{"id":173809,"date":"2026-01-01T07:00:00","date_gmt":"2026-01-01T12:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/01\/defense-industry-welcomes-initial-csrmc-policy\/"},"modified":"2026-01-01T16:55:10","modified_gmt":"2026-01-01T21:55:10","slug":"defense-industry-welcomes-initial-csrmc-policy","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/01\/defense-industry-welcomes-initial-csrmc-policy\/","title":{"rendered":"Defense Industry Welcomes Initial CSRMC Policy"},"content":{"rendered":"<p><a href=\"https:\/\/www.afcea.org\/signal-media\/cyber-edge\/defense-industry-welcomes-initial-csrmc-policy\">Defense Industry Welcomes Initial CSRMC Policy<\/a><\/p>\n<p><a href=\"https:\/\/www.afcea.org\/signal-media\/cyber-edge\/defense-industry-welcomes-initial-csrmc-policy\">https:\/\/www.afcea.org\/signal-media\/cyber-edge\/defense-industry-welcomes-initial-csrmc-policy<\/a><\/p>\n<p>Publish Date: 2026-01-01 07:00:00<\/p>\n<p>Source Domain: <a href=\"www.afcea.org\">www.afcea.org<\/a><\/p>\n<p>Moreover, implementation of CSRMC will come down to those designing systems or acquiring them, Usserman ventured.\u00a0<\/p>\n<p>\u201cI see this a lot in applying zero trust,\u201d he said. \u201cZero trust is largely left up to the understanding of the architects and the program owners to implement. If you do not have any experience in how adversaries exploit systems, then you may not be able to best defend your network. 
And it is the same thing here.\u201d<\/p>\n<p>Officials need to be able to take into account the classified information related to how threat actors are actually exploiting networks to then implement appropriate controls, he stressed.\u00a0<\/p>\n<p>\u201cOne of the things that we often find, from a standards perspective, is the segregation of IT [information technology] versus cybersecurity teams,\u201d Usserman said. \u201cThe most functional groups are the ones that actually work together.\u201d\u00a0Proper implementation of CSRMC also needs to address the current reality of cloud-based assets, including multicloud and hybrid-cloud environments, with a real understanding of what is actually on one\u2019s network. This is \u201cparamount,\u201d he stated.\u00a0<\/p>\n<p>For Magdalena LoGrande, cybersecurity engineering fellow at Sigma Defense, the CSRMC is \u201cgoing in the right direction,\u201d but the policy will need strength and innovative consequences to ensure implementation.<\/p>\n<p>\u201cI think RMF was really moving in that direction before this,\u201d she said. \u201cSo, is this just a cosmetic change? Is it just a name change? Because I think what was missing from RMF was the teeth and the leadership buy-in.\u201d<\/p>\n<p>To add \u201cteeth\u201d or strength to the policy, CSRMC has to be addressed from an acquisition perspective, which the department is doing to a limited extent, LoGrande noted.\u00a0<\/p>\n<p>\u201cI do see oftentimes that the RFP language in contracts does not really address cybersecurity as an operational imperative,\u201d LoGrande said. \u201cThat has to be identified from the get-go. Then, it is the culture, the educational piece of continuing to drive programs to see cybersecurity as an engineering discipline.\u201d\u00a0<\/p>\n<p>The National Institute of Standards and Technology and some military components were already moving toward continuous monitoring and other aspects of the CSRMC. 
The policy must, however, be comprehensively implemented, and again, at an engineering level.\u00a0<\/p>\n<p>\u201cI believe those tenets were already in place, but I do not think that they are fully assimilated, internalized and implemented by programs,\u201d LoGrande noted. \u201cAnd I think a lot of it is probably driven by the fact that cybersecurity is still relatively stove-piped. It is not considered an element of engineering that has to be taken into account, as cost, performance and schedule factors are.\u201d<\/p>\n<p>The implementation must also be a robust framework, with industry understanding the breadth of such a policy. \u201cMany folks in our space still see cybersecurity as just an ATO [authority to operate], like, \u2018We just want an ATO,\u2019\u201d she noted. \u201cBut you could argue that you could have a very secure system that provides mission assurance. Even if it does not have an ATO and vice versa, you could have an ATO system that is not secure. Well, this is a framework to assess residual risk. The end is that we want secure systems that provide mission assurance and that, at the end of the day, is a fighting function.\u201d\u00a0<\/p>\n<p>That kind of framework has to be embraced by program managers, those who write requests for proposals and contracts, chief engineers and testers, she emphasized.<\/p>\n<p>\u201cI think we are slowly changing, but it needs to be solidified from an enforcement perspective,\u201d LoGrande stated. \u201cTypically, you want to have carrots, or incentives. You do not want to have a stick. 
You want to have intrinsic incentives, healthy incentives, which, honestly, are difficult to do.\u201d<\/p>\n<p>Here, she suggested the department look at successful pilot programs that operationalized cybersecurity on an engineering level, and where a return on investment was measured and achieved.<\/p>\n<p>\u201c[Those] that followed the spirit of the CSRMC already and this is how they saved money, that is the language that programs understand,\u201d LoGrande noted. \u201cAt the end of the day, they want to see a return on investment. When you are in the DOW, it is not business; it is mission, and everybody has to engage in trade-offs. But if there were shining examples that can prove that this is a way of doing it right, and this is actually going to save programs money, that could be useful.\u201d<\/p>\n<p>However the CSRMC is implemented, it must succeed, given the risks, Smith said.\u00a0\u00a0<\/p>\n<p>\u201cCyber attackers, they can adapt, and really their goal in life is to adapt faster than we can actually implement controls or preventative measures to keep them from doing the bad things that they do,\u201d Smith advised.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Defense Industry Welcomes Initial CSRMC Policy https:\/\/www.afcea.org\/signal-media\/cyber-edge\/defense-industry-welcomes-initial-csrmc-policy Publish Date: 2026-01-01 07:00:00 Source Domain: www.afcea.org 
Author:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":173810,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.afcea.org\/sites\/default\/files\/styles\/medium\/public\/2025-12\/F7_CSRMCpic1JAN26.jpeg?itok=u0uTYBUQ","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31],"class_list":["post-173809","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/173809"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=173809"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/173809\/revisions"}],"predecessor-version":[{"id":173811,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/173809\/revisions\/173811"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/173810"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=173809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=173809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=173809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}