Monday, April 28, 2025

PPM CIO-069 BUSINESS SYSTEM APPLICATION LAYER AUDIT LOG POLICY

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN43921-PPM_CIO-069-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-SC-069
SAIS-CS (25-1rrrr) 28 April 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Business System Application Layer Audit Log Policy
1. References. See Enclosure 1.
2. Purpose. This memorandum provides policy and amplifying guidance on generating
audit logs for Army business applications. The purpose is to identify anomalous activities
and assist in post-incident security investigations.
3. Applicability.
a. In accordance with Army Regulation (AR) 25-2, para 2-7, the Army Chief
Information Officer (CIO), on behalf of the Secretary of the Army, establishes policy,
resourcing, and oversight of the Army Cybersecurity Program. This policy memorandum
meets provisions outlined in AR 25-2, para 1-8, stating that the Army CIO, when
needed, will issue policy memoranda to augment or clarify the policies in AR 25-2.
b. This applies to all Army business systems that reside on and off Army networks.
This memorandum serves to clarify the policy regarding audit logging to support the
analysis process for business systems within the Department of the Army.
4. Background.
a. An Army business system is a type of information technology system used by the
U.S. Army to manage its business operations and processes. These systems are
designed to support various administrative and logistical functions, such as financial
systems, financial data feeder systems, contracting systems, logistics systems, planning
and budgeting systems, installations management systems, human resources
management systems, and training and readiness systems, and other essential
business activities. The goal of these systems is to improve efficiency, accuracy, and
effectiveness in managing the Army's resources and operations. Ensuring their
reliability, integrity, and security is crucial for maintaining operational advantage.
b. Opportunities exist to enhance application layer auditing capabilities for Army
business systems. By enhancing these capabilities, the Army can achieve greater
visibility to support continuous monitoring, assessment, and response to security
threats. The Army's implementation of various security measures, including audit
logging and security information and event management (SIEM) systems, has set a
foundation for continued improvement. The Army must leverage emerging technologies
and best practices to enable comprehensive visibility and analytics capabilities.
c. Application layer audit logging refers to the creation of transactional event logs
that record person and non-person entity (NPE)-initiated actions and changes within an
application, linking each transaction to a specific persona for accountability and
analysis.
d. The complexity of Army business systems, with their diverse functionalities and
intricate workflows, results in vast and multifaceted logs. Each log entry may contain
critical information about user actions, system changes, and potential security events,
but without proper context and understanding, this data can be overwhelming. Skilled
analysts are needed to identify patterns, detect anomalies, and correlate events across
systems to provide meaningful insights. This expertise ensures that monitoring is
comprehensive and actionable, enabling the Army to respond swiftly to potential threats
and maintain the integrity and security of its operations.
e. This memorandum provides a proactive approach to ensuring the security and
integrity of Army business applications by providing clear and actionable direction on
audit logging requirements.
5. Policy.
a. Standard Audit Log Events and Attributes: Organizations that own and operate
Army Business Systems must configure business applications to generate application
layer audit logs containing standard events and attributes as defined in the Auditable
Events Standard (Enclosure 2). This may be achieved using vendor-provided logs when
appropriate. This requirement is in addition to any requirements specified for other
elements of the application stack and subsystems (e.g., application server, web server,
database server, operating system).
b. Application Log Routing: Application logs must be routed to the Army's Unified
SIEM (U-SIEM) system in a timely and accurate manner in accordance with reference b
of this memorandum.
c. The U-SIEM proponent must work with the United States Army Cyber
Command (ARCYBER), the Assistant Secretary of the Army (Acquisition, Logistics, and
Technology) (ASA(ALT)), Development Command (DEVCOM), and other Army
Business System Owners to establish the governance and the technical capabilities
that ensure application logs can be identified, transmitted, and validated within the
U-SIEM environment.
d. Business System SIEM Transition Planning: Organizations that own and operate
Army Business Systems must develop, within 120 days of the signing of this
memorandum, a transition plan to move to the Army's U-SIEM system. The plan should
include a timeline, coordination and alignment details, and required resources.
6. Implementation.
a. HQDA Deputy Chief of Staff G-6 will drive coordination between Army business
system owners, Army Cyber Command, designated cybersecurity service providers,
and the U-SIEM management office to ensure the U-SIEM capability is suitable and
sufficient to meet the requirement stated in paragraph 5.
b. System owners are responsible for ensuring compliance with this policy and any
future updates.
c. The system/program authorizing official (AO) must examine the plan of action
and milestones entry, validate the proposed resolution, weigh the risk, and decide
whether to accept the risk until the weakness can be resolved. To meet the intent of this
policy memorandum, the AO may direct a more aggressive resolution.
7. Exception Request. Requests for exceptions to the requirements contained in this
policy will be documented and submitted to the Army CIO (see paragraph 9). Exception
requests must provide a detailed justification to include cost and mission impacts, and
each request will be adjudicated based upon cybersecurity risk to the Business System
and the DoDIN-A enterprise.
8. Expiration and review. This policy is effective immediately and remains in effect until
superseded or rescinded. The Army CISO will annually review this policy for update no
later than 1 October of each calendar year.
9. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil
b. Audit log routing to ARCYBER: ARCYBER-G36-UNO@army.mil
c. SAIS-CS Director: BG Urbi Lewis, CISO, urbi.n.lewis.mil@army.mil
d. SAIS-CSP Policy Team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil
Encls

