https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN43546-PPM_CIO-065-000-WEB-1.pdf
DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-SC-065
SAIS-CS (25-1rrrr) 14 April 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Updated Amplifying Guidance for Army Authorizing Officials
1. References. See Enclosure 1.
2. Purpose. Provide interim guidance for Department of Defense Information
Network—Army Authorizing Official (DoDIN-A AO) and Network Authorizing Official
(NAO) roles and responsibilities in alignment with the United States Cyber Command
(USCYBERCOM) Directive Authority for Cyberspace Operations (DACO).
3. Scope. This guidance applies to all Army Commands, Army Service Component
Commands, Direct Reporting Units, Program Executive Offices, and other Army
forces/elements. Guidance applies to the Regular Army, the Army National Guard, and
the Army Reserve, unless otherwise stated.
4. Guidance. Army organizations will continue compliance with DoDIN-A AO and NAO
roles and responsibilities. The 7th Signal Command (Theater) NAO is the only approver
for Authority to Connect (ATC) of systems connected to Army-affiliated portions of the
unclassified and classified Defense Research and Engineering Network (DREN and
SDREN, respectively). Refer to Enclosure 2 for additional information.
5. Compliance. Threat-informed operational concerns will be escalated for adjudication
by the Army Strategy Board (ASB). DoDIN-A AO and NAOs must comply with Army
Regulation (AR) 25-2 (Army Cybersecurity) regulatory requirements and Department of
the Army Pamphlet 25-2-12 (Authorizing Official), as well as other associated risk
management framework regulations and pamphlets.
6. Duration. This guidance supersedes the 13 March 2023 guidance (referenced at
Enclosure 1) and remains in effect until either superseded or incorporated into the next
edition of AR 25-2 by the Office of the Chief Information Officer (OCIO). The
Cybersecurity Directorate will review this guidance for inclusion in the regulation.
7. Points of Contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. Army CISO: BG Urbi N. Lewis, urbi.n.lewis.mil@army.mil.
Encls
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
ENCLOSURE 1
REFERENCES
a. CJCS EXORD to Implement Updated Cyberspace Operations Command and Control, 1 Feb 2016.
b. USCYBERCOM OPORD 16-0139 (Implementation of Updated Cyberspace Operations Command and Control Framework – Delegation of DACO), 6 Sep 2016.
c. ARCYBER OPORD 2018-265/FRAGO 02.
d. ARCYBER OPORD 2018-264 (Delineation of DoDIN Operations Responsibilities), 29 Oct 2019.
e. AR 25-2 (Army Cybersecurity).
f. DA PAM 25-2-12 (Authorizing Official).
g. DoDI 8510.01 (Risk Management Framework (RMF) for DoD Information Technology (IT)), 12 Mar 2014, incorporating Change 3, effective 29 Dec 2020.
ENCLOSURE 2
AUTHORIZING OFFICIAL ROLES AND RESPONSIBILITIES FOR THE
DEPARTMENT OF DEFENSE INFORMATION NETWORK—ARMY (DODIN-A)
1. Background.
a. The Secretary of Defense (SecDef) establishes the Directive Authority for
Cyberspace Operations (DACO) to direct Department of Defense (DoD) components for
the effective functioning and defense of the entire DoDIN. See CJCS EXORD to
Implement Updated Cyberspace Operations Command and Control (1 FEB 2016).
b. Army Cyber Command (ARCYBER) exercises DACO authority as delegated by
the SecDef and USCYBERCOM. See USCYBERCOM OPORD 16-0139,
Implementation of Updated Cyberspace Operations Command and Control
Framework—Delegation of DACO (6 SEP 2016).
c. ARCYBER delegates to Network Enterprise Technology Command (NETCOM)
the responsibility for coordination, synchronization, and execution of DoDIN-A
operations. ARCYBER delegates DACO authorities to the Commanding General,
NETCOM. NETCOM Regional Cyber Centers (RCCs) execute operational control over
DODIN-A. See ARCYBER OPORD 2018-264: Delineation of DoDIN Operations
Responsibilities (29 OCT 2019) and FRAGOs 1-3.
