In late 2025, the U.S. Department of Defense (DoD) announced a major evolution in how it manages cybersecurity risk. The new Cybersecurity Risk Management Construct (CSRMC) replaces the legacy Risk Management Framework (RMF), which the DoD had used for roughly a decade to secure systems before granting an Authority to Operate (ATO).
The CSRMC moves risk management from periodic checkpoints to a continuous, automated, and operationally responsive model that aligns more closely with real-world threats and modern development practices.
Security professionals have long recognized the limitations of RMF—its heavy reliance on static control checklists, manual documentation, and point-in-time assessments that became obsolete almost as soon as they were signed. Under RMF, systems might be assessed once every few years, even though vulnerabilities and threat techniques change constantly.
As Dave McKeown, Acting Deputy CIO for Cybersecurity at the DoD, explains, "Static checklists just don't work in a world where cutting-edge offense and cutting-edge defense work at machine speed."
CSRMC is designed to address these shortcomings by embedding risk management throughout the system lifecycle, enabling "cyber defense at operational speed."
Here's a visual from September 2025.
"Legacy cybersecurity solutions are clearly having difficulty coping with the latest cyber threats. The DoD's introduction of the CSRMC is a step in the right direction," said Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); Chairman, Cedric Leighton Associates, LLC. "Let's face it, automated, continuous responses to automated and continuously propagating cyberattacks are absolutely essential in today's AI-driven cyber threat landscape. If we are to have any possibility of successfully defending our cyber infrastructure, we need constructs like the CSRMC."
At its core, the CSRMC reimagines risk management as dynamic, continuous, and deeply integrated into development and operations. Rather than reactive, compliance-driven milestones, it enforces ongoing evaluation and mitigation of risk through automation, tooling, and continuous monitoring. The construct organizes this around a five-phase lifecycle:
Design: Security planning and risk tolerance embedded from the outset.
Build: Secure implementation and integration of controls.
Test: Stress tests and validation before operational deployment.
Onboard: Automated continuous monitoring begins as systems go live.
Operations: Real-time monitoring, dashboards, and alerting support ongoing assurance.
This lifecycle model ensures risk is managed continuously, not just at documentation checkpoints, and promotes early vulnerability detection and remediation. Alongside the lifecycle, the CSRMC rests on a set of core tenets, including:
Automation for efficiency and scale
Continuous monitoring and continuous authority to operate (cATO)
DevSecOps integration across development workflows
Cyber survivability to operate in contested environments
Enterprise services and inheritance to reduce duplication of effort
Operationalization of risk data for mission assurance
These tenets represent a philosophical shift—away from compliance for its own sake, toward mission-aligned, data-driven, and automated risk governance.
"Another attractive feature of the CSRMC is its deployment in the earliest phases of the developmental lifecycle," Col. Leighton said. "Baking security into the design phase is something that has been historically neglected, much to the regret of cyber professionals who are left to clean up the mess after a data breach."
He added, "The fact that the CSRMC is present throughout the five-phase lifecycle of system development is an essential innovation in cybersecurity. Look for the CSRMC to serve as the model not only for DoD but for both the public and private sectors."
The new framework's biggest impact falls on defense contractors. They may soon be expected to provide continuous monitoring evidence, automated telemetry, and integration with DoD security dashboards, putting them at the intersection of government risk management and private-sector implementation.
The new framework poses some key challenges for cybersecurity teams, which must now:
Automate evidence collection and control validation
Provide dashboards with real-time risk posture
Integrate DevSecOps pipelines with monitoring and alerting
Support continuous authorization workflows
Not all existing GRC or SIEM platforms can deliver continuous, automated assurance at this scale, which creates integration and capability gaps.
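The first and last items above (automated control validation and a continuous authorization workflow) are easier to reason about with a concrete mechanism in front of you. The following is an added, illustrative example, not DoD code and not an official CSRMC tool: it evaluates constructed telemetry snapshots against a few assumed control checks, emits tamper-evident evidence records, and derives the authorization state from the freshest evidence per host, so that configuration drift or missing telemetry revokes the green status instead of waiting for the next periodic assessment. The control labels, field names and sample data are all assumptions made for the example.

```python
"""Toy continuous control validation and continuous-authorization engine.

Added illustration, not DoD or CSRMC code. Control identifiers and the
telemetry schema are invented for this example.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Each check takes one telemetry snapshot (a dict) and returns True when the
# control is satisfied. The identifiers are illustrative, not an official catalog.
CONTROLS = {
    "mfa-enforced":  lambda s: s["mfa_enforced"] is True,
    "patch-age-30d": lambda s: s["days_since_patch"] <= 30,
    "tls-min-1.2":   lambda s: s["min_tls_version"] >= 1.2,
}


def canonical_digest(record: dict) -> str:
    """SHA-256 over canonical JSON, so an evidence record is tamper-evident."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def validate_snapshot(snapshot: dict, controls=CONTROLS) -> dict:
    """Run every control against one snapshot and return an evidence record."""
    results = {cid: bool(check(snapshot)) for cid, check in controls.items()}
    record = {
        "host": snapshot["host"],
        "observed_at": snapshot["observed_at"],
        "results": results,
        "failed": sorted(cid for cid, ok in results.items() if not ok),
    }
    record["digest"] = canonical_digest(record)  # computed over the fields above
    return record


def authorization_decision(evidence: list, now: datetime,
                           max_age: timedelta = timedelta(hours=1)) -> dict:
    """Derive the current authorization state from the newest evidence per host.

    A host whose latest evidence is older than max_age is treated as failing:
    silence from the telemetry pipeline is not compliance.
    """
    latest = {}
    for rec in evidence:
        ts = datetime.fromisoformat(rec["observed_at"])
        if rec["host"] not in latest or ts > latest[rec["host"]][0]:
            latest[rec["host"]] = (ts, rec)
    findings = {}
    for host, (ts, rec) in latest.items():
        if now - ts > max_age:
            findings[host] = ["evidence-stale"]
        elif rec["failed"]:
            findings[host] = rec["failed"]
    return {"authorized": not findings, "findings": findings,
            "evaluated_at": now.isoformat()}


# Constructed sample telemetry: two hosts, then app-01 drifts 20 minutes later
# because a patch window was missed.
T0 = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"host": "app-01", "observed_at": T0.isoformat(),
     "mfa_enforced": True, "days_since_patch": 12, "min_tls_version": 1.2},
    {"host": "db-01", "observed_at": T0.isoformat(),
     "mfa_enforced": True, "days_since_patch": 3, "min_tls_version": 1.3},
    {"host": "app-01", "observed_at": (T0 + timedelta(minutes=20)).isoformat(),
     "mfa_enforced": True, "days_since_patch": 45, "min_tls_version": 1.2},
]


def run_demo():
    """Return the authorization state at three points in time."""
    evidence = [validate_snapshot(s) for s in SNAPSHOTS]
    at_t0 = authorization_decision(evidence[:2], T0 + timedelta(minutes=5))
    after_drift = authorization_decision(evidence, T0 + timedelta(minutes=25))
    stale = authorization_decision(evidence, T0 + timedelta(hours=3))
    return at_t0, after_drift, stale


if __name__ == "__main__":
    for label, state in zip(("initial", "after drift", "stale"), run_demo()):
        print(f"{label:12s} authorized={state['authorized']} findings={state['findings']}")
```

The two design choices worth copying are the digest over canonical JSON (evidence handed to a dashboard or an assessor can be checked for tampering later) and the stale-evidence rule (a host that stops reporting is treated as non-compliant, which is what turns "continuous" from a slogan into an enforced property).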
With the challenges also come opportunities for the broader cybersecurity community.
The CSRMC represents a significant rethinking of how cyber risk is managed in large, high-stakes environments. By replacing RMF's periodic, checklist-driven approach with continuous, automated risk management, the DoD is aligning its cyber posture with both mission requirements and the realities of the modern threat landscape.
"I hope colleges and universities, as well as high schools, are paying attention to how DoD is implementing the CSRMC," Col. Leighton added. "The future is not static; it is instead a dynamic, rapidly evolving cyber battle space. Any cybersecurity curriculum that fails to incorporate a dynamic threat environment is basically useless in today's world."
He continued, "The CSRMC represents a shift in the cybersecurity mindset. It recognizes the dynamism of today's threats—an essential first step in securing our most critical as well as our most vulnerable networks."
For cybersecurity professionals in government, defense contracting, and enterprise security, CSRMC presages broader industry trends:
Continuous risk visibility
Automation of security controls
Integration of security earlier in the lifecycle
Dynamic authorization and assurance
These concepts are no longer "nice to have"—they are rapidly becoming foundational for secure, resilient systems across all sectors.
As organizations look to streamline compliance and accelerate secure digital transformation, CSRMC's principles may soon influence how cybersecurity risk is managed far beyond the Pentagon.