Pentagon Mandates Zero Trust Security Framework for Operational Technology Environments
January 12, 2026 – Published on Nexus
The Department of War (DoW) has issued comprehensive guidance requiring all organizational units to implement zero-trust security principles across operational technology (OT) systems, marking a fundamental shift in how the military secures critical infrastructure from power grids to manufacturing control systems.
Released late November, the Zero Trust for Operational Technology Activities and Outcomes document establishes 105 distinct security activities—84 designated as mandatory “target level” requirements and 21 as “advanced level” objectives—organized across seven pillars: users, devices, applications and workloads, data, networks and environments, automation and orchestration, and visibility and analytics.
Andrew Clopton, senior OT security engineer at GuidePoint Security, noted that the traditional Purdue Model established six hierarchical layers with strict boundaries between IT and OT networks, creating multiple security checkpoints that limited operational agility.
“The DoW’s new simplified model flattens this into just two distinct layers: operational and process control. Removing intermediate boundaries enables more direct communication and leverages identity-based controls and micro-segmentation, rather than physical network separation, to maintain security,” he says.
Clopton explains that for organizations that previously designed their OT environments around the Purdue model, the transition to the DoW's new guidance presents three critical requirements:
- Reimagining network boundaries beyond physical separation toward identity-based controls that verify every access request, regardless of origin.
- Implementing micro-segmentation at the network, application, and device levels. In practice, this creates multiple layers of verification that prevent lateral movement and contain threats, even if one layer is compromised.
- Adopting a zero-trust network architecture (ZTNA) with “deny by default” policies that enforce contextual access decisions. ZTNA replaces implicit trust based on network location with a system that verifies every access attempt based on who is requesting it, what device they’re using, and current conditions.
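As an added illustration (not code from the article, the DoW guidance, or GuidePoint), the following Python sketch evaluates an access request against a deny-by-default policy keyed on verified identity, device posture and current conditions, with the two-layer operational / process control model as the target segments. The role names, actions and the maintenance-window condition are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class AccessRequest:
    subject: str             # verified identity (from an IdP assertion), not a source IP
    role: str
    device_posture: str      # "compliant" | "noncompliant" | "unknown"
    dst_segment: str         # "operational" | "process_control" (the two-layer model)
    action: str              # e.g. "read_telemetry", "write_setpoint"
    in_maintenance_window: bool = False

@dataclass(frozen=True)
class Rule:
    role: str
    dst_segment: str
    actions: frozenset
    require_maintenance_window: bool = False

# Constructed sample policy: hypothetical roles and actions for this example.
POLICY = (
    Rule("operator", "operational", frozenset({"read_telemetry"})),
    Rule("operator", "process_control", frozenset({"read_telemetry"})),
    Rule("control_engineer", "process_control", frozenset({"read_telemetry"})),
    # Setpoint writes into process control are allowed only inside a maintenance window.
    Rule("control_engineer", "process_control", frozenset({"write_setpoint"}),
         require_maintenance_window=True),
)

def evaluate(req: AccessRequest, policy=POLICY) -> Tuple[bool, str]:
    """Deny-by-default decision: a request is allowed only if an explicit rule
    matches and every contextual condition holds; anything else is refused."""
    # Device posture is checked on every request, regardless of network origin.
    if req.device_posture != "compliant":
        return False, f"device posture '{req.device_posture}' is not compliant"
    for rule in policy:
        if rule.role != req.role or rule.dst_segment != req.dst_segment:
            continue
        if req.action not in rule.actions:
            continue
        if rule.require_maintenance_window and not req.in_maintenance_window:
            return False, "write outside maintenance window"
        return True, f"{req.subject} as {req.role} may {req.action} in {req.dst_segment}"
    return False, "no matching rule (deny by default)"

if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", "operator", "compliant", "operational", "read_telemetry")))
```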