Goodbye RMF. Hello CSRMC! The Department of War just announced RMF's replacement - the "Cybersecurity Risk Management Construct." They say that the RMF "was overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements." CSRMC shifts from "snapshot in time assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare."

CSRMC organizes cybersecurity into five phases aligned to system development and operations:

1. Design Phase - Security is embedded at the outset, ensuring resilience is built into system architecture.
2. Build Phase - Secure designs are implemented as systems achieve Initial Operating Capability (IOC).
3. Test Phase - Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).
4. Onboard Phase - Automated continuous monitoring is activated at deployment to sustain system visibility.
5. Operations Phase - Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.
They say that CSRMC has 10 foundational tenets:

- Automation - driving efficiency and scale
- Critical Controls - identifying and tracking the controls that matter most to cybersecurity
- Continuous Monitoring and ATO - enabling real-time situational awareness to achieve constant ATO posture
- DevSecOps - supporting secure, agile development and deployment
- Cyber Survivability - enabling operations in contested environments
- Training - upskilling personnel to meet evolving challenges
- Enterprise Services & Inheritance - reducing duplication and compliance burdens
- Operationalization - ensuring stakeholders near real-time visibility of cybersecurity risk posture
- Reciprocity - reuse assessments across systems
- Cybersecurity Assessments - integrating threat-informed testing to validate security

You'll see that the attached lifecycle graphic does align CSRMC's 5 phases to RMF's steps. And there are still references to RMF documents like Information Security Continuous Monitoring (ISCM). I'm assuming they'll continue to use the NIST 800-53 security controls. If so, I'm sure they'll create additional overlays. CNSSI 1253 documented the security control baselines for RMF. If they still leverage NIST 800-53, I would think that the resulting baselines will be much smaller in the revised version. I'm very much in agreement with the tenets and applaud the shift in focus! I'm interested to learn how different this will be from the RMF process. I do know this: sometimes you need a rebrand to shake things up. It will be very interesting to see how this evolves! #csrmc #nist #rmf
Comparing CSRMC and RMF in Defense Cybersecurity
Summary
Comparing the Cybersecurity Risk Management Construct (CSRMC) and the Risk Management Framework (RMF) is central to understanding the Department of Defense’s evolving approach to cyber defense. While RMF relied on process checklists and static documentation, CSRMC introduces a dynamic, automated, and continuous risk management model, aiming to make cybersecurity a real-time, operational function rather than a paperwork exercise.
- Focus on automation: Build technical systems that provide ongoing, actionable data rather than relying on manual reporting or one-time assessments.
- Embrace lifecycle integration: Make security a continuous process, embedding it at every phase from system design to daily operations, rather than treating it as a final step before launch.
- Promote real-time accountability: Encourage teams to monitor and respond to threats as they happen, pushing for a culture shift from static approvals to ongoing vigilance.
The Department of War just announced the Cybersecurity Risk Management Construct (CSRMC), a five-phase, ten-tenet framework promising real-time, continuously monitored cyber defense at operational speed.

CSRMC at a Glance

Five lifecycle phases (covering system development & operations):
1. Design – Embed security and resilience from the start
2. Build (IOC) – Implement secure designs, feed into continuous monitoring
3. Test (FOC) – Validate controls through stress testing and automation
4. Onboard – Switch on automated continuous monitoring at deployment
5. Operations – Real-time dashboards and alerts for continuous risk response

Ten core principles (tenets):
• Automation
• Critical Controls
• Continuous Monitoring & ATO
• DevSecOps
• Cyber Survivability
• Training
• Enterprise Services & Inheritance
• Operationalization
• Reciprocity
• Cybersecurity Assessments

Alignment with Major Capability Acquisition Pathway Integration with RMF

The DoD CIO's MCA Pathway Integration with RMF guidance calls for early, iterative RMF integration across the acquisition lifecycle. CSRMC's phases echo those same steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor), emphasizing:
• Early risk planning and digital engineering during the Design/MSA phase
• Control tailoring, artifact reuse, and reciprocity throughout Build and Test
• Continuous monitoring and cATO practices in Onboard and Operations

This structural overlap is intentional: both aim to bake security into the mission from concept to sustainment, not bolt it on after Milestone C.

The Reality Check

Veterans of DIACAP, multiple RMF rewrites, and countless "next-gen" compliance pushes know the pattern:
• Strong concepts on paper
• Cultural inertia in practice
• Checklists creeping back as schedules tighten

CSRMC will only succeed if program managers, engineers, and Authorizing Officials own continuous risk and resist the slide back to point-in-time authorizations. Otherwise it risks becoming just the next framework awaiting replacement.
- A well-written playbook is necessary.
- A true culture shift is decisive.

Question for the community: Will CSRMC finally make continuous cyber defense a living practice, or will we be here again in five years debating the next revamp?

DoW CSRMC Release: https://lnkd.in/eCtTU2kC
CSRMC Strategic Tenets: https://lnkd.in/eqsvatE5
Major Capability Acquisition Pathway Integration with Risk Management Framework: https://lnkd.in/eNzpe__E