Friday, January 31, 2025

PPM CIO-040 ARMY INFORMATION SYSTEMS SOFTWARE ASSURANCE POLICY

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42924-PPM_CIO-040-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-IA-040
SAIS-CS (25-1rrrr) 31 January 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Information Systems Software Assurance Policy
1. References. See enclosure.
2. Purpose. To provide amplifying guidance regarding Army information systems (IS)
software assurance (SwA) policy in support of Army and DoD development, security,
and operations (DevSecOps) initiatives and the DoD Risk Management Framework
(RMF) process.
3. Applicability.
a. Per Army Regulation (AR) 25-2, the Army Chief Information Officer (CIO), on
behalf of the Secretary of the Army, establishes policy, resourcing, and oversight of the
Army Cybersecurity Program. This policy memorandum meets provisions outlined in
AR 25-2, para 1-8, where the Army CIO, if applicable, will issue policy memoranda to
amplify guidance for the policies in AR 25-2.
b. This policy applies to all Headquarters Department of the Army (HQDA)
elements, Army Commands (ACOM), Army Service Component Commands (ASCC),
Direct Reporting Units (DRU), and the Reserve Component (Army National Guard/Army
National Guard of the United States, and the U.S. Army Reserve) regardless of the service
status.
c. This guidance applies to all development teams, contractors, integrators, and
third-party vendors involved in software development activities at all stages of the
SDLC.
4. Software assurance.
a. SwA is the level of confidence that software is free from unmitigated
vulnerabilities, either intentionally designed into the software or accidentally inserted at
any time during its lifecycle, and that software functions in the intended manner. All
Army systems are required to have SwA requirements validated against the latest
National Institute of Standards and Technology Special Publication (NIST SP) 800-53
security control requirements and reported through the RMF process when obtaining
authorizations under the Assess & Authorize (A&A) or assess only process.
b. Organizations must perform SwA to the greatest extent practicable on all
software and source code.
c. Software and the code sourced to build it are divided into the following
categories:
(1) Commercial off-the-shelf (COTS). Software that is available for sale, lease, or
license to the general public without custom development or modification. COTS is
further subdivided into the following two categories: open-source software and closed-source software. These software components, particularly open-source, are often found
in government off-the-shelf (GOTS) and other than commercial software.
(2) GOTS. Software that is developed by the technical staff of a U.S.
Government organization for use by the Government. GOTS may be developed by an
external entity with specification from a government organization to meet a specific
Government purpose and can normally be shared among Federal agencies without
additional cost. GOTS products are not commercially available to the general public.
(3) Other than commercial. Software that is created for government purpose, not
available to the general public, and with restricted rights to the government.
Note: Each of these categories can be modified based on the amount of code sourced
from each software product category, and the categories are not all-encompassing.
5. Policy. All information system owners will perform SwA, using a certified
DevSecOps platform, in accordance with policy outlined in this memo and applicable
Army policy. This memo updates, amplifies, and as applicable, supersedes guidance in
AR 25-2, Department of the Army Pamphlet (DA Pam) 25-2-5, and Deputy Chief of Staff
(DCS), G-6 SwA tactics, techniques, and procedures (TTP).
6. Roles and responsibilities.
a. The Army Chief Information Officer will publish and maintain SwA policies for
Army IS.
b. The Army Chief Information Security Officer (CISO) will collaborate with the DCS,
G-6 to develop procedures, guidelines, and baseline requirements acceptable for SwA.
c. The DCS, G-6 will:
(1) Advise the Army CIO in developing SwA policy.
(2) In conjunction with the Army CISO, develop procedures, guidelines, and
baseline requirements for SwA.
(3) Update and maintain applicable SwA procedures, specifically, DA Pam 25-2-5
and the DCS, G-6 SwA TTP.
(4) Develop, organize, and implement an Army approved product list (APL).
(5) Integrate industry standard cyber supply chain risk management practices
outlined in NIST SP 800-161 Rev. 1 and Executive Order (EO) 14028 into Army SwA
procedures.
d. Authorizing officials (AOs) will:
(1) Consider SwA risks in the overall authorization determination.