Digitally signed by GARCIGA.LEONEL.T.1186170411
Date: 2025.04.28 09:32:10 -04'00'

LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION: (see next page)
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
REFERENCES
a. AR 25-2 (Army Cybersecurity)
b. Army CIO memorandum ((CUI) Business System Log Data Ingest to Army
Enterprise Unified Security Information and Event Management and Gabriel Nimbus),
17 November 2023
c. Office of Management and Budget memorandum M-21-31 (Improving the Federal
Government's Investigative and Remediation Capabilities Related to Cybersecurity
Incidents), 21 August 2021
d. NIST Special Publication 800-53 Revision 5 (Security and Privacy Controls for
Information Systems and Organizations), September 2020
e. DoD 5000.75 (Business Systems Requirements and Acquisition)
f. DoD 7000.14-R (Financial Management Regulation)
g. DoDI 8520.04 (Access Management for DoD Information Systems)
h. DoD Instruction 8510.01 (Risk Management Framework for DoD Systems)
i. AR 25-1 (Army Information Technology)
j. AR 380-5 (Army Information Security Program)
k. HQDA EXORD 211-22 (Army Support to Defensive Cyberspace)
l. HQDA EXORD 056-022, FRAGO 3 (Army Unified Network Plan)
Enclosure 1

Enclosure 2
Army Business Systems Application Layer Auditable Events Standard
1. Auditable Events
(U) The following tables represent a superset of auditable event types for Army
business applications. The events, represented as target:action pairs, are aligned with
Annex E to EXORD 056-22 ISO AUNP, Data Artifact Definitions and Retention Policy
and OMB M-21-31 auditable event requirements. Not all event types will be applicable
to all business applications. In accordance with DoDI 8520.04, “system owners in
conjunction with IT resource owners must… define logging function requirements” and
logs will include “all successful and unsuccessful requests to access identified IT
resources.” Accordingly, system owners will identify the events that are applicable to the
business application and document the implementation as an element of their
authorization package. If the target:action pair is representative of a use case of the
application, the event should be considered mandatory for the baseline audit logging
requirements.
Note: Logs should not contain Law Enforcement Sensitive (LES) information and should
limit any personally identifiable information (PII) other than the required user / entity
information for the minimum necessary to meet the purpose(s) of the auditable event.
Account Management
Account Management activities pertain to events associated with person and
non-person entity accounts. These events are applicable only when the account
management is performed within the application boundary.
Event (Target:Action) | Description
Account: View | Examining an account or profile
Account: Add | Creation of an account
Account: Modify | Changing aspects / attributes of an account
Account: Delete | Removal of an account
Account: Lock | Temporary inactivation of an account
Account: Unlock | Enabling an account following a temporary inactivation
Group/Role Management

Group/Role Management activities pertain to events associated with groups and
roles. These events are applicable only when group/role management is
performed within the application boundary.

