The Department of War on Tuesday unveiled a new Cybersecurity Risk Management Construct, a department-wide framework intended to deliver real-time defense of digital systems and keep pace with fast-changing threats. The framework is designed to shift cybersecurity from periodic compliance checks to a continuously measured and actively defended posture aligned with operational needs.
According to the department, the prior risk framework leaned too heavily on checklist-driven, manual activities that did not sufficiently reflect mission conditions or cyber survivability. The new construct emphasizes automation, ongoing measurement, and rapid response, with the goal of moving risk decisions and defenses at operational speed.
The framework is organized around five phases that map to the lifecycle of weapon systems and digital platforms:
– Design: Security requirements and resilience are built into architecture from the outset.
– Build: Secure designs are implemented as systems reach initial fielding.
– Test: Rigorous evaluation and stress testing occur before full deployment.
– Onboard: Automated monitoring is activated at rollout to maintain visibility.
– Operations: Dashboards and alerting support immediate detection and response in production.
Ten core principles underpin the approach. They include heavy use of automation; prioritization of the most consequential security controls; continuous monitoring tied to a near-constant authorization posture; integration with DevSecOps practices; an emphasis on operating through attack; training to upskill the workforce; shared enterprise services to reduce duplication; near real-time visibility for operators and leaders; reuse of assessments across systems; and threat-informed testing to validate defenses.
The department said the construct is intended to harden systems, provide verifiable security evidence, and maintain active defense across domains including air, land, sea, space, and cyberspace. It also aims to speed delivery of secure capabilities to the field by replacing one-time assessments with dynamic risk management and instrumentation that can surface issues as they emerge.
“This construct represents a cultural shift in how the Department approaches cybersecurity,” said Katie Arrington, performing the duties of the DoW CIO. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges.”
Successful adoption will depend on scaling automation across heterogeneous systems, ensuring data feeds are trustworthy and timely, and harmonizing practices across programs that currently rely on bespoke processes. The focus on enterprise services and inheritance is meant to cut redundant work, while reciprocity—accepting assessments performed elsewhere—could reduce delays tied to repeated reviews.
No implementation timeline or metrics for measuring progress were included in the announcement, but the department framed the effort as an institutional change intended to make cyber survivability and mission assurance a baseline expectation throughout system development and operations.