After months of vowing to “blow up” the Risk Management Framework (RMF), the Pentagon has officially rolled out a new cybersecurity model designed to “deliver real-time cyber defense at operational speed.”

The Cybersecurity Risk Management Construct (CSRMC) is the new real-time framework from the Department of Defense (DOD), which the Trump administration has rebranded as the Department of War, and it replaces the previous RMF. The CSRMC offers a faster, more adaptive approach focused on automation, continuous monitoring, and resilience.

The construct is composed of a five-phase lifecycle and 10 foundational tenets.

The five phases aligned with system development include Design, which embeds security from the outset; Build, where secure systems are implemented at initial operating capability; Test, which validates and stress-tests before full operating capability; Onboard, where continuous monitoring is activated; and Operations, which uses real-time dashboards for rapid threat detection and response.

In addition to its phased lifecycle, the CSRMC is grounded in 10 core principles, including automation for efficiency, critical controls for focused security, continuous monitoring and real-time authority to operate, DevSecOps for agile development, cyber survivability in contested environments, ongoing training, use of enterprise services to reduce duplication, operationalization for real-time risk visibility, reciprocity to reuse assessments, and threat-informed cybersecurity testing.

The rollout of the CSRMC follows months of internal planning and repeated public statements from acting DOD Chief Information Officer (CIO) Katie Arrington, who pushed to replace the previous RMF with a more agile approach suited for today’s contested environments.

“This construct represents a fundamental shift in how the Department approaches cybersecurity,” Arrington said in a statement. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the [DOD] to defend against today’s adversaries while preparing for tomorrow’s challenges.”

Since taking over as acting CIO earlier this year, Arrington has consistently signaled her intent to replace the RMF with a more agile, responsive approach – one that maintains rigorous security standards without slowing innovation or operational readiness.

Introduced in 2022 under then-CIO John Sherman, the previous RMF was built to align with federal cybersecurity laws and standards, including the Federal Information Security Modernization Act and NIST Special Publication 800-53. While it aimed to govern risk across the lifecycle of defense IT systems – from development through sustainment – it soon became synonymous with bureaucracy and slow delivery timelines.

According to officials, the previous RMF was too reliant on static checklists and manual processes, which overlooked operational needs and delayed secure capabilities.

The new CSRMC replaces one-time assessments with “dynamic, automated, and continuous risk management to better defend against advanced threats” at the speed and scale of modern warfare.

“This construct represents a cultural fundamental shift,” Arrington said. “It’s about defending today while engineering resilience for the future.”

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.