(2) Approve baseline requirements for tailoring security controls during SwA.
(3) After the initial assessment, determine if information system owners (ISOs)
are sufficiently trained and have the appropriate resources to conduct continuous SwA
assessments internally. AO approval is documented in a memorandum for record and
uploaded into Enterprise Mission Assurance Support Service (eMASS).
e. Information system security managers will:
(1) Develop and maintain the baseline requirements for tailoring security controls
during SwA. These requirements will vary from program to program based on the
specific requirements to satisfy each program's SwA requirements; however, all controls
referenced by the Application Security and Development security technical
implementation guide must be included as required security controls.
(2) Work with the ISO and manage the SwA process, providing input to the AO to
inform the overall authorization determination.
f. Information system owners will:
(1) Create/update the security plan as part of the system’s RMF package.
(2) Use existing third-party assessment results to the greatest extent possible to
prevent unnecessary reassessment of software. Existing third-party assessments
should include test plan information in adequate detail, allowing the ISO to confirm
whether the assessment addresses the applicable portions of the security plan and
meets the program’s baseline requirements for tailoring security controls.
(3) Manage SwA risk throughout the life cycle of the software.
(4) Ensure evidence is included in the applicable eMASS record showing SwA
has been performed in accordance with the security plan.
(5) Create a continuous assessment strategy to address timely remediation of
known and emerging SwA requirements. This must be included in the security plan.
(6) Submit justification via an eMASS POA&M if SwA assessment cannot be
performed for the RMF authorization. Exception requests must include justification
(including cost and mission impacts) and will be adjudicated based upon cybersecurity
risk to the IS and the Army enterprise.
g. The control assessor will conduct a comprehensive independent assessment of
SwA management activities employed within or inherited by an IT system. This includes
a review of weaknesses or deficiencies discovered in the IS and recommended
corrective actions to address identified vulnerabilities.
7. Guidance.
a. This memo aligns with the adoption of modern software development and
acquisition practices, enabling the transition from the traditional authority to operate
(ATO) process to continuous authority to operate (cATO). For software development
see reference 1.j and associated Army policy on the use of certified DevSecOps
platforms and pipelines as well as DevSecOps configuration management.
b. Security plan.
(1) The security plan will include the results of the SwA assessment, to include
the vulnerabilities and weaknesses found, the controls implemented to mitigate the
associated risk, and the continuous assessment strategy.
(2) Additional guidance for the security plan, incorporating SwA results into the
security plan, and the security plan approval process can be found in NIST SP 800-18,
on the DoD RMFKS portal (https://rmfks.osd.mil/rmf/Pages/default.aspx), and at the
following links on the Army RMF portal:
(a) https://armyeitaas.sharepoint-mil.us/sites/NETCOM-CSD-RMF/SitePages/SSPInformation.aspx
(b) https://armyeitaas.sharepoint-mil.us/sites/NETCOM-CSD-RMF/SitePages/SPApproval.aspx
c. Software assurance assessments.
(1) An initial SwA assessment is required for software not already present in the
RMF authorization package. A third party must conduct this assessment, and
organizations are encouraged to leverage existing assessments to reduce the time and
cost associated with conducting a new SwA assessment.
(2) Existing assessments provided by the following external agencies’ approved
product lists are granted reciprocity:
(a) Defense Information Systems Agency
(b) National Geospatial-Intelligence Agency
(c) National Reconnaissance Office
(d) National Security Agency
(e) Additional organizations as approved by the Army CIO
(3) Army organizations may also use existing third-party assessments from
organizations other than the ones referenced above, provided they have a reciprocity
agreement with the organization.
(4) The Army will use eMASS to share security authorization packages and risk
assessment data with AOs from other organizations.
(5) Third-party service providers can be found on the Joint Federated Assurance
Center portal (https://jfac.dso.mil).