d. DoDIN-A includes the Non-classified Internet Protocol Router Network
(NIPRNet), the Secret Internet Protocol Router Network (SIPRNet), Army-affiliated
portions of the unclassified and classified Defense Research and Engineering Network
(DREN and SDREN, respectively), Army data centers and cloud instances, Army
Information Technologies/Control Systems (IT/CS), Army Critical Infrastructure and Key
Resources (CI/KR), Army educational networks and commercial networks, and clouds
where Army data is stored. See ARCYBER OPORD 2018-264: Delineation of DoDIN
Operations Responsibilities (29 OCT 2019). ARCYBER OPORD 2022-003 further
defines the DoDIN Area of Operations by adding Closed-Restricted Networks (CRNs),
stand-alone systems, and networks and systems that rely on commercially provided
connectivity.
e. In support of the Army Unified Network Plan (AUNP), HQDA EXORD 166-19
directs Army to converge and optimize all disparate organizational networks into a
single Integrated Enterprise Network (IEN) under the Command and Control (C2) and
governance of ARCYBER. To increase network visibility and security, and to set
conditions to complete Organizational Network (ORGNET) convergence, FRAGO 1 to
EXORD 166-19 directs Operational Control (OPCON) of remaining Directorates of
Information Management (DOIMs), Network Enterprise Centers (NECs), Network
Operations Centers (NOCs), and RCCs (for example, those of Army Materiel Command
(AMC), United States Army Reserve Command (USARC) and the Army National Guard
(ARNG)) to ARCYBER. For this FRAGO, OPCON is defined as the authority to issue
and enforce implementation or direction concerning Army DoDIN Operations, which
includes actions taken to secure, configure, operate, extend, and maintain Army
networks and to create and preserve the confidentiality, availability, and integrity of the
DoDIN-A.
f. The Authorizing Official (AO) is a senior official or executive with the authority to
formally assume responsibility and accountability for operating a system; providing
common controls inherited by organizational systems; or using a system, service, or
application from an external provider. The AO is the only organizational official who can
accept the security and privacy risk to organizational operations, organizational assets,
and individuals. AOs typically have budgetary oversight for the system or are
responsible for the mission and/or business operations supported by the system.
Accordingly, AOs are in management positions with a level of authority commensurate
with understanding and accepting such security and privacy risks. AOs approve plans,
memorandums of agreement or understanding, plans of action and milestones, and
determine whether significant changes in the information systems or environments of
operation require reauthorization.
g. An AO is a General Officer (GO), Senior Executive Service (SES), or equivalent,
appointed by the Army CIO, with the authority to formally assume responsibility for
operating DoD information systems or Platform IT (PIT) systems at an acceptable level
of risk to organizational operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, and the Nation. (Enclosure 1,
references e and f).
2. Major AO Roles and Responsibilities.
a. AOs coordinate their activities with common control providers, system owners,
chief information officers, senior agency information security officers, senior agency
officials for privacy, system security and privacy officers, control assessors, senior
accountable officials for risk management/risk executive (function), and other interested
parties during the authorization process. AOs are responsible and accountable for
ensuring that authorization activities and functions that are delegated to AO Designated
Representatives are carried out as specified. For federal agencies, the role of AO is an
inherent U.S. Government function and is assigned to government personnel only.
b. The AO identifies cybersecurity requirements and includes them throughout the
network and system lifecycle, including acquisition, design, development,
developmental testing, operational testing, integration, implementation, operation,
upgrade, and replacement.
c. AR 25-2 authorizes the Army Chief Information Officer (CIO) to appoint AOs on
behalf of the Secretary of the Army. As such, the Army CIO is the appointing authority
for AOs across the Army (see Enclosure 1, reference e). The Army CIO will remain
cognizant of and accountable for any and all actions taken pursuant to the delegation of
AO authority and will comply with DoD and Federal Information Security Modernization
Act (FISMA) of 2014 requirements in appointing AOs for systems under their purview.
