Tuesday, May 12, 2026
As cyber threats evolve, legacy systems pose growing risks to mission readiness. This paper explores how the Department of War can modernize mainframes and integrate Zero Trust principles to strengthen security, reduce costs, and achieve audit readiness.

Guest Blog Author: Lieutenant Colonel LaToya C. Hall, U.S. Army, Training with Industry Fellow with IBM

The strategic environment has changed significantly in the past decade. Future adversaries possess post-industrial, information-based capabilities with regional and global aims and are capable of contesting the United States (U.S.) enterprise network. The U.S. will face threats that retain freedom of action in cyberspace operations (CO) because they do not adhere to treaty, law, or policy. Enemies and adversaries will employ a combination of traditional, disruptive, irregular, and catastrophic threats to deny, disrupt, and destroy U.S. communications. In response to these threats, Presidential Executive Order 14028 directs the Department of War (DoW) to make bold changes and significant investments to defend vital networks, data, applications, and resources and to secure its computer systems, whether cloud-based, on-premises, or hybrid. The DoW developed the Zero Trust (ZT) Architecture, which outlines its plans to address next-generation cyber risks across the Department, protect sensitive information, and enable DoW systems and networks to withstand cyber warfare from near-peer adversaries.[i] The future DoW network will move away from the traditional perimeter-based model of cybersecurity, which assumed that every element inside the network was secure and trusted and defended only against external elements. ZT assumes that nothing on the network is trusted and requires continuous monitoring, authentication, and authorization of every network element. ZT is not a single process or technology but a complex set of systems and services that operate under varying policies and organizations. ZT moves defenses away from static, network-based perimeters toward a focus on users, assets, and resources, and it grants no trust based on network location or account ownership alone.[ii] The ZT architecture has seven pillars comprising 152 activities (e.g., data tagging, data analytics, identity authentication), with which all DoW systems, devices, networks, and applications are required to comply.[iii]

Adhering to the requirements outlined in ZT would enable the DoW to address findings from the 2017 financial audit and to implement the significant improvements needed to obtain a clean financial audit in 2028. The DoW was unable to obtain a clean financial audit for 2017 because of several material weaknesses in internal controls across Internal Control Over Financial Reporting (ICOFR) applications.[iv] Some findings require changes to policy and processes, while others, such as privileged access control, could be resolved through technology. In 2021, the U.S. Government Accountability Office (GAO) identified ten critical ICOFR legacy Information Technology (IT) systems, one belonging to the DoW, that required modernization. The systems were decades old, the oldest with components more than fifty years old. GAO reported that the legacy systems posed a cybersecurity risk because of known security vulnerabilities and that they drove up maintenance costs because of outdated programming languages and the limited number of personnel with the skills to maintain them.[v] In its 2025 report, GAO found that three federal agencies had modernized three of the original ten legacy IT systems identified in 2021; one of the remaining seven belongs to the DoW. GAO assessed the systems against sixteen attributes, including cybersecurity risk, age, and operating costs, and recommended that each federal agency develop a modernization plan for its remaining critical legacy systems.[vi] In 2024, the DoW Chief Information Officer (CIO) mandated and received a software implementation plan from every subordinate DoW agency, listing its ICOFR and non-ICOFR applications along with a timeline for their modernization and ZT compliance.

Legacy systems operated successfully under perimeter-based security models, in which the organization defined trusted and untrusted perimeters. However, the cyber landscape has changed significantly with the introduction of mobile phones, cloud services, Bring Your Own Device (BYOD), remote connections, and artificial intelligence to the network, creating an environment in which adversaries have multiple means of gaining a foothold inside a trusted perimeter that can then be used in a cyber-attack.[vii] ZT trusts no asset, internal or external to the network, and requires every asset to authenticate and be authorized before it is granted access. Modernizing legacy systems is critical for the DoW to maintain cyber dominance and protect the network from near-peer threats by eliminating attack vectors available to adversaries. Integrating legacy systems, specifically applications deployed on mainframes, into the ZT architecture has presented several challenges, including the inability of legacy systems to comply with cybersecurity standards, data tagging formats, access control standards, and identity and credentialing standards. Goal 3, Objective 2 of the DoW Digital Modernization Strategy “creates a secure and trusted environment where any user can access all authorized resources (including [services, information systems], and data) to have a successful mission, while also letting the DoW know who is on the network at any given time.”[viii] This objective focuses on managing access to DoW resources while balancing the responsibility to share with the need to protect. For legacy systems to meet modern cyber requirements, the DoW must address the weaknesses of legacy systems, develop and execute a plan to modernize them, and leverage commercial industry’s best practices for legacy systems.

Industry / Commercial

Although mainframes have improved over time in size and processing power, mainframe-based applications have limitations. Mainframes are large on-premises computers with substantial memory and many processors, built to handle very high volumes of transactions and calculations in real time.[ix] Both the federal government and the commercial sector rely on mainframes; by IBM’s estimate, roughly 70% of the world’s production IT workloads run on mainframes. In the commercial sector, “45 of the top 50 banks, four of the top five airlines, seven of the top 10 global retailers, and 67 of the Fortune 100 companies leverage mainframes.”[x] The commercial sector has modernized legacy systems with the following solutions: migration to the cloud, code optimization, replacement of the mainframe with pre-built solutions, and Application Programming Interface (API) modernization.[xi]

  • The optimal solution is a hybrid cloud, which migrates the critical IT infrastructure to a cloud environment while allowing some infrastructure to remain on-premises and/or in the legacy system’s environment.[xii] Moving a large portion of the legacy system infrastructure to the cloud can reduce maintenance costs, increase redundancy when workloads are deployed across multiple cloud regions, and improve computing performance by leveraging newer hardware. Data and services moved off the mainframe come under the cloud provider’s identity, encryption, and logging controls, so ZT policy must be applied consistently across both environments rather than only at the mainframe.
  • Another option is code optimization, which rewrites the old code in a modern programming language. This is a labor-intensive solution; however, rewriting the code can decrease application maintenance and improve functionality and responsiveness.[xiii] A rewrite also resets the application’s security baseline, so the rewritten application must be regression-tested and re-assessed before it is deployed.
  • The next option is to evaluate existing pre-built solutions. A commercial solution may exist that the DoW could use with some modifications. However, the DoW mission is unique, and a commercial pre-built solution may require significant modification, resulting in a customized solution.
  • The final option is API modernization, which enables interoperability between new and old technologies through a “bridge” or technology translator. This option leaves the mainframe in its current state while allowing legacy systems to integrate with new technological solutions. Because the API layer becomes the path through which modern systems reach the mainframe, it is also the natural place to enforce ZT authentication, authorization, and logging for the legacy application.

DoW

The DoW may be able to leverage existing capabilities within its footprint to achieve the ZT architecture required to modernize mainframes. At a minimum, the DoW would need to address the following five actions to modernize mainframes: authentication and authorization, Multifactor Authentication (MFA), Privileged Access Management (PAM), monitoring, and encryption.[xiv]

  • Under perimeter-based security, an attacker holding stolen credentials can gain access to a mainframe system because presence on the internal network is itself trusted. The ZT architecture instead requires continuous monitoring of user and system identities and continuous reassessment of their authorization to each resource on the network.[xv] For identity authentication and authorization, DoW mainframes should leverage an Identity, Credentialing and Access Management (ICAM) solution. There are five active and authorized DoW ICAMs: DISA’s DoW ICAM, Army ICAM, Navy ICAM, Air Force ICAM, and NSA ICAM. The NSA ICAM serves the Top Secret network only, while the DISA, Army, Navy, and Air Force ICAMs serve the Non-Secure Internet Protocol Router Network (NIPRNet). DISA’s DoW ICAM is the only ICAM fully operational on the Secret Internet Protocol Router Network (SIPRNet).
  • The DoW ICAMs support Security Assertion Markup Language (SAML), OAuth, OpenID Connect (OIDC), and WS-Federation (WS-Fed). A mainframe application that cannot speak these protocols natively can onboard to an ICAM through an intermediary: a web-enabled terminal emulator or an identity-aware proxy placed in front of the legacy session that completes the federation exchange with the ICAM using one of the four standards, validates the resulting assertion or token, and passes the authenticated identity to the mainframe under the corresponding mainframe user ID. The legacy application itself remains unchanged; only its front door is modernized.
  • To increase security and reduce the risk of stolen or compromised credentials, the DoW will need to deploy MFA.[xvi] The Defense Manpower Data Center (DMDC) has deployed an MFA capability that all DoW applications can use. DMDC selected a technology based on best practices from the commercial Identity and Access Management (IAM) community that also authenticates extended DoW users who do not hold Common Access Cards (CAC), including but not limited to veterans, students, spouses, and holders of External Certification Authority (ECA) commercial certificates.
  • For privileged users with elevated access to systems, the DoW should deploy a PAM solution that mitigates risk through granular access control over privileged administrators. PAM tools must meet ZT standards, which include privileged account discovery, credential management, credential vaulting, and session management, monitoring, and recording.[xvii] Based on the ZT PAM standards, a 2023 MITRE study recommended three PAM solutions: CyberArk, Delinea, and BeyondTrust.[xviii]
  • The ZT architecture requires that every element on the network provide visibility into its network traffic and data. Mainframes do not expose this visibility natively, which limits the ability of tools to monitor or detect anomalies and malicious actors within the system.[xix] Most DoW organizations have a Security Information and Event Management (SIEM) tool deployed in their network architecture, and other DoW agencies, such as DISA, offer network monitoring as a service. Another option is to consume, as a service, the big data analytic platform of U.S. Cyber Command or one of the military departments’ cyber commands for continuous monitoring. These platforms use Artificial Intelligence (AI) to detect anomalies in user activity and network traffic. The application would forward its logs and traffic to the chosen “as a service” organization’s capability to receive continuous monitoring. For a mainframe, this means exporting the security manager’s audit records (for example, logon and data set access events) to the SIEM or analytic platform in a form the detection rules can parse.
  • The last action covers endpoints. All endpoints, including laptops, phones, mobile devices, and any other item connected to the network, must encrypt their data, and each should run an Endpoint Detection and Response (EDR) tool, which protects endpoint systems and provides security monitoring in real time. Some DoW agencies have already deployed an EDR capability in their networks, and DISA provides EDR as a service for all DoW agencies.
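The ICAM and MFA bullets above describe a front-end layer that completes the federation exchange on behalf of a mainframe application and only then opens a session under a mainframe user ID. The following is an added example written for this page, not code from the original post or from any DoW ICAM, of the decision such an identity-aware proxy makes when it receives an OIDC ID token. The issuer URL, audience, shared secret, subject-to-user-ID table, and the HS256 signing (a real ICAM would publish RS256/ES256 keys) are all assumptions for the example. It pins the algorithm rather than trusting the token’s own `alg`, checks signature, issuer, audience and lifetime, requires the identity provider to assert MFA via the OIDC `amr` claim, and fails closed for any subject without an explicit mainframe mapping.

```python
"""Identity-aware proxy check in front of a legacy mainframe application (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example; none of them come from a DoW ICAM.
ISSUER = "https://icam.example.mil"          # hypothetical ICAM issuer URL
AUDIENCE = "legacy-payroll"                  # hypothetical client ID registered for the legacy app
SHARED_SECRET = b"constructed-demo-secret"   # demo HS256 key; a real ICAM publishes RS256/ES256 keys via JWKS
ALLOWED_ALG = "HS256"                        # pinned server-side; the token's own 'alg' is never trusted

# Constructed mapping from the federated subject identifier to the mainframe user ID.
# Mainframe security managers use short fixed-length user IDs, so the proxy keeps an
# explicit table rather than deriving IDs from names or e-mail addresses.
SUBJECT_TO_MAINFRAME_USER = {
    "1234567890": "PAYUSR01",
    "1122334455": "PAYADM01",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = ALLOWED_ALG) -> str:
    """Issue a JWT the way a test identity provider would. 'alg' is a parameter only so
    callers can build an 'alg: none' token and confirm the proxy rejects it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class TokenError(Exception):
    """Raised for any token the proxy must not honour."""


def verify_token(token: str, secret: bytes = SHARED_SECRET, now: Optional[float] = None) -> dict:
    """Validate algorithm, signature, issuer, audience and lifetime. Fails closed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error), bad UTF-8 and bad JSON
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") != ALLOWED_ALG:          # blocks 'alg: none' and algorithm-confusion tokens
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("signature mismatch")
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        raise TokenError("token not issued for this application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise TokenError("token not yet valid")
    return claims


def authorize_mainframe_session(token: str, now: Optional[float] = None) -> dict:
    """Decision the proxy makes before opening a terminal session for the user.
    Requires a valid token, an MFA assertion (OIDC 'amr' claim) and a known subject;
    anything else is denied with a reason suitable for the audit log."""
    try:
        claims = verify_token(token, now=now)
    except TokenError as exc:
        return {"allow": False, "reason": str(exc)}
    if "mfa" not in claims.get("amr", []):
        return {"allow": False, "reason": "MFA not asserted by the identity provider"}
    mainframe_user = SUBJECT_TO_MAINFRAME_USER.get(claims.get("sub"))
    if mainframe_user is None:
        return {"allow": False, "reason": "subject has no mainframe user mapping"}
    return {"allow": True, "subject": claims["sub"], "mainframe_user": mainframe_user}


if __name__ == "__main__":
    now = 1_700_000_000
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "1234567890",
                       "amr": ["mfa", "pwd"], "iat": now, "exp": now + 300})
    print(authorize_mainframe_session(good, now=now))
    unsigned = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "1122334455",
                           "amr": ["mfa"], "exp": now + 300}, alg="none")
    print(authorize_mainframe_session(unsigned, now=now))
```

The deny reasons are returned rather than raised so the proxy can write them to the audit trail that the monitoring bullet relies on; the one thing the mainframe ever sees is an already-mapped user ID, never the raw federation token.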
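The monitoring bullet above says the application simply forwards its logs to a SIEM or analytic platform; what the platform then does is run detection rules over the mainframe’s audit events. The following is an added example for this page, not code from the original post or from any DoW platform, of three such rules over a constructed log feed. The `timestamp key=value` record format, the host and user names, the IP addresses, and the thresholds are all assumptions; a real feed would be the mainframe security manager’s audit records forwarded by the SIEM, and only the field names would change. The rules flag a burst of failed logons, a successful logon that follows such a burst, write access to a protected system data set (whether or not it succeeded), and activity by a privileged account from outside the trusted address ranges.

```python
"""Detection rules over constructed mainframe audit records (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample feed in a simple key=value format chosen for this example.
SAMPLE_LOG = """\
2026-05-12T08:01:13Z host=MF01 event=LOGON user=PAYUSR01 result=SUCCESS src=10.20.1.15
2026-05-12T08:03:40Z host=MF01 event=LOGON user=PAYADM01 result=FAIL src=203.0.113.7
2026-05-12T08:03:52Z host=MF01 event=LOGON user=PAYADM01 result=FAIL src=203.0.113.7
2026-05-12T08:04:05Z host=MF01 event=LOGON user=PAYADM01 result=FAIL src=203.0.113.7
2026-05-12T08:04:19Z host=MF01 event=LOGON user=PAYADM01 result=FAIL src=203.0.113.7
2026-05-12T08:04:33Z host=MF01 event=LOGON user=PAYADM01 result=FAIL src=203.0.113.7
2026-05-12T08:04:50Z host=MF01 event=LOGON user=PAYADM01 result=SUCCESS src=203.0.113.7
2026-05-12T08:05:02Z host=MF01 event=ACCESS user=PAYADM01 resource=SYS1.PARMLIB intent=UPDATE result=SUCCESS src=203.0.113.7
2026-05-12T12:30:00Z host=MF01 event=ACCESS user=PAYUSR01 resource=PAY.MASTER intent=READ result=SUCCESS src=10.20.1.15
2026-05-12T12:31:10Z host=MF01 event=ACCESS user=PAYUSR01 resource=SYS1.PARMLIB intent=UPDATE result=FAIL src=10.20.1.15
"""

# Detection policy (hypothetical values; tune to the real environment).
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)
PRIVILEGED_USERS = {"PAYADM01"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
PROTECTED_DATASETS = {"SYS1.PARMLIB"}             # system control data sets
WRITE_INTENTS = {"UPDATE", "ALTER", "CONTROL"}

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str):
    """Parse one 'timestamp key=value ...' line into a dict; returns None for junk lines."""
    ts_text, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts}
    rec.update(_KV_RE.findall(rest))
    return rec


def from_trusted_network(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def _alert(rule: str, rec: dict, detail: str) -> dict:
    return {"rule": rule, "ts": rec["ts"].isoformat(), "user": rec.get("user"),
            "src": rec.get("src"), "detail": detail}


def detect(lines):
    """Run the detection rules over an ordered sequence of log lines and return alerts."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of FAIL logons inside the window
    burst_users = set()                    # users currently flagged for a failed-logon burst
    untrusted_seen = set()                 # (user, src) pairs already reported
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        user, src, event, result = rec.get("user"), rec.get("src"), rec.get("event"), rec.get("result")

        if event == "LOGON":
            window = recent_failures[user]
            if result == "FAIL":
                window.append(rec["ts"])
                while window and rec["ts"] - window[0] > FAILED_LOGON_WINDOW:
                    window.popleft()              # drop failures older than the sliding window
                if len(window) >= FAILED_LOGON_THRESHOLD and user not in burst_users:
                    burst_users.add(user)
                    alerts.append(_alert("brute_force", rec,
                                         f"{len(window)} failed logons within {FAILED_LOGON_WINDOW}"))
            elif result == "SUCCESS":
                if user in burst_users:           # the burst ended in a logon: likely guessed/stuffed credential
                    alerts.append(_alert("success_after_burst", rec,
                                         "successful logon following a failed-logon burst"))
                    burst_users.discard(user)
                window.clear()

        if event == "ACCESS" and rec.get("resource") in PROTECTED_DATASETS and rec.get("intent") in WRITE_INTENTS:
            alerts.append(_alert("protected_dataset_write", rec,
                                 f"{rec['intent']} on {rec['resource']} result={result}"))

        if user in PRIVILEGED_USERS and src and not from_trusted_network(src) and (user, src) not in untrusted_seen:
            untrusted_seen.add((user, src))       # report each (user, source) pair once, not per event
            alerts.append(_alert("privileged_user_untrusted_source", rec,
                                 f"{user} active from {src} outside trusted networks"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["rule"], a["user"], a["src"], "-", a["detail"])
```

On the sample feed the rules fire in the order the evidence arrives: the administrator appears from an untrusted address, the failed-logon burst crosses the threshold, the burst ends in a successful logon, and that same session writes to a system control data set, which is the sequence an analyst would want correlated into one incident rather than four separate tickets. The failed write by the non-privileged user also surfaces, because an attempt against a protected data set matters even when the access control decision was correct.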

Conclusion / Recommendations

In summary, DoW agencies can take immediate action to become ZT compliant using commercial and government off-the-shelf (COTS/GOTS) capabilities already within their footprint. Commercial solutions such as code optimization may take longer. The recommendation is that the DoW utilize technology within its footprint to modernize legacy systems in the short term and achieve audit compliance, while in parallel modernizing legacy systems with commercial options for the final state. The DoW can prioritize ICOFR legacy systems to achieve a clean financial audit and then expand modernization to all DoW technologies.


[i] DoD Zero Trust Strategy

[ii] NIST SP 800-207, Zero Trust Architecture, https://csrc.nist.gov/publications/detail/sp/800-207/final

[iii] DoD Zero Trust Strategy, p. 23

[iv] GAO-19-294R, Financial Audit: Fiscal Years 2018 and 2017 Consolidated Financial Statements of the U.S. Government

[v] GAO-21-524, Agencies Need to Develop and Implement Modernization Plans for Critical Legacy Systems

[vi] GAO-25-107795, Agencies Need to Plan for Modernizing Critical Decades-Old Legacy Systems

[vii] International Journal of Computer Trends and Technology, Vol. 73, Issue 6 (2025), https://www.ijcttjournal.org/2025/Volume-73/Issue-6/IJCTT-V73I6P107.pdf

[viii] DoD Digital Modernization Strategy, 2019, p. 30

[ix] IBM, “What Is a Mainframe?”

[x] IBM, “What Is a Mainframe?”

[xi] IBM, “What Is Mainframe Modernization?”

[xii] IBM, “What Is Hybrid Cloud?”

[xiii] IBM, “What Is Mainframe Modernization?”

[xiv] The New Stack, “Why Zero Trust for Mainframes Is a Financial Institution Imperative”

[xv] The New Stack, “Why Zero Trust for Mainframes Is a Financial Institution Imperative”

[xvi] “Mainframe Security in the Ransomware Age”

[xvii] “Mainframe Security in the Ransomware Age”

[xviii] MITRE, Privileged Access Management Product Evaluation, August 2023

[xix] International Journal of Computer Trends and Technology, Vol. 73, Issue 6 (2025), https://www.ijcttjournal.org/2025/Volume-73/Issue-6/IJCTT-V73I6P107.pdf