Length: 2 Days

Certified Cybersecurity Risk Management Construct (CSRMC) Certification Program by Tonex

Certified Cybersecurity Risk Management Construct (CSRMC)

Mission-Driven RMF Operationalization Across the System Lifecycle. The Tonex Certified CSRMC course provides a practical, operational understanding of the DoD Cybersecurity Risk Management Construct (CSRMC)—a modernized approach to managing cyber risk that is faster, less burdensome, automation-enabled, and mission-focused.

Built directly on the CSRMC lifecycle diagram, this course teaches how RMF activities are distributed across Design, Build, Test, Onboard, and Operations, with tight integration of:

  • NextGen CSSP
  • ISCM & continuous monitoring
  • Critical controls
  • DevSecOps
  • cATO
  • Cyber survivability
  • Operational decision-making

Participants learn how CSRMC reimagines RMF to give commanders and leaders real-time, mission-relevant cyber risk visibility.

Learning Objectives

By the end of this course, participants will be able to:

  • Explain the CSRMC philosophy, structure, and strategic tenets.
  • Apply CSRMC across the full system lifecycle.
  • Integrate RMF steps into continuous, operational workflows.
  • Understand the role of NextGen CSSP in onboarding and operations.
  • Design ISCM-driven continuous authorization (cATO) models.
  • Apply automation, critical controls, and survivability requirements.
  • Make operational cyber risk decisions during live operations.
  • Align DevSecOps, assessments, and reciprocity under CSRMC.

Target Audience

  • Cybersecurity and RMF professionals
  • Program Managers and System Owners
  • Mission Owners and Operational Leaders
  • CSSP / SOC personnel
  • DoD contractors and integrators
  • Acquisition and engineering teams

Prerequisites

  • Familiarity with RMF concepts (NIST 800-37/53) recommended
  • No prior CSRMC experience required

2-Day Program Modules

DAY 1 – CSRMC Foundations & Lifecycle Integration

Module 1: CSRMC Overview & Strategic Tenets

  • Why CSRMC was created
  • CSRMC vs traditional RMF
  • Mission-centric risk management
  • Strategic tenets:
      • Automation
      • Critical controls
      • Continuous monitoring (CONMON)
      • DevSecOps operationalization
      • Cyber survivability
      • Enterprise services & inheritance
      • Reciprocity
      • Cybersecurity assessments

Workshop 1 – RMF vs CSRMC Comparison

  • Map pain points of traditional RMF
  • Identify where CSRMC accelerates decision-making

Module 2: Phase 1 – DESIGN (RMF: Prepare, Categorize, Select)

  • Capability need identification
  • Selecting functional, cybersecurity, and cyber survivability requirements
  • Team formation:
      • Mission Owner
      • System Owner / PM
      • Engineers
      • CSSP
  • Early mission risk framing

Workshop 2 – Mission-Driven Security Design

  • Define mission objectives
  • Identify security and survivability requirements

Module 3: Phase 2 – BUILD (IOC) (RMF: Implement)

  • Implementation of security requirements
  • Feeding data into ISCM alignment systems
  • DevSecOps integration
  • Automation of security evidence
  • Preparing systems for evaluation

Workshop 3 – Security Implementation Mapping

  • Map controls to automated evidence
  • Identify build-time security data sources

Module 4: Phase 3 – TEST (FOC) (RMF: Assess)

  • Mission customization for ISCM
  • Vulnerability remediation and assessment teams
  • Penetration testing (high-risk systems)
  • Automated test reporting dashboards
  • Assess & remediate loop

Workshop 4 – Test & Remediation Planning

  • Decide what gets tested, when, and why
  • Prioritize remediation by mission risk

DAY 2 – Onboarding, Operations & Continuous Risk Decisions

Module 5: Phase 4 – ONBOARD (RMF: Authorize)

  • NextGen CSSP role in CSRMC
  • Full onboarding vs partial onboarding:
      • Isolation
      • Re-sensoring
      • Additional risk review
  • Validation of critical controls and mandatory artifacts
  • Transition to cATO mindset

Workshop 5 – Onboarding Decision Exercise

  • Determine onboarding path for a system
  • Justify authorization decisions

Module 6: Phase 5 – OPERATIONS (RMF: Monitor)

  • System acceptance for ISCM
  • Continuous monitoring and data redirection
  • Automated dashboards and alerts
  • CSSP watch officer decision authority
  • Disconnect decisions for high risk

Workshop 6 – Live Operations Scenario

  • Respond to real-time risk indicators
  • Decide when to isolate or disconnect systems

Module 7: CSRMC, cATO & Continuous Risk Management

  • Continuous authorization concepts
  • Risk-based monitoring
  • Control effectiveness vs compliance
  • Operational feedback loops
  • Reciprocity and reuse of assessments

Workshop 7 – cATO Design Exercise

  • Design a continuous authorization model
  • Identify decision thresholds

Module 8: CSRMC Capstone – End-to-End Lifecycle Exercise

  • Capstone Exercise
  • Participants walk a system through:
      • Design
      • Build
      • Test
      • Onboard
      • Operate
  • Using the CSRMC construct, teams:
      • Identify risks
      • Validate controls
      • Make authorization decisions
      • Respond to operational threats

Examination Description

Tonex Certified CSRMC Exam

  • Format: Multiple-choice + scenario-based questions
  • Number of Questions: 40
  • Duration: 90 minutes
  • Passing Score: 70%

Exam Domains

  1. CSRMC Concepts & Strategic Tenets
  2. Lifecycle Integration (Design → Operations)
  3. RMF Alignment & Continuous Authorization
  4. ISCM, Automation & Critical Controls
  5. NextGen CSSP & Operational Decision-Making

Certification Awarded

Upon successful completion, participants earn:

Tonex Certified Cybersecurity Risk Management Construct (CSRMC) Professional

Course Positioning

This course:

  • Complements RMF training
  • Aligns with DoD CIO guidance
  • Supports NextGen CSSP onboarding
  • Prepares teams for real-time cyber risk decisions
