DTM 25-003 is a Department of Defense Directive-Type Memorandum that operationalizes the DoD Zero Trust Strategy across the defense industrial base. It extends the zero-trust implementation targets published for DoD components in the 2022 DoD Zero Trust Strategy to contractors who handle CUI or connect to DoD networks.
What DTM 25-003 requires
The memorandum establishes contractor obligations aligned to the seven pillars of the DoD Zero Trust Reference Architecture: User, Device, Application and Workload, Data, Network and Environment, Automation and Orchestration, and Visibility and Analytics. Each pillar has target-level and advanced-level capabilities with phased timelines.
For contractors, the practical requirements concentrate in three areas:
- Identity enforcement per session. Every access decision must be made at the time of request using identity, device posture, and contextual signals — not at network-admission time.
- Encrypted and logged data flows. Transport must be encrypted end-to-end where technically feasible, with session-level audit that ties each access to an authenticated user.
- Continuous verification. Authorization is re-evaluated during the session, not granted statically at session start.
Relationship to CMMC
DTM 25-003 and CMMC Level 2 address overlapping control objectives through different lenses. CMMC Level 2 codifies the 110 NIST SP 800-171 Rev 2 requirements and gates them behind an assessment (a C3PAO assessment for most Level 2 awards; some permit self-assessment). DTM 25-003 adds architectural expectations: zero-trust principles, session-level enforcement, continuous verification. Those expectations shape how the 800-171 requirements are implemented.
A contractor meeting the letter of CMMC with a VPN-based remote access model (posture and MFA checked once when the tunnel comes up, then unchanged network reach for the life of the tunnel) may still fall short of DTM 25-003's session-level verification expectations. Conversely, a zero-trust architecture that satisfies DTM 25-003 will typically exceed CMMC's access-control minimums, but it is still assessed against all 110 requirements, and several families (media protection, physical protection, awareness and training) are untouched by the access architecture.
What this means for OT
OT environments create specific tension with DTM 25-003. Legacy controllers cannot produce device posture signals, cannot participate in continuous verification, and in most cases cannot terminate an encrypted session; their native protocols (Modbus/TCP, for example) carry no authentication at all. The memorandum's architectural targets assume the enforcement point sits in front of the asset, not on it. This is why network-layer identity gateways and micro-DMZ designs show up frequently in OT zero-trust implementations: the gateway terminates TLS, authenticates the user, evaluates the posture of the user's endpoint rather than the controller, and proxies to the controller over its native protocol. The hop between gateway and controller stays cleartext and unauthenticated, which is what the "where technically feasible" carve-out looks like in practice; it has to be compensated by isolating that segment so that nothing but the gateway can reach the controller.
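The following is an added example, not text or code from DTM 25-003, the DoD reference architecture, or any vendor. It sketches the enforcement point described above (a gateway in front of a legacy PLC) and contrasts the two models from the CMMC comparison: a VPN-style gate that checks posture and MFA once at admission, and a session that re-authorizes every request against current posture, revokes itself when posture fails, and writes an audit record tying each access to the authenticated user. All role names, zones, asset names, and thresholds are hypothetical.

```python
# Added example: toy policy enforcement point in front of a legacy PLC.
# Everything here (roles, zones, asset names, thresholds) is hypothetical.
import json
from dataclasses import dataclass

# Hypothetical policy: roles allowed per asset and action.
POLICY = {
    "plc-7": {"read": {"ot_operator", "ot_engineer"}, "write": {"ot_engineer"}},
}
MFA_MAX_AGE_S = 8 * 3600           # hypothetical: MFA older than 8 h is stale
WRITE_ZONES = {"eng-workstation"}  # hypothetical: writes only from this zone


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_at: float       # epoch seconds of the last successful MFA


@dataclass(frozen=True)
class Posture:
    device_id: str
    managed: bool       # enrolled in configuration management
    edr_healthy: bool   # endpoint agent reporting within its heartbeat window


@dataclass(frozen=True)
class Request:
    target: str
    action: str
    src_zone: str


def decide(identity, posture, req, now):
    """One access decision from identity, the *current* posture of the user's
    endpoint (the PLC itself cannot report posture), and request context."""
    if not (posture.managed and posture.edr_healthy):
        return False, "device posture failed"
    if now - identity.mfa_at > MFA_MAX_AGE_S:
        return False, "mfa stale"
    if req.action == "write" and req.src_zone not in WRITE_ZONES:
        return False, "write from non-engineering zone"
    if not identity.roles & POLICY.get(req.target, {}).get(req.action, set()):
        return False, "role not authorized"
    return True, "ok"


class AdmissionTimeGate:
    """VPN-style enforcement: posture and MFA are checked once when the
    tunnel comes up; later requests only get a static role check."""

    def __init__(self, identity, posture_at_connect, now):
        self.identity = identity
        self.admitted = (posture_at_connect.managed and posture_at_connect.edr_healthy
                         and now - identity.mfa_at <= MFA_MAX_AGE_S)

    def handle(self, req, posture_now, now):
        # posture_now and now are accepted but never consulted: that is the gap.
        if not self.admitted:
            return False, "not admitted"
        if self.identity.roles & POLICY.get(req.target, {}).get(req.action, set()):
            return True, "ok"
        return False, "role not authorized"


class PerRequestSession:
    """Session-level enforcement: each request is re-authorized against current
    posture and context, a failed identity/posture check revokes the session,
    and every decision becomes an audit record tied to the user."""

    def __init__(self, identity, session_id):
        self.identity = identity
        self.session_id = session_id
        self.revoked = False
        self.audit = []

    def handle(self, req, posture_now, now):
        if self.revoked:
            allow, reason = False, "session revoked"
        else:
            allow, reason = decide(self.identity, posture_now, req, now)
            if reason in ("device posture failed", "mfa stale"):
                self.revoked = True  # continuous verification: tear the session down
        self.audit.append({
            "ts": now, "session": self.session_id, "user": self.identity.user,
            "device": posture_now.device_id, "target": req.target,
            "action": req.action, "allow": allow, "reason": reason,
        })
        return allow, reason

    def audit_jsonl(self):
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def scenario():
    """Constructed scenario: an engineer connects from a healthy workstation,
    the EDR agent stops reporting mid-session, then a PLC write is attempted."""
    t0 = 1_700_000_000.0
    eng = Identity("j.doe", frozenset({"ot_engineer"}), mfa_at=t0 - 600)
    healthy = Posture("ws-042", managed=True, edr_healthy=True)
    degraded = Posture("ws-042", managed=True, edr_healthy=False)
    read = Request("plc-7", "read", "eng-workstation")
    write = Request("plc-7", "write", "eng-workstation")
    vpn = AdmissionTimeGate(eng, healthy, t0)
    zt = PerRequestSession(eng, session_id="s-0001")
    out = {
        "vpn_before": vpn.handle(read, healthy, t0 + 10),
        "zt_before": zt.handle(read, healthy, t0 + 10),
        "vpn_after": vpn.handle(write, degraded, t0 + 300),  # EDR heartbeat lost
        "zt_after": zt.handle(write, degraded, t0 + 300),
        "zt_recovered": zt.handle(read, healthy, t0 + 400),  # revoked stays revoked
    }
    out["audit"] = zt.audit
    return out


if __name__ == "__main__":
    r = scenario()
    for k in ("vpn_before", "vpn_after", "zt_before", "zt_after", "zt_recovered"):
        print(f"{k:13s} -> {r[k]}")
```

The VPN-style gate passes the write after the endpoint's EDR agent has gone silent, because nothing after admission looks at posture again; the per-request session denies it, revokes itself, and leaves three audit records naming the user, device and target. The revoked session staying closed after posture recovers is a deliberate choice: re-admission should go back through MFA and a fresh decision rather than silently resuming.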
Access Gate connection
Access Gate provides session-level identity enforcement, encrypted transport, and continuous authorization for OT environments — mapping directly to DTM 25-003's pillar objectives. See DoD Zero Trust OT Alignment.