After months of vowing to “blow up” the Risk Management Framework (RMF), the Pentagon has officially rolled out a new cybersecurity model designed to “deliver real-time cyber defense at operational speed.”
The Cybersecurity Risk Management Construct (CSRMC) is the Department of Defense’s (DOD) – which the Trump administration has rebranded as the Department of War – new real-time framework that replaces the previous RMF. The CSRMC offers a faster, more adaptive approach focused on automation, continuous monitoring, and resilience.
The construct is composed of a five-phase lifecycle and 10 foundational tenets.
The five phases aligned with system development include Design, which embeds security from the outset; Build, where secure systems are implemented at initial operating capability; Test, which validates and stress-tests before full operating capability; Onboard, where continuous monitoring is activated; and Operations, which uses real-time dashboards for rapid threat detection and response.
In addition to its phased lifecycle, the CSRMC is grounded in 10 core principles, including automation for efficiency, critical controls for focused security, continuous…
