Publication Date

5-26-2026

Abstract

Department of Defense (DoD) Impact Level 4 and Impact Level 5 (IL4/IL5) systems require continuous assurance of cybersecurity posture under stringent operational and regulatory constraints. While the NIST Risk Management Framework (RMF) and DoD DevSecOps guidance emphasize continuous authorization supported by real-time evidence, many existing Governance, Risk, and Compliance (GRC) platforms remain documentation-centric and insufficiently integrated with operational telemetry. This paper presents a GovSecOps-oriented GRC architecture that integrates vulnerability ingestion, automated Plan of Action and Milestones (POA&M) lifecycle management, dynamic risk scoring, and continuous authorization dashboards within IL4/IL5 environments. Using a Design Science Research methodology, the study develops and evaluates the architecture through a quantitative simulation experiment based on a synthetic dataset of 1,200 vulnerabilities across 150 assets. Results demonstrate a statistically significant reduction in remediation cycle time (mean reduction: 38.2%, p < 0.001) and improved documentation efficiency. A comparative multi-case study across cloud-native, hybrid, and legacy environments further evaluates feasibility under varying operational conditions. These findings indicate that embedding compliance workflows directly into operational telemetry pipelines improves authorization responsiveness and enhances governance transparency in high-assurance defense environments.  