Six months for paperwork and six hours for an exploit. That was the reality under the old Risk Management Framework (RMF).
The Department of War, the new name for the Department of Defense after a September 5, 2025, directive, knew this had to change. On September 24, 2025, it introduced the Cybersecurity Risk Management Construct (CSRMC), a framework designed for speed, automation, and continuous defense.
Read the official Department of War release here.
CSRMC replaces RMF, which had governed military cybersecurity since 2014 and was updated in 2022 under DoDI 8510.01. RMF brought discipline, but it also slowed down progress. By the time a system was authorized, the threat picture had already shifted.
CSRMC is designed to close that gap. It makes risk management dynamic and continuous, aligning defenses with the speed of modern threats across air, land, sea, space, and cyberspace.
Katie Arrington, acting CIO, described it as:
"A cultural fundamental shift in how the Department approaches cybersecurity."
The Problem With RMF
To understand why CSRMC matters, you first have to look at what came before it. RMF was meant to improve consistency and…
