Saturday, September 27th, 2025

War Department announces cybersecurity defense framework

The U.S. War Department (DoW) will implement a new Cybersecurity Risk Management Construct (CSRMC) to harden defenses against cyber-attacks directed at military assets.

The CSRMC is a five-phase construct designed to deliver real-time cyber defense at operational speed, officials said. The construct will create a continuously monitored and actively defended environment that, the department said, will “ensure that U.S. warfighters maintain technological superiority” against cyber threats.

“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” Katie Arrington, performing the duties of the DoW CIO, said. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges.”

Officials said the new construct will address shortcomings in the risk management framework, which was overly reliant on static checklists and manual processes that, they said, did not account for operational needs and cyber survivability requirements. Those weaknesses left defense systems vulnerable to adversaries and slowed the delivery of secure capabilities to the field, they said.

The new CSRMC would shift defenses to dynamic, automated and continuous risk management that would enable cyber defense at speeds “required for modern warfare.”

The construct consists of five phases – design, build, test, onboard and operations – that would uphold 10 tenets – automation, critical controls, continuous monitoring, development and deployment, cyber survivability, training, enterprise services, operationalization, reciprocity, and cybersecurity assessments.

The first phase would assess what capabilities are needed, while the second phase would feed that data into the Information System Continuous Monitoring System to create a system for evaluation. That system would test for vulnerabilities and reassess strategies before coming up with a system to address threats. Once the system has been tested, it would be implemented over the entire department information network, the department said in a memo.

“This construct is intended to produce a culture, mindset and process that reimagines cyber risk management to be faster in keeping with the rate of change; more effectively assesses and conveys risk; and is less burdensome to cyber and acquisition professionals while ultimately providing operational combatant commanders with an accurate understanding of cyber risk to mission,” the department said.