shift in how the U.S. military defends its physical infrastructure.
  • Impact: Base utilities, flight lines, weapons-adjacent facilities and other cyber-physical systems will now be treated as frontline targets, not back-office afterthoughts, reshaping how the Department of Defense budgets, engineers, and operates critical infrastructure.
  • The numbers: 105 zero trust activities defined for OT environments, including 84 “target level” controls and 21 “advanced” capabilities, mapped across seven security pillars and designed for phased rollout from local plants to enterprise tools.

The U.S. Department of Defense has drawn a new red line around the systems that keep its bases, runways, and weapons-adjacent facilities running. A new implementation guide from the Pentagon’s Chief Information Office quietly establishes the first detailed zero trust blueprint for operational technology and industrial control systems, extending a once-IT-centric strategy deep into the physical backbone of military operations.

From IT to OT: Zero Trust Crosses the Air Gap

The new operational technology zero trust guidance is not a high-level vision document. It is an engineering playbook. The Pentagon defines 105 specific zero trust activities and capability outcomes for OT environments. Of those, 84 are classified as minimum “target level” controls, with 21 labeled “advanced” for more mature deployments.

Those activities are mapped across seven familiar zero trust pillars: users, devices, applications and workloads, data, networks and environments, automation and orchestration, and visibility and analytics. But the focus is squarely on programmable systems that move electrons, fuel, water, and aircraft, not just packets and files.

That means industrial control systems, building automation, runway lighting, power and water plants, elevators, and infrastructure that sits adjacent to weapons and mission systems. Where earlier Pentagon zero trust efforts concentrated on email, cloud, and endpoints, this guidance targets the programmable logic controllers (PLCs), SCADA-like environments, and long-lived proprietary systems that cannot simply be patched overnight or ripped and replaced.

Why OT Needed Its Own Zero Trust Rulebook

Traditional zero trust doctrine inside the Pentagon grew out of the 2022 DoD Zero Trust Strategy and the subsequent Directive-Type Memorandum 25-003, which created the Zero Trust Portfolio Management Office and set the department on a path to reach “target level” zero trust for IT systems by the end of fiscal 2027. Those efforts assumed comparatively modern hardware, standardized protocols, and faster refresh cycles.

Operational technology breaks those assumptions. OT assets often run for decades. They rely on vendor-specific protocols, limited computing resources, and safety constraints that make downtime or aggressive scanning unacceptable. Many are bolted onto legacy networks that were never designed for fine-grained identity, segmentation, or continuous monitoring.

The new Pentagon OT guidance explicitly acknowledges these constraints. It does not attempt to clone IT security controls onto plant floors. Instead, it reframes zero trust in OT terms: tightly managed credentials for human and machine operators, disciplined asset management, environment-aware threat detection, and behavioral analytics tuned to industrial processes rather than office workflows.

Critically, the document treats safety and mission continuity as co-equal to confidentiality. The goal is not just to keep adversaries out, but to prevent them from causing physical effects, while avoiding self-inflicted outages from overzealous controls.

105 Activities, Seven Pillars, One Architecture

At the heart of the guidance is a capability matrix designed to be both prescriptive and adaptable. The 84 “target level” activities outline what every DoD OT environment should ultimately achieve. The 21 “advanced” activities are meant for higher-risk or more mature environments that can push further.

Examples span the seven pillars:

  • Users: Strong identity, credential, and access management for operators, maintainers, and vendors, with role-based access and least-privilege enforced at the system and function level.
  • Devices: Authoritative OT asset inventories, hardware attestation where feasible, and health monitoring for controllers, sensors, and gateways.
  • Applications and workloads: Segregation of engineering workstations, management consoles, and HMI systems; secure software update mechanisms; and explicit authorization for control logic changes.
  • Data: Classification and protection of telemetry, configuration data, and operational recipes; safeguards for data in motion between plants and enterprise systems.
  • Networks and environments: Micro-segmentation around critical processes, secured remote access for vendors and maintainers, and tightly controlled cross-domain connections between OT and IT.
  • Automation and orchestration: Policy-driven enforcement for routine tasks such as access provisioning, configuration baselining, and response to known threat patterns.
  • Visibility and analytics: Continuous monitoring of process and network behavior, anomaly detection tuned to industrial baselines, and attribution capabilities to tie events back to specific identities and devices.

