The Pentagon's Shift to Continuous, Automated Cyber Risk Management
By Cam Sivesind
Mon | Dec 29, 2025 | 7:39 AM PST

In late 2025, the U.S. Department of Defense (DoD) announced a major evolution in how it manages cybersecurity risk. The new Cybersecurity Risk Management Construct (CSRMC) replaces the legacy Risk Management Framework (RMF), which the DoD had used for decades to secure systems before granting an Authority to Operate (ATO).

The CSRMC moves risk management from periodic checkpoints to a continuous, automated, and operationally responsive model that aligns more closely with real-world threats and modern development practices.

Security professionals have long recognized the limitations of RMF—its heavy reliance on static control checklists, manual documentation, and point-in-time assessments that became obsolete almost as soon as they were signed. Under RMF, systems might be assessed once every few years, even though vulnerabilities and threat techniques change constantly.

As Dave McKeown, Acting Deputy CIO for Cybersecurity at the DoD, explains, "Static checklists just don't work in a world where cutting-edge offense and cutting-edge defense work at machine speed."

CSRMC is designed to address these shortcomings by embedding risk management throughout the system lifecycle, enabling "cyber defense at operational speed."

Here's a visual from September 2025.

"Legacy cybersecurity solutions are clearly having difficulty coping with the latest cyber threats. The DoD's introduction of the CSRMC is a step in the right direction," said Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); Chairman, Cedric Leighton Associates, LLC. "Let's face it, automated, continuous responses to automated and continuously propagating cyberattacks are absolutely essential in today's AI-driven cyber threat landscape. If we are to have any possibility of successfully defending our cyber infrastructure, we need constructs like the CSRMC."

What CSRMC is, and how it works

At its core, the CSRMC reimagines risk management as dynamic, continuous, and deeply integrated into development and operations. Rather than reactive, compliance-driven milestones, it enforces ongoing evaluation and mitigation of risk through automation, tooling, and continuous monitoring.

1. Five-phase lifecycle: CSRMC organizes risk management across five phases aligned with the system development and operational lifecycle:

  • Design: Security planning and risk tolerance embedded from the outset.

  • Build: Secure implementation and integration of controls.

  • Test: Stress tests and validation before operational deployment.

  • Onboard: Automated continuous monitoring begins as systems go live.

  • Operations: Real-time monitoring, dashboards, and alerting support ongoing assurance.

This lifecycle model ensures risk is managed continuously, not just at documentation checkpoints, and promotes early vulnerability detection and remediation.

2. Ten strategic tenets: CSRMC is grounded in ten core principles (tenets), which include:

  • Automation for efficiency and scale

  • Continuous monitoring and continuous authority to operate (cATO)

  • DevSecOps integration across development workflows

  • Cyber survivability to operate in contested environments

  • Enterprise services and inheritance to reduce duplication of effort

  • Operationalization of risk data for mission assurance

These tenets represent a philosophical shift—away from compliance for its own sake, toward mission-aligned, data-driven, and automated risk governance.

"Another attractive feature of the CSRMC is its deployment in the earliest phases of the developmental lifecycle," Col. Leighton said. "Baking security into the design phase is something that has been historically neglected, much to the regret of cyber professionals who are left to clean up the mess after a data breach."

He added, "The fact that the CSRMC is present throughout the five-phase lifecycle of system development is an essential innovation in cybersecurity. Look for the CSRMC to serve as the model not only for DoD but for both the public and private sectors."

The new framework has the biggest impacts on the following:

1. DoD and military systems: CSRMC's initial scope is the DoD ecosystem—systems connected to the DoD Information Network (DoDIN) and other mission-critical infrastructure. This framework governs how systems are developed, tested, deployed, and monitored across the department.

2. Contractors and supply chain partners: While CSRMC itself does not directly replace other programs like Cybersecurity Maturity Model Certification (CMMC), its operational emphasis may influence contract expectations and reporting requirements for defense contractors, especially those who supply software, systems, and operational technology to the DoD.

Contractors may soon be expected to provide continuous monitoring evidence, automated telemetry, and integration with DoD security dashboards—an intersection of government risk management and private sector implementation.

The new framework provides some key challenges for cybersecurity teams:

1. Cultural and organizational change: CSRMC is not just a new checklist—it's a cultural shift. Continuous monitoring, dynamic risk scoring, and real-time security telemetry require organizations to break out of siloed compliance practices and adopt risk management as a lived, operational discipline.

2. Tooling and automation gaps: To deliver on CSRMC's promise, security teams will need tools that:

  • Automate evidence collection and control validation

  • Provide dashboards with real-time risk posture

  • Integrate DevSecOps pipelines with monitoring and alerting

  • Support continuous authorization workflows

Not all existing GRC or SIEM platforms are ready for this scale of continuous, automated assurance—creating potential integration and capability gaps.
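One way to make the "continuous authorization" requirement concrete, as an added Python example that is not DoD or CSRMC code: every control's automated check must have produced fresh, passing evidence within a policy window, otherwise the authorization is flagged rather than silently carried forward from the last point-in-time assessment. The control names, freshness windows and evidence records are constructed for the illustration.

```python
"""Added illustration of a continuous-authorization (cATO) evidence check.
Not DoD or CSRMC code; control IDs, windows and records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: each control must be re-validated within its window.
FRESHNESS = {
    "vuln-scan": timedelta(days=7),
    "config-baseline": timedelta(days=1),
    "mfa-enforced": timedelta(hours=1),
}

# Fixed reference time so the example is deterministic.
NOW = datetime(2025, 12, 29, 12, 0, tzinfo=timezone.utc)


@dataclass
class Evidence:
    control: str
    collected_at: datetime  # when the automated check produced this record
    passed: bool


def evaluate_authorization(evidence, now):
    """Return (authorized, findings). A control becomes a finding when its
    most recent evidence is missing, older than its window, or failed."""
    latest = {}
    for e in evidence:  # keep only the newest record per control
        if e.control not in latest or e.collected_at > latest[e.control].collected_at:
            latest[e.control] = e
    findings = []
    for control, window in FRESHNESS.items():
        e = latest.get(control)
        if e is None:
            findings.append((control, "no evidence"))
        elif now - e.collected_at > window:
            findings.append((control, "stale"))
        elif not e.passed:
            findings.append((control, "failed"))
    return (not findings, findings)


def sample_evidence(now):
    """Constructed telemetry: vulnerability scan fresh and clean, config
    baseline fresh but drifted, MFA check last ran three hours ago."""
    return [
        Evidence("vuln-scan", now - timedelta(days=2), True),
        Evidence("config-baseline", now - timedelta(days=3), True),  # superseded
        Evidence("config-baseline", now - timedelta(hours=6), False),
        Evidence("mfa-enforced", now - timedelta(hours=3), True),
    ]


if __name__ == "__main__":
    ok, findings = evaluate_authorization(sample_evidence(NOW), NOW)
    print("authorized" if ok else f"authorization at risk: {findings}")
```

The same records would pass a periodic review that only asks "was a scan done this quarter?"; the window-based check surfaces the drifted baseline and the overdue MFA validation immediately.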

3. Skills and workforce readiness: Continuous risk management at the scale CSRMC envisions requires cybersecurity professionals to be skilled in automation, real-time threat intelligence, telemetry interpretation, and secure software development practices—a demand that may exceed current staffing and skill levels.

With the challenges also come opportunities for the broader cybersecurity community:

1. Driving a continuous security mindset: CSRMC models continuous authority to operate (cATO) rather than episodic authorization—a mindset many commercial sectors can emulate. This can improve resilience against fast-moving threats like zero-day vulnerabilities and supply-chain compromises.

2. Advances in DevSecOps and security toolchains: By integrating security into every phase of development—design through operations—CSRMC accelerates the adoption of DevSecOps practices, automated testing, and security as code. Teams that adopt these methods can reduce risk while also shortening release cycles.

3. Real-time risk visibility: Real-time dashboards and automation can help organizations see risk continuously, not just after periodic assessments. This provides a foundation for proactive mitigation long before compliance reports are due.

The CSRMC represents a significant rethinking of how cyber risk is managed in large, high-stakes environments. By replacing RMF's periodic, checklist-driven approach with continuous, automated risk management, the DoD is aligning its cyber posture with both mission requirements and the realities of the modern threat landscape.

"I hope colleges and universities, as well as high schools, are paying attention to how DoD is implementing the CSRMC," Col. Leighton added. "The future is not static; it is instead a dynamic, rapidly evolving cyber battle space. Any cybersecurity curriculum that fails to incorporate a dynamic threat environment is basically useless in today's world."

He continued, "The CSRMC represents a shift in the cybersecurity mindset. It recognizes the dynamism of today's threats—an essential first step in securing our most critical as well as our most vulnerable networks."

For cybersecurity professionals in government, defense contracting, and enterprise security, CSRMC presages broader industry trends:

  • Continuous risk visibility

  • Automation of security controls

  • Integration of security earlier in the lifecycle

  • Dynamic authorization and assurance

These concepts are no longer "nice to have"—they are rapidly becoming foundational for secure, resilient systems across all sectors.

As organizations look to streamline compliance and accelerate secure digital transformation, CSRMC's principles may soon influence how cybersecurity risk is managed far beyond the Pentagon.
