Most of the standards that govern defense cybersecurity today are designed in the United States. NIST writes them, the U.S. Department of Defense (DoD) applies them, and allied nations follow.
Since 2010, the DoD has operated the Risk Management Framework (RMF), a six-step risk management process built on NIST SP 800-53. For more than a decade, RMF served as the reference point for defense cybersecurity across allied nations. But its structural limitations were clear: document-driven processes, periodic assessments, and static authorizations.
In September 2025, the DoD announced the Cybersecurity Risk Management Construct (CSRMC) to replace RMF. The shift is fundamental: from static checklists to automation, continuous monitoring, and platform-centric operations. The DoD designed this transition around a target of full Zero Trust implementation by FY2027.
This change is not an American story alone.
The same standard, adapted nation by nation
The Five Eyes allies (the United Kingdom, Canada, and Australia) and other key security partners have each built and operated their own cybersecurity risk management frameworks. All of them reference the NIST body of work. All of them redesigned it for their own military and government environments.
| Country | Framework | Established | Relationship to U.S. RMF |
|---|---|---|---|
| United States | DoD RMF → CSRMC | 2010 (CSRMC: 2025) | Original |
| Australia | ISM + IRAP | Early 2010s | Direct reference to NIST SP 800-37 |
| Canada | ITSG-33 | 2012 | Directly mapped to NIST SP 800-53 |
| United Kingdom | NCSC CAF + JSP 440 | CAF: 2018 / JSP 440: 1990s | References NIST, evolved independently |
| Japan | MoD Cybersecurity Standards | Date unconfirmed | Applied DoD RMF directly for F-35 |
| South Korea | K-RMF | Development began 2020; formalized 2024 | Based on DoD RMF + ISO 27001 |
What the table doesn’t show is how these frameworks spread beyond the Five Eyes: Japan and South Korea both applied RMF directly through F-35 programs and defense cooperation with the United States, then built national frameworks on that foundation.
Every one of these countries went beyond simply following the U.S. standard. Each built an independent framework suited to its own environment. K-RMF belongs to the same movement — with one distinction. Korea is launching K-RMF at the very moment the United States is transitioning to CSRMC. That timing means K-RMF can be designed from the start around automation and continuous monitoring, rather than retrofitting them later.
Korea’s K-RMF: Built on RMF, Not Yet Automated
In 2020, the Republic of Korea Ministry of National Defense began developing K-RMF, based on the U.S. DoD RMF and ISO 27001. The DoD requires F-35 operator nations to comply with RMF standards, and the Korean military has applied them in practice. Following consultations at the ROK–U.S. ICT Cooperation Committee in 2021 and the signing of a joint cybersecurity guideline memorandum between the ROK JCS and USFK in 2023, K-RMF was formalized in April 2024.
K-RMF applies 761 security controls across the full lifecycle of weapon systems. Today, all 761 controls are reviewed manually. Assessing a single information system takes more than a month, and consistency is difficult to maintain across different assessors. There is also no continuous monitoring mechanism to track risk changes after authorization.
This is precisely why K-RMF needs to move in the direction CSRMC has set: automation and continuous monitoring.
CMMC: the same root, extended to the supply chain
K-RMF governs systems inside the military. CMMC (Cybersecurity Maturity Model Certification), which grew from the same NIST foundation, extends that scope to the entire DoD supply chain. It is a defense supply chain certification program that applies to every company and subcontractor doing business with the DoD.
CMMC Level 2 requires 110 controls based on NIST SP 800-171 — a defense-supply-chain-focused subset of NIST SP 800-53.
Since enforcement began in November 2025, more than 220,000 companies worldwide have come under its direct scope. That includes Korean defense exporters, Korean IT companies participating in DoD contracts, and Korean subcontractors of U.S. prime contractors. A growing number of organizations now need to understand and respond to both frameworks at once: K-RMF inside the military, and CMMC across the supply chain.
What a framework transition requires: NAC + ZTNA + EDR
Whether the framework is K-RMF or CMMC, both demand the same foundation: the ability to identify and control everything connected to the network. Automation and continuous monitoring are impossible without it.
- NAC (Network Access Control) identifies every device attempting to connect to the network and controls access according to policy. The asset identification and access control that K-RMF and CMMC require cannot begin without NAC. In military closed-network environments — where unmanaged devices, OT equipment, and legacy systems coexist — Layer 2 visibility is the starting point of security control.
- ZTNA (Zero Trust Network Access) verifies users, devices, and context at every session, granting least-privilege access only to the resources required. CSRMC’s Zero Trust direction, K-RMF’s continuous monitoring, and CMMC’s remote access requirements all connect directly to ZTNA. Broad-access VPN architectures cannot meet these requirements.
- EDR (Endpoint Detection and Response) detects and responds to endpoint behavior in real time. If NAC answers “what is connected” and ZTNA answers “who is accessing what,” EDR tracks “what is happening inside the device.” When the three technologies work together, the visibility, control, and continuous monitoring that K-RMF and CMMC require come together as a single operational system.
21 years in the field — and preparing for what comes next
Genians has operated these technologies in real military environments. Founded in 2005, Genians holds more than 70% of Korea’s public-sector NAC procurement market, serves over 5,000 customers worldwide, and is listed as a Representative Vendor by Gartner. The company has successfully delivered defense cybersecurity projects across every branch of the Korean armed forces — Army, Navy, Air Force, and Marine Corps. That record reflects a first-hand understanding of the real constraints of military closed networks and how security controls actually get applied in the field.
On June 26, at the Presidential Strategy Meeting on Fostering Future New-Security Innovation Companies, chaired by President Lee Jae-myung, the Korean government set a goal of fostering five new-security companies valued at over ₩1 trillion and fifty companies with over ₩100 billion in revenue by 2030. Genians CEO Dong-Bum Lee attended the meeting and presented the perspective of a private-sector cybersecurity innovator, framed around the convergence of K-defense and K-security.
Following a standard versus operating one
Building on this field experience, Genians continues to advance security technologies purpose-built for closed networks and dedicated infrastructure — the environments where national cyber defense actually operates in the AI era. This includes technologies for running AI models safely in air-gapped environments, AI guardrails, improving Compliance Velocity, and advancing security operations built on real-time threat analysis.
Digital sovereignty does not mean rejecting another nation’s standards. It means understanding and complying with global standards while owning the core technologies that operate them. Australia, Canada, and the UK all referenced the NIST framework yet built independent frameworks suited to their own environments. Korea is walking the same path.
Standards can come from outside. The capability to make them work must come from within.