Not Dead Yet: Here’s Why Mainframes Matter More Than Ever for Zero Trust

A few years ago, I sat down with former federal CIO Tony Scott and a group of security leaders for a video discussion on mainframes. The conversation started where most of these conversations do: with the assumption that mainframes are legacy tech, a relic of the past.

But as we dug into the role of mainframes in government security, it became clear that mainframes aren’t legacy if they’re still powering mission-critical operations.

That insight stuck with me.

In the federal space, mainframes still run vital workloads, from benefits processing to intelligence support to logistics operations. They’re not old news. They’re the backbone of some of the most important systems our government relies on.

If we’re serious about Zero Trust — and let’s be honest, federal mandates make it non-negotiable — then protecting mainframes can’t be optional. They must be part of the Zero Trust equation.

Mainframes are still everywhere (whether you realize it or not)

Mainframes may not be flashy, but they’re foundational to government cybersecurity.  

In federal agencies, they continue to run essential workloads that simply can’t be migrated without significant cost, risk, and disruption. They're at the heart of critical agency services.

Unfortunately, many Zero Trust strategies completely overlook them.

But when federal guidance like CISA’s Zero Trust Maturity Model and Binding Operational Directives (BODs) requires visibility and control over every endpoint and workload, ignoring mainframes isn't an option.

Mainframes are under the microscope

Federal mandates are turning up the pressure. From Executive Order 14028 to BODs like 23-01, agencies are now expected to implement endpoint detection and response (EDR) across all computing environments.

But the problem is that most mainstream EDR tools don’t support mainframes.

Auditors, however, don’t care about tool limitations. If a workload isn’t protected and monitored, it’s non-compliant.  

We’ve heard from multiple agencies struggling to pass internal validations because their mainframes lack EDR coverage. The response from auditors? “Not our problem.”

Federal cybersecurity leaders are stuck trying to find compensating controls for mainframes that meet federal compliance standards and deliver Zero Trust-level security. And they’re doing it without many options on the table.

Mainframes aren’t going anywhere. And they need Zero Trust.

It's time to stop treating mainframes like temporary tech. The idea that “we’ll migrate eventually” doesn’t fly when agencies are looking at timelines of five, 10, or even 20 years to modernize.

The mission can’t wait, and Zero Trust can’t either.

We need to shift our mindset. Mainframes aren’t exceptions in your Zero Trust strategy. They’re critical systems that deserve the same level of protection, visibility, and segmentation as any modern cloud workload or container.

That means identifying compensating controls that:

  • Provide visibility into mainframe traffic and workloads
  • Segment access to reduce lateral movement risk
  • Show compliance with federal Zero Trust directives

If it’s still doing the job, it’s still the job

In the commercial world, the saying goes: “It’s not legacy if it’s making you money.” In government, I’d tweak it slightly to “It’s not legacy if it’s still fulfilling the mission.”

Mainframes are mission-critical.

If we ignore them in our Zero Trust strategies, we’re building security strategies with blind spots, and that’s exactly what Zero Trust was designed to eliminate.

We need to stop overlooking the systems that have been quietly holding the line for decades. Protecting the past is just as important as securing the future. In federal cybersecurity, they’re often one and the same.

Gary Barlet

Public Sector CTO

Ready to learn more about Zero Trust Segmentation?