
Hidden Risks: Why Mainframe Legacy Systems Threaten Aerospace Compliance in 2025
Mainframe legacy systems present a significant threat to aerospace compliance in 2025. The USDA faced this reality when a 2023 National Academy of Public Administration audit specifically highlighted that their National Finance Center’s future was at risk without prompt action regarding legacy systems. Organizations across the aerospace sector face similar challenges.
Furthermore, maintaining these outdated systems diverts resources from essential aerospace compliance modernization initiatives. An aircraft fuselage may involve parts from 480 different suppliers, along with 2,000 additional suppliers of those suppliers, making regulatory adherence increasingly complex. Major aerospace manufacturers collect data on 14,000 critical features during manufacturing, while AS9100D emphasizes risk-based thinking and operational risk management.
The decreasing pool of mainframe specialists compounds these issues. Many experts are retiring with few new graduates entering the field, creating a critical skills gap in maintaining these systems. Legacy mainframes also hinder organizational agility, making it difficult for aerospace companies to adapt to evolving regulatory demands. Consequently, these outdated systems increase the risk of non-compliance, which can lead to substantial fines and reputational damage.
Aging Mainframes and the 2025 Aerospace Compliance Crisis
The USDA National Finance Center’s predicament serves as a stark warning for aerospace organizations in 2025. Antiquated mainframe infrastructure threatens not just operational efficiency but regulatory compliance across the industry.
USDA NFC Case: A Warning for Aerospace IT
In the audit report referenced above, the auditors explicitly stated that “NFC’s future is at risk without prompt action”. The NAPA audit identified several critical issues applicable to aerospace organizations:
· Siloed legacy systems causing poor integration
· Shortage of technical knowledge for mainframe systems
· Lack of COBOL programmers and specialized expertise
· Increased potential for errors and service disruptions
Moreover, these issues have “degraded customer service, impeded efficiency, demoralized the workforce, and created a rising risk of service impairment, disruption, or possible cyber event”. For aerospace manufacturers, similar challenges could jeopardize AS9100 certification and regulatory compliance.
FAA and AS9100D: New Compliance Pressures
AS9100 Revision D, released in 2016, dramatically altered compliance standards for aerospace organizations. Over 95% of the standard changed with this revision, creating substantial challenges for companies operating on legacy mainframes. The revision places renewed emphasis on accountability, supplier oversight, and supply chain management—areas where legacy systems typically underperform.
Additionally, the standard now requires organizations to “describe in a quality program plan (QPP) the scope and the approach for managing and implementing the quality requirements”. Legacy mainframes, with their rigid architectures and outdated coding languages, struggle to adapt to these requirements. In fact, legacy systems may lack “the transparency, accuracy, and governance capabilities needed to meet modern compliance standards”.
According to industry data, this gap leads to significant consequences including “regulatory action, fines and penalties, potential legal action, and negative publicity”. Aerospace organizations must therefore evaluate whether their mainframe systems can deliver the documentation and process controls demanded by modern compliance frameworks.
Legacy Systems as Audit Red Flags
Auditors increasingly flag legacy mainframes as compliance risks. Federal inspectors found that legacy systems at the Department of Education contained security vulnerabilities that put “sensitive information at risk, including the personal records and financial information of millions”. For aerospace manufacturers handling ITAR-controlled technical data or personally identifiable information, such vulnerabilities represent serious compliance concerns.
The Government Accountability Office (GAO) reported that federal legacy systems are “becoming increasingly obsolete” with components that were “at least 50 years old or the vendors were no longer providing support for hardware or software”. These same issues plague aerospace organizations, where unsupported systems create what auditors term “high or critical risk to the network”.
Despite the challenges, aerospace companies often delay modernization due to perceived complexity. In reality, according to industry experts, “mainframe modernization is faster, easier, and more flexible than ever before”. Through careful planning that includes milestones, necessary work descriptions, and legacy system disposition details, organizations can significantly reduce the risk of project failure.
The Shrinking Pool of Mainframe Talent in Aerospace
Aerospace organizations face a widening expertise gap in mainframe technology that threatens both operational reliability and regulatory compliance. This talent shortage represents a ticking time bomb for mission-critical aerospace systems that continue to rely on legacy infrastructure.
