In September 2025, the Department of War (DoW) announced a new Cybersecurity Risk Management Construct (CSRMC), a five-phase framework designed to deliver real-time defense across the DoW’s networks. This construct embeds security from design through operations, creating a continuously monitored, hardened environment that ensures US warfighters maintain technological superiority.
CSRMC represents a cultural shift in DoW cybersecurity. It’s intended to be faster and less burdensome than the old 7-step Risk Management Framework (RMF). As DoW systems shift to CSRMC, defense programs and suppliers will need to adapt to this more dynamic, continuous cybersecurity approach in real time.

Continuous monitoring and automated defenses keep critical defense networks secure under the new CSRMC framework.
What Is DoW’s Cybersecurity Risk Management Construct?
The CSRMC is a holistic cybersecurity framework centered on a system’s lifecycle. It consists of five phases (Design, Build, Test, Onboard, Operations) supported by 10 foundational tenets. In announcing CSRMC, the DoW described it as a groundbreaking framework to deliver cyber defense at operational speed.
CSRMC embeds security into every phase of development and deployment. It emphasizes automation, continuous monitoring and other innovations to ensure commanders maintain a constant authorization-to-operate (ATO) posture and an accurate understanding of mission risk.
Why DoW Replaced the RMF
Legacy RMF became a bottleneck for modern defense. It relied on static checklists and manual paperwork, creating one-time snapshot authorizations that quickly became outdated. This often left systems vulnerable to sophisticated adversaries and slowed secure capability delivery.
In contrast, CSRMC shifts to an automated, continuous model. It replaces periodic approvals with ongoing, real-time risk management, enabling cyber defense at the speed of relevance required for modern warfare.
The 5 Phases of the Cybersecurity Risk Management Construct
The framework’s phases extend across design, build, test, onboard, and operations.
Design
The DoW mandates that security be embedded at the outset, ensuring resilience is incorporated into system architecture. Architects identify threats and security controls early so the system’s blueprint remains inherently robust.
Build
In this phase, systems move toward Initial Operating Capability (IOC). CSRMC requires that secure designs be implemented as each system becomes functional. Agile, DevSecOps-aligned processes ensure that security checkpoints are integrated into every development sprint.
Test
This phase focuses on validation before Full Operating Capability (FOC). Comprehensive validation and stress testing are performed prior to declaring FOC. This includes threat-informed testing and red-team exercises to ensure that security controls work as intended under realistic conditions.
Onboard
Once a system is deployed, the Onboard phase activates automated defenses. Continuous monitoring tools kick in at deployment, sustaining system visibility from day one. This automated monitoring feeds real-time data to security operations, enabling immediate detection of anomalies or vulnerabilities.

Command center insights reflect CSRMC’s phased approach to real-time defense and continuous monitoring.
Operations
Here, the system runs in its normal environment under active defense. Real-time dashboards and alerting mechanisms provide immediate threat detection and enable rapid response. Security teams track risk levels continuously. If a critical threat appears, operators can quarantine or remediate systems on the fly—an authority explicitly built into CSRMC’s operations.
The 10 Foundational Tenets of CSRMC
As defined by the DoW, the 10 foundational tenets of CSRMC are:
- Automation, driving efficiency and scale
- Critical controls, identifying and tracking the controls that matter most
- Continuous monitoring and ATO, enabling real-time situational awareness for a constant ATO posture
- DevSecOps, supporting secure, agile development and deployment
- Cyber survivability, enabling operations in contested environments continuously
- Training, upskilling personnel to meet evolving challenges effectively
- Enterprise services and inheritance, reducing duplication and compliance burdens
- Operationalization, ensuring near-real-time visibility into risk posture
- Reciprocity, reusing valid assessments across systems seamlessly
- Cybersecurity assessments, integrating threat-informed testing to validate security
What CSRMC Means for DoW Programs and the Defense Industrial Base
CSRMC is aimed at DoW systems, but its impact will extend to its programs and industry. While CSRMC does not immediately impose new contractor mandates, its principles will be woven into future acquisitions.
Prime contractors and suppliers should prepare for program requirements and contracts that reflect CSRMC’s emphasis on automation and continuous visibility. Consequently, companies may be asked to provide live monitoring data or other automated evidence of compliance.
What’s Next for the CSRMC?
In the coming months, the DoW will fully finalize implementation guidance and begin transitioning legacy programs to CSRMC. Agencies will update policy and train teams to use new compliance tools. The emphasis on DevSecOps and automation means organizations must modernize how they build and protect systems.
This transition creates opportunities for specialized vendors. SealingTech’s agile, comprehensive solutions have long delivered tailored threat-hunting and DevSecOps support to its DoW customers.
SealingTech has already begun the migration from the Risk Management Framework to the Cybersecurity Risk Management Construct. By aligning current processes and capabilities with the requirements of the new construct, we are seamlessly mapping our posture to meet the needs identified in the CSRMC’s strategic tenets. We achieve this alignment through continued integration of, and expertise in, automated tools and resources, providing solutions for authentication, continuous monitoring, and incident response, and innovating in risk compliance reporting across partner networks and air-gapped environments.
For example, through our solution Operator X™, the first AI Hunt Kit assistant optimized for cyber defense, we’re meeting the CSRMC’s continuous monitoring and reporting capabilities in any offline environment.
Contact SealingTech to discuss how we can help your organization align with CSRMC’s requirements.