Thursday, December 12, 2024

PPM CIO-048 ARMY DEVELOPMENT, SECURITY, AND OPERATIONS CONFIGURATION MANAGEMENT FRAMEWORK

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42684-PPM_CIO-048-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
SAIS-CS (25-1rrrr)
CS-SEC-DV-048
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Development, Security, and Operations Configuration Management Framework
1. References. See enclosure.

2. Purpose. To provide interim policy guidance for implementing development, security, and operations (DevSecOps) configuration and release management requirements.
3. Applicability.

a. Per AR 25-2, the Chief Information Officer (CIO), on behalf of the Secretary of the Army, establishes policy, resourcing, and oversight of the Army Cybersecurity Program. This policy memorandum meets provisions outlined in AR 25-2, para 1-8, where the Army CIO, if applicable, will issue policy memoranda to amplify guidance for the policies in AR 25-2.

b. This guidance memorandum expands on the existing policy established in reference b and has the same applicability across software development efforts.
4. Background.

a. Configuration management (CM) is a collection of activities focused on establishing and maintaining the integrity of information technology products and information systems through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

b. Legacy CM is burdensome and does not necessarily result in accurate tracking of current configuration. The resulting variance in configuration across systems, also known as configuration drift, results in untenable scaling and security vulnerabilities.

c. Modern DevSecOps-enabled CM uses automation to enhance consistency, reproducibility, security, transparency, and scaling.
5. Roles and responsibilities.

a. All organizations that meet the DevSecOps applicability requirements identified in reference b will implement the CM requirements identified in this policy.

b. Authorizing officials (AOs) will:

(1) Ensure a government security assessment professional conducts and/or reviews security impact analysis (SIA) for security relevant changes.

(2) Ensure the use of DevSecOps pipelines and establish thresholds for control gate configurations based on the acceptable level of risk.

c. Information System Security Managers and Information System Security Officers will:

(1) Determine if the results of the SIA warrant a reauthorization of the system.

(2) Ensure configuration and validation thresholds in the DevSecOps pipelines are implemented in alignment with the AO's level of acceptable risk.

(3) Coordinate with the government security assessment professional to ensure effective and compliant implementation and assessment of CM controls.

d. Information system owners will:

(1) Ensure that configuration is version controlled and immutable in production systems.

(2) Ensure security data artifacts and feeds are available and viewable to the cybersecurity team and AO to make ongoing risk determinations.
6. Policy.

a. CM must leverage version control for configuration and supporting artifacts to enable rollback, traceability, and collaboration.

b. Leverage configuration as code within DevSecOps pipelines as appropriate for changes to production environments. Infrastructure and configuration as code DevSecOps pipelines must generate artifacts to support security impact analysis (SIA) and enable comparative monitoring of configuration artifacts and system configurations.

c. Security relevant changes require an SIA to determine impacts prior to change implementation that may involve additional security testing, updates, security analyses (i.e., threat modeling, penetration testing), or reauthorization.

d. Monitoring of production environments must include the configuration state as a component of active cyber defense.
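As an added illustration of the comparative monitoring called for in paragraphs 6b and 6d (this code is not part of the memorandum and describes no Army system), the check below compares a version-controlled configuration baseline against the state read back from a production host, classifies each difference as configuration drift, and flags the security-relevant differences that would trigger an SIA under paragraph 6c. The configuration keys, the SIEM hostname and the security-relevance patterns are constructed for the example.

```python
import fnmatch

# Constructed baseline: the artifact the pipeline deployed, held under version control.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": 22},
    "audit": {"enabled": True, "forward_to": "siem.example.mil"},
    "motd": "Authorized use only",
}
# Constructed observation: what a collector read back from the running host.
OBSERVED = {
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Port": 22},
    "audit": {"enabled": False},
    "motd": "Authorized use only - updated banner",
    "debug": {"enabled": True},
}
# Hypothetical glob patterns naming the keys whose drift is security relevant.
SECURITY_RELEVANT = ("sshd.*", "audit.*")

def flatten(cfg, prefix=""):
    """Flatten nested dicts into {"a.b": value} so dotted paths can be compared."""
    out = {}
    for k, v in cfg.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out

def detect_drift(baseline, observed):
    """Return (key, kind, expected, actual, security_relevant) for each difference;
    kind is "missing" (baseline only), "unexpected" (observed only) or "changed"."""
    b, o = flatten(baseline), flatten(observed)
    findings = []
    for key in sorted(set(b) | set(o)):
        if key not in o:
            kind = "missing"
        elif key not in b:
            kind = "unexpected"
        elif b[key] != o[key]:
            kind = "changed"
        else:
            continue  # matches the baseline: no drift
        relevant = any(fnmatch.fnmatch(key, p) for p in SECURITY_RELEVANT)
        findings.append((key, kind, b.get(key), o.get(key), relevant))
    return findings

def requires_sia(findings):
    """Security relevant drift must go through an SIA before it is accepted."""
    return any(f[4] for f in findings)
```

The finding list is the kind of artifact paragraph 6b asks the pipeline to produce; a non-empty result with `requires_sia` true is the signal the cybersecurity team and AO need for the risk determination in paragraph 5d(2).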
7. Exception requests. Requests for exceptions to the requirements in this policy should be documented and submitted to the OCIO Policy & Risk Governance Division (SAIS-CSP) at the address below. Exception requests must include justification (including cost and mission impacts). Each request will be adjudicated based upon all factors, including cybersecurity risk.

8. Policy review. The OCIO Policy & Risk Governance Division (SAIS-CSP) will review this policy annually, or as required, and update as appropriate.
9. Points of contact.

a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.

b. SAIS-CS Director: BG Urbi Lewis, urbi.n.lewis.mil@army.mil.

c. SAIS-CSP policy team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.

d. SAIS-ADS Deputy Director: Dr. Gregory Smoots, gregory.c.smoots.civ@army.mil.

e. SAIS-AAG Chief, Software Modernization: Lauren Pavlik, lauren.c.pavlik.civ@army.mil.
Encl

LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
Enclosure
REFERENCES
a. AR 25-2 (Army Cybersecurity)
b. AD 2024-02 (Enabling Modern Software Development and Acquisition Practices)
c. NIST Special Publication 800-128 (Guide for Security Focused Configuration Management of Information Systems), 10 October 2019
d. DoD DevSecOps Fundamentals Guidebook: DevSecOps Tools and Activities, Version 2.0, March 2021
e. Army CIO memorandum (Army Software Modernization Directive—Initiative 8—Implementation Plan), October 2024