(6) Continuous SwA assessments must be conducted by an internal team and in
accordance with DA Pam 25-2-5 and the DCS, G-6 SwA TTP.
(7) Assessments will be conducted to support a threat-focused baseline control
set, with the findings and mitigation strategy for each vulnerability/weakness
documented in the security plan.
d. Software assurance controls.
(1) All systems should have the following activities included in their security
control baseline, as applicable based on the type of software being used, data rights,
and threat environment:
(a) Static code analysis, RMF control enhancement: SA-11(1)
(b) Dynamic code analysis, RMF control enhancement: SA-11(8)
(c) Flaw remediation, RMF control enhancement: SI-2
(2) ISOs will tailor the security controls for the SwA assessment and document the
tailored controls in the security plan.
(3) ISOs will plan, develop, and implement additional controls in accordance with
the organization’s security control tailoring requirements.
e. Supply chain risk assessment. The ISO is responsible for the supply chain risk
assessment of the product, in accordance with NIST SP 800-161 Rev. 1 and EO 14028.
The assessment must also be included in the security plan. The assessment may be
conducted by a third party or an internal team and must include the following items, tied
to their corresponding control enhancements outlined in NIST SP 800-53:
(1) A review of the software bill of materials (control enhancement SR-12(10)).
(2) A review of the supply chain characteristics and cybersecurity risk factors
associated with the vendor in accordance with NIST SP 800-161 Rev. 1, Table 3-2.
(3) A review of the vendor’s usage of software security labels or data sheets
(control enhancement SR-12(9)).
(4) An analysis of the vendor’s usage of open-source data (control enhancement
SR-6).
(5) An analysis of the ties between the vendor and any foreign government
(control enhancement SA-12(8), SA-12(9)).
(6) A review of commercially available third-party assessments and security
ratings of the vendor (control enhancement SA-12(5), SA-12(8)).
f. Continuous monitoring.
(1) Automated SwA tools must reside on a certified DevSecOps platform (DSOP) and
will be leveraged to ensure software meets a minimum threshold of quality and does not
introduce weaknesses or vulnerabilities into the system.
(2) The development of a continuous assessment strategy and use of automated
SwA tools must be combined with active cyber defense for the implementation of
continuous monitoring (ConMon). ConMon requirements are detailed in reference 1.j.
8. Exception requests. Requests for exceptions to the requirements in this policy
should be documented and submitted to the CIO. Exception requests must include
justification (including cost and mission impacts). Each request will be adjudicated
based upon all factors including cybersecurity risk.
9. This policy will be reviewed annually, or as required, and updated as appropriate.
10. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-CS Director: BG Urbi N. Lewis, urbi.n.lewis.mil@army.mil.
c. SAIS-CSP policy team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
Encl
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
REFERENCES
a. AR 25-2 (Army Cybersecurity).
b. DA Pam 25-2-5 (Software Assurance).
c. DoD CIO memorandum (Software Development and Open Source Software),
24 January 2022.
d. HQDA DCS, G-6 (Software Assurance (SwA) Tactics, Techniques, and Procedures
(TTP)), Version 1.0, 22 March 2022.
e. Executive Order 14028 (Improving the Nation’s Cybersecurity), 12 May 2021.
f. Defense Information Systems Agency (DISA) Application Security and Development
(ASD) Security Technical Implementation Guide (STIG), 24 July 2024.
g. NIST SP 800-18 (Guide for Developing Security Plans for Information Technology
Systems), 24 February 2006.
h. NIST SP 800-53 Rev. 4 (Security and Privacy Controls for Information Systems and
Organizations), 22 January 2015.
i. NIST SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management Practices
for Systems and Organizations), 05 May 2022.
j. Army CIO memorandum (Army Transition to Continuous Authority to Operate).
k. AD 2024-02 (Enabling Modern Software Development and Acquisition Practices).
l. Army CIO memorandum (Information Technology Reciprocity Acceptance
Guidance), 3 November 2023.
m. Army CIO memorandum (Army Software Modernization Directive—Initiative 8—
Implementation Plan).
Enclosure