Department of Defense (DoD) Impact Level 4 and Impact Level 5 (IL4/IL5) environments require continuous assurance of cybersecurity posture under stringent operational, regulatory, and mission constraints. Although the NIST Risk Management Framework (RMF) and DoD DevSecOps guidance increasingly emphasize continuous authorization supported by operational evidence, many existing Governance, Risk, and Compliance (GRC) systems remain documentation-centric and poorly integrated with modern security telemetry. This misalignment introduces delays between vulnerability discovery, remediation action, and authorization decision-making, limiting the responsiveness of governance processes in mission-critical systems. This paper presents a GovSecOps-oriented GRC architecture designed to unify vulnerability ingestion, automated Plan of Action and Milestones (POA&M) lifecycle management, dynamic risk scoring, and continuous authorization dashboards within IL4/IL5 boundary conditions. Using a Design Science Research methodology, the study develops the proposed artifact and evaluates it through a quantitative simulation experiment based on a synthetic IL4/IL5 POA&M dataset comprising 1,200 vulnerabilities across 150 assets. Statistical results demonstrate significant reductions in remediation cycle time and documentation workload. A comparative multi-case study further evaluates feasibility across cloud-native, hybrid, and legacy DoD environments. The findings support the hypothesis that embedding compliance workflows directly into operational telemetry pipelines materially improves authorization responsiveness and governance transparency in high-assurance defense contexts.
Author: Anand Janjal
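To make the telemetry-driven POA&M idea concrete, here is an added illustrative sketch (not the paper's artifact, scoring model, or dataset) in which scan findings open and close POA&M items automatically, an asset's risk score rises as items pass their SLA, and remediation cycle time falls out of the recorded open/close timestamps; the severity weights, SLA days, and three-scan scenario are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Assumed severity weights and remediation SLAs in days (illustrative, not the paper's model)
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

@dataclass
class PoamItem:
    asset: str
    finding_id: str
    severity: str
    opened: datetime
    closed: "datetime | None" = None

class PoamTracker:
    """POA&M state derived from scan telemetry: first sighting opens an item, a later scan of the same asset without the finding closes it."""
    def __init__(self) -> None:
        self.items: list[PoamItem] = []   # full history, for cycle-time metrics
        self.open: dict[tuple[str, str], PoamItem] = {}

    def ingest_scan(self, when: datetime, scanned: set[str], findings: list[tuple]) -> None:
        seen = {(asset, fid) for asset, fid, _ in findings}
        for asset, fid, sev in findings:
            if (asset, fid) not in self.open:          # new or reappeared finding
                self.open[(asset, fid)] = item = PoamItem(asset, fid, sev, when)
                self.items.append(item)
        for key in list(self.open):
            # Close only if the asset was covered by this scan: an unscanned asset is missing evidence, not remediation
            if key not in seen and key[0] in scanned:
                self.open.pop(key).closed = when

    def risk_score(self, asset: str, now: datetime) -> float:
        """Assumed dynamic score: severity weight, inflated once an item is past its SLA."""
        score = 0.0
        for item in (i for i in self.open.values() if i.asset == asset):
            sla = SLA_DAYS[item.severity]
            overdue = max(0, (now - item.opened).days - sla) / sla
            score += SEVERITY_WEIGHT[item.severity] * (1.0 + overdue)
        return round(score, 2)

    def mean_cycle_days(self) -> float:
        done = [(i.closed - i.opened).days for i in self.items if i.closed]
        return sum(done) / len(done) if done else 0.0

def simulate() -> dict:
    """Constructed three-scan scenario (sample data, not the paper's dataset)."""
    t0, tr = datetime(2025, 1, 1), PoamTracker()
    tr.ingest_scan(t0, {"web01", "db01"}, [("web01", "F-1", "critical"),
                                           ("db01", "F-2", "high"), ("web01", "F-3", "low")])
    tr.ingest_scan(t0 + timedelta(days=20), {"web01"}, [("web01", "F-3", "low")])  # db01 not scanned
    db_risk = tr.risk_score("db01", t0 + timedelta(days=35))            # F-2 is now 5 days past SLA
    tr.ingest_scan(t0 + timedelta(days=40), {"web01", "db01"}, [("web01", "F-3", "low")])
    return {"db01_risk_day35": db_risk, "open_items": len(tr.open),
            "mean_cycle_days": tr.mean_cycle_days()}
```

Because the second scan did not cover db01, its overdue high finding stays open and raises the asset's score instead of being silently closed; the cycle-time figure comes from the timestamps the pipeline recorded, with no manual POA&M entry.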