COBOL and Assembler Expertise Shortage
The scarcity of programming talent in aerospace’s legacy systems is reaching critical levels. A startling 89% of large businesses worry about IT staff shortages for maintaining legacy systems. Organizations report losing an average of 23% of specialized mainframe staff over a five-year period, with 63% of these positions remaining unfilled.
Particularly concerning for aerospace companies is the vanishing expertise in critical programming languages. COBOL remains prominent in 75% of mainframe environments, yet finding qualified developers has become extraordinarily difficult. Similarly, Assembler—used by 66% of large enterprises—faces a comparable talent drought. Other crucial languages in aerospace systems include:
· CA Gen (37% of organizations)
· CA Telon (24% of organizations)
· PL/1 (15% of organizations)
As one industry expert notes, “The mainframe had its heyday in the 70s, 80s and 90s… we are now 40 years on, these people are at the end of their careers and about to move into a well-earned retirement, yet for the last 30 years or more there has been no new talent coming through the funnel to replace them”.
Impact on Maintenance and Incident Response
The talent exodus creates severe operational vulnerabilities: 79% of IT and business leaders cite “acquiring the right resources and skills to get work done” as their top mainframe challenge. This shortage directly impairs aerospace companies’ ability to maintain critical infrastructure and respond to incidents promptly.
Legacy systems typically require specialized knowledge in multiple areas simultaneously—database administration for systems like DB2 and IMS, systems programming for managing mainframe operating systems, and performance tuning expertise. Finding individuals with this precise combination of skills has become increasingly difficult, creating what industry analysts describe as “hyper-focusing” on recruiting modern skills while disregarding legacy talent needs.
Notably, these staffing gaps compromise aerospace organizations’ ability to scale IT systems to meet new demand or integrate legacy systems with modern technology. For aerospace manufacturers subject to strict compliance requirements, this inability to respond rapidly to technical incidents can lead directly to regulatory violations.
Training Gaps in Aerospace IT Teams
The education pipeline for mainframe skills has virtually collapsed. This stems primarily from educational institutions abandoning mainframe courses; as one expert notes, “A very small amount of schools teach courses on mainframes and COBOL”. Additionally, modern graduates show little interest in learning legacy systems, with 29% of organizations reporting staff unwillingness to learn legacy skills.
Organizations recognize this challenge, with 77% making substantial investments in internal training to close skills gaps. Nonetheless, bringing new staff up to speed on mainframe technology “takes at least one to two years”, creating a dangerous period during which aerospace companies remain vulnerable.
Why Legacy Systems Fail Modern Aerospace Regulations
Modern aerospace regulations increasingly expose the critical weaknesses of mainframe legacy systems. Despite their historical reliability, these outdated systems fail to meet today’s stringent compliance requirements, putting organizations at serious risk.
AS9100 Clause 8.1.1: Operational Risk Management Gaps
Aerospace mainframe legacy systems struggle to satisfy AS9100D Clause 8.1.1, which mandates a structured process for operational risk management. This clause explicitly requires “assignment of responsibilities for operational risk management” along with “definition of risk assessment criteria”. Legacy systems often lack the flexibility to implement these requirements across the five critical functional areas: Program Management, Sales/Contracts, Design and Development, Purchasing, and Production and Service Provision.
Furthermore, clause 8.1.1 demands organizations identify, assess, and communicate risks throughout operations. Unfortunately, rigid mainframe architectures typically prevent real-time risk assessment and communication, creating significant compliance gaps. Although legacy systems might handle basic operations, they rarely provide the dynamic risk management capabilities needed for modern aerospace certification.
ITAR Data Control Failures in Legacy Environments
International Traffic in Arms Regulations (ITAR) compliance presents another critical challenge. Legacy systems frequently lack robust data control mechanisms, creating what one expert describes as “ITAR creep” – situations where companies believe they’ve covered every angle, yet compliance issues arise unexpectedly.
