DoD issues replacement for risk management framework

WASHINGTON — The Department of Defense unveiled a new five-phased framework for assessing cyber risks on its networks, dubbed the Cybersecurity Risk Management Construct, to replace its old risk management system.
“The previous Risk Management Framework was overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements. These limitations left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field,” a statement from the department said. “The CSRMC addresses these gaps by shifting from ‘snapshot in time’ assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.”
According to the statement, the new framework involves a five-phase lifecycle aligned to system development and operations with an additional ten foundational tenets.
The five-phased lifecycle includes:
a design phase where security is embedded at the outset, ensuring resilience is built into system architectures;
a build phase where secure designs are implemented as systems achieve Initial Operating Capability;
a test phase where comprehensive validation and stress testing are performed prior to Full Operating Capability;
an onboard phase where automated continuous monitoring is activated at deployment to sustain system visibility; and
an operations phase where real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.
Among the ten core principles, the DoD listed automation to drive efficiency; continuous monitoring and continuous authority to operate to enable real-time situational awareness; DevSecOps to support secure and agile development; cyber survivability to enable operations in contested environments; and cybersecurity assessment to integrate threat-informed testing that validates security.
“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” said Katie Arrington, who is performing the duties of the DoD chief information officer. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW [Department of War] to defend against today’s adversaries while preparing for tomorrow’s challenges,” she added, using the Trump administration’s new moniker for the DoD.
Arrington has derided the old process on several occasions, vowing to blow up the old RMF and describing it as outdated and not operationally effective.
The DoD notes in its statement that by institutionalizing the new construct, it is ensuring cyber survivability and mission assurance in every domain.
But one expert isn’t so sure the new process differs much from the previous.
“Overall, I am not seeing how this process will expedite the risk management framework process or how it addresses the supply chain vulnerabilities,” Georgianna Shea, chief technologist at the Foundation for Defense of Democracies Center on Cyber and Technology Innovation, said. “It seems more like a rearranging of current processes under a new name without substantial change.”
For example, she noted that the first phase, design, could be stronger on cyber-informed engineering and on adding penetration testing to identify design vulnerabilities. As it currently stands, it keeps cybersecurity as an add-on to the design.
Phase two, build, does not yet articulate quantifiable metrics. Instead, she noted, it should include measurable survivability parameters.
On phase five, operations, Shea raised a concern with empowering cybersecurity service providers as watch officers who can disconnect systems in real time: the potential for unintended mission disruption.
A disconnect action could remove critical capabilities at a key moment.