CISA and federal partners extended Zero Trust guidance into operational technology.

A new joint guide addresses the constraints that make OT environments different from IT when applying Zero Trust principles - relevant to any program scoping Zero Trust or RMF work that touches industrial or facility systems.

What changed

CISA, together with partner agencies including the Department of War, Department of Energy, the FBI, and the Department of State, published a joint guide, "Adapting Zero Trust Principles to Operational Technology," giving OT owners, operators, and Zero Trust practitioners practical guidance for applying Zero Trust principles inside OT environments.

The guide addresses constraints that don't apply the same way in conventional IT Zero Trust work - legacy protocols, availability requirements, and safety-critical systems - and gives programs a way to prioritize where Zero Trust controls fit inside an OT environment without disrupting operations.

Source: CISA (opens in a new tab) · April 2026

Why federal buyers should care

  • Agencies and DoD components running OT - industrial control systems, facility systems, tactical or edge systems - now have an authoritative federal reference to cite in Zero Trust requirements, RMF documentation, and evaluation criteria, rather than adapting IT-focused guidance on their own.
  • Programs that scoped Zero Trust modernization as an IT-only initiative may need to revisit architecture decisions for any OT systems in scope, since availability and safety constraints change how controls like microsegmentation and continuous monitoring get implemented.
  • Contracting officers and security leaders evaluating vendor Zero Trust proposals for OT-adjacent requirements can use the guide as a baseline for what a credible OT Zero Trust approach should address.

How StorSoft can help

StorSoft supports Zero Trust Architecture, RMF documentation, ATO packages, continuous monitoring, and vulnerability management, with cyber talent mapped to DoD 8140 DCWF work roles.

For programs with OT or mission-technology components inside their security scope, a cybersecurity intake conversation can help align Zero Trust and RMF requirements to an executable technical approach and route the requirement through an active contract vehicle (GSA MAS, SeaPort NxG, or MDA SHIELD).