Record keeping, another ITAR requirement, often falters in mainframe environments. Companies “have a tendency to focus on getting the license, but then fail to maintain their records”. Aerospace organizations must therefore demonstrate they “did what they said they would do” if regulators investigate.
Manual Workarounds and Non-Conformance Risks
Legacy systems force aerospace companies into risky manual workarounds. One major hurdle is “reliance on manual processes for activities like documentation, audits, training, and reporting”. These processes are “not only inefficient and time-consuming but also prone to human error”.
Engineers hired to perform certification testing “spend a significant amount of their time acting as a librarian”. This non-value-added work diverts resources from innovation and creates dangerous compliance gaps.
Rather than focusing on keeping systems running, aerospace organizations must recognize how legacy infrastructure threatens regulatory standing. Unless modernized, these systems will continue exposing companies to “fines, legal actions, and damage to an organization’s reputation”.
Security and Integration Risks in Outdated Aerospace Systems
Legacy aerospace systems harbor critical security vulnerabilities that directly threaten regulatory compliance. As regulatory requirements evolve, these outdated infrastructures increasingly expose organizations to substantial risks across multiple domains.
Unsupported Software and Patch Gaps
The aerospace industry faces mounting cybersecurity threats due to unpatched vulnerabilities in legacy systems. Security gaps that start out minor quickly escalate into major compliance issues. In the first half of 2023, the rate of unfixed industrial control system flaws rose dramatically from 13% to approximately 34%. These systems typically lack robust security measures, including proper firewalls and encryption protocols.
For aerospace manufacturers, these gaps create dangerous exposure. Without vendor support, critical systems remain vulnerable to evolving threats. Throughout the aviation sector, “outdated technologies and fragile logistics can lead to massive disruptions”, as demonstrated by recent incidents affecting major airlines and infrastructure providers.
Vendor Lock-in and Compliance Inflexibility
Vendor dependency presents another serious compliance challenge. Legacy avionics and weapons platforms “shackle contractors to the past, unable to keep pace with technological change”. Vendors strategically leverage proprietary APIs and data formats to “muscle out competition and lock clients into their ecosystem”, creating what industry experts term “data imprisonment.”
This lock-in limits an organization’s ability to implement necessary security upgrades or adopt compliance-focused solutions. Above all, it forces aerospace companies to maintain outdated systems that “may not be agile enough to adapt quickly to new and evolving threats”.
Integration Failures with Modern ERP and SCM Tools
Aerospace manufacturers increasingly need modern Enterprise Resource Planning (ERP) and Supply Chain Management (SCM) systems to maintain compliance. Unfortunately, legacy mainframes create significant integration barriers. These “integration woes” emerge because “legacy systems often use outdated communication protocols and might require heavy architectural adjustments”.
The consequences extend beyond mere inconvenience. Without proper integration, aerospace organizations struggle to implement “detailed, constraint-based production scheduling capabilities” necessary for compliance. As regulations tighten, these integration failures increasingly trigger audit findings and compliance violations.
Business Continuity and Disaster Recovery Gaps
Business continuity failures in aerospace mainframe systems represent a growing threat to regulatory compliance and operational stability. These failures extend beyond daily operations to create fundamental gaps in disaster recovery capabilities, triggering serious audit concerns.
Lack of Real-Time Failover in Legacy Systems
Mainframe environments often lack the robust failover mechanisms needed for mission-critical aerospace operations. The FAA’s operational risk assessment revealed that 37% of its 138 systems were deemed unsustainable. Even more concerning, 58 systems with critical operational impacts on national airspace safety and efficiency were classified as either unsustainable or potentially unsustainable. This infrastructure fragility creates substantial recovery challenges, as replacing or repairing these systems after failure can result in extended downtimes.
Hardware failure alone accounts for 31% of unplanned downtime. For aerospace organizations, this statistic translates into dangerous operational gaps, especially given that Fortune 500 companies experience approximately 1.6 hours of downtime weekly. Without immediate failover capabilities, aerospace systems face downtime costs potentially exceeding $800,000 per week in labor expenses alone.
