An official website of the United States Government 
Here's how you know

Official websites use .gov

.gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Release
Immediate Release

Department of War Announces New Cybersecurity Risk Management Construct

Sept. 24, 2025

The Department of War (DoW) today announced the implementation of a groundbreaking Cybersecurity Risk Management Construct (CSRMC), a transformative framework to deliver real-time cyber defense at operational speed. This five-phase construct ensures a hardened, verifiable, continuously monitored, and actively defended environment to ensure that U.S. warfighters maintain technological superiority against rapidly evolving and emerging cyber threats.

Addressing Legacy Shortcomings

The previous Risk Management Framework was overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements. These limitations left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field.

The CSRMC addresses these gaps by shifting from "snapshot in time" assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.

The construct is composed of a five-phase lifecycle and ten foundational tenets.

The Five-Phase Lifecycle

The new construct organizes cybersecurity into five phases aligned to system development and operations:

  1. Design Phase – Security is embedded at the outset, ensuring resilience is built into system architecture.
  2. Build Phase – Secure designs are implemented as systems achieve Initial Operating Capability (IOC).
  3. Test Phase – Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).
  4. Onboard Phase – Automated continuous monitoring is activated at deployment to sustain system visibility.
  5. Operations Phase – Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.

Ten Foundational Tenets

The CSRMC is grounded in ten core principles:

  • Automation – driving efficiency and scale
  • Critical Controls – identifying and tracking the controls that matter most to cybersecurity
  • Continuous Monitoring and ATO – enabling real-time situational awareness to achieve constant ATO posture
  • DevSecOps – supporting secure, agile development and deployment
  • Cyber Survivability – enabling operations in contested environments
  • Training – upskilling personnel to meet evolving challenges
  • Enterprise Services & Inheritance – reducing duplication and compliance burdens
  • Operationalization – ensuring stakeholders near real-time visibility of cybersecurity risk posture
  • Reciprocity – reuse assessments across systems
  • Cybersecurity Assessments – integrating threat-informed testing to validate security

Delivering Cybersecurity at the Speed of War

By institutionalizing this construct across the Department, the DoW is ensuring cyber survivability and mission assurance in every domain: air, land, sea, space, and cyberspace.

"This construct represents a cultural fundamental shift in how the Department approaches cybersecurity," said Kattie Arrington, performing the duties of the DoW CIO. "With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today's adversaries while preparing for tomorrow's challenges."

For more information on the Cyber Security Risk Management Construct, click here.

For more information on the CSRMC Strategic Tenets, click here.