The Department of War has unveiled a sweeping overhaul of its cybersecurity framework, replacing outdated manual processes with an automated, real-time defense system designed to protect military operations across all domains.
The new Cybersecurity Risk Management Construct (CSRMC) represents what officials call a “cultural fundamental shift” in military cyber defense strategy, moving away from static checklists toward a dynamic, five-phase approach that embeds security from the earliest design stages through operational deployment and beyond.
“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” said Katie Arrington, performing the duties of the DoW Chief Information Officer. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges,” she added.
Why now? The limitations of legacy systems
The initiative comes as military leaders have grown increasingly frustrated with the previous Risk Management Framework (RMF), which relied heavily on manual processes and failed to account for modern operational needs. These outdated methods “left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field,” according to department documents.
Although the existing framework was intended to enhance security through continuous monitoring, it became bogged down in bureaucracy. “Although RMF enhances security through continuous monitoring and risk-based decision-making, it’s often seen as slow and cumbersome,” stated a recent Request for Information, as reported by DefenseScoop.
Five phases, ten principles
The CSRMC organizes cybersecurity into five distinct phases aligned with system development and operations. It begins with security being embedded at the design phase, ensuring resilience is built into system architecture from the outset. This is followed by the build phase where secure designs are implemented as systems achieve Initial Operating Capability.
Before reaching Full Operating Capability, systems undergo comprehensive validation and stress testing during the test phase. Once deployed, automated continuous monitoring is activated in the onboard phase, providing sustained system visibility. Finally, the operations phase delivers real-time dashboards and alerting mechanisms for immediate threat detection and rapid response.
Underpinning this lifecycle are ten foundational tenets that Arrington has dubbed the “10 Commandments” of the new framework. These principles emphasize automation, critical controls, continuous monitoring, DevSecOps practices, cyber survivability in contested environments, training, enterprise service reuse, operationalization of risk visibility, reciprocity in assessment reuse, and threat-informed cybersecurity assessments.
“So, [the new] RMF, you will be seeing a letter coming out of my office in the next couple of weeks with [those] 10 Commandments,” Arrington said during the Billington CyberSecurity Summit in Washington, signaling the imminent official release of the framework.
Beyond compliance: Operational survivability
What sets this approach apart from previous iterations? The CSRMC aims to ensure not just compliance with security standards but actual cyber survivability and mission assurance across all operational domains — air, land, sea, space, and cyberspace.
“This five-phase construct ensures a hardened, verifiable, continuously monitored, and actively defended environment to ensure that U.S. warfighters maintain technological superiority against rapidly evolving and emerging cyber threats,” the Department stated.
The shift represents a broader Pentagon effort to modernize its approach to cybersecurity risk management through advanced automation and continuous monitoring. By institutionalizing continuous, automated, and threat-informed cybersecurity practices, defense officials hope to accelerate capability delivery without compromising security.
For military commanders operating in increasingly contested digital battlespaces, the changes can’t come soon enough. The previous framework’s reliance on static checklists and manual processes had created bottlenecks in delivering critical capabilities to the field — a luxury modern warfare no longer affords.
As global cyber threats continue to evolve at breakneck speed, the Department of War’s new construct signals a recognition that in today’s military operations, cybersecurity isn’t just about protection — it’s about maintaining the technological superiority necessary for battlefield dominance in every domain.
