The Defense Department's authorization frameworks have long operated on a foundational assumption: that security is a periodic event. Review a system, grant it an Authority to Operate, and revisit the paperwork in three to five years. On September 24, 2025, DoD formally abandoned that assumption. The Cybersecurity Risk Management Construct — CSRMC — replaces the Risk Management Framework as the department's governing standard for protecting its systems and networks, and the change is structural, not cosmetic.
The RMF's core failure was its orientation toward documentation rather than operational security. Programs accumulated system security plans, controls assessments, and privacy overlays — then submitted them for an ATO review that might occur once every three to five years. In the interim, threat actors evolved, vulnerabilities accumulated, and the gap between a program's authorization documentation and its actual security posture widened without accountability. For a department running hundreds of interconnected systems across a globally contested network environment, snapshots are not security. They are the appearance of security, which is a different and more dangerous thing.
Five Phases, One Constant Authorization State
The CSRMC organizes cybersecurity across five lifecycle phases — Design, Build, Test, Onboard, and Operations — with a clear through-line: security is not audited at a single milestone but embedded continuously from initial design and maintained in real time throughout a system's operational life. The most operationally significant change is the "constant ATO" concept. Authorization is no longer a discrete event followed by years of relative dormancy. From the moment a system onboards to DoD networks, continuous monitoring is active. Automated dashboards and real-time alerts replace periodic review cycles, and DoD retains explicit authority to limit or disconnect any system whose risk posture exceeds acceptable thresholds — without waiting for a scheduled review.
Ten strategic tenets anchor the construct: automation for efficiency and scale; emphasis on critical controls over exhaustive checkbox compliance; continuous monitoring as the authorization mechanism; DevSecOps integration to embed security in the development pipeline; cyber survivability in contested environments; personnel upskilling; reduction of cross-program duplication; near real-time risk posture visibility; reciprocity of assessments across interconnected systems; and threat-informed validation before full operating capability. Individually, each tenet reflects a known gap in how DoD has managed cyber risk. Together they represent a doctrine that treats authorization as an ongoing operational state, not a bureaucratic milestone.
What Changes for Program Offices and Contractors
The practical implications are significant and immediate. Program offices that have treated ATO as a finish line — something to achieve and then maintain at minimal cost — will need to build continuous monitoring infrastructure into their operational baseline from the outset. The CSRMC's Test phase explicitly requires threat-informed validation before full operating capability: adversarial assessment of system security under realistic operational conditions, not documentation review. This is a mandate for red-team testing against live system configurations, with findings that feed back into architecture and hardening decisions before operational deployment. A compliance artifact does not satisfy this requirement. A cyber range exercise does.
For programs with operational profiles in DDIL (denied, degraded, intermittent, limited) environments — where systems operate beyond reliable connectivity to enterprise monitoring infrastructure — the cyber survivability tenet carries particular weight. A forward-deployed system cannot rely on constant connectivity to a central ATO dashboard to maintain its authorization posture. It must sustain acceptable security autonomously: local anomaly detection, on-platform monitoring, and the ability to identify compromise indicators locally and report them when connectivity is restored. This is not a configuration decision to be made late in the acquisition cycle. It is an architecture decision that must be established at design. Programs that surface this requirement at System Acceptance Review will not have time to address it credibly.
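To make the constant-ATO and DDIL points above concrete, here is an added illustrative sketch (not DoD's or CSRMC's own tooling) of an on-platform posture monitor: it scores open findings locally, decides authorized/limit/disconnect against an assumed threshold even with no link to an enterprise dashboard, and buffers compromise indicators for store-and-forward reporting once connectivity returns. The severity weights, thresholds and system identifier are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds; illustrative, not CSRMC-defined values.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
DISCONNECT_THRESHOLD = 15           # posture score above which the system is cut off
LIMIT_THRESHOLD = DISCONNECT_THRESHOLD // 2   # above this, restrict but keep online


@dataclass
class PostureMonitor:
    """Runs on the platform itself, so the decision does not depend on connectivity."""
    system_id: str
    connected: bool = True
    findings: list = field(default_factory=list)   # open findings: (severity, detail)
    outbox: list = field(default_factory=list)     # indicators buffered while disconnected

    def record(self, severity: str, detail: str) -> list:
        """Register a finding; return reports delivered now (empty if buffered)."""
        self.findings.append((severity, detail))
        report = {"system": self.system_id, "severity": severity, "detail": detail}
        if self.connected:
            return [report]            # forwarded to the enterprise dashboard immediately
        self.outbox.append(report)     # store-and-forward until the link comes back
        return []

    def score(self) -> int:
        return sum(SEVERITY_WEIGHT[sev] for sev, _ in self.findings)

    def decision(self) -> str:
        """Local authorization state: evaluated continuously, not at a review date."""
        s = self.score()
        if s > DISCONNECT_THRESHOLD:
            return "disconnect"
        if s > LIMIT_THRESHOLD:
            return "limit"
        return "authorized"

    def reconnect(self) -> list:
        """Connectivity restored: flush everything queued while disconnected."""
        self.connected = True
        queued, self.outbox = self.outbox, []
        return queued


def ddil_scenario() -> tuple:
    """Constructed walk-through: two findings online, one critical while cut off."""
    m = PostureMonitor("platform-42")          # hypothetical system id
    m.record("high", "unpatched service on mgmt interface")
    m.record("high", "anomalous outbound beaconing")
    before = m.decision()                      # score 10 -> "limit"
    m.connected = False                        # link lost in the field
    delivered = m.record("critical", "tampered firmware hash")   # buffered, not sent
    during = m.decision()                      # score 20 -> "disconnect", decided locally
    flushed = m.reconnect()                    # one queued indicator reported on reconnect
    return before, delivered, during, len(flushed)
```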
The T&E Infrastructure Imperative
The CSRMC's threat-informed testing requirement exposes a persistent gap in how defense acquisition approaches cybersecurity validation. Running a penetration test against a sanitized lab configuration is categorically different from exercising a system against realistic adversary toolsets in an environment that replicates the operational network topology — including the degraded, denied, and congested conditions the system will encounter in contested operations. The construct's demand for credible threat-informed assessment before FOC creates a requirement for cyber range infrastructure that most program offices have not historically planned for, much less funded at scale.
The cost calculus here is not ambiguous. Discovering a critical vulnerability through adversarial testing during development — where the fix is an architecture change or a configuration update — is orders of magnitude cheaper than discovering the same vulnerability through continuous monitoring after operational deployment, where the fix may require taking a fielded system offline, issuing emergency patches across a distributed installation base, and potentially reporting a compromise to oversight authorities. The CSRMC's architecture makes this calculus explicit and ties authorization continuity to the quality of pre-deployment validation. That is the right policy. The question for program offices and their industry partners is whether they have the T&E infrastructure in place to execute against it — and whether they have accounted for that investment in their program baselines before it becomes a late-stage constraint.