"This is a great guide that takes the right direction, but it dodges the hardest question, which is who pays for it?"
CISA and four partner agencies released new guidance that adapts zero trust principles to operational technology (OT). Cybersecurity executives and consultants broadly praised the document's technical thinking while faulting it as high-level, unfunded, and insufficiently prescriptive about timelines, priorities and automation. The debate lands on three practical fronts: financing and procurement, the pace of implementation for long-lived OT equipment, and the operational requirement for continuous monitoring and machine-speed enforcement.
CISA, the departments of Defense, Energy and State, and the FBI publish guidance
CISA published the guidance Wednesday alongside the departments of Defense, Energy and State as well as the FBI. In a statement, CISA acting executive assistant director for cybersecurity Chris Butera said, "CISA urges OT owners, operators, and integrators to use this resource to make informed decisions that reduce exposure and strengthen resilience-without."
The document leans on the zero trust proposition that perimeters will not hold and that systems must be protected through continuous monitoring, network segmentation and limited user access. As Kate DiEmidio, vice president of public policy and government affairs for Dragos, put it, "resilience comes not from assuming adversaries can be kept out, but from designing systems that can detect intrusions, continue to operate safely, contain disruptions and recover quickly."
Tatyana Bolton: the funding shortfall and the "cyber poverty line"
Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, praised the guidance's direction while warning it "dodges the hardest question, which is who pays for it?" Bolton said the technical thinking is sound but added that "the vast majority of critical infrastructure owners and operators like water utilities, rural [electricity] co-ops, or small ports simply can't afford to implement." She warned that unless the federal government is "actually going to resource owners and operators to make [Zero Trust] a reality, this [CISA guidance] risks being a very well-written document that sits on a shelf."
Sean Tufts: clarity on timeline and prioritization
Sean Tufts, field CTO at Claroty, described the guidance as useful for defining the problem: "It really does a good job of defining the problem, and lays out rational steps you can take. It's very helpful for that." His central critique was operational: coordinating and prioritizing a set of changes that could take a decade, given typical OT equipment refresh cycles. "I'd love to see a timeline they would propose, and guidance about what you'd prioritize first, because that whole list is something that is absolutely what we need to get done on a decade level," he said.
Patrick Miller and Alison King: procurement, automation, and continuous enforcement
Patrick Miller, CEO of Ampyx Cyber, highlighted a change in emphasis inside the guidance: "Procurement is a security control, not an accounting function." He added, "Every purchase order is a security decision," and called that recognition "the most important shift in this document." Miller also warned that "you can't patch your way out of legacy."
Alison King, vice president of government affairs at Forescout, urged that the guidance should double down on the operational controls that reduce immediate risk. With large language models (LLMs) accelerating the discovery and chaining of vulnerabilities, she said, "These zero trust principles are essential," and singled out enforcement and monitoring: "Which are the most essential? It is going to be the continuous [monitoring and] enforcement piece. This is going to systematically reduce your most serious risks." King also argued that OT operators must overcome an aversion to security automation because "you cannot be fast enough, you cannot move at machine speed. These are the new fundamentals," while preserving "more robust governance structures" to keep human judgment in the loop.
What this means for water utilities, rural electricity co-ops, and small ports
- Water utilities: Many are cited as examples of operators below the "cyber poverty line" who face threats that exceed their resources; without federal resourcing, guidance may remain unimplemented.
- Rural electricity co-ops: Long equipment lifecycles mean co-ops could be unable to prioritize or fund decade-scale changes without clearer timelines and funding mechanisms.
- Small ports: Like other small operators, ports may find procurement-led security controls and automation necessary but unaffordable absent outside assistance.
Not all reactions were purely critical: experts acknowledged the guidance's accurate framing of zero trust and its emphasis on procurement as a security lever. Still, Dale Peterson, CEO of Digital Bond, concluded that the document "is not bad or wrong, it's just not that helpful. It's overly broad … It's high level, and this information is well known by anyone looking." The central unresolved question raised by multiple sources is concrete and practical: will federal agencies pair guidance with timelines, prioritization and the resourcing necessary to translate principles into protection for smaller, resource-constrained OT owners and operators?