{"id":17584,"date":"2025-09-26T09:10:49","date_gmt":"2025-09-26T12:10:49","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=17584"},"modified":"2025-09-26T09:10:49","modified_gmt":"2025-09-26T12:10:49","slug":"el-departamento-de-defensa-de-eeuu-reemplaza-el-modelo-de-gestion-de-riesgos-de-ciberseguridad","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=17584","title":{"rendered":"The US Department of Defense replaces its cybersecurity risk management model"},"content":{"rendered":"<p>The Department of Defense presented a new five-phase framework for assessing cyber risks on its networks, called the Cybersecurity Risk Management Construct, to replace its old risk management system. The previous Risk Management Framework relied excessively on static checklists and manual processes that did not account for operational needs or cyber survivability requirements.<\/p>\n<hr \/>\n<p>WASHINGTON \u2014 The Department of Defense unveiled a new five-phased framework for assessing cyber risks on its networks, dubbed the Cybersecurity Risk Management Construct, to replace its old risk management system.<\/p>\n<p>\u201cThe previous Risk Management Framework was overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements. These limitations left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field,\u201d a statement from the department said. 
\u201cThe CSRMC addresses these gaps by shifting from \u2018snapshot in time\u2019 assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.\u201d<\/p>\n<p>According to the statement, the new framework involves a five-phase lifecycle aligned to system development and operations with an additional ten foundational tenets.<\/p>\n<p>The five-phased lifecycle includes:<\/p>\n<ul class=\"wp-block-list\">\n<li>a design phase where security is embedded at the outset, ensuring resilience is built into system architectures;<\/li>\n<li>a build phase where secure designs are implemented as systems achieve Initial Operating Capability;<\/li>\n<li>a test phase where comprehensive validation and stress testing are performed prior to Full Operating Capability;<\/li>\n<li>an onboard phase where automated continuous monitoring is activated at deployment to sustain system visibility; and<\/li>\n<li>an operations phase where real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.<\/li>\n<\/ul>\n<p>Among the ten core principles, the DoD listed automation to drive efficiency; continuous monitoring and authority to operate to enable real-time situational awareness; DevSecOps to support secure and agile development; cyber survivability to enable operations in contested environments; and cybersecurity assessment to integrate threat-informed testing to validate security.<\/p>\n<p>\u201cThis construct represents a cultural fundamental shift in how the Department approaches cybersecurity,\u201d\u00a0<a href=\"https:\/\/breakingdefense.com\/tag\/katie-arrington\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Katie Arrington (Opens in a new window)\">Katie Arrington<\/a>, who is performing the duties of the DoD chief information officer, said. 
\u201cWith automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW [Department of War] to defend against today\u2019s adversaries while preparing for tomorrow\u2019s challenges,\u201d she added, using the Trump administration\u2019s new moniker for the DoD.<\/p>\n<p>Arrington has derided the old process, on several occasions vowing to\u00a0<a href=\"https:\/\/breakingdefense.com\/2025\/05\/how-a-key-pentagon-tech-leader-plans-on-blowing-up-outdated-software-risk-framework\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"blow up the old RMF (Opens in a new window)\">blow up the old RMF<\/a>, describing it as outdated and not operationally effective.<\/p>\n<p>The DoD notes in its statement that by institutionalizing the new construct, it is ensuring cyber survivability and mission assurance in every domain.<\/p>\n<p>But one expert isn\u2019t so sure the new process differs much from the previous one.<\/p>\n<p>\u201cOverall, I am not seeing how this process will expedite the risk management framework process or how it addresses the supply chain vulnerabilities,\u201d Georgianna Shea, chief technologist at the Foundation for Defense of Democracies Center on Cyber and Technology Innovation, said. \u201cIt seems more like a rearranging of current processes under a new name without substantial change.\u201d<\/p>\n<p>For example, she noted the first phase, design, could be stronger on cyber-informed engineering and adding penetration testing to identify design vulnerabilities. As it currently stands, it keeps cybersecurity as an add-on to the design.<\/p>\n<p>Phase two, build, doesn\u2019t articulate quantifiable metrics yet. 
Instead, she noted, it should include measurable survivability parameters.<\/p>\n<p>On phase five, operation, Shea said the concern with empowering cybersecurity service providers as watch officers that can disconnect systems in real time is the potential for unintended mission disruption.<\/p>\n<p>A disconnect action could remove critical capabilities at a key moment.<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/breakingdefense.com\/2025\/09\/dod-issues-replacement-for-risk-management-framework\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/breakingdefense.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Department of Defense presented a new five-phase framework for assessing cyber risks on its networks, called the Cybersecurity Risk Management&hellip; <\/p>\n","protected":false},"author":1,"featured_media":17585,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/17584"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17584"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/17584\/revisions"}],"predecessor-version":[{"id":17586,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/17584\/revisions\/17586"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/
media\/17585"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}