Inability to Meet FedRAMP and NIST SP 800-53 Standards
Currently, legacy aerospace systems struggle to satisfy FedRAMP requirements based on NIST SP 800-53 standards. These frameworks mandate comprehensive continuity planning that legacy mainframes typically cannot support. Unfortunately, many organizations have “insufficient data backup and recovery planning”, with backups that aren’t properly “offline, airgapped and secured”.
The challenge intensifies as organizations attempt to integrate modern security controls with outdated systems. Indeed, aerospace companies face what experts describe as “undefined or badly-communicated roles and responsibilities across incident response, business continuity and crisis management”.
Aerospace Audit Failure Risk from Downtime
The January 2023 FAA system outage that resulted in nationwide flight cancelations exemplifies the audit risks aerospace organizations face. This NOTAM system failure highlighted how “critical business continuity planning is for the aviation industry”.
Ultimately, aerospace organizations must recognize that business continuity planning “does not sufficiently address the challenges and specifics that ransomware and intentional destructive IT attacks bring with them”, creating substantial audit vulnerabilities.
Conclusion
The Imperative for Aerospace Mainframe Modernization
Legacy mainframe systems stand as ticking time bombs for aerospace organizations heading into 2025. Throughout this analysis, evidence clearly demonstrates how these outdated systems undermine regulatory compliance across multiple dimensions. Aging infrastructure creates vulnerabilities that extend far beyond mere operational inefficiencies—they directly threaten an organization’s ability to maintain crucial certifications and meet evolving standards.
The USDA National Finance Center case serves as a stark warning. Similar to their situation, aerospace companies face critical shortages of specialized talent needed to maintain legacy systems. COBOL and Assembler experts continue to retire while educational institutions have essentially abandoned teaching these technologies. This knowledge gap consequently leaves organizations vulnerable during system failures and unable to respond effectively to compliance demands.
Additionally, these outdated systems fail to satisfy modern aerospace regulations in several critical ways. AS9100D requirements for operational risk management, ITAR data control protocols, and essential integration with ERP and SCM tools all expose significant compliance gaps. Legacy systems likewise create dangerous security vulnerabilities through unpatched software and vendor lock-in situations that prevent necessary upgrades.
Perhaps most concerning, business continuity and disaster recovery capabilities fall woefully short of regulatory expectations. The January 2023 FAA system outage clearly illustrated how quickly these failures can cascade into industry-wide disruptions. Without real-time failover capabilities and proper alignment with standards like FedRAMP and NIST SP 800-53, aerospace organizations face substantial audit risks.
Undoubtedly, aerospace organizations must recognize that regulatory compliance is no longer an optional consideration; it forms the foundation of continued operations. Legacy mainframes that once powered the industry now threaten its future. Companies that proactively address these challenges through targeted modernization efforts will therefore gain significant competitive advantages. Those that delay will face increasingly severe consequences: costly regulatory actions, certification failures, and potentially catastrophic operational disruptions.
FAQs
Q1. What are the main risks of using legacy mainframe systems in aerospace?
Legacy mainframe systems pose significant risks to aerospace compliance, including security vulnerabilities, integration difficulties with modern tools, and challenges in meeting current regulatory standards like AS9100D and ITAR requirements.
Q2. How does the shortage of mainframe talent affect aerospace organizations?
The shrinking pool of experts in COBOL and Assembler programming creates maintenance and incident response challenges for aerospace companies, potentially leading to operational vulnerabilities and compliance issues.
Q3. Why do legacy systems struggle to meet modern aerospace regulations?
Legacy systems often lack the flexibility and capabilities required by current regulations, such as real-time risk assessment, robust data control mechanisms, and efficient documentation processes mandated by standards like AS9100D.
Q4. What are the business continuity risks associated with legacy aerospace systems?
Legacy systems frequently lack robust failover mechanisms and proper disaster recovery capabilities, which can lead to extended downtimes and potential violations of regulatory standards like FedRAMP and NIST SP 800-53.
Q5. How can aerospace companies address the challenges posed by legacy mainframe systems?
Aerospace organizations should consider implementing comprehensive modernization plans that include updating infrastructure, bridging talent gaps, enhancing integration capabilities, and improving business continuity measures to ensure regulatory compliance and operational efficiency.