New DOW Cyber Construct Aims for ‘Machine-Speed’ Defense
CSRMC embeds automation, telemetry and secure‑by‑design principles to outpace modern adversaries and unify risk posture.
The Pentagon’s new risk management plan will “deliver real-time cyber defense at operational speed” and modernize cybersecurity defenses, according to War Department officials. The plan, released in September, is set to shift the military’s posture from “snapshot in time” compliance to a state of continuous, real-time cyber defense.
“This construct represents a cultural shift in how the department approaches cybersecurity,” said Katie Arrington, formerly performing the duties of the Pentagon CIO, in a September press release. “With automation, continuous monitoring and resilience at its core, the CSRMC empowers the DOW to defend against today’s adversaries while preparing for tomorrow’s challenges.”
A New Era of Continuous Monitoring
According to DOW officials, the CSRMC is a direct response to the limitations of manual checklists that failed to account for modern operational speed and the evolving sophistication of adversaries. The CSRMC aims to provide “cyber defense at the speed of relevance” for warfighters across all domains, by institutionalizing automation and real-time monitoring.
“We need continuous monitoring. We need secure by design. We need to have red team capability. We need training, for sure, and ensuring that we have the right technical people working on the problem at hand,” Arrington told GovCIO Media & Research ahead of the release last year. “It shouldn’t be a document. It should be a living, breathing culture.”
A Five-Phase Evolution
The CSRMC organizes the system lifecycle into five phases: Design, Build, Test, Onboard and Operate. Unlike the previous Risk Management Framework (RMF), the design phase now mandates that resilience be baked into the system architecture from the outset.
Under the RMF, an Authority to Operate (ATO) was often treated as an endpoint, Shery Thomas, enterprise IT officer at Navy Installations Command, said in an interview with GovCIO Media & Research. Under the CSRMC, staff needs to see better cybersecurity as a persistent and evolving status.
“The biggest hurdle is getting people … to stop thinking from a three-year approval process to thinking of cybersecurity as a continuous state,” said Thomas. “[Cyber officials now have to have] mitigations in place to act on the fly and posture resiliency for zero days.”
Ten Strategic Tenets
According to DOW, the CSRMC is based on 10 core principles guiding continuous cybersecurity posture.
- Cybersecurity assessments: Establish comprehensive assessment programs that integrate threat-informed testing methodologies with mission-aligned risk management processes.
- Enterprise and inheritance: Share security controls, policies and risk determinations to increase adoption of proven frameworks, reduce compliance burdens and maintain operational consistency.
- Critical controls: Adhere to identified critical controls and adaptive recovery strategies to strengthen defenses, ensure operational continuity and protect sensitive assets.
- Reciprocity: Accept security assessments conducted by other organizations to reuse system resources, share security posture information and reduce duplicative efforts.
- Continuous monitoring, controls and authorization to operate: Provide real-time visibility into threats, vulnerabilities and compliance gaps through continuous monitoring.
- DevSecOps: Integrate security and automation into continuous development, testing and deployment processes to accelerate delivery while maintaining security.
- Operationalization: Strengthen defenses against evolving threats through threat detection, incident response, compliance management and proactive monitoring.
- Cyber survivability: Protect systems and data from cyber threats, disruptions and breaches through strong encryption, multi-factor authentication, continuous monitoring and incident response planning.
- Training: Enhance role-based training for Risk Management Framework practitioners to ensure consistent performance, cybersecurity knowledge and adherence to standards.
- Automation: Use automation to improve risk management by streamlining processes, reducing human error and increasing efficiency.
Redefining Vendor Relations
The shift is also transforming how DOW and its components interact with the private sector. The onboard phase fundamentally changes the requirements for third-party vendors and contractors. Thomas added that the goal is to see secure-by-design implemented in all new hardware and software, including those within acquisition.
“I want to see cybersecurity baked in to all their new hardware or software tech. It’s not after fact, but how are [vendors] continuously intertwining cyber? [If they] assume breach, what happens to your system functionality now?” Thomas said.
The CSRMC urges vendors to be more proactive in creating longer life cycles for products, Arrington said, adding speed is critical to cybersecurity and risk management.
“Anything that we do, we need to do expediently and get it out there. I don’t want this to languish,” Arrington said.
Real-Time Defense and ‘Machine Speed’
The CSRMC emphasizes “cyber defense at operational speed,” a requirement that demands a clear distinction between mechanical failures and malicious activity in real time, according to officials.
Through the use of cyber planning response cells and zero-trust architectures, Thomas said that teams can now pinpoint cyber anomalies versus breaches or human error. This posture lowers the overall risk and provides essential containment layers during any mission-critical failures. The transition also requires an upskilling of the DOW workforce, according to Thomas.
“Machine-speed defense is something that must be recognized by the workforce,” he said. “Systems need to have the ability to react upon anomaly detection to ‘lower the temperature’ until human override or input.”
With the new CSRMC, DOW aims to ensure that its cybersecurity systems are compliant and resilient. For Thomas, the end goal is a unified language of risk across the enterprise.
“Everyone talks on the same lingo and the communication is the same across the board,” Thomas said. “We all understand the risk posture at the same level and how a cyber issue at any layer affects multiple other things across a system of systems.”