Trout

DoD Zero-Trust for OT.

Point-by-point alignment to DTM 25-003 — how Access Gate delivers Target Level Zero Trust across all 7 DoD OT pillars without replacing a single device.

The DoD Is Mandating Zero Trust Across All OT Systems

Under DTM 25-003, all DoD Components must reach Target Level Zero Trust across OT environments — including PLCs, SCADA, sensors, and legacy systems that cannot be patched or moved to the cloud.

Traditional IT Security Cannot Be Applied to OT

The DoD guidance explicitly states that standard IT tools can be 'ineffective and potentially dangerous' in OT. Agents, scanners, and cloud enclaves disrupt safety-critical operations.

Legacy Equipment Must Be Protected in Place

OT environments prioritize availability and safety above all. Security must wrap existing assets without touching wiring, controllers, PLCs, or HMIs — no updates, no agents, no downtime.

One Appliance Per Site Is the Right Architecture

Trout Access Gate (TAG) deploys as a single appliance per site, inserting a software-defined proxy in front of each OT asset. No network redesign. No downtime. Full Target Level coverage from day one.

Why Trout

Built for OT Zero Trust. Not Adapted from IT.

Every DoD OT-ZT pillar assumes the underlying infrastructure will remain unchanged. Trout's proxy-based architecture was designed from the ground up for exactly this constraint.

Proxy + SDN Overlay

A software-defined overlay inserts a lightweight, identity-aware proxy in front of each OT asset. Zero changes to PLCs, HMIs, controllers, or switches.

No Agents. No Downtime.

TAG attaches logically, not physically. All access — local, remote, contractor, OEM — passes through a Zero-Trust boundary without altering OT behavior.

Battle-Tested in the DIB

Proven in real production environments with unpatchable, safety-critical systems. Used by defense contractors working toward CMMC Level 2 and NIST 800-171.

DoD OT-ZT Pillars

Seven Pillars. Full Coverage. One Appliance.

Users

1. Users — Activities 1.1–1.9 (TAG ✓)

| DoD OT-ZT Mandate | Trout Capability |
|---|---|
| Identify all OT user accounts (1.1.1.OT) | Identity gateway creates authoritative OT user and asset inventory |
| Enforce RBAC / least-privilege (1.2.2.OT) | RBAC/ABAC enforced at the asset boundary, per task and port |
| Require MFA for OT access (1.3.1.OT) | MFA enforced before any session initiation with OT assets |
| Control privileged accounts (1.4.x.OT) | Privileged session broker with full recording and authorization |
| Manage contractor access (1.2.2.OT) | Time-bound, identity-verified, fully audited contractor access |

UNCLASSIFIED — PUBLIC RELEASE
Alignment Guide

Download the Full DoD OT-ZT Alignment Guide.

Full point-by-point mapping of DTM 25-003 requirements to Trout Access Gate capabilities across all 7 Zero-Trust pillars. Unclassified — Public Release.

What You'll Find Inside

Executive summary of DTM 25-003. Architecture overview of Trout Access Gate. Activity-by-activity mapping for all 7 pillars: Users, Devices, Applications, Data, Networks, Automation, and Visibility.

11 pages — Unclassified

Ready to Assess Your Site?

Request a live demo to see how the Access Gate maps to your specific OT environment and accelerates your path to Target Level Zero Trust.

FAQ

Common Questions About DoD OT Zero Trust.

7 DoD OT-ZT pillars, each with specific activities mandated by DTM 25-003 — all covered by Trout Access Gate without disrupting operations.

DTM 25-003 is a DoD Directive-Type Memorandum issued in July 2025 that mandates all DoD Components reach Target Level Zero Trust across all unclassified and classified systems, including Operational Technology (OT) environments. It defines 7 pillars and specific activities that must be addressed.

The DoD guidance explicitly states that traditional IT security approaches can be 'ineffective and potentially dangerous' in OT environments. OT systems prioritize availability and safety — they rely on legacy industrial protocols, cannot tolerate downtime, and often cannot run agents, be patched, or be moved to cloud enclaves.

TAG uses a software-defined networking (SDN) overlay to transparently insert a lightweight, identity-aware proxy in front of each OT asset. The underlying network remains unchanged — no rewiring, no recabling, no changes to PLCs, HMIs, or switches. All access now passes through a Zero-Trust enforcement boundary.

Yes. Trout Access Gate is fully on-premise and has no cloud dependency. Its policy engine runs locally, making it suitable for air-gapped, intermittently connected, and classified environments. No data leaves the site.

Deployment typically takes hours, not weeks. Once installed, TAG immediately begins building an asset inventory and enforcing access policies. The alignment guide documents which specific DoD activities are addressed out-of-the-box and which require policy configuration.