Thursday, December 12, 2024

PPM CIO-049 ARMY DEVELOPMENT, SECURITY, AND OPERATIONS PLATFORM CERTIFICATION

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42685-PPM_CIO-049-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-DV-049
SAIS-CS (25-1rrrr) 12 December 2024
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Development, Security, and Operations Platform Certification
1. References.
a. Army Chief Information Officer (CIO) Memorandum (Software Modernization
Directive—Initiative 8—Implementation Plan).
b. Army Chief Information Officer (CIO) Memorandum (Army Development, Security,
and Operations Configuration Management Framework).
2. Purpose. To establish the criteria and process to evaluate and certify development,
security, and operations (DevSecOps) platforms (DSOPs).
3. Background. As the Army Software Modernization Directive—Initiative 8—
Implementation Plan details, all Army software development supporting capabilities that
require an ATO will transition to certified DSOPs. Software development that utilizes
CI/CD will transition to certified DevSecOps pipelines, as appropriate.
a. A DSOP is defined as a set of tools that enables the creation of tailored
DevSecOps pipelines to automate cybersecurity and mission requirements.
b. A DevSecOps pipeline is defined as a collection of DevSecOps tools, which
implement control gates, enforce thresholds, and are automated to the greatest extent
possible.
c. A deployment platform is defined as the compute, storage, and networks within
which software executes. Such platforms range from hyperscale cloud to traditional
on-premises infrastructure to embedded systems at the tactical edge.
4. Policy. For a DSOP to receive a certification, the owner must request an evaluation,
and the DevSecOps review board, as established in the Army Software Modernization
Directive—Initiative 8—Implementation Plan, must certify the platform. The certification
ensures the platform adheres to the following:
a. General requirements for DSOP certification:
(1) Must have an authority to operate (ATO) or continuous ATO (cATO).
(2) Must at a minimum provide source code management and the ability to
execute DevSecOps pipelines including registries for the resulting software and security
artifacts.
(3) While not all software-related artifacts on the platform may qualify as
controlled unclassified information (CUI), all DSOPs must be designated at, and meet the
requirements for, impact level 4 (IL4) or IL5. This designation covers accidental
commits of material that qualifies as CUI, including controlled technical information
(SP-CTI), OPSEC, and other handling caveats.
(4) Must not be accessible from the open internet except for integrity validation,
general information, and other specifically designated components.
(5) Must enforce commit signing at the DSOP level to support integrity for all
commits, including those made from web-based interactive development environments
(IDEs).
(6) Should provide a mechanism for securely accessing current, open-source
components while reducing risks present in the software supply chain.
(7) Because developing at a lower impact level is more efficient and more secure,
DSOPs should not be hosted at IL6 or above except when the classification of the code
specifically requires it.
(8) Deployment platforms may be of a higher impact level than the DSOP. This
practice, referred to as “code-low, deploy-high,” may include using a classified DSOP to
augment the software prior to deployment.
(9) The DSOP owner should provide one or both of the following:
(a) A secure developer workstation or virtual developer workstation with a
consistent image and access to the DSOP.
(b) A zero-trust access mechanism, such as a virtual private network, to enable
the defense industrial base and niche development use cases to utilize DSOPs with
robust security. This practice enables hardware-in-the-loop development.
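The commit-signing requirement in paragraph 4a(5) is the one item above that a platform owner enforces in software rather than by designation or paperwork. The following is an added example, not part of this memorandum or of any Army DSOP, of a server-side Git pre-receive hook that refuses a push containing any commit without a `gpgsig` header and, where the server has a trusted keyring configured, asks `git verify-commit` to check the signature itself. The sample commit objects, the `example.mil` addresses and the fake signature block are constructed for illustration, and the function names are this example's own.

```python
"""Server-side commit-signing gate for a DSOP Git server (hypothetical example).

Parses raw Git commit objects (the text printed by `git cat-file -p <sha>`) and
reports any commit that carries no `gpgsig` header. The header check is the
cheap first gate; as a pre-receive hook the script also runs `git verify-commit`
so that a commit with a forged, expired or unknown signature is rejected too.
"""
import subprocess
import sys
from typing import Dict, List, Tuple

ZERO_SHA = "0" * 40  # git passes this as <old> for a newly created ref, <new> for a deletion

# Constructed sample commit objects (not real commits; the signature block is a placeholder).
# In a real object the empty line inside the PGP block is stored as a single space so that
# the header block stays contiguous; the join below reproduces that layout exactly.
SIGNED = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 1111111111111111111111111111111111111111",
    "author Jane Developer <jane.developer@example.mil> 1733990400 +0000",
    "committer Jane Developer <jane.developer@example.mil> 1733990400 +0000",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",
    " iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder",
    " -----END PGP SIGNATURE-----",
    "",
    "Add SAST stage to pipeline",
    "",
])
UNSIGNED = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 2222222222222222222222222222222222222222",
    "author Web IDE <ide@example.mil> 1733990460 +0000",
    "committer Web IDE <ide@example.mil> 1733990460 +0000",
    "",
    "Quick fix from the browser; gpgsig was not configured",
    "",
])
SAMPLE_COMMITS: Dict[str, str] = {"a" * 40: SIGNED, "b" * 40: UNSIGNED}


def has_signature_header(raw_commit: str) -> bool:
    """True if the header block of a raw commit object contains a gpgsig header.

    A commit object is headers, one blank line, then the message. Signatures live in a
    `gpgsig` (or `gpgsig-sha256`) header whose continuation lines begin with a space,
    so only the text before the first blank line is inspected; the word "gpgsig" in a
    commit message does not count.
    """
    header_block = raw_commit.split("\n\n", 1)[0]
    return any(line.startswith(("gpgsig ", "gpgsig-sha256 "))
               for line in header_block.split("\n"))


def unsigned_commits(commits: Dict[str, str]) -> List[str]:
    """Return the ids, in input order, of commits that lack a signature header."""
    return [sha for sha, raw in commits.items() if not has_signature_header(raw)]


def verify_with_git(sha: str) -> bool:
    """Cryptographically verify one commit with the server's git/gpg configuration.

    Exit status 0 means git accepted the signature under its configured gpg.format;
    set gpg.minTrustLevel on the server so unknown keys are not accepted. Returns
    False when git is unavailable or verification fails.
    """
    try:
        result = subprocess.run(["git", "verify-commit", sha],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False
    return result.returncode == 0


def pre_receive(stdin_lines: List[str]) -> Tuple[int, List[str]]:
    """Hook entry point: read `<old> <new> <ref>` lines, reject any push with unsigned commits."""
    rejected: List[str] = []
    for line in stdin_lines:
        old, new, ref = line.split()
        if new == ZERO_SHA:          # ref deletion: nothing new to verify
            continue
        # `--not --all` lists only commits not already reachable from existing refs,
        # which also handles a brand-new branch (old == ZERO_SHA) correctly.
        shas = subprocess.run(["git", "rev-list", new, "--not", "--all"],
                              capture_output=True, text=True, check=True).stdout.split()
        for sha in shas:
            raw = subprocess.run(["git", "cat-file", "-p", sha],
                                 capture_output=True, text=True, check=True).stdout
            if not has_signature_header(raw) or not verify_with_git(sha):
                rejected.append(f"{ref} {sha}")
    return (1 if rejected else 0), rejected


if __name__ == "__main__":
    status, bad = pre_receive(sys.stdin.read().splitlines())
    for entry in bad:
        print(f"rejected: unsigned or unverifiable commit {entry}", file=sys.stderr)
    sys.exit(status)
```

Installed as `hooks/pre-receive` on the server-side repository, this gate is what "at the DSOP level" buys: a developer cannot opt out with a local `commit.gpgsign=false`, and commits created by a web IDE are rejected unless the platform's own service signs them with a key the server keyring trusts.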
5. Policy review. The OCIO Policy & Risk Governance Division (SAIS-CSP) will review
this policy annually, or as required, and update as appropriate.
6. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-CSP policy team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
c. SAIS-ADS Deputy Director: Dr. Gregory Smoots, gregory.c.smoots.civ@army.mil.
d. Chief, Software Modernization AAG: Lauren Pavlik, lauren.c.pavlik.civ@army.mil.
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army