topic DoW Cybersecurity Risk Management Construct (CRMC) in Industry News

DoW Cybersecurity Risk Management Construct (CRMC)

Until_then — Tue, 30 Sep 2025 12:52:27 GMT

https://www.war.gov/News/Releases/Release/Article/4314411/department-of-war-announces-new-cybersecurity-risk-management-construct/

I have read that many feel that this is replacing RMF. I never read or heard anything about OMB Circular A-130 being modified. A-130 (which extends from FISMA) specifically states that all US federal agencies will follow the NIST RMF. Anyone with insight?

Re: DoW Cybersecurity Risk Management Construct (CRMC)

nkeaton — Fri, 26 Sep 2025 19:34:56 GMT

@Until_then Maybe they are trying to expand it? This oddly pairs well with something that I read earlier today: publications.armywarcollege.edu/News/Display/Article/4305189/who-is-in-charge-of-cyber-incidence-response-in-the-homeland

Re: DoW Cybersecurity Risk Management Construct (CRMC)

emb021 — Mon, 29 Sep 2025 13:34:56 GMT

As I understand it, this NEW Cybersecurity Risk Management Construct (CSRMC) is SEPARATE from RMF as it deals with software development.

Oh, so you think something from the federal government, which the DOW is, is somehow "illegal"???

Re: DoW Cybersecurity Risk Management Construct (CRMC)

Until_then — Tue, 30 Sep 2025 12:44:50 GMT

Agreed. Looks like an add-on to improve rather than replace.

Re: DoW Cybersecurity Risk Management Construct (CRMC)

Until_then — Tue, 30 Sep 2025 12:46:53 GMT

DoD is part of the federal govt. It is not by itself the federal govt. I have heard there are US federal agencies out there that are not even following RMF which is against the FISMA and OMB A-130 mandate.

Re: DoW Cybersecurity Risk Management Construct (CRMC)

emb021 — Tue, 30 Sep 2025 18:36:07 GMT

@Until_then wrote: "DoD is part of the federal govt. It is not by itself the federal govt."

Yes, but CRMCS is an add-on to RMF, not a replacement. This is little different then the creation of the CMMC within the DOD to address DFARS matters.

@Until_then "I have heard there are US federal agencies out there that are not even following RMF which is against the FISMA and OMB A-130 mandate."

Yeah, because the RMF is a beast. This is why many agencies are wanting to use the NIST CSF to get themselves to meeting RMF.

Re: DoW Cybersecurity Risk Management Construct (CRMC)

SprunkiRetake — Fri, 03 Oct 2025 07:16:04 GMT

I’ve seen the same confusion, but as far as I know, OMB Circular A-130 hasn’t changed, and it still mandates NIST RMF under FISMA. A lot of the “replacement” talk seems to come from misunderstanding new frameworks or tools being introduced—not actual policy shifts. Took a break with Sprunki Retake while reading up on this, and it really helped me refocus!