Goodbye RMF, Hello CSRMC

The Risk Management Framework (RMF) was published by NIST in 2010 (Special Publication 800-37) and adopted by the Department of Defense in 2014 to create a standardized way to measure and manage cybersecurity risk across the federal government. Built on requirements including the Federal Information Security Modernization Act (FISMA) and the control catalog in NIST Special Publication 800-53, the RMF was a repeatable, structured method for managing cybersecurity risk and demonstrating compliance with federal standards. It allowed agencies to identify, understand, prioritize, and reduce risks to their information systems and missions, and it informed leaders of security risks so they could make educated decisions about trade-offs between security and mission needs.

While it was designed to be more than a checklist, in practice the RMF became one. Rather than engaging with it as a living process, agencies relied on highly manual, document-heavy workflows, with an authorization package built around a point-in-time assessment, that slowed the adoption of much-needed solutions. The process could not keep pace with a quickly evolving threat landscape.

In September 2025, the Department of Defense (DoD) introduced the Cybersecurity Risk Management Construct (CSRMC) as a new approach to assessing risk and adopting technologies, replacing its RMF-based process. The CSRMC is designed to streamline the identification of risks and to let organizations tailor security to their mission needs rather than to a fixed control checklist.

The CSRMC was designed around 10 key principles.

  • Automation to drive efficiency and scale
  • Critical controls for focused security
  • Continuous monitoring to support a real-time, continuous authority to operate rather than a periodic reauthorization
  • DevSecOps approach to enable agile development with security integrated throughout the software lifecycle
  • Cyber survivability for contested environments
  • Ongoing training
  • Enterprise services and inheritance to reduce duplication and compliance burdens
  • Operationalization for near real-time visibility of risk posture
  • Reciprocity so that a security assessment or authorization performed by one organization is accepted and reused by others rather than repeated
  • Cybersecurity assessments that integrate threat-informed testing methodologies with mission-aligned risk-management processes

The CSRMC has a five-phase lifecycle:

  • Design - security is embedded into the systems architecture
  • Build - secure designs are implemented as systems achieve initial operating capability
  • Test - validation and stress testing are conducted prior to full operating capability
  • Onboard - automated, continuous monitoring is activated at deployment
  • Operations - real-time dashboards and alerting mechanisms provide immediate detection and response

In keeping with the first principle, each phase is meant to be automated rather than document-driven. In the design phase, for example, Infrastructure-as-Code templates carry the required security configurations and controls so that they are enforced before anything is deployed, rather than documented after the fact. The test phase uses tooling for vulnerability scanning, penetration testing, and threat emulation on a continuous basis instead of as a one-time event before authorization. And continuous monitoring, a core tenet of the CSRMC, gives a live view of systems and their risk posture in place of the static, point-in-time snapshots that characterized RMF authorization packages.
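To make the design-phase idea concrete, here is an added example (not DoD or CSRMC code, and not from the original post) of a policy-as-code gate: a small checker that evaluates an Infrastructure-as-Code template against a handful of required controls and blocks deployment when any fails. The template schema is a constructed, simplified stand-in for a real Terraform or CloudFormation document, the two sample templates are made up, and the mapping of each check to an SP 800-53 control ID (SC-28, AU-2, SC-7, IA-2(1), CM-6) is illustrative rather than an official baseline.

```python
"""Policy-as-code gate for an Infrastructure-as-Code template.

Added example, not DoD or CSRMC code. The template schema is a constructed,
simplified stand-in for a real Terraform or CloudFormation document, and the
mapping of each check to a NIST SP 800-53 control ID is illustrative.
"""
import ipaddress
import json
from dataclasses import dataclass

# Ports that should never be reachable from anywhere (assumption for the example).
ADMIN_PORTS = {22, 3389, 5985, 5986}


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str   # SP 800-53 control the check is mapped to (illustrative)
    message: str


def _open_to_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; a malformed CIDR raises ValueError."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_storage(name: str, res: dict) -> list[Finding]:
    findings = []
    if not res.get("encrypted", False):
        findings.append(Finding(name, "SC-28", "not encrypted at rest"))
    if not res.get("access_logging", False):
        findings.append(Finding(name, "AU-2", "access logging disabled"))
    return findings


def check_firewall(name: str, res: dict) -> list[Finding]:
    findings = []
    for rule in res.get("ingress", []):
        lo, hi = rule["from_port"], rule["to_port"]
        exposes_admin = any(lo <= p <= hi for p in ADMIN_PORTS)
        for cidr in rule.get("cidrs", []):
            if exposes_admin and _open_to_world(cidr):
                findings.append(Finding(name, "SC-7",
                                        f"ports {lo}-{hi} open to {cidr}"))
    return findings


def check_identity(name: str, res: dict) -> list[Finding]:
    if res.get("mfa_required", False):
        return []
    return [Finding(name, "IA-2(1)", "MFA not required for privileged access")]


CHECKS = {"storage": check_storage, "firewall": check_firewall,
          "identity": check_identity}


def evaluate(template: dict) -> list[Finding]:
    """Run every applicable check; a resource type with no policy fails closed."""
    findings = []
    for name, res in template.get("resources", {}).items():
        checker = CHECKS.get(res.get("type"))
        if checker is None:
            findings.append(Finding(name, "CM-6",
                                    f"no policy defined for type {res.get('type')!r}"))
            continue
        findings.extend(checker(name, res))
    return findings


def gate(template: dict) -> bool:
    """Deployment gate: True only when no finding remains."""
    return not evaluate(template)


# Constructed sample templates (not real infrastructure).
INSECURE_TEMPLATE = json.loads("""{
  "resources": {
    "mission-data": {"type": "storage", "encrypted": false, "access_logging": false},
    "bastion-sg":   {"type": "firewall",
                     "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
    "admin-role":   {"type": "identity", "mfa_required": false}
  }
}""")

HARDENED_TEMPLATE = json.loads("""{
  "resources": {
    "mission-data": {"type": "storage", "encrypted": true, "access_logging": true},
    "bastion-sg":   {"type": "firewall",
                     "ingress": [{"from_port": 22,  "to_port": 22,  "cidrs": ["10.0.0.0/8"]},
                                 {"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    "admin-role":   {"type": "identity", "mfa_required": true}
  }
}""")

if __name__ == "__main__":
    for label, tpl in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"{label}: gate={'PASS' if gate(tpl) else 'FAIL'}")
        for f in evaluate(tpl):
            print(f"  [{f.control}] {f.resource}: {f.message}")
```

Two design choices matter here. The gate fails closed: a resource type the policy does not know about is itself a finding, so a new service cannot slip past the controls simply because nobody wrote a check for it yet. And the same `evaluate` function can be pointed at the observed configuration of a running system instead of the template, which is the continuous-monitoring half of the construct: the check that blocked the deployment is the check that later detects drift.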

To keep up with the use and implementation of CSRMC, check out these resources:

  • Building on Cyber Strengths (November 5, 2025; webcast) - Thought leaders from government and industry share what they have learned about enhancing cybersecurity without either surrendering tools and capabilities they already have or increasing the complexity of their cyber landscape.
  • Cybersecurity Summit 2025 - (November 21, 2025; Reston, VA) - Join national leaders, innovators, and security experts for a dynamic summit exploring the evolving intersection of cybersecurity, advanced technologies, and public service.
  • CyberTalks 2025 (February 19, 2026; Washington, DC) - Hear from the leading voices at the intersection of government and the technology industry on the latest tactics to combat new risks. CyberTalks also provides an invaluable forum for exchanging ideas and best practices on ways to bolster digital defenses and promote cyber resiliency.
  • Safeguarding the Digital Realm (white paper) - Cyber threats facing government agencies are growing more sophisticated, with nation-state actors and AI-powered attacks escalating the urgency of defense. Legacy systems, budget constraints, and fragmented oversight continue to weaken cyber resilience. To counter this, experts emphasize a shift toward threat-informed risk management, Secure by Design principles, and integrating AI with strong governance.
  • Using Business Impact Analysis to Inform Risk Prioritization and Response (white paper) - Understanding risk starts with knowing how disruptions impact an organization. The Business Impact Analysis (BIA) goes beyond disaster recovery: it helps leaders identify which assets are most critical and vulnerable to cyber threats. By integrating cybersecurity risk management (CSRM) with enterprise risk strategies, organizations can prioritize threats, improve decision-making, and align security efforts with business goals.
  • FedRAMP: Evolving Standards, Emerging Challenges, and the Road Ahead (white paper) - As cloud technologies rapidly evolve, so too must the systems that govern their use in government. FedRAMP, once a groundbreaking framework for authorizing cloud services, is now undergoing a critical transformation through the 20x initiative, aimed at streamlining processes, reducing sponsor burden, and embracing automation over paperwork. Yet challenges remain, from securing agency sponsorship to helping smaller innovators break into the federal market.

For more information on government cybersecurity standards and processes, search for additional events and resources on GovEvents and GovWhitePapers.