What Are Risk Management Frameworks – 5 Phases & 10 Tenets
November 17, 2025

Introducing the 5 Phases and 10 Tenets of the New RMF: CSRMC


The average cost of a data breach in the US is $9.48M. In 2023, the cost of cybercrime in the US totaled more than $12.5B, a 22% increase over the previous year. And each year, the number of malware, phishing, ransomware and other attacks continues to grow.

With risk on the rise, the Department of Defense/Department of War (DoD/DoW) has made some fundamental changes to the Risk Management Framework (RMF) they’ve created for their agencies to follow. Along with the new requirements, they also changed the name to the Cybersecurity Risk Management Construct (CSRMC).

“The previous Risk Management Frameworks were overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements. These limitations left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field,” a press release from the DoW stated. “The CSRMC addresses these gaps by shifting from ‘snapshot in time’ assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.”

Schedule A Demo

We'll show you how SteelCloud provides visibility and control across your network at every endpoint.

Understanding the importance of the risk management framework


Having an RMF in place is critical—and almost universally required—if you work in the DoD/DoW or work in the defense industrial base. RMFs like CSRMC help organizations align their security practices with regulatory and business requirements.

Align security practices with regulatory and business requirements by:

  • Identifying risks and understanding what threats exist
  • Assessing risk and evaluating its likelihood and impact
  • Mitigating risk by choosing appropriate security controls and strategies based on your assessment
  • Monitoring risk through ongoing measurement and improvement
  • Governing risk through documentation and ensuring accountability and consistency

Establishing your RMF is critical to addressing the growing landscape of cyber threats, compliance mandates and operational risks that organizations face in the 2020s. Because the RMF aligns your security practices with regulatory and business requirements, it is indispensable for protecting your data, safeguarding your reputation, and creating operational resilience in the face of unprecedented threats.

Getting a grasp on the 5 phases and 10 tenets of the new CSRMC

In September 2025, the DoD/DoW updated/replaced the long-held NIST RMF with the Cybersecurity Risk Management Construct (CSRMC) to include a five-phase lifecycle and an additional ten foundational tenets. Early observers feel it’s not that much different from the old RMF in spirit but does refine the process in practical ways.

The five-phase lifecycle they have defined includes:

  • Design Phase - Security is embedded at the outset, ensuring resilience is built into system architecture
  • Build Phase - Secure designs are implemented as systems achieve Initial Operating Capability (IOC)
  • Test Phase - Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC)
  • Onboard Phase - Automated continuous monitoring is activated at deployment to sustain system visibility
  • Operations Phase - Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response

The 10 foundational tenets that accompany these phases are a series of best practices and requirements that refine the process even further:

  1. Automation - Driving efficiency, accuracy and scale, and making establishing your RMF achievable with the staff you already have
  2. Critical Controls - Driving efficiency, accuracy and scale, and making establishing your RMF achievable with the staff you already have
  3. Continuous Monitoring and ATO - Enabling real-time situational awareness to achieve a constant ATO posture and maintain a continuously secure environment
  4. DevSecOps - Supporting secure, agile development and deployment for increased resilience and threat mitigation
  5. Cyber Survivability - Enabling secure operations in contested environments
  6. Training - Upskilling personnel to meet evolving challenges and providing users with better, more secure practices
  7. Enterprise Services & Inheritance - Reducing duplication and compliance burdens
  8. Operationalization - Ensuring stakeholders have near-real-time visibility of their cybersecurity risk posture
  9. Reciprocity - Reusing assessments across systems for end-to-end consistency
  10. Cybersecurity Assessments - Integrating threat-informed testing into the framework to validate security


Navigating the challenges and best practices for applying RMF to your system

Establishing an RMF usually takes intensive time and effort. You have to identify and assess risks, mitigate those risks by applying security controls, and regularly monitor and tend to your solution. The requirements can be complex, continually evolving and, if mandated, can bear their own risk in fines and possibly even lost contracts if you are unable to sufficiently comply.

Compliance often finds friction from bumping up against already tight resources and staffing limitations. Applying security controls and integrating RMFs across IT, OT and business functions takes a lot of skilled time and effort when done manually. That’s why the first tenet of the CSRMC is to use automation wherever you can to help relieve the burden on your people.

Even though the CSRMC is new, the same automation solutions used for the old RMF model still apply here. ConfigOS, the leading cybersecurity automation solution used in the DoD for cybersecurity and RMF, fully automates the first three phases—design, build and test—and provides the continuous monitoring and alert capabilities needed for the onboard and operations phases.

Moving into a new era of RMF with automation on your side

As DoD/DoW cybersecurity becomes more and more complex in response to the increased sophistication of bad actors, it is essential to have the most powerful tools in your toolbox to remain resilient and adaptable in the face of evolving threats.

If you talk to experts who have already tackled the task of establishing RMF/CSRMC using automation, they will tell you that many disparate tools exist that can save time in one or another of the phases of CSRMC. But the greatest benefit comes from a unified automation solution, where elements of all five phases are built into an integrated and comprehensive solution that is purpose-built for DoD/DoW needs.

To learn more about unified automation solutions and how they enable the RMF process (and make certifications and assessments like CMMC and CORA much harder to fail), SteelCloud has answers. To see how unified automation fulfills the promise of CSRMC and takes a huge load off the shoulders of agencies implementing the new requirements, request a no-obligation, in-person demo and meet your new requirements with ease.
