CISA Zero Trust OT Alignment. Mapped to the April 2026 Joint Guidance.
On April 29, 2026, CISA, the Department of War, DOE, FBI, and Department of State published the most detailed federal guidance to date on Zero Trust for OT. This page maps each of its eight key findings to the specific Access Gate capability that addresses it.
Why This Document Matters.
The April 29, 2026 guidance is a recommendation, not a regulation, and it imposes no compliance deadline. It is nonetheless the highest-authority federal publication to date on Zero Trust for OT specifically, and it informs the controls auditors and assessors will look for under CMMC Level 2, NIS2, the new DoD ZTRA, and emerging state-level OT cybersecurity rules. Operators that align with it now position themselves favorably under every framework that references it.
Read our blog analysis of the guidance.
The 8 Findings, Mapped.
Each row below quotes or paraphrases a key CISA finding, then maps it to the specific Access Gate capability that addresses it. Each capability is one that Access Gate can produce evidence for on demand.
Source: Adapting Zero Trust Principles to Operational Technology (CISA, April 29, 2026)
1. CISA finding: Agents require extensive compatibility testing and may impact system warranties. Passive agentless monitoring alone misses abuse of remote-access sessions until malicious commands are sent. Use agentless approaches where agents are impractical, combined with active network-layer enforcement.
Access Gate: Agentless on the protected asset, with active enforcement at the network boundary. Every session terminates at the appliance for authentication, authorization, and session recording before any traffic reaches the device. A session that violates policy is blocked at the appliance rather than only logged downstream. For this to hold, the appliance must be the only path to the asset; a device that is also reachable by another route is monitored at best, not enforced.
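The difference between passive monitoring and active enforcement is easiest to see at the command level. The block below is an added illustration written for this page, not Access Gate's code: it models the check an inline gateway can apply to each Modbus/TCP request before forwarding it to the PLC, parsing the MBAP header, comparing the function code and address range against the session's grant, and answering a blocked request with a Modbus exception instead of forwarding it. The frame bytes, the grant shape, and the user names are constructed for the example.

```python
"""Command-level enforcement of a Modbus/TCP session at a proxy boundary.

Added illustration for this page, not Access Gate code. All frames and grants
below are constructed; the SessionGrant shape is a hypothetical policy model.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (MODBUS Application Protocol Specification V1.1b3).
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10
READ_CODES = frozenset({READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS})
WRITE_CODES = frozenset({WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS})
ILLEGAL_FUNCTION = 0x01  # exception code the proxy returns for a blocked request


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int  # starting coil/register address
    count: int    # number of items the request touches


@dataclass(frozen=True)
class SessionGrant:
    """What one authenticated session may do (hypothetical grant shape)."""
    user: str
    unit_id: int
    allowed_codes: frozenset
    address_lo: int
    address_hi: int


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse MBAP header plus PDU prefix; raise ValueError on anything malformed."""
    if len(frame) < 12:
        raise ValueError("frame too short for header, function code, address and count")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if len(frame) != 6 + length:  # the length field covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        (address,) = struct.unpack(">H", frame[8:10])  # bytes 10..11 carry the value
        count = 1
    elif fc in READ_CODES or fc in WRITE_CODES:
        address, count = struct.unpack(">HH", frame[8:12])
    else:
        raise ValueError(f"function code 0x{fc:02x} not handled by this gateway")
    return ModbusRequest(tid, unit, fc, address, count)


def decide(frame: bytes, grant: SessionGrant) -> tuple:
    """Return ('forward', reason) or ('block', reason) for one request frame."""
    try:
        req = parse_request(frame)
    except ValueError as err:
        return "block", f"malformed request: {err}"
    if req.unit_id != grant.unit_id:
        return "block", f"unit {req.unit_id} is outside {grant.user}'s grant"
    if req.function_code not in grant.allowed_codes:
        return "block", f"function 0x{req.function_code:02x} not permitted for {grant.user}"
    last = req.address + req.count - 1
    if req.address < grant.address_lo or last > grant.address_hi:
        return "block", f"addresses {req.address}-{last} outside {grant.address_lo}-{grant.address_hi}"
    return "forward", "permitted by session grant"


def exception_response(frame: bytes, code: int = ILLEGAL_FUNCTION) -> bytes:
    """Modbus exception (function code | 0x80) sent to the client instead of forwarding."""
    tid, proto, _, unit = struct.unpack(">HHHB", frame[:7])
    return struct.pack(">HHHBBB", tid, proto, 3, unit, frame[7] | 0x80, code)


# Constructed frames: read 10 holding registers from 0; write register 0x0010;
# write two registers from 0; read from address 500; a frame whose length field lies.
READ_FRAME = bytes.fromhex("00010000000601030000000A")
WRITE_SINGLE_FRAME = bytes.fromhex("000200000006010600101234")
WRITE_MULTI_FRAME = bytes.fromhex("00030000000B0110000000020400010002")
FAR_READ_FRAME = bytes.fromhex("000500000006010301F4000A")
BAD_LENGTH_FRAME = bytes.fromhex("00040000001001030000000A")

OPERATOR_READ_ONLY = SessionGrant("alice", 1, READ_CODES, 0, 99)
MAINTENANCE_RW = SessionGrant("bob", 1, READ_CODES | WRITE_CODES, 0, 99)


def run_demo() -> dict:
    """Verdicts for the constructed frames against both grants."""
    return {
        "operator_read": decide(READ_FRAME, OPERATOR_READ_ONLY)[0],
        "operator_write": decide(WRITE_SINGLE_FRAME, OPERATOR_READ_ONLY)[0],
        "operator_far_read": decide(FAR_READ_FRAME, OPERATOR_READ_ONLY)[0],
        "operator_bad_length": decide(BAD_LENGTH_FRAME, OPERATOR_READ_ONLY)[0],
        "maintenance_write": decide(WRITE_MULTI_FRAME, MAINTENANCE_RW)[0],
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:20s} {verdict}")
    print("client receives:", exception_response(WRITE_SINGLE_FRAME).hex())
```

The point of the example is the ordering: the request is parsed and judged before any byte reaches the device, so a write from a read-only session never arrives, whereas a passive sensor would only record that it did. Real gateways also need to handle the remaining public function codes, TCP stream reassembly, and per-vendor extensions, which the example leaves out.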
2. CISA finding: Microsegmentation enables targeted security rules, including data-tag-based access and separation of control systems from safety systems. Segmentation must be enforced without disrupting operations.
Access Gate: Overlay-based microsegmentation enforces per-asset, per-protocol, per-session policy on top of the existing physical network; the Layer 2 topology does not change. A safety PLC and a control PLC can remain on the same VLAN and switch with isolated reachability and full session attribution. Check: an overlay can only isolate traffic that traverses the appliance. Where two assets share a broadcast domain, verify that direct peer-to-peer paths are closed at the switch (private VLANs or port ACLs), otherwise the overlay policy can be bypassed.
3. CISA finding: CISA strongly recommends a jump host for adding user authentication to legacy networks, with session recording, anomaly detection, time-based access constraints, MFA, and just-in-time (JIT) access.
Access Gate: Access Gate implements the jump-host pattern for OT. MFA is enforced at the proxy boundary against your IdP. Sessions are time-bound, scoped per user, per asset, and per protocol, recorded with full payload where configured, and revocable on demand. Vendor and contractor access is JIT by default.
4. CISA finding: Many legacy OT systems rely on proprietary, insecure protocols that can neither be actively scanned nor undergo routine penetration testing without risking critical uptime. Compensating controls are required.
Access Gate: Passive asset discovery builds and maintains the inventory without active scanning. Network-layer enforcement is the compensating control: assets that cannot be scanned, patched, or modernized are protected by binding every session to an authenticated identity at the boundary.
5. CISA finding: Many OT systems predate modern ICAM capabilities and often require compensating controls above the device level. Segmentation as a compensating control is explicitly endorsed.
Access Gate: ICAM is enforced at the network boundary on behalf of the asset. The user authenticates against your IdP with MFA. The appliance terminates the session, applies policy, then opens a new connection to the asset using whatever credential the asset supports. The compensating control sits between the user and the asset. Two conditions follow: the asset-side credential the appliance holds must be vaulted and never exposed to the user, and the asset must accept connections only from the appliance, otherwise the device-level credential remains the weakest path in.
6. CISA finding: Integrity and authentication matter more than confidentiality in OT. Wrapping legacy protocols in TLS-enabled gateways is recommended where native secure protocol support is unavailable.
Access Gate: Modbus, DNP3, OPC UA, EtherNet/IP, and other industrial protocols are wrapped in FIPS-validated TLS between the user and the proxy boundary and forwarded natively to the asset. The asset itself does not need to support TLS. Authentication happens at the gateway, and the TLS tunnel provides integrity and confidentiality for the user-to-gateway leg. The final hop from gateway to asset remains native, unauthenticated protocol, so that segment must be confined to the appliance's own path to the device (the segmentation and appliance-only reachability described above) rather than reachable from elsewhere on the network.
7. CISA finding: Active threat actors use living-off-the-land techniques in IT, then move laterally into OT. The guidance names Volt Typhoon specifically. Network segmentation alone is insufficient.
Access Gate: Every IT-to-OT session terminates at the appliance. The connecting user authenticates with MFA against your IdP. The session is bound to a named user, not a service account or shared credential. Full payload is recorded where configured. Access is denied by default unless an explicit policy permits it. See the dedicated Volt Typhoon defense page for the full attack-chain mapping.
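The jump-host recommendation above (MFA, time-based constraints, JIT access, on-demand revocation) and the deny-by-default, named-user rule for IT-to-OT sessions can be expressed as one small policy evaluator. The block below is an added example written for this page, not Access Gate's policy engine. The grant and request shapes, the account-name prefixes used to recognise shared or service accounts (a stand-in for IdP account-type attributes), and every identity, asset name and timestamp are assumptions made for the illustration.

```python
"""Deny-by-default session authorization at an OT jump-host boundary.

Added example for this page, not Access Gate's policy engine. All identities,
assets, grants and times are constructed; the prefix-based shared-account check
is a hypothetical stand-in for IdP account-type attributes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    grant_id: str
    user: str          # IdP principal; a named human, never a service account
    asset: str         # protected device, e.g. "plc-control-01"
    protocol: str      # "modbus", "ssh", "rdp", ...
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool  # assertion from the IdP, checked at the proxy
    asset: str
    protocol: str
    at: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    grant_id: Optional[str] = None
    expires: Optional[datetime] = None  # session lifetime is capped by the grant


@dataclass
class PolicyStore:
    grants: list = field(default_factory=list)
    revoked: set = field(default_factory=set)
    shared_account_prefixes: tuple = ("svc-", "shared-", "vendor-generic")  # assumed convention

    def revoke(self, grant_id: str) -> None:
        self.revoked.add(grant_id)


def authorize(store: PolicyStore, req: AccessRequest) -> Decision:
    """Allow only when identity checks pass and a live grant matches user, asset and protocol."""
    if not req.mfa_verified:
        return Decision(False, "MFA not verified at the boundary")
    if req.user.startswith(store.shared_account_prefixes):
        return Decision(False, "shared or service accounts may not open OT sessions")
    for g in store.grants:
        if g.grant_id in store.revoked:
            continue
        if (g.user, g.asset, g.protocol) != (req.user, req.asset, req.protocol):
            continue
        if not (g.not_before <= req.at < g.not_after):
            continue
        return Decision(True, "explicit JIT grant", g.grant_id, g.not_after)
    return Decision(False, "no grant for this user, asset and protocol at this time")  # default deny


def session_still_valid(store: PolicyStore, decision: Decision, now: datetime) -> bool:
    """Re-evaluated during an open session so revocation or expiry cuts it off mid-stream."""
    return (decision.allow
            and decision.grant_id not in store.revoked
            and decision.expires is not None
            and now < decision.expires)


# Constructed scenario: a two-hour JIT grant for one engineer to one control PLC over Modbus.
T0 = datetime(2026, 5, 1, 8, 0, tzinfo=timezone.utc)


def demo_store() -> PolicyStore:
    store = PolicyStore()
    store.grants.append(Grant("g-1001", "alice@example.com", "plc-control-01", "modbus",
                              T0, T0 + timedelta(hours=2)))
    return store


def _request(**overrides) -> AccessRequest:
    base = {"user": "alice@example.com", "mfa_verified": True, "asset": "plc-control-01",
            "protocol": "modbus", "at": T0 + timedelta(minutes=30)}
    return AccessRequest(**{**base, **overrides})


def run_demo() -> dict:
    """Allow/deny outcomes for the constructed requests, before and after revocation."""
    store = demo_store()
    results = {
        "in_window": authorize(store, _request()).allow,
        "no_mfa": authorize(store, _request(mfa_verified=False)).allow,
        "wrong_asset": authorize(store, _request(asset="plc-safety-01")).allow,
        "wrong_protocol": authorize(store, _request(protocol="ssh")).allow,
        "expired": authorize(store, _request(at=T0 + timedelta(hours=3))).allow,
        "service_account": authorize(store, _request(user="svc-historian")).allow,
    }
    live = authorize(store, _request())
    store.revoke("g-1001")  # operator flags the session
    results["after_revoke_new"] = authorize(store, _request()).allow
    results["after_revoke_open"] = session_still_valid(store, live, T0 + timedelta(minutes=31))
    return results


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case:18s} {'ALLOW' if allowed else 'DENY'}")
```

Two properties carry the weight here: there is no rule that grants access, only an explicit grant that matches on all three of user, asset and protocol inside its time window, and an already-open session is re-checked against the same store so a revocation takes effect immediately rather than at the next login.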
8. CISA finding: CISA explicitly warns against procuring components or systems that assume security through air-gapping or segmented architecture alone, because modern threats exploit the false sense of isolation these models provide.
Access Gate: Access Gate enforces inside the gap. Even fully air-gapped environments need authenticated, authorized, and logged access for the vendor laptops, USB devices, and maintenance jump hosts that cross the gap. Access Gate runs entirely on premises with no cloud dependency, so it operates inside the gap without violating it.
Walk Your Environment Through the Matrix.
Request a working session. We will go finding by finding and identify which your environment already satisfies, which need new policy, and which need additional infrastructure. End state: a CISA-aligned coverage map you can show to auditors.