Pentagon unveils new cybersecurity framework to counter real-time threats

The five-phase construct emphasizes automation and continuous monitoring over checklists to protect defense systems.
The Defense Department has released its revamped Cyber Security Risk Management Construct (CSRMC) to enable more real-time cyber defenses.
The construct has five phases that DOD says will help operators maintain a technological edge against cyber threats.
The new approach seeks to move away from checklists and manual processes that cannot keep up with evolving threats, DOD said in its Wednesday announcement.
The construct’s five phases are:
- Design phase, where security is embedded into the systems architecture.
- Build phase, in which secure designs are implemented as systems achieve initial operating capability.
- Test phase for validation and stress testing.
- Onboard phase, where automated, continuous monitoring is activated.
- Operations phase, which includes real-time dashboards and alerting mechanisms for immediate detection and response.
The CSRMC also includes 10 foundational tenets:
- Automation to drive efficiency and scale
- Critical controls
- Continuous monitoring
- The DevSecOps software development practice
- Cyber survivability
- Training
- Enterprise services and inheritance to reduce duplication and compliance burdens
- Operationalization
- Reciprocity
- Cybersecurity assessments
"This construct represents a fundamental shift in how the Department approaches cybersecurity," said Katie Arrington, who is performing the duties of DOD's chief information officer. "With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the [Defense Department] to defend against today's adversaries while preparing for tomorrow's challenges."
DOD also posted slides on the Cyber Security Risk Management Construct, along with the strategic tenets.