Until_then
Contributor I

DoW Cybersecurity Risk Management Construct (CRMC)

https://www.war.gov/News/Releases/Release/Article/4314411/department-of-war-announces-new-cybersecur...

I have read that many feel that this is replacing RMF. I never read or heard anything about OMB Circular A-130 being modified. A-130 (which extends from FISMA) specifically states that all US federal agencies will follow the NIST RMF. Anyone with insight?

6 Replies
nkeaton
Advocate II

@Until_then Maybe they are trying to expand it? This oddly pairs well with something that I read earlier today: publications.armywarcollege.edu/News/Display/Article/4305189/who-is-in-charge-of-cyber-incidence-response-in-the-homeland

emb021
Advocate I

As I understand it, this NEW Cybersecurity Risk Management Construct (CSRMC) is SEPARATE from RMF as it deals with software development.

Oh, so you think something from the federal government, which the DOW is, is somehow "illegal"???


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Until_then
Contributor I

Agreed. Looks like an add-on to improve rather than replace.
Until_then
Contributor I

DoD is part of the federal govt. It is not by itself the federal govt. I have heard there are US federal agencies out there that are not even following RMF which is against the FISMA and OMB A-130 mandate.
emb021
Advocate I

@Until_then wrote: "DoD is part of the federal govt. It is not by itself the federal govt."

Yes, but CRMCS is an add-on to RMF, not a replacement. This is little different than the creation of the CMMC within the DOD to address DFARS matters.

@Until_then "I have heard there are US federal agencies out there that are not even following RMF which is against the FISMA and OMB A-130 mandate."

Yeah, because the RMF is a beast. This is why many agencies are wanting to use the NIST CSF to get themselves to meet RMF.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
SprunkiRetake
Viewer

I’ve seen the same confusion, but as far as I know, OMB Circular A-130 hasn’t changed, and it still mandates NIST RMF under FISMA. A lot of the “replacement” talk seems to come from misunderstanding new frameworks or tools being introduced—not actual policy shifts. Took a break with Sprunki Retake while reading up on this, and it really helped me refocus!