Army AOs will comply with DACO orders or directives for the security, operations, and
defense of the DoDIN-A. The Office of the Chief Information Officer (OCIO) is updating
AR 25-2 and prescribes the following DoDIN-A AO and Network AO roles and
responsibilities for inclusion in the revised AR 25-2, to comply with higher-level policies
and procedures that reflect the changing cybersecurity environment.
d. Creating the DoDIN-A AO and Network AO (NAO) roles codifies the relationships
between the System AO (SAO), System Owner (SO), Program Information Systems
Security Manager (P-ISSM), and ARCYBER/NETCOM DACO authority. The speed and
scope of threats are growing; therefore, collaboration between the DoDIN-A AO
and the NAO is essential for increasing the ability to see the real risk to the DoDIN-A. The
Army CIO, DCS G-6, and ARCYBER/NETCOM have partnered to re-scope the AO roles
and responsibilities, which drove the re-articulation of the DoDIN-A AO and NAO roles in
support of the strategic alignment and transformational changes supporting RMF
Modernization. To synchronize with the DACO, Army guidance will reflect the following
types of AO:
(1) DoDIN-A Authorizing Official: The DoDIN-A AO is the Senior Official
responsible for balancing the risk to the DoDIN-A presented by connecting and
operating an information system or platform information technology system to the
DoDIN-A as a whole. The Army CIO will designate in writing the Commanding General,
NETCOM as the DoDIN-A AO. The DoDIN-A AO:
(a) Nominates the NAO.
(b) Sets criteria and conditions for systems to operate on the network from initial
acceptance through continuous monitoring.
(c) Will have final approval over a system’s Army Authority to Connect (ATC)
when the System Owner has deviated from the NETCOM Security Control Assessor’s
recommendation.
(d) When a high or very high risk is identified that cannot be remediated or
mitigated by the System Owner, the ARCYBER Cybersecurity Risk Assessment
Management Program (CyRAMP) will be executed. If through the CyRAMP, the residual
risk remains high or very high, the Army Cyber Risk Management Council (ACRMC) will
be convened with critical stakeholders to provide threat-informed, risk recommendations
for decision. The ACRMC is a 3-Star forum co-chaired by the Army CIO and Deputy
Chief of Staff (DCS) G-3/5/7.
(2) Network Authorizing Official: The NAO is responsible for network
cybersecurity and the execution of USCYBERCOM cybersecurity orders. The NAO is a
Senior Official responsible for approving network connections to the DoDIN-A under the
authority of, and in accordance with the criteria and conditions specified by, the
DoDIN-A AO. A NAO balances the cybersecurity risks present in connecting an
information system to a defined DoDIN-A network against the operational risk to the
mission if the system is not allowed to connect. A NAO differs from an AO in that the
NAO considers the risk to the network as a whole, inclusive of global DoDIN Cyber
Threat Intelligence, in issuing an Army Authority to Connect (ATC). A NAO shall be an
individual in a position that can formally assume responsibility for accepting a risk. The
Army CIO will appoint the NAO in writing when deemed necessary. The NAO:
(a) Shall meet the AO requirements per AR 25-2 and DA PAM 25-2-12.
(b) Operates under the direction of the DoDIN-A AO.
(c) Operationalizes the Army ATC process as defined by the DoDIN-A AO.
(d) May serve as an AO per AR 25-2 and DA PAM 25-2-12 for systems under
their purview.
(e) Reviews the Control Assessor (CA) risk assessment, recommendation, and
all applicable system artifacts before granting an Army ATC.
(f) Manages network resources for network cybersecurity operations under their
area of operation.
(g) Ensures network services are provided to systems necessary to operate on
the DoDIN-A.
(h) Identifies caveats, terms and conditions, and subsequent mitigation actions
for system owners, based on threat.
(i) Executes cybersecurity functions during operations in accordance with
DACO.
(j) Is accountable for working with AOs to oversee the balancing of risk
between mission, network cybersecurity, and system cybersecurity by applying
network cybersecurity capabilities and limiting system exposure.
(3) Defense Research and Engineering Network (DREN) NAO: The NAO
responsible for granting ATCs for all systems operating on the Army-affiliated portions of
the DREN and SDREN (unclassified and classified, respectively) is the 7th Signal
Command (Theater) (7th SC(T)) AO. Each SAO will continue to manage their system
ATOs accordingly.
3. Send questions regarding these roles and responsibilities to the point of contact
identified on the cover memorandum to this enclosure.