2025 Mainframe Compliance Countdown: Preparing for New Regulations

In 2025, the regulatory spotlight on data privacy has never been more intense, and mainframes are now at its center.
As organizations continue to modernize their security and privacy infrastructure, there’s a growing realization that legacy environments, particularly mainframes, must meet the same rigorous standards as cloud and distributed systems. For enterprise and public sector IT leaders, the path ahead requires immediate, strategic action to align with a wave of new federal and state mandates—many with near-term deadlines and significant penalties for non-compliance.
The Regulatory Landscape: What’s Changing in 2025
Several major federal rules are reshaping data security obligations this year, each with implications for mainframe environments:
DOJ Final Rule (Effective April 8, 2025)
This landmark regulation prohibits bulk transfers of sensitive U.S. personal and government-related data to foreign adversaries. It compels U.S. entities to implement data classification and export controls, including on legacy systems like mainframes. By October 6, 2025, organizations must have enforcement-ready audit and reporting programs in place—or risk civil or criminal penalties.
FISMA 2025 Updates
The Federal Information Security Modernization Act now mandates continuous cybersecurity planning, risk-based classification, and data inventories for all federal systems and contractors, including those running on IBM Z or similar platforms.
CJIS Security Policy (v5.9.4)
Any mainframe system processing criminal justice data must enforce encryption, access auditing, and classification controls consistent with FBI CJIS standards.
Proposed HIPAA Security Rule Changes
Expected to be finalized this year, these changes require multifactor authentication (MFA), encryption, data flow mapping, and vendor oversight for systems handling ePHI, many of which still rely on mainframes in healthcare and government.