Department of Defense Launches CSRMC: A New Cybersecurity Risk Management Construct

October 2, 2025

Executive Summary

  • The Department of Defense (DoD), also referred to as the Department of War (DoW), has announced the Cybersecurity Risk Management Construct (CSRMC), which replaces the legacy Risk Management Framework (RMF).
  • CSRMC is designed to secure DoD’s own systems, particularly those connected to the DoD Information Network (DoDIN).
  • The framework emphasizes automation, continuous monitoring and reciprocity, moving away from what DoD characterizes as static, checklist-driven processes.
  • Although it does not impose direct obligations on contractors, CSRMC may influence program requirements and contractual expectations, potentially changing how contractors are asked to demonstrate cybersecurity posture in future procurements.

Background

On September 24, 2025, DoD announced CSRMC, a new framework to replace the long-standing RMF as DoD’s primary set of guidelines for protecting its systems and networks against cyber threats. The RMF, in place since 2014, required programs to secure an Authority to Operate (ATO) by implementing security controls, documenting them in a System Security Plan (SSP) and undergoing formal assessments. While it standardized cybersecurity practices, RMF was criticized by some for being slow, overly prescriptive and insufficiently responsive to operational needs.

CSRMC is intended to embed cybersecurity throughout the system lifecycle by emphasizing continuous monitoring, with the goal of achieving constant authorization status. In contrast to the RMF, CSRMC introduces real-time dashboards and automated alerts, allowing DoD to maintain a “constant ATO posture” rather than requiring periodic reviews.

The Ten Foundational Tenets

DoD describes CSRMC as grounded in ten principles that will guide how its cybersecurity is managed:

  1. Automation – Using tools to scale and improve efficiency.
  2. Critical Controls – Focusing on the safeguards that matter most.
  3. Continuous Monitoring and ATO – Moving toward a “constant” authorization posture.
  4. DevSecOps – Integrating security into agile development and deployment.
  5. Cyber Survivability – Maintaining operations even in contested environments.
  6. Training – Ensuring personnel are prepared for evolving threats.
  7. Enterprise Services & Inheritance – Reducing duplication by sharing controls and services.
  8. Operationalization – Providing near real-time visibility into risk posture.
  9. Reciprocity – Reusing assessments across systems where appropriate.
  10. Threat-Informed Assessments – Validating security through active testing.

The Five Phases

Building on these tenets, CSRMC organizes cybersecurity into five phases aligned with system development and operations:

  1. Design. At the planning stage, cybersecurity is treated as a design requirement rather than an afterthought. The emphasis is on building resilience into system architecture and leveraging enterprise services and inheritance to avoid duplicating controls across programs.
  2. Build. As systems are developed toward Initial Operating Capability (IOC), security is implemented alongside functionality. This reflects CSRMC’s focus on DevSecOps, ensuring that agile development processes incorporate security checkpoints at every stage.
  3. Test. Prior to Full Operating Capability (FOC), systems undergo validation and evaluation that go beyond documentation. DoD signals that testing will be threat-informed and designed to validate system security under operational conditions.
  4. Onboard. Deployment triggers the start of continuous monitoring, shifting oversight from static review to active visibility. This phase is central to CSRMC’s concept of a “constant ATO,” where authorization is maintained dynamically rather than revalidated only at fixed intervals.
  5. Operations. Once in sustained use, systems are monitored in real time through dashboards and automated alerts. If risks reach an unacceptable level, DoD personnel retain the authority to limit or disconnect systems from the DoDIN. This operational phase is intended to ensure that cybersecurity is not static but actively managed for as long as the system remains in service.

What This May Mean for Contractors

Although CSRMC is directed at DoD systems, its principles are likely to filter into program requirements and contractual language over time, requiring contractors to adapt compliance strategies. Just as RMF required contractors to provide SSPs, test results and other artifacts to support DoD’s authorization process, CSRMC’s emphasis on automation and continuous monitoring suggests contractors may be asked to deliver real-time monitoring data or other new forms of evidence to enable DoD’s oversight.

Importantly, CSRMC is not a substitute for the Cybersecurity Maturity Model Certification (CMMC). The CMMC program remains the operative compliance regime for defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). At present, there is no official linkage between the two frameworks. That said, CSRMC’s focus on reciprocity and continuous monitoring may influence how DoD chooses to integrate contractor certifications like CMMC into its broader risk management processes.

Key Takeaways

  • Government-only: CSRMC governs DoD systems connected to the DoDIN, not contractor networks.
  • Program deliverables will be affected: Just as the RMF drove contractors to produce SSPs, test results and control evidence, CSRMC will likely require new forms of evidence to support DoD’s continuous monitoring.
  • No link to CMMC: CSRMC is separate from CMMC, which remains the binding compliance regime for contractors handling FCI and CUI.
  • Contractor next steps: Begin tracking CSRMC implementation updates (e.g., DoD guidance, industry working groups, new solicitation language) and assess, with counsel where appropriate, how changes may affect program deliverables and contract requirements.

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved.