Brilliant at the Basics. The OT Top 10, covered.
The Department of War now asks the defense industrial base to get the fundamentals right on operational technology. Here are the ten OT basics, and how Access Gate delivers eight of them out of the box, without touching an asset.
Brilliant at the Basics is the Department of War's push to get the defense industrial base to nail cybersecurity fundamentals. Its OT Top 10 lists ten foundational controls for operational technology. Trout Software's Access Gate covers 8 of the 10 in full out of the box and contributes to the other two, all enforced inline, in front of the asset, with nothing installed on it.
From certification to fundamentals
In July 2026 the Department of War suspended CMMC Phase II, the mandatory third-party Level 2 certification, and opened a 60-day reform review. The audit mandate is paused. The security obligation is not. Phase 1 self-assessment and the NIST 800-171 controls that protect CUI still apply, and Brilliant at the Basics is where the fundamentals-first focus now points.
For operators, that is good news. The fastest way to be ready, whichever way the rules land, is to cover the basics on the equipment that is hardest to secure: legacy OT. The OT Top 10 is exactly that list.
The OT Top 10, mapped to Access Gate
Each row is a pillar of the Brilliant at the Basics OT Top 10, how Access Gate delivers it, and where to go deeper.
What Access Gate delivers without touching an asset
These core capabilities are delivered by a single agentless overlay, with no change to the PLC, HMI, or SCADA server, and no production downtime.
Identity and Access Control
MFA is enforced at the network boundary against your identity provider. Every session is tied to a named user, not a shared credential, and the OT asset never sees the identity directly.
Validated Asset Inventory
Netflow ingestion populates a dynamic inventory of every device on the network, including legacy PLCs and HMIs that no agent can reach. The inventory is the authorization baseline, not a spreadsheet.
Strict Network Segmentation
An overlay enforces per-asset boundaries on top of the existing network, aligned to IEC 62443 zones and conduits. Safety and control assets can share a VLAN yet stay isolated.
Remote Access Pathways
Vendor and contractor sessions are identity-verified, time-bound, recorded, and revocable, with no standing VPN tunnels or shared credentials left open between visits.
Continuous Monitoring
Every session is logged with user, time, asset, protocol, and payload, hash-chained and signed, then forwarded to your SIEM as audit evidence rather than raw alerts.
Access Gate secures your assets first, then exposes the simple services your teams and vendors actually want, so they run through the sanctioned path, not around it.
OT runs through you, not around you.
The OT Top 10, answered
Brilliant at the Basics is a Department of War CIO initiative that helps the defense industrial base, especially small and mid-sized suppliers, get cybersecurity fundamentals right instead of chasing complexity. It publishes an IT Top 10 and a separate OT Top 10 of foundational controls.
The OT Top 10 is the operational-technology half of Brilliant at the Basics. It lists ten foundational controls for physical operations: Identity and Access Control, Validated Asset Inventory, Strict Network Segmentation, OT-Specific Incident Response and Recovery, Manage Known Vulnerabilities, Remote Access Pathways, Continuous Monitoring, System Resiliency, Supply Chain Security, and Review Processes.
The mandatory third-party CMMC Level 2 certification (Phase II) is suspended, and a reform review is underway. The underlying obligations did not go away: Phase 1 self-assessment and the NIST 800-171 and DFARS controls that protect CUI still apply. Brilliant at the Basics is where that fundamentals-first focus is now pointed, and the OT Top 10 is the operational-technology piece.
Access Gate delivers eight of the ten pillars in full out of the box: identity and access control, asset inventory, network segmentation, vulnerability isolation, remote access, continuous monitoring, resiliency, and review reporting. It contributes to the other two, incident response and supply chain security, through detection and third-party access control.
No. Access Gate enforces at a network boundary in front of the asset. Nothing is installed on the PLC, HMI, or SCADA server, the Layer 2 topology does not change, and there is no production downtime to deploy it.
Because there are no agents to roll out and no network to re-architect, an Access Gate overlay is typically deployed in days, not the months a certification-driven program assumes. You get identity, segmentation, remote access, inventory, and audit as one appliance.
Cover the OT basics in days, not months
One agentless overlay for identity, inventory, segmentation, remote access, and audit. No agent on the asset, no rewiring, no downtime.