Tuesday, January 28, 2025

PPM CIO-061 CONTINGENCY PLANNING FOR CARMY CLOUD TENANTS

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42912-PPM_CIO-061-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
ZAX-TECH-CS-061
SAIS-ZAX (25-1rrrr) 28 January 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Contingency Planning for cArmy Cloud Tenants
1. References.
a. DODI 8510.01 (Risk Management Framework for DOD Systems)
b. NIST SP 800-53 Rev. 5 (Security and Privacy Controls for Information Systems
and Organizations)
c. FIPS 199 (Standards for Security Categorization of Federal Information and
Information Systems)
d. NIST SP 800-34 Rev. 1 (Contingency Planning Guide for Federal Information
Systems)
2. Purpose. To establish organizational policy for Alternate Site Storage, Alternate
Processing Site, and retention of backups/snapshots within the Program Executive
Office (PEO) Enterprise cloud environments.
3. Applicability. This policy applies to all tenant organizations that manage cloud
resources within the Army Cloud (cArmy) environment.
4. Background. The Enterprise Cloud Management Agency (ECMA) currently
maintains the baseline infrastructure in support of Army Multi-Cloud and supporting
strategy. Enterprise Cloud Service Providers (CSPs), to include Amazon Web
Services (AWS), Microsoft Azure, Oracle Cloud Infrastructure (OCI), and Google
Cloud Platform (GCP) provide highly redundant and highly available services. The
CSPs have developed a tiered approach to providing these services:
a. Availability Zones: Discrete data centers, each of which has redundant power,
networking, and connectivity, and is housed in separate facilities. Each Availability
Zone (AZ) has multiple Internet connections and power connections to multiple grids.
b. Regions: Geographically located centers of computing that consist of multiple
Availability Zones (multi-AZs) to enable fault tolerance, data sovereignty, network
connectivity, etc.
c. Cloud AZs within a single region provide a sufficient degree of separation
between primary and alternate processing sites to meet moderate and most high
availability requirements. Implementation of cloud-based
multi-AZ infrastructure, platforms, and applications in accordance with this policy will
reduce costs, increase efficiency, improve cyber security posture, and standardize
deployments within the Army.
5. Policy. All cArmy tenants with a system security categorization level of moderate
or high for availability shall implement contingency plans based on deploying across
specific Cloud AZ architecture. Programs currently operating in the cArmy baselines
across NIPRNET and SIPRNET shall update organizational critical controls in
accordance with this policy.
a. All cloud hosted systems will utilize multi-AZ configuration for their Alternate
Processing Site requirements. Systems should be configured to utilize a minimum of
two AZs.
b. All cloud hosted systems will utilize multi-AZ configuration to meet Alternate
Storage Site requirements.
c. Programs that require additional data protection, replication, and/or availability
requirements not met through cloud multi-AZ shall work with the ECMA to identify
additional storage replication requirements.
d. All Enterprise cloud hosted information systems will implement fourteen (14)
day automated lifecycle policies for retention of data backups and snapshot images.
Data with additional retention requirements per non-cyber controls (e.g.,
Army Records retention policy) shall follow the policies outlined.
e. Lifecycle policies shall be configured to prevent modification to backups/
snapshots and protect against deletion.
f. All programs are responsible for ensuring compliance with this policy.
g. Any requests for extending services beyond data retention/replication in multi-
Region must be submitted for approval for waiver to the point of contact (POC) in
paragraph 6b below for review by the Cloud Governance Committee (CGC).
6. POCs.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. Mr. Gabriele Chiulli, ECMA CTO, gabriele.j.chiulli.civ@army.mil,
(520) 725-1758.
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Arm