
Dec 17 2025
Security

What Is DOD’s Cybersecurity Risk Management Construct?

The dynamic, automated, continuous risk management framework addresses the shortcomings of its predecessor, the Risk Management Framework.

The Pentagon plans to change the way it addresses cybersecurity risk with a framework delivering real-time defense.

Dubbed the Cybersecurity Risk Management Construct, the framework aims to monitor emerging exploits at operational speed.

The CSRMC addresses the shortcomings of its predecessor, the Risk Management Framework (RMF), which relied heavily on static checklists and manual processes.

“As the evolving vulnerabilities and patches come out, we’ve got to stay on top of that and make sure that the system keeps pace with all the changes out there in the environment,” says Dave McKeown, acting deputy CIO for cybersecurity at the Department of Defense.


Under the RMF regime, the DOD assessed its cyber risk with a snapshot in time once every three years — not frequently enough to ensure the system stayed in tolerance, McKeown says.

“Static checklists just don’t work in a world where cutting-edge offense and cutting-edge defense work at machine speed,” says Andrew Howell, vice president of government affairs at SentinelOne.

A Phased Approach to Better Security

The CSRMC shifts to dynamic, automated and continuous risk management. The framework is grounded in a set of 10 core principles including automating to drive efficiency and scale, tracking critical controls, and continuous monitoring and continuous authority to operate (ATO). Other key pillars include DevSecOps, cyber survivability, training, and enterprise services and inheritance.

“It’s a proactive approach, and this has only become available to us over just the last couple of years,” says Jon Clay, vice president of threat intelligence at Trend Micro.

New attack surface discovery tools help IT leaders know what they’re protecting, while emerging generative artificial intelligence solutions can quickly assess and rank the risk.

The CSRMC will elevate DOD security in five phases, aligned to system development: design, build, test, onboard and operations.

“Our goal is to achieve better cybersecurity outcomes from the beginning,” McKeown says.

The phased approach signals cross-lifecycle adherence to cyber standards and best practices.

“It's important because you want to be able to understand how a system adapts and changes over time across all lifecycles,” Howell says. “Given how long deployment times can be in the department, you want to make sure that you maintain that same high level of cybersecurity from beginning to end.”


The approach will be put into practice with capabilities in the test phase, such as digital twin technology.

“Instead of a human doing the test, it’ll be an AI agent that analyzes your phase one or phase two builds, analyzes your environment, and it can introduce attack simulations across all your different areas, your processes, your identities, your devices,” Howell says. “And it can do that continuously. You could run 50 attack scenarios in a day, whereas in the past you would run a red team test once a year or once a quarter.”

Making the DOD’s Cyber Culture More Proactive

The CSRMC promises to reshape cyber culture at the Pentagon. Cyber operators across DOD will “start looking like they complement each other, they support each other and they are not in silos,” says Carol Assi, COO to the deputy CIO for cybersecurity at DOD.

The new construct will enable military leaders to give equal weight to cyber and kinetic requirements.

“We have threats; we understand how they impact the mission,” Assi says. “We can prioritize from a resourcing perspective.”


DOD’s move toward continuous ATOs is another driver of culture change, empowering the military to be more proactive. The previous need for fresh authorizations tended to slow deployment and increase costs of cyber tools, Howell says.

The Pentagon’s cyber culture needs to become more technology-centric to fully take advantage of the CSRMC.

“You can’t just throw people at this anymore because people can’t scale,” Clay says. “People aren’t up all night long. The AI agents will be.”

Instead, DOD leadership must support nonhuman capabilities.

“The adversary is knocking at our door,” McKeown says. “We’ve got to defend ourselves, and simple compliance isn’t going to get us there.”

Cpl. Armando Elizalde/Marine Corps.