Blog - Corsha

Zero Trust for OT: What the New Mandate Means for Defense and Industrial Teams

Written by Anusha Iyer | Dec 18, 2025 11:58:30 AM

On November 18, 2025, the Department of War (DoW) Chief Information Officer released the Zero Trust for Operational Technology framework. This follows the July 2025 mandate under DTM 25-003, Implementing the DoD Zero Trust Strategy, which established authoritative guidance for applying Zero Trust (ZT) to all IT systems and all control systems/Operational Technology (OT). The new requirements must be implemented in addition to all existing cybersecurity controls.

While most Zero Trust guidance historically focuses on enterprise IT, the DoW paper recognizes that operational systems work differently. OT environments support mission-critical physical processes and depend on predictable, stable communications and high availability. The ZT for OT framework adapts Zero Trust principles to these operational constraints and establishes a structured path for defense organizations to implement Zero Trust in operational environments safely and effectively.

Let’s talk about the new mandate and the activities it requires, and then how Corsha helps cyber-physical teams meet key Zero Trust for OT requirements.

Zero Trust Activities: From Target to Advanced

Because OT environments vary widely in architecture, modernization, and risk, the DoW framework introduces two levels of Zero Trust maturity, implemented in two phases. The Target phase establishes the foundational controls required across all operational systems. The Advanced phase outlines a more mature posture in which verification, policy enforcement, and response become real-time and adaptive. Together, they create a model in which OT defenses are continuously validated and adjusted to meet changing operational and mission demands.

Target Phase Objectives

  • Establish foundational identity, access control, monitoring, and segmentation across OT systems.
  • Enforce least-privilege access for machine, service, and human.
  • Detect and contain abnormal or unauthorized behaviors using OT-specific monitoring.

Advanced Phase Objectives

  • Continuously verify OT communications and command pathways in real time.
  • Apply adaptive policies based on operational context and observed behavior.
  • Automate containment and response while maintaining safety and availability.

The Zero Trust Fan for OT 

The framework organizes Zero Trust for OT into seven pillars, mirroring the original ZT guidance for enterprise IT systems, that together define how organizations should secure, monitor, and manage operational environments. With 84 Target and 21 Advanced activities, the 105 activities in total establish the structure for implementing Zero Trust across OT systems in a practical, mission-aligned way.

source: Zero Trust for Operational Technology

1. User 

  • Maintain a complete inventory of OT users and eliminate shared, must-run, or unmanaged accounts.
  • Enforce strong authentication with MFA or approved alternatives at session start, periodic re-auth, and continuous verification where possible.
  • Apply role- and attribute-based access with least privilege, dynamic approval for privileged actions, and deny-by-default enforcement.

2. Device 

  • Maintain an accurate inventory of all Non-Person Entities (NPEs)/OT devices through manual, passive, or safe active discovery.
  • Apply credentialing (PKI/X.509), configuration control, and vulnerability/patch management tailored to OT safety and reliability constraints.
  • Enforce “deny-by-default” for device access, restricting unmanaged non-OT assets and limiting BYOD in OT environments.

3. Applications & Workloads

  • Inventory all OT applications, code, and binaries and ensure they follow secure development practices and approved configurations.
  • Enforce application control to prevent unauthorized modifications and apply ABAC (Attribute-Based Access Control) for all workloads.
  • Implement OT-specific DevOps/DevSecOps pipelines, XBOM tracking, and vulnerability management processes aligned with mission risk.

4. Data

  • Tag, classify, and label OT data using standardized metadata and workflow-aligned schemas that do not disrupt operations.
  • Implement DLP/DRM controls to monitor, protect, and govern data across the OT boundary, initially in monitor mode, then with enforcement.
  • Monitor file and database activity using machine-readable logs, analytics, and policies for sensitive OT data types (e.g., configurations, schematics).

5. Network / Environment

  • Define granular access rules, policies, and data-flow patterns for OT networks based on mission, attributes, and operational behavior.
  • Implement segmentation at multiple levels: planes (control/data/management), logical zones, Base/Camp/Post/Station (B/C/P/S) segmentation, and microsegmentation.
  • Integrate SDN/programmatic pathways, enforcement points, and standardized logging to validate connections and prevent lateral movement.

6. Automation & Orchestration

  • Inventory and align existing OT access control policies, DR/BCP procedures, and operational standards with Zero Trust requirements.
  • Create attribute-driven access profiles that prioritize mission context and override local rules when necessary.
  • Automate policy enforcement where safe, ensuring OT systems queue changes for human approval to preserve safety and reliability.

7. Visibility & Analytics

  • Implement continuous monitoring across OT planes, feeding logs and telemetry into SIEM/SOAR platforms for analysis and alerting.
  • Deploy UEBA (user and entity behavior analytics) and UAM (user activity monitoring) for users, processes, and machines/NPEs to detect anomalous behavior while prioritizing safety and operational continuity.
  • Correlate analytics from EDR/XDR, file monitoring, network flow, and tagging systems to detect lateral movement and policy violations.


How Corsha Helps

Corsha directly supports a significant portion of the Zero Trust for OT Activities and Outcomes. When mapped across the seven Zero Trust for OT pillars, Corsha aligns with a majority of the Target and Advanced requirements. As a Machine Identity Provider (mIDP) purpose-built for OT, Corsha gives every machine a verifiable identity, continuously authenticates each machine-to-machine (M2M) connection, and applies dynamic, intelligent access control to prevent unauthorized lateral movement across mission-critical operational environments. Securing M2M communications is particularly foundational in Zero Trust for OT, given how much traffic in these industrial environments is automated. 

Here are some examples of the Corsha Platform in action:

  • An unidentified, unmanaged device attempts to communicate with a safety PLC; Corsha denies the request in real time based on the ZT identity and behavioral policy.
  • A maintenance machine attempts to reach a restricted control zone; through identity-based microsegmentation, Corsha blocks and flags the connection before any unsafe lateral movement occurs.
  • A normally quiet HMI begins issuing unexpected write requests; Corsha identifies the deviation from its patterned behavior and alerts the system owners to protect the process.
  • Corsha retrofits identity security and access control around a legacy controller that would otherwise blindly accept any incoming traffic.
  • A new analytics workload initiates a high-frequency polling pattern; Corsha recognizes the unsafe behavior and throttles the connection.
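
To make the enforcement sequence behind scenarios like these concrete, here is an added, self-contained example; it is not Corsha's code and does not describe how the Corsha Platform is implemented. It is a toy deny-by-default policy engine that runs five constructed requests through the same four checks a Zero Trust for OT enforcement point has to make in order: is the machine identity known and verifiable, does the zone policy explicitly permit this source/destination/operation, is the request rate within budget, and does the operation match the device's learned baseline. The device names, zones, secrets, rate budget, and baseline are all assumptions, and a per-device HMAC key stands in for the X.509 credential a real machine identity provider would issue.

```python
"""Toy deny-by-default policy engine for machine-to-machine OT traffic (example only)."""
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed machine inventory (assumption). A per-device secret stands in for the
# PKI/X.509 credential a real mIDP would issue; only the identity check is shown.
INVENTORY = {
    "hmi-01":       {"secret": b"k-hmi-01",       "zone": "control"},
    "maint-07":     {"secret": b"k-maint-07",     "zone": "maintenance"},
    "analytics-02": {"secret": b"k-analytics-02", "zone": "enterprise"},
}
# Protected OT assets and the zone each lives in (constructed).
ASSETS = {"plc-safety-1": "control", "plc-line-3": "control"}
# Allowed (source zone, destination zone) -> operations. Any pair not listed is denied.
ZONE_POLICY = {
    ("control", "control"):    {"read", "write"},
    ("enterprise", "control"): {"read"},
}
RATE_LIMIT = 5      # max requests per device inside RATE_WINDOW seconds (assumed budget)
RATE_WINDOW = 1.0


@dataclass
class Request:
    src: str      # claimed device identity
    dst: str      # target asset
    op: str       # "read" or "write"
    ts: float     # seconds
    tag: str      # hex HMAC over (src, dst, op, ts) made with the device's secret


def sign(secret: bytes, src: str, dst: str, op: str, ts: float) -> str:
    """Authenticate a request with the device's key (stand-in for a cert-backed signature)."""
    msg = f"{src}|{dst}|{op}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class PolicyEngine:
    def __init__(self, baseline: dict[str, set[str]]):
        self.baseline = baseline            # device -> operations seen during learning
        self.recent = defaultdict(deque)    # device -> timestamps inside the rate window

    def decide(self, r: Request) -> tuple[str, str]:
        # 1. Identity: unknown or unverifiable devices never reach a policy lookup.
        dev = INVENTORY.get(r.src)
        if dev is None:
            return "deny", "unmanaged device"
        expected = sign(dev["secret"], r.src, r.dst, r.op, r.ts)
        if not hmac.compare_digest(expected, r.tag):
            return "deny", "identity verification failed"
        # 2. Segmentation: the zone pair and the operation must be explicitly allowed.
        dst_zone = ASSETS.get(r.dst)
        if dst_zone is None:
            return "deny", "unknown asset"
        allowed = ZONE_POLICY.get((dev["zone"], dst_zone), set())
        if r.op not in allowed:
            return "deny", f"{dev['zone']}->{dst_zone} {r.op} not permitted"
        # 3. Rate: throttle bursts that exceed the per-window budget.
        q = self.recent[r.src]
        q.append(r.ts)
        while q and r.ts - q[0] > RATE_WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            return "throttle", "polling rate above budget"
        # 4. Behaviour: permitted by policy but outside what this device normally does.
        if r.op not in self.baseline.get(r.src, set()):
            return "allow+alert", "operation outside learned baseline"
        return "allow", "ok"


def run_scenarios() -> list[tuple[str, str]]:
    """Replay five constructed requests and return the engine's decision for each."""
    eng = PolicyEngine(baseline={"hmi-01": {"read"}, "analytics-02": {"read"}})

    def req(src, dst, op, ts, secret=None):
        key = secret if secret is not None else INVENTORY[src]["secret"]
        return Request(src, dst, op, ts, sign(key, src, dst, op, ts))

    results = []
    # Unidentified device talking to the safety PLC: denied before any policy lookup.
    results.append(eng.decide(req("rogue-laptop", "plc-safety-1", "read", 0.0, b"whatever")))
    # Maintenance machine reaching into the control zone: no zone rule, so denied.
    results.append(eng.decide(req("maint-07", "plc-line-3", "read", 0.1)))
    # Known HMI with a valid identity issuing a write it has never issued before.
    results.append(eng.decide(req("hmi-01", "plc-line-3", "write", 0.2)))
    # Managed identity but a forged tag (wrong key): identity check fails.
    results.append(eng.decide(req("hmi-01", "plc-line-3", "read", 0.3, b"wrong-key")))
    # Analytics workload polling faster than its budget: the sixth request is throttled.
    last = ("allow", "ok")
    for i in range(RATE_LIMIT + 1):
        last = eng.decide(req("analytics-02", "plc-line-3", "read", 1.0 + i * 0.1))
    results.append(last)
    return results


if __name__ == "__main__":
    for decision, reason in run_scenarios():
        print(f"{decision:12s} {reason}")
```

The ordering is the point: identity is verified before any policy is consulted, the zone policy is an allow list rather than a block list, and the behavioural check runs last so it only ever adds an alert to traffic that policy already permits. In a real deployment the out-of-baseline write to a safety PLC would usually be held for human approval rather than allowed with an alert, which is the "queue changes for human approval" outcome the Automation & Orchestration pillar calls for.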

Corsha’s mIDP brings OT identity and access control in real time, which leads to better data quality, more accurate analysis, and stronger audit evidence, all important pieces of achieving Zero Trust for OT.

Corsha’s capabilities accelerate progress across the Target and Advanced Zero Trust phases while preserving the safety and availability requirements of defense operational systems. We enable mission owners to stop attacks in real time, automate security, and modernize their operational environments with confidence.


Closing

This DoW framework is an exciting step forward for industrial environments! Zero Trust for OT is now an operational requirement, not a future aspiration. The Zero Trust for OT framework provides a clear path for defense teams to verify, secure, and continually manage operational systems. Corsha empowers mission owners like you to make substantial progress across both the Target and Advanced phases, advancing cyber protections without compromising safety and availability.

Corsha is already ATO’d and deployed in production within the U.S. Air Force, and ready for operational environments. If you want to see how machine identity for operational systems can be applied in practice, request a demo of the Corsha Platform and learn how quickly we can help you accelerate your Zero Trust for OT journey.