In partnership with

Read on grclab.com | Read time: 3 minutes

Welcome to GRC Lab, a weekly newsletter where we provide actionable advice to help you launch, grow and accelerate your career in Governance, Risk and Compliance.

P.S. You can find free tutorials on our YouTube Channel.

Inside this Edition

Here’s what we got for you today:

  • Next-Gen Cyber Defense: DoW Unveils New Cybersecurity Risk Management Construct

  • Links to some of our most popular articles.

GRC Spotlight

Next-Gen Cyber Defense: DoW Unveils New Cybersecurity Risk Management Construct

CYBER SECURITY RISK MANAGEMENT CONSTRUCT

The Department of War (DoW) has announced a significant evolution in its approach to cybersecurity with the introduction of the new Cybersecurity Risk Management Construct (CSRMC). This move marks a departure from the long-standing NIST Risk Management Framework (RMF), signaling a shift towards a more dynamic and automated approach to cyber defense. You can read the full announcement here.

Become An AI Expert In Just 5 Minutes

If you’re a decision maker at your company, you need to be on the bleeding edge of, well, everything. But before you go signing up for seminars, conferences, lunch ‘n learns, and all that jazz, just know there’s a far better (and simpler) way: Subscribing to The Deep View.

This daily newsletter condenses everything you need to know about the latest and greatest AI developments into a 5-minute read. Squeeze it into your morning coffee break and before you know it, you’ll be an expert too.

Subscribe right here. It’s totally free, wildly informative, and trusted by 600,000+ readers at Google, Meta, Microsoft, and beyond.

The DoW states the RMF has become "overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements." The CSRMC, in contrast, aims to enable "cyber defense at the speed of relevance required for modern warfare" by focusing on automation, critical controls, and continuous monitoring.

CSRMC
“Cyber Security Risk Management Construct”

The New 5-Phase Lifecycle

At the heart of the CSRMC is a five-phase lifecycle that aligns with system development and operations:

  • Design Phase: Security is embedded at the outset, ensuring resilience is built into the system architecture.

  • Build Phase: Secure designs are implemented as systems achieve Initial Operating Capability (IOC).

  • Test Phase: Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).

  • Onboard Phase: Automated continuous monitoring is activated at deployment to sustain system visibility.

  • Operations Phase: Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.

From 7 Steps to 5 Phases: A Paradigm Shift

The CSRMC's five phases represent a streamlined and more integrated approach compared to the seven steps of the NIST RMF:

RMF Steps

CSRMC Phase

1. Prepare

Phase 1: Design

2. Categorize

Phase 1: Design

3. Select

Phase 1: Design

4. Implement

Phase 2: Build

5. Assess

Phase 3: Test

6. Authorize

Phase 4: Onboard

7. Monitor

Phase 5: Operations

Key Takeaways

The introduction of the CSRMC signifies a major shift in the DoW's cybersecurity strategy, with a clear emphasis on:

  • Automation: To increase the speed and efficiency of risk management.

  • Continuous Monitoring: To achieve real-time situational awareness and a constant state of authorization.

  • Integration: Embedding security into the development lifecycle from the very beginning (DevSecOps).

  • Cyber Survivability: Enabling operations to continue even in contested cyber environments.

This new construct is not just a replacement for the RMF; it's a fundamental change in mindset, moving from a compliance-based approach to a risk-based, operational, and data-centric model. As the DoW rolls out the CSRMC, contractors and stakeholders can expect a greater emphasis on automated security solutions, real-time data, and a more agile and responsive approach to cybersecurity.

ISO 27001 Documentation: Security Controls

Learn the essentials of cybersecurity risk management in this beginner-friendly guide. Explore key concepts like threats, vulnerabilities, and security controls, and discover how the NIST Cybersecurity Framework 2.0 and ISO 27001 help organizations protect data and achieve their goals.

grclab.com/iso27001-docs/controls

ISO 27001 Documentation: Project Plan

Discover a proven 12-step approach to implement ISO 27001 and achieve certification. Simplify your ISMS with GRC Lab’s ISO 27001 Project Toolkit, featuring a 450-task project plan, policy templates, and more.

grclab.com/iso27001-docs/project-plan

Test your Knowledge

Today’s question is from the CISM curriculum:

Which of the following is MOST important for ensuring data integrity during a disaster recovery process?

A) Encryption
B) Data validation checks
C) Backup frequency
D) Physical security measures

👉 Think you know the answer? Scroll down for the solution!

Share the Lab

Give yourself a free “MBA” in GRC with our library of must-have resources for every GRC professional.

👉 Refer just 1 friend and we’ll send over the database.

Your current referral count: {{ rp_num_referrals }}

Share with friends

Or share your personal link with others: {{ rp_refer_url }}

Your Feedback Matters

How helpful was today's Email?

If this issue were an audit finding, how would you rate its impact?

Login or Subscribe to participate

Answer: The correct answer is B.

A) Encryption is important for security but not directly related to data integrity during recovery.
B) Data validation checks ensure that the data being restored is accurate.
C) Backup frequency is important but secondary to data validation.
D) Physical security measures are important but not directly related to data integrity during recovery.

Keep Reading

No posts found

© 2025 Aron Lange.

Privacy policy

Terms of use

Powered by beehiiv