Accelerating ATOs with the new cybersecurity risk management construct

The Department of War’s (DoW) new cybersecurity risk management construct (CSRMC) is designed to improve the process of obtaining an authority to operate (ATO) for technologies that empower our warfighters by verifying that they meet strict cybersecurity standards. It’s a major update to the risk management framework (RMF) processes that had made obtaining an ATO a burdensome and time-consuming effort. It marks a pivotal shift in how cyber risk is managed, transitioning from static, manual, checklist-driven assessments to a more dynamic, automated, and continuous approach.

The CSRMC re-focuses the RMF on security and mission effectiveness rather than on compliance. This is as much a cultural change as it is a process or technology one. Many security officers and assessors had become conditioned to execute RMF steps as a procedural exercise, often without considering the actual security value those steps provide. The CSRMC formalizes the transition from static compliance to dynamic, risk-informed decision-making.

In this paper, we describe the impact of the CSRMC on the development, release, and continuous operation of technologies at the DoW. It includes…
