Zero Trust in digital warfare: DoD’s race against adversaries

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

Zero trust operational technology represents a fundamental shift in how the Pentagon secures control systems, power grids, and weapons platforms against adversaries who assume networks are already compromised. The U.S. Department of Defense mandates full zero-trust cybersecurity framework adoption across all components by the end of fiscal year 2027, covering information systems, cloud services, operational technology, and Defense Industrial Base partners.

Key Takeaways

  • DoD requires “Target Level ZT” minimum across unclassified, classified, and operational technology systems by FY2027.
  • Pentagon released 105 zero trust activities for OT in November 2025, split between 84 target-level and 21 advanced-level capabilities.
  • Zero trust enables faster intelligence sharing between agencies compared to siloed legacy systems, critical for mission-speed operations.
  • Legacy OT systems can meet Target Level through compensating controls—network proxies, behavioral monitoring, protocol-specific checks—without full replacement.
  • DoD established dedicated management offices to synchronize service-wide implementation across Army, Navy, Air Force, and coalition partners.

Why Zero Trust Matters in Digital Warfare

Traditional perimeter-based defenses assume the network boundary is secure. Zero trust eliminates that assumption entirely. Instead of trusting any device or user inside the network, zero trust applies continuous authentication, fine-grained policy enforcement, and constant verification regardless of location. The shift becomes critical when adversaries breach the perimeter—which the Pentagon assumes will happen. In contested environments, agencies need to share intelligence rapidly without waiting for manual security approvals. Legacy systems with rigid access controls slow decision-making. Zero trust, by automating verification and segmentation, enables faster information flow while maintaining security.

The DoD established the Zero Trust Portfolio Management Office in January 2022 under the CIO to orchestrate strategy implementation. That office has since coordinated three major policy pushes: the original zero-trust strategy, the July 2025 Directive-Type Memorandum 25-003 requiring minimum Target Level ZT across all system types, and the November 2025 operational technology guidance outlining 105 specific activities. The Army created its own Functional Management Office to synchronize service-wide adoption, aligning with Multi-Domain Operations in joint and coalition environments. This bureaucratic machinery signals serious intent—not a suggestion, but a mandate with teeth.

The Seven Pillars of Zero Trust Operational Technology

DoD’s framework rests on seven pillars, each targeting a different attack surface. User verification applies multifactor authentication and behavioral analytics to detect unauthorized access. Device security grants access only to compliant systems, with dynamic posture checks before and during access. Application and workload security requires rigorous testing, secure coding, and microsegmentation to limit lateral movement. Data protection, network segmentation, automation, and visibility round out the architecture. For operational technology specifically, the Pentagon added 105 activities divided across these pillars: 84 at Target Level (minimum mandatory) and 21 at Advanced Level (aspirational).

The challenge lies in legacy OT. Unlike IT systems, operational technology often runs decades-old industrial controllers, SCADA systems, and proprietary protocols that cannot be patched or replaced without shutting down critical infrastructure. The DoD acknowledged this reality. Rather than mandate wholesale replacement, the Pentagon issued compensating controls guidance for legacy OT environments. Network-based access proxies can verify identity without modifying the control system itself. Behavioral monitoring detects unusual activity patterns. Protocol-specific monitoring watches industrial communications for anomalies. Policy enforcement gateways operate at network boundaries. Configuration integrity checks ensure systems have not been tampered with. Network-level microsegmentation isolates critical assets. These controls allow defense agencies to meet Target Level without replacing billion-dollar infrastructure overnight.

Zero Trust vs. Defense in Depth: A Fundamental Difference

Many defense officials still think in layers—firewalls, intrusion detection, endpoint protection stacked like walls of a castle. Defense in depth assumes that if one layer fails, others catch the breach. Zero trust rejects that model. It assumes every layer has failed. Every request, every user, every device gets verified independently, regardless of whether it came from inside or outside the network perimeter. Zero trust also applies continuous verification, not just at entry. A device trusted this morning might be compromised by afternoon; zero trust re-authenticates constantly.

This architectural difference matters for mission speed. Legacy defense-in-depth systems often require manual security reviews before agencies share classified intelligence. Zero trust automates that process through policy enforcement and segmentation. A user from Agency A accessing data in Agency B’s system gets verified once, then policy rules determine what data they can see. The system moves faster because humans are removed from the approval loop.

What Comes Next: Strategy Updates and Weapon Systems Guidance

The DoD plans to release an updated Zero Trust Strategy in early 2026, followed by further guidance for weapon systems and defense critical infrastructure. That timeline suggests the Pentagon recognizes it has only begun. The FY2027 deadline applies to information systems and operational technology in existing infrastructure. Weapon systems—the F-35, hypersonic missiles, autonomous vehicles—present a different problem. They are often designed with security assumptions from years past. Retrofitting zero trust into weapons platforms requires different compensating controls, different architectures, different testing. The Pentagon has not yet issued that guidance, signaling it remains unsolved.

Cultural adoption may prove harder than technical implementation. The DoD’s stated objectives include building a cybersecurity-minded workforce that embraces zero trust, increasing collaboration and productivity, and deepening cybersecurity commitment across ranks. That requires training, hiring, and a shift in how security professionals think. Zero trust is not a product you buy; it is an operating model you build. Agencies accustomed to trusting internal networks must learn to trust nothing and verify everything. That mindset shift, across thousands of personnel in dozens of agencies, will take years.

Can Legacy Systems Really Meet the Target?

The compensating controls framework suggests yes, but with caveats. A legacy SCADA system managing a power grid cannot run modern identity verification software. But a network proxy sitting in front of that SCADA system can intercept requests, verify the user’s identity through multifactor authentication, and only forward legitimate traffic. Behavioral monitoring watches for attack signatures. Configuration integrity checks ensure the SCADA system has not been modified. Together, these controls provide zero-trust-like protection without replacing the legacy system.
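As an added illustration, not code from the article, the DoD, or any vendor, the following sketches the policy enforcement gateway described here and in the compensating-controls paragraph of the Seven Pillars section: every request bound for a legacy controller is verified independently for MFA, device posture, a role-based protocol allowlist, and a behavioral rate signal, and a hash comparison implements the configuration integrity check. The roles, function codes, rate limit, and configuration bytes are constructed for the example.

```python
"""Added example, not from the article or DoD guidance: a minimal policy
enforcement gateway in front of a legacy controller. Roles, function codes,
the rate limit and the configuration bytes are constructed placeholders."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

# Protocol-specific check: which industrial function codes each role may send.
ROLE_ALLOWED_FUNCS = {
    "operator": {"READ_COILS", "READ_HOLDING_REGISTERS"},
    "engineer": {"READ_COILS", "READ_HOLDING_REGISTERS", "WRITE_SINGLE_REGISTER"},
}

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool        # identity check done by the proxy, not the PLC
    device_compliant: bool    # dynamic posture check result
    func: str                 # function code the request carries
    rate_last_minute: int = 0 # behavioral signal supplied by the monitor

@dataclass
class Gateway:
    baseline_config_hash: str
    rate_limit: int = 60
    decisions: List[tuple] = field(default_factory=list)  # audit log

    def evaluate(self, req: Request) -> Tuple[bool, str]:
        """Verify each request independently; nothing inside is trusted."""
        if not req.mfa_verified:
            return self._log(req, False, "mfa_required")
        if not req.device_compliant:
            return self._log(req, False, "device_noncompliant")
        if req.func not in ROLE_ALLOWED_FUNCS.get(req.role, set()):
            return self._log(req, False, "function_not_allowed_for_role")
        if req.rate_last_minute > self.rate_limit:
            return self._log(req, False, "behavioral_anomaly")
        return self._log(req, True, "forwarded")

    def _log(self, req: Request, allowed: bool, reason: str) -> Tuple[bool, str]:
        self.decisions.append((req.user, req.func, allowed, reason))
        return allowed, reason

def config_integrity_ok(gateway: Gateway, current_config: bytes) -> bool:
    """Configuration integrity check: hash of the controller's current
    configuration must match the recorded known-good baseline."""
    return hashlib.sha256(current_config).hexdigest() == gateway.baseline_config_hash

BASELINE_CONFIG = b"setpoint=50\nmode=auto\n"  # constructed known-good config
GATEWAY = Gateway(baseline_config_hash=hashlib.sha256(BASELINE_CONFIG).hexdigest())
```

The latency and false-positive concerns raised below show up directly in this model: every request pays for four checks, and a rate limit tuned too tightly will block legitimate polling.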

However, compensating controls are not equivalent to native zero trust. They add latency. They require careful tuning to avoid false positives that disrupt operations. They depend on network-level enforcement, which is less granular than application-level controls. For new systems, the Pentagon should mandate native zero trust. For legacy systems, compensating controls buy time. But that time is finite. As control systems age out and replacements arrive, those replacements must be zero-trust-native from day one.

Is the DoD’s FY2027 deadline realistic?

The Pentagon set FY2027 for information systems and cloud services. Operational technology lacks a firm deadline, suggesting the DoD recognizes the complexity. For IT systems, FY2027 is achievable if agencies prioritize ruthlessly and vendors deliver. For OT, especially critical infrastructure, the deadline is more aspirational. Some agencies will hit Target Level by 2027. Others will miss. The real test comes after the deadline—whether the Pentagon enforces the mandate or extends it quietly, as often happens with defense directives.

How does zero trust operational technology differ from standard zero trust?

Standard zero trust assumes you can patch systems, update software, and deploy agents on every device. Operational technology often cannot be patched without shutting down critical services. OT systems run specialized protocols, proprietary software, and hardware that predates modern security practices. Zero trust OT therefore relies more heavily on network-level controls, behavioral monitoring, and compensating controls rather than endpoint-based verification. The core principle—assume breach, verify everything—remains the same, but the implementation looks different.

What is the Pentagon’s timeline for weapon systems zero trust guidance?

The DoD plans to release updated Zero Trust Strategy guidance in early 2026, with further direction for weapon systems and defense critical infrastructure to follow. No specific deadline has been announced for weapons platforms. This suggests the Pentagon is still determining how to apply zero trust to systems designed with different security assumptions, including legacy platforms already in service and new platforms still in development.

The Pentagon’s push for zero trust operational technology is not about perfection—it is about speed and resilience. In digital warfare, the side that detects and responds to breaches faster wins. Legacy security models, with their manual approvals and siloed systems, cannot match adversary speed. Zero trust, by automating verification and enabling rapid information sharing, gives defenders a fighting chance. The FY2027 deadline is aggressive. Some agencies will struggle. But the direction is clear: trust nothing, verify everything, and move faster than the enemy.

Edited by the All Things Geek team.

Source: TechRadar
