The Department of War announced a new cybersecurity framework on Sept. 24 designed to protect U.S. military systems with automated, real-time defenses capable of operating at “the speed of war.”
The Cybersecurity Risk Management Construct (CSRMC) replaces the Pentagon’s previous reliance on static checklists and periodic assessments, which officials said left defense networks vulnerable to evolving digital threats and slowed delivery of secure capabilities.
Under the new system, cybersecurity is embedded at every stage of system development, beginning with design and continuing through operations. Once deployed, systems will undergo constant automated monitoring rather than intermittent reviews.
“This construct represents a cultural shift in how the Department approaches cybersecurity,” said Katie Arrington, performing the duties of the DoW chief information officer. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges.”
Officials said the framework is organized into five phases — design, build, test, onboard, and operations — and rests on ten core principles that emphasize automation, continuous monitoring, cyber survivability, and secure software development. Personnel training and the reuse of security assessments across multiple systems are also key components.
The Department plans to implement the construct across all domains — air, land, sea, space, and cyberspace — with the goal of ensuring “cyber survivability and mission assurance” for warfighters.
The Department plans to implement the construct across all operational domains. These include air, land, sea, space, and cyberspace.
Military officials say the framework ensures cyber survivability and mission assurance. It enables secure capabilities to reach warfighters faster than the previous system allowed.
The shift from manual to automated processes addresses longstanding vulnerabilities. Legacy systems failed to account for operational needs and cyber survivability requirements.
Additional documentation detailing the construct and its strategic tenets is available through Department channels.