The design principle is “local first, enterprise later.” The guidance envisions OT zero trust capabilities being deployed initially at the plant or base level. Over time, these local capabilities can be integrated with enterprise IT tools and data lakes, creating a unified security architecture without forcing fragile OT systems into unsuitable IT platforms on day one.

No Hard Deadline – and Why That Matters

There is a notable asymmetry in the Pentagon’s zero trust timelines. For traditional IT systems, the department has mandated that components reach target zero trust levels by the end of fiscal 2027. That deadline has been repeatedly emphasized by zero trust leaders and codified in policy documents.

The OT blueprint takes a different tack. The implementation guide for operational technology avoids setting a hard completion date. Instead, it frames OT zero trust as a long-term engineering and modernization effort, one that must be synchronized with physical plant upgrades, safety certifications, and industrial lifecycle planning.

Retrofitting industrial systems is not a sprint. It involves segmenting networks that were never logically separated, inserting secure gateways, updating firmware that may not have been touched in a decade, and negotiating with vendors for features that were not part of original contracts. The Pentagon’s choice to omit a fixed OT deadline acknowledges that these changes cannot simply be willed into existence by policy memos.

However, the lack of a deadline does not signal a lack of urgency. The guidance positions OT zero trust as an integral part of the broader zero trust strategy update the department plans to publish, bringing IT, OT, weapons systems, and defense critical infrastructure under a more unified and modernized framework.

Air Force Bases as Frontline Cyber-Physical Targets

Nowhere is the shift in mindset more visible than in the U.S. Air Force. According to reporting on how the services are responding, senior Air Force leaders are already planning to apply the OT-specific model to industrial control systems on Air Force bases. The message is clear: base utilities and infrastructure are no longer considered back-office support. They are treated as frontline cyber-physical targets.

That reframing has operational consequences. Runway lighting, fuel farms, power distribution, water treatment, and access control systems are now viewed through the lens of contested operations. An adversary who can disrupt these systems at scale can ground sorties, delay deployments, and create cascading effects across theaters without ever touching a traditional weapons system.

The Air Force perspective underscores another core principle of the new blueprint: you cannot simply copy IT controls into OT environments. The service highlights that many of the mechanisms used to secure email servers and cloud workloads will break or destabilize PLCs and SCADA-like systems. The OT guidance is meant to give commanders and engineers a realistic set of tools that respect those constraints while still driving toward measurable zero trust outcomes.

From Local Plants to Enterprise Defense

The guidance also sketches a path for converging OT and IT security over time. It envisions OT capabilities such as credentialing, asset management, threat detection, actor attribution, and behavioral analytics being deployed as local capabilities in base or plant environments first. Once those foundations are in place, they can be federated into enterprise tools and data platforms.

This phased model is crucial. It lets installations modernize at the pace of their industrial systems while still aligning with department-wide standards. It also sets the stage for more advanced use cases: correlating anomalies across multiple bases, sharing OT threat intelligence between components, and using enterprise identity systems to enforce least-privilege down to the controller level.

For industry and integrators, the signal is equally strong. Future contracts that touch base infrastructure, industrial controls, or mission-adjacent facilities will be expected to align with these 105 activities and seven pillars. Zero trust for OT is no longer an abstract aspiration; it is a checklist.

What Comes Next: Strategy 2.0 and Weapon Systems

The OT guidance does not stand alone. The Pentagon has already telegraphed plans for an updated Zero Trust Strategy that will effectively serve as a version 2.0 of its 2022 blueprint. That update is expected to fold in lessons learned from IT deployments and formally integrate OT, weapons systems, and defense critical infrastructure into a more cohesive framework.

In parallel, the department intends to publish additional guidance focused specifically on weapon systems and critical infrastructure, extending zero trust concepts into environments where availability and safety stakes are even higher. The OT document is a bridge between the enterprise IT world and these mission systems, translating zero trust from the data center to the flight line and beyond.

For security leaders, engineers, and vendors tracking this shift, the signal is unmistakable: zero trust is now the organizing principle not just for networks and applications, but for the cyber-physical fabric of U.S. defense operations.

The quiet release of this OT blueprint will not stay quiet for long. As base commanders, plant managers, and program offices digest its 105 activities, it will start to reshape budgets, modernization roadmaps, and even how the Pentagon thinks about resilience in a world where every switch, pump, and sensor is a potential attack surface.


WireUnwired Editorial Team