Zero Trust for CISOs: Practical Steps to Meet Federal Mandates

October is Cybersecurity Awareness Month, and while awareness is a great start, it’s action that moves the needle.

For federal agencies, cybersecurity isn’t simply a best practice: it’s a mandate. Given directives from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA), Zero Trust has evolved from a buzzword into a strategic imperative.

But mandates alone don’t protect missions. The critical challenge for federal CISOs lies in translating policy into practical steps that secure operations without slowing them down.

The Federal Zero Trust Mandate: Where We Stand Today

Zero Trust isn’t new to federal agencies, but the urgency is. With OMB M-22-09, the federal government laid out a clear roadmap: by FY27, agencies must adopt Zero Trust principles across identity, devices, networks, applications, and data. It’s a multi-year journey, but the milestones are real — and the clock is ticking.

CISA has added momentum with Binding Operational Directives (BODs) that focus on tangible, high-impact areas:

• Enforcing multi-factor authentication (MFA) for all users.
• Implementing centralized logging for visibility and accountability.
• Strengthening supply chain risk management.

For CISOs, this isn’t just about checking compliance boxes. It’s about building trust with leadership, auditors, and the public. The challenge? Many agencies are working with complex, hybrid environments that include systems not originally designed for Zero Trust.

That’s where the expertise of trusted partners like Rocket Software and MFGS, Inc. helps agencies operationalize Zero Trust strategies across complex environments. Rocket’s tools help agencies bridge the gap between legacy infrastructure and modern security requirements by enabling MFA, centralized logging, and visibility without disrupting mission-critical operations.

Zero Trust and CISA: Where They Align

Federal CISOs are navigating a landscape where compliance and mission resilience must go hand in hand. CISA’s directives don’t just outline what needs to be done — they provide a framework for how agencies can work toward a mature Zero Trust architecture. The five foundational pillars of CISA’s Zero Trust maturity model (Identity, Devices and Networks, Data, Applications, and Automation) are more than technical categories; they represent the operational domains where security must be continuously enforced.

For agencies working to implement these principles across hybrid and legacy environments, alignment between policy and technology is critical. That’s why partnerships matter. MFGS, Inc. is a long-time trusted partner to U.S. federal agencies and works closely with Rocket Software to help bridge the gap between Zero Trust strategy and execution — especially in environments where modernization must coexist with mission-critical legacy systems.

Here’s how CISA’s guidance maps directly to the five Zero Trust pillars — and how Rocket’s capabilities support federal agencies in each area:

1. Identity: CISA’s push for multi-factor authentication (MFA) is foundational. Agencies are prioritizing secure access for privileged users and integration with existing identity providers to meet BOD 23-01 requirements.
2. Devices and Networks: Continuous vulnerability scanning, patching, and endpoint visibility are key. Agencies are working to extend these capabilities across distributed and legacy environments with tools like Rocket Mainframe Security. Additionally, ZTrust for Networks from Vanguard offers a Zero Trust network segmentation solution tailored for mainframe environments, helping agencies enforce granular access controls and reduce lateral movement risks across hybrid infrastructure.
3. Data: Centralized logging and protection of sensitive federal data is critical. Agencies are investing in tools that support data classification, encryption, and secure audit trails, like Rocket DataEdge, enabling a real-time foundation that is a launchpad for AI. In addition, Rocket Rapid Data Recovery helps agencies enable data restoration from a user-defined point in time – often just before a failure – using immutable snapshots. This minimizes downtime and helps maintain continuity in mission-critical environments.
4. Applications: Secure access to legacy applications is essential for Zero Trust. Solutions like Rocket^® z/Assure Vulnerability Analysis Program, Rocket API, and Rocket Secure Host Access help provide secure, policy-driven access to legacy applications and integrate with modern identity systems – enabling Zero Trust access controls without disrupting mission-critical systems.
5. Automation: Real-time metrics, dashboards, and reporting are vital for tracking progress against CISA’s Zero Trust Maturity Model. Agencies are increasingly integrating observability platforms to support continuous improvement and accountability. Rocket Software products are designed to support these efforts—enabling continuous improvement, operational visibility, and accountability across Zero Trust initiatives.

This alignment empowers federal agencies to take practical steps toward Zero Trust implementation — not just to meet mandates, but to build a more resilient and secure operational foundation.

Practical Steps for Zero Trust Implementation that CISOs Can Take Now

Zero Trust doesn’t have to be overwhelming. Federal CISOs can take meaningful steps today to advance their agency’s security posture — even within complex, hybrid environments. Here are five practical actions to consider:

• Identity First: Prioritize multi-factor authentication (MFA) for all users. This is one of the most effective ways to reduce identity-based threats and aligns directly with CISA’s guidance.
• Vulnerability Scanning: Automate vulnerability assessments and patch management across modern and legacy systems to reduce exposure windows and improve response times.
• Asset Visibility: Maintain a comprehensive inventory of all devices connecting to agency networks. Visibility is foundational to Zero Trust and critical for detecting anomalies.
• Data Protection: Classify and encrypt sensitive data, and ensure centralized logging is in place to support incident response and audit readiness.
• Benchmark Progress: Use CISA’s Zero Trust Maturity Model to assess current capabilities and identify gaps. Peer benchmarking can help agencies prioritize investments and demonstrate progress.

Beyond Compliance: Zero Trust as a Mission Enabler

Zero Trust isn’t just about checking boxes — it’s about mission continuity. Agencies that embrace Zero Trust are better equipped to:

• Protect against unauthorized access.
• Prevent operational downtime.
• Protect classified and citizen data.
• Maintain public trust.

While compliance drives initial adoption, the real value of Zero Trust lies in strengthening resilience across the enterprise, including modernizing legacy systems, securing remote access, and ensuring continuity during operational disruptions.

Call to Action

This Cybersecurity Awareness Month, we challenge federal CISOs to choose one high-impact Zero Trust initiative and make measurable progress in 30 days. Whether it’s rolling out MFA, improving asset visibility, or enhancing data protection — every step counts.

Let’s foster peer benchmarking and cross-agency collaboration to accelerate progress. Rocket Software and MFGS, Inc. are here to support agencies in navigating the journey.

About MFGS, Inc.

MFGS, Inc. is the trusted advisor to the U.S. Government, its partners, and system integrators for achieving optimal efficiency throughout an agency’s enterprise software architecture. We bring a comprehensive portfolio of enterprise-grade software capabilities and a deep understanding of how DOD agencies operate to support your entire software development lifecycle, enabling you to securely plan, build, deliver, and run agency missions.

About Rocket Software

Rocket Software is a global technology leader in modernization and a partner of choice that empowers the world's leading businesses and government agencies on their modernization journeys, spanning core systems to the cloud. Trusted by over 12,500 customers and 750 partners, and with more than 3,200 global employees, Rocket Software enables organizations to maximize their data, applications, and infrastructure to deliver critical services that power our modern world. Rocket Software is a privately held U.S. corporation headquartered in the Boston area with centers of excellence strategically located throughout North America, Europe, Asia, and Australia. Rocket Software is a portfolio company of Bain Capital Private Equity.

Written by John Crossno, Product Management Director, zSystems at Rocket Software