On April 29, 2026, the Cybersecurity and Infrastructure Security Agency published "Adapting Zero Trust Principles to Operational Technology" jointly with the Department of War, the Department of Energy, the Federal Bureau of Investigation, and the Department of State. The 28-page document landed without the rollout choreography that typically accompanies a major Pentagon strategy. There was no signing ceremony, no press briefing from the Zero Trust Portfolio Management Office, no companion video from the DoD Chief Information Officer. By the end of May, the trade press had absorbed it as a technical reference and moved on. That muted reception understates what the document actually changes for the defense industrial base.
The Pentagon's own Zero Trust Strategy 2.0, expected in early 2026, was always going to extend zero-trust requirements from IT networks into operational technology, weapon systems, and defense critical infrastructure. The DoD CIO's November 2025 guidance had already laid out 105 OT capability outcomes, with 84 considered minimum target levels and 21 reserved for advanced implementation. What the April 29 interagency guide does is different in kind. It establishes that the same zero-trust expectations apply to OT environments across the federal critical-infrastructure ecosystem — from a Department of Energy substation to a fuel pier serving Navy ships to a contractor-operated industrial control system fabricating munitions. The federal government now speaks with one voice on OT zero trust, and that voice reaches every supplier whose equipment, software, or services touch a covered environment.
What Changed in the Compliance Posture
The interagency guide is structured around the NIST Cybersecurity Framework 2.0's six functions — Govern, Identify, Protect, Detect, Respond, Recover — and it identifies three pillars that organize the OT-specific work: asset visibility, identity and access management, and supply chain risk management. None of those pillars are conceptually new. What is new is that all five signatory agencies now reference the same playbook when they evaluate the cybersecurity posture of a contractor, a critical-infrastructure operator, or a foreign partner. A defense supplier that builds programmable logic controllers, supervisory control software, ruggedized network appliances, or embedded firmware for OT environments will see the same expectations show up in DoW contract clauses, in DOE site security reviews, in FBI joint cyber advisories, and in State Department export-control conversations.
That convergence matters because the OT zero-trust problem has historically been a coordination failure as much as a technology failure. A contractor delivering a control system to a Navy base might be told by the program office to follow one set of cyber requirements, by the base utilities engineer to follow another, and by the host installation's security team to follow a third. The interagency document does not eliminate those local variations, but it forces them to converge on a shared baseline. The practical effect is that contractors who built their OT cybersecurity programs around a single agency's interpretation now have to broaden their reference architecture, and contractors who deferred OT zero-trust investments altogether now face a compliance landscape where deferral is no longer a viable posture.
Why the Three Pillars Are the Hard Part
Asset visibility is the pillar where most defense suppliers underestimate the work. OT environments routinely include equipment that has been in service for fifteen to thirty years, running proprietary protocols, on networks that were never instrumented for asset discovery. The interagency guide is explicit that visibility cannot be achieved through periodic manual inventories. It requires continuous, passive discovery that does not interfere with control-system uptime, paired with an asset inventory that captures firmware versions, communication patterns, and supply-chain provenance. For most defense OT vendors, the engineering effort to retrofit visibility into legacy product lines is significant, and the licensing models on most enterprise OT discovery tools were not designed for the air-gapped, tactically-deployed environments where defense OT actually operates.
Identity and access management in OT is even harder. The guide explicitly acknowledges that traditional IT zero-trust patterns — continuous reauthentication, cloud-based identity services, fine-grained policy enforcement at every connection — do not translate cleanly to environments where a single operator may need to take a manual control action in under two seconds, and where the identity provider may not be reachable due to a degraded network. The expected pattern is layered: device identity rooted in hardware, operator identity managed through hardened local credential stores synchronized when possible, and policy enforcement that fails to a safe-and-known state rather than to a denied state. Defense suppliers building tactical edge compute, deployable command nodes, or contested-environment C2 infrastructure should already be building toward this pattern. Suppliers who are not will find their existing product architectures difficult to certify.
Supply chain risk management is the pillar where the interagency framing has the most teeth. The guide assumes that OT components arrive at the federal customer with provenance documentation, software bills of materials, and verifiable firmware integrity. Contractors who have treated SBOMs as an aspirational deliverable rather than a contract requirement should expect that posture to fail audits beginning in the fiscal 2027 contracting cycle. The DoD CIO and the DoE Office of Cybersecurity, Energy Security, and Emergency Response have both signaled that supply chain attestations on OT components will be enforced through contract terms, not through voluntary disclosure programs.
The Window for Contractors
The CMMC program continues its phased rollout — Phase 1 self-assessments are in effect now, Phase 2 begins requiring C3PAO certification on November 10, 2026 — and the DoD's Zero Trust Strategy 2.0 will formalize weapon-system and OT cybersecurity expectations once it is published. The interagency OT guide does not wait for either of those instruments. It is operative now, it is referenced now in agency advisories, and it shapes the cybersecurity questions defense customers are asking now during program reviews and sustainment planning. Contractors who build edge compute, autonomous systems, command and control infrastructure, or any product that integrates with operational technology should treat the April 29 guide as the baseline against which their architecture will be evaluated. The companies that read it as a recommendation will spend fiscal 2027 absorbing rework costs. The companies that read it as a contract specification will be the ones their customers want to keep building with.
