Pentagon zero trust guidance for IoT and OT coming in September

As the Department of Defense races to shore up its cyber defenses with zero-trust security architectures by 2027, it will issue key guidance for how industry partners should enlist the security framework for Internet of Things and operational technology systems by the end of the fiscal year.

Randy Resnick, senior advisor of the Zero Trust Portfolio Management Office in the DOD, said Wednesday that the department is developing those guidance documents as expansions and variations of the 91 baseline “target-level” zero-trust activities it has already released for industry models to meet.

The new IoT and OT guidance are expected sometime in September, Resnick said at the GDIT Emerge: Edge Forward event, produced by FedScoop.

DOD uses what it refers to as “fan charts,” Resnick said, to lay out the various security controls vendors must build into their zero-trust solutions to meet the baseline for military services and defense agencies. In total, there are 152 controls — 91 at the target level and 61 at the advanced level, which “offer the highest level of protection,” the department said in guidance from 2024.

Resnick said that the fan chart for operational technology is “different” than that of the 91 activities needed to meet target-level compliance, though “there’s a lot of overlap.”

“The number of activities to hit target-level OT is different,” he explained.

For securing IoT systems with zero trust, Resnick said it’s essentially the same 91 target-level activities, plus two additional controls.

Explaining why it was necessary to build out additional overlays for OT and IoT systems, he said the way you respond to an incident is quite different, especially for operational technology.

With OT, Resnick said, “You want to have it fail open, or you want to have it fail in a way that doesn’t disturb or cause more mischief or harm than you want.”

Once those pieces of guidance arrive in September, just one more such directive remains for the DOD to issue: zero-trust overlays for weapons systems, said Resnick.

With the 2027 deadline looming, Resnick said he feels like “we’re in good shape,” especially after his office was spared in recent DOGE cuts, he said.

He explained that the department continues to experience successful pilots with industry that meet target or advanced levels of zero trust. And with more of those solutions taking shape, it’s getting closer to the point where DOD organizations will be able to “just buy it, implement it, install it, and pretty much get there before the end of [2027],” Resnick said.

The hard part will then be installing the solutions, he explained.

“We’re talking professional services and a whole army of people that are probably going to be required,” Resnick said. “We’re talking about full swap-outs and new infrastructures. This is not a small problem … I certainly hope that industry is thinking like that.”