The Pentagon is rolling out a new Risk Management Framework (RMF) in November 2025, promising faster approvals, stronger monitoring, and a push toward continuous risk management. Teams that rely on RMF today should expect risk decisions to become more frequent and more dynamic, driven by current monitoring data rather than periodic paperwork.
Why DoD Is Making This Move
The DoD says the new framework will include a set of "10 commandments" aimed at streamlining the process, cutting down on backlog, and making risk decisions faster. It is a response to a complaint many IT and cybersecurity leaders have voiced for years: the RMF as practiced is slow and paperwork-heavy.
Key Changes You’ll Notice
Based on the DoD's preview and on what the current RMF (NIST SP 800-37 Rev. 2) already encourages, here is what to expect:
Continuous ATOs – The RMF already says to “make the transition to ongoing authorization a priority,” but many organizations still treat ATOs as three-year cycles. Expect DoD to require proof that you can maintain authorization continuously.
Continuous Monitoring as the Backbone – RMF’s Prepare step requires an “organization-wide strategy for monitoring control effectiveness.” Under the new RMF, this will likely be more explicit and enforceable.
Automation Expected, Not Optional – NIST says agencies should “maximize the use of automation, wherever possible, to increase the speed, effectiveness, and efficiency of executing the steps in the RMF.” Tools that pull real-time security posture will be table stakes.
Tighter Role Definitions – Expect more clarity on who qualifies as a cybersecurity service provider and who can inherit common controls, tying directly to RMF's guidance to "identify, document, and publish common controls available for inheritance."
More Training and Governance – The Prepare step starts with assigning roles and establishing a risk management strategy. DoD’s new RMF will likely force leadership involvement and team education earlier in the process.
Steps to Take Before November
Inventory ATOs – Know which systems are in cycle, which are overdue, and which could transition to ongoing authorization.
Review Monitoring – Do you have near real-time visibility into controls? Are results centralized?
Automate Evidence Collection – Get ahead of requirements by reducing manual reporting.
Document Common Controls – Make inheritance clear and reduce duplicate effort.
Brief Leadership – Get buy-in now so governance and resources don’t become a bottleneck later.
This update is about both compliance and speed. The RMF is shifting from a once-every-few-years paperwork exercise to a continuous, data-driven process. Departments that invest in monitoring, automation, and governance now will be ready when the new RMF drops in November.