DoD Zero-Trust for OT.

DTM 25-003 is a DoD Directive-Type Memorandum issued in July 2025 that mandates all DoD Components reach Target Level Zero Trust across all unclassified and classified systems, including Operational Technology (OT) environments. It defines 7 pillars and specific activities that must be addressed.

The DoD guidance explicitly states that traditional IT security approaches can be 'ineffective and potentially dangerous' in OT environments. OT systems prioritize availability and safety — they rely on legacy industrial protocols, cannot tolerate downtime, and often cannot run agents, be patched, or be moved to cloud enclaves.

TAG uses a software-defined networking (SDN) overlay to transparently insert a lightweight, identity-aware proxy in front of each OT asset. The underlying network remains unchanged — no rewiring, no recabling, no changes to PLCs, HMIs, or switches. All access now passes through a Zero-Trust enforcement boundary.

Yes. Trout Access Gate is fully on-premise and has no cloud dependency. Its policy engine runs locally, making it suitable for air-gapped, intermittently connected, and classified environments. No data leaves the site.

Deployment typically takes hours, not weeks. Once installed, TAG immediately begins building an asset inventory and enforcing access policies. The alignment guide documents which specific DoD activities are addressed out-of-the-box and which require policy configuration.

DTM 25-003 directly mandates DoD Components. However, the same NIST 800-171 controls underpin CMMC Level 2, which defense contractors must meet to handle CUI. The 7-pillar framework provides a useful architecture reference for contractors preparing for CMMC assessments on OT environments.

Target Level is the baseline required by DTM 25-003. It covers the core activities within each pillar: identity verification, device inventory, network segmentation, data classification, and continuous monitoring. Advanced Level adds deeper capabilities like dynamic policy automation and behavioral analytics. Access Gate addresses Target Level across all 7 pillars.

Access Gate performs passive asset discovery to build a real-time inventory of every device on the network, including OT assets that cannot run agents or respond to active scans. This addresses Activities 2.1 through 2.7 without touching the devices. The overlay network then enforces deny-by-default access per device.

Yes. Access Gate generates session logs, policy configurations, segmentation baselines, and access control records that map directly to DTM 25-003 activities. Assessors can review who accessed what, when, through which protocol, and whether the session was authorized. All evidence is stored on-premise.

Access Gate runs a local policy engine that automates access decisions, alert generation, and configuration enforcement. Policies are version-controlled and can be deployed across multiple sites through the management plane. No cloud orchestration or external API calls are required.

The alignment guide is UNCLASSIFIED and publicly available. Access Gate itself operates in air-gapped, classified, and SCIF environments with no cloud dependency. Specific deployment guidance for classified networks is available through direct engagement with the Trout team.