惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Hackread – Cybersecurity News, Data Breaches, AI and More
C
Check Point Blog
Hacker News: Ask HN
Hacker News: Ask HN
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
P
Proofpoint News Feed
V
Visual Studio Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
N
Netflix TechBlog - Medium
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
S
Schneier on Security
T
Threat Research - Cisco Blogs
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Hacker News
The Hacker News
Google DeepMind News
Google DeepMind News
Microsoft Security Blog
Microsoft Security Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
GbyAI
GbyAI
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Palo Alto Networks Blog
T
Tenable Blog
S
Secure Thoughts
T
Threatpost
V2EX - 技术
V2EX - 技术
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
罗磊的独立博客
P
Privacy & Cybersecurity Law Blog
Engineering at Meta
Engineering at Meta
小众软件
小众软件
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Y
Y Combinator Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cybersecurity and Infrastructure Security Agency CISA
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
H
Heimdal Security Blog
量子位
B
Blog

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook
Tom Tapley · 2026-06-03 · via 2024 Sonatype Blog

Let's be honest about the legacy Risk Management Framework (RMF): for the last decade, achieving an ATO has been less about actual cybersecurity and more about creative writing. We built three-year "snapshot" PDFs, crossed our fingers, and hoped the underlying code didn't rot before the next audit.

As of 2026, that era is officially over.

With the Department of War (DoW) mandating the Cybersecurity Risk Management Construct (CSRMC) and FedRAMP enforcing the RFC-0024 OSCAL mandate, the government is sending a clear message that compliance is no longer a paperwork exercise; it's a data-streaming exercise. Authorizing Officials (AOs) don't want a 400-page System Security Plan. They want deterministic telemetry.

If you're a Program Manager or AppSec Lead staring down a backlog of 500+ legacy RMF systems that need to migrate to the CSRMC's 5-Phase lifecycle, panic is a natural response. Manual updates are mathematically impossible to scale.

Navigating this is why we've put together this playbook with CSRMC steps on how to automate the transition, kill the backlog, and turn your static authorizations into a true Continuous ATO (cATO).

1. Fuel the OSCAL Pipeline (The Evidence Engine)

Under the legacy RMF, we documented "what we planned to do." Under the CSRMC's Operations Phase, you have to prove what you are doing right now.

The government wants machine-readable OSCAL packages, but an OSCAL System Security Plan is only as good as the data feeding it. If you manually type an inventory into a GRC tool, you still have a dead document.

By deploying Sonatype Lifecycle, you transform from manual documentation to a live data stream. Sonatype acts as the automated "Evidence Engine," continuously streaming living SBOMs (SPDX/CycloneDX) and exact Pass/Fail metrics for controls like CM-8 and SR-3 directly into your native OSCAL tools via open APIs. We provide the ingredients, and your GRC handles the filing.

2. Automate the 'Build' Phase (Block at the Front Door)

A core tenet of the CSRMC is DevSecOps Integration. If you are waiting until the Test Phase to run a vulnerability scan, you are already failing the construct.

To clear your RMF backlog, you must stop treating security as a tollbooth at the end of the highway. Sonatype acts as an automated policy gate directly inside the developer's environment. By blocking malicious, unapproved, or architecturally unsound components at the front door, before they ever enter your source code repository, you eliminate the rework loops that traditionally drag out ATO timelines by months.

3. Govern the Ghost in the Machine (The AI RMF Overlay)

AI-assisted development is the elephant in the SCIF. Your developers are using AI coding agents, and those agents are pulling in dependencies based on static, often outdated training data.

The new DoD AI RMF Overlay demands strict data provenance and model integrity. How do you govern an AI agent? You use Sonatype Guide. Think of this as the Authorizing Official's proxy sitting on the developer's shoulder. It feeds real-time threat intelligence directly into the AI assistant via a Model Context Protocol (MCP) server, ensuring that every library hallucinated or suggested by an LLM is instantly validated against your specific CSRMC policies.

4. Deploy the Developer Trust Score for 'Active Defense'

The CSRMC requires operators to make real-time risk decisions. To do that, you need a standardized risk currency.

This is where Sonatype's Developer Trust Score changes the game. Instead of asking a developer to interpret a massive CVE database, Guide provides a single 0-to-100 rating that factors in security, legal compliance, and quality. This operationalizes the CSRMC's "Active Defense" requirement so your development environment can automatically quarantine high-risk components and auto-remediate legacy debt without human intervention.

5. Achieve Radical Reciprocity

The ultimate bottleneck in gov-tech is the "AO ego," the refusal to accept another agency's security testing. The CSRMC is designed to crush this via the Onboard Phase, emphasizing the mandate to "Certify Once, Use Many."

By standardizing your software supply chain on Sonatype, you aren't just securing your own pipeline; you are producing standardized, universally trusted evidence. When your artifacts are machine-readable, threat-informed, and continuously updated, other agencies can instantly ingest your risk posture. This is how you achieve true reciprocity, slashing deployment times across different combatant commands from months to minutes.

The Bottom Line

The transition from legacy RMF to the CSRMC isn't a security upgrade; it is an operating system swap for the federal government.

If you try to migrate your backlog using the manual processes of the past, your mission will be dead on arrival. In 2026, automation is the only valid form of compliance. Stop writing PDFs, and start streaming your security.

Tags

government risk management devsecops framework devops in government Sonatype Lifecycle federal Sonatype Guide