Thursday, December 12, 2024

PPM CIO-047 ARMY SOFTWARE MODERNIZATION DIRECTIVE—INITIATIVE 8—IMPLEMENTATION PLAN

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42682-PPM_CIO-047-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-DV-047
SAIS-CS (25-1rrrr) 12 December 2024
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Software Modernization Directive—Initiative 8—Implementation Plan
1. References. See Enclosure 1.
2. Purpose. This memorandum serves as guidance for the implementation of Initiative
8 of Army Directive 2024-02 (Enabling Modern Software Development and Acquisition
Practices). Initiative 8 seeks to modernize cybersecurity by both accelerating and
enhancing the traditional approach to the Risk Management Framework (RMF). This
memorandum aims to ensure that security is integrated into the entire software
development life cycle (SDLC) by utilizing development, security, and operations
(DevSecOps) methodologies. The following includes both specified and implied tasks
from the directive:
a. Establish criteria for evaluating and a process for certifying DevSecOps platforms
(DSOPs).
b. Establish criteria for evaluating and a process for certifying DevSecOps pipelines.
c. Establish criteria for evaluating and a process to enable transition from the
authority to operate (ATO) to continuous authority to operate (cATO), which includes
robust continuous monitoring (ConMon).
d. Transition all Army software development to certified DSOPs and, as appropriate,
transition development that uses continuous integration and continuous
delivery/deployment (CI/CD) to certified DevSecOps pipelines.
3. Applicability.
a. Per AR 25-2, para 2-7, the Army Chief Information Officer (CIO), on behalf of the
Secretary of the Army, establishes policy, resourcing, and oversight of the Army
Cybersecurity Program. This policy memorandum meets provisions outlined in AR 25-2,
para 1-8, where the Army CIO, when needed, will issue policy memoranda to amplify
guidance for the policies in AR 25-2.
b. This policy memorandum applies to Principal Officials, Headquarters, Department
of the Army (HQDA) elements; Army Commands (ACOM); Army Service Component
Commands (ASCC); Direct Reporting Units (DRU); Senior Leaders of Agencies and
Activities; Program Executive Offices (PEO); and the Reserve Component of the Army
National Guard (ARNG).
c. This guidance applies to all development teams, contractors, integrators, and
third-party vendors involved in software development activities at all stages of the
SDLC.
4. Background. The increasing complexity and frequency of cyber threats necessitate
a continuous, proactive approach to RMF and software development that prioritizes
security throughout the SDLC. DevSecOps integrates security practices into
development and operations methodologies and is recognized as an effective strategy
for secure software development and fielding that meets the Army's mission
requirements.
a. Software development is defined as development of a custom software solution;
customization, integration, or modification of a commercial or open-source software
solution; and software as a service. This includes, but is not limited to, weapons and
business systems acquired through formal acquisition programs and software solutions
developed or acquired.
b. A DSOP is defined as a set of tools that enables the creation of tailored
DevSecOps pipelines to automate cybersecurity and mission requirements.
c. A DevSecOps pipeline is defined as a collection of DevSecOps tools, which
implement control gates, enforce thresholds, and are automated to the greatest extent
possible.
d. A deployment platform is defined as the compute, storage, and networks within
which software executes. Such platforms range from hyperscale cloud to traditional
on-premises infrastructure to embedded systems at the tactical edge.
5. Roles and responsibilities.
a. The Army Chief Information Officer will establish a DevSecOps review board to
assess and certify platforms and pipelines.
b. DSOP system owners will request an evaluation from the DevSecOps review
board and either receive certification or initiate migration to a certified DSOP.
6. Policy. All Army software development supporting capabilities that require an ATO
will use certified DSOPs. Software development that utilizes CI/CD will use certified
DevSecOps pipelines, as appropriate. All software development that has not achieved
an ATO will require a certified DSOP, and as appropriate a certified DevSecOps
pipeline, before a cATO will be issued or within 365 days (whichever is later). Software
development that has an existing ATO will require the use of a certified DSOP, and as
appropriate a certified DevSecOps pipeline, in conjunction with the next ATO renewal or
365 days (whichever is later).
7. Additional policies that support the implementation of Initiative 8 of Army Directive
2024-02 will articulate:
a. Evaluation criteria and a certification process for DSOPs.
b. Evaluation criteria and a certification process for DevSecOps pipelines.
c. Evaluation criteria and an assessment process for cATO, which includes ConMon.
8. Policy review. The OCIO Policy & Risk Governance Division (SAIS-CSP) will review
this policy annually, or as required, and update as appropriate.
9. Exceptions. Exceptions to this policy will be evaluated through the DevSecOps
review board for CIO decision.
10. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-CS Director: BG Urbi Lewis, urbi.n.lewis.mil@army.mil.
c. SAIS-CSP policy team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
d. Chief, Software Modernization AAG: Lauren Pavlik, lauren.c.pavlik.civ@army.mil.
LEONEL T. GARCIGA
Chief Information Officer

2 Encls
1. as
2. Policy Nesting Diagram
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
ENCLOSURE 1: REFERENCES
a. AD 2024-02 (Enabling Modern Software Development and Acquisition Practices)
b. AR 25-2 (Army Cybersecurity)
c. Executive Order 14028 (Improving the Nation’s Cybersecurity)
d. NIST Special Publication (SP) 800-53 Rev. 5 (Security and Privacy Controls for
Information Systems and Organizations), 10 December 2020
e. NIST SP 800-218 (Secure Software Development Framework (SSDF) Version 1.1),
3 February 2022
f. NIST SP 800-204D (Strategies for the Integration of Software Supply Chain
Security in DevSecOps CI/CD pipelines), 12 February 2024
g. DoDI 8510.01 (Risk Management Framework (RMF) for DoD Systems)
h. DA Pam 25-2-5 (Software Assurance)
ENCLOSURE 2: POLICY NESTING DIAGRAM
(diagram)