Sorry, it is a "construct" now. Also, we have "war.gov" as a domain.
https://www.war.gov/News/Releases/R...-new-cybersecurity-risk-management-construct/
DoD issues replacement for risk management framework - Breaking Defense
https://media.defense.gov/2025/Sep/...-CYBER-SECURITY-RISK-MANAGEMENT-CONSTRUCT.PDF
This is funny because we're already doing a lot of this. I love the intent here, to be more dynamic, but some of this is just increased overhead. While I won't share the message because it is CUI, I find it funny it lists the tools you can use that are recommended or being evaluated. Two of them by name. Two. This feels like the CompTIA cash grab that occurred over a decade ago.
The framework...construct also sounds great but fails to mention that contracts will prohibit this from being a widespread reality. They will have to be rewritten, but the compliance timeline is a bit short for some of this to happen. There's also no mention of standalone systems, and I'm sure those details are being worked out, but some standalone systems cannot connect to anything without additional funding. Some of the new data requirements will be a nightmare for some commands; more money spent with little appreciable gain.
The devil's in the details and I'll wait to see how it sorts out. If the past is an indicator, we're going to shell out more money and time to "do" what we're already doing. Remember something we've all learned or experienced: once the government takes or adds, it rarely returns or subtracts.
And all of this while we're still trying to figure out how to implement other nerd changes into RMF? Uh, okay.