Event (Target:Action) | Description
Group/Role: View | Examining a group/role
Group/Role: Add | Creation of a group/role
Group/Role: Modify | Changing aspects / attributes of a group/role
Group/Role: Delete | Removal of a group/role
Entity Access Control
Entity Access Control events describe the activities associated with identity
verification (e.g., password, pin, certificate) and granting of access to systems and
resources. These events are applicable only when the access control event is
performed within the application boundary.
Event (Target:Action) | Description
Entity: Authenticate | Verification of the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.
Entity: Logon | Presentation of a credential or token for the purpose of instantiating a new session on a system or application.
Entity: Logoff | Termination of a user session.
Object / Resource Activity
Object / Resource Activity events describe activities associated with an object by a
user or non-person entity (NPE). Objects are “passive system-related entities,
including devices, files, records, tables, processes, programs, and domains that
contain or receive information.” (NIST SP 800-53 Revision 5, Security and Privacy
Controls for Information Systems and Organizations). These events are applicable
only when the event is performed within the application boundary. Objects should
be defined in the context of the application / workload.
Event (Target:Action) | Description
Object: View / Access | Read / open action on an object.
Object: Create | Generation of a new instance of an object.
Object: Delete | Erasure of an instance of an object.
Object: Modify | Change of state of an object.
Object: Restore | Recovery or return of an object to a previous state.
Object: Print | Execution of the print command. Includes print to file, e.g., PDF.
Object: Download | Retrieval of an object from an external information system (IS), often via network connection.
Object: Export | Transmission of an object from one IS to another, typically for use outside the original IS.
Object: Move | Transmission of an object to/from an IS. Includes between systems and to/from external devices/media. May include intra-IS moves for large/distributed systems.
Object: Import / Upload | Transmission of an object from a local system to another IS (e.g., remote server or cloud service) or from one IS to another, often via network connection.
Object: Ownership Modification | Change of object ownership or assignment.
Object: Permission Modification | Change of object access permissions (e.g., access control list).
Application / Process

Application events describe activities associated with physical or virtual systems
as well as applications and processes operating within systems. These events are
applicable only when the event is performed within the application boundary.

Event (Target:Action) | Description
Application: Search/Query | Execution of a search/query function.
2. Event Attributes
(U) The table below provides a set of required event log attributes for auditable events
generated by an Army business application aligned with Annex E to EXORD 056-22
ISO AUNP, Data Artifact Definitions and Retention Policy and OMB M-21-31.
Application audit logging must be contextual and consistent and use organizational
standards to enable logged event data to be effectively consumed, correlated, analyzed,
managed, and shared as appropriate.
Attribute Category | Attribute Name | Descriptor
Event Information | Date / Time | YYYY-MM-DDThh:mm:ss.mmmZ (Zulu, UTC+0) or YYYY-MM-DDThh:mm:ss.mmm+04:00 (UTC+4). This format is based on both International Standards Organization (ISO) 8601 and Request For Change (RFC) 3339: Date and Time on the Internet: Timestamps. Software developed must include log timestamps for each event in accordance with these requirements.
Event Information | Unique ID | Unique log message identifier (ID).
Event Information | Event / Action Type | Standardized type identifier for the action.
Event Information | Action Result | Result of the action, e.g., success, failure, grant, deny.
Event Information | Status Code/Message | Details about the event, e.g., authorization details.
Event Information | Session / Transaction ID | Application-generated session ID.
Event Information | Security Attributes | Security markings for the event log.
Application Metadata | Application Name | Application name.
Application Metadata | Application Version | Application version.
Application Metadata | Application Owner Agency | Application owner agency, organization.
Application Metadata | Application URL | Application Uniform Resource Locator (URL).
Application Metadata | Application Confidentiality | Highest sensitivity/classification of the application.
User / Entity Information | Unique Identifier | Use globally unique identifier, where feasible (e.g., public key distinguished name); include unique ID for non-person entities (NPEs) and processes.
User / Entity Information | Entity Organization | Person/NPE organizational affiliation.
User / Entity Information | Source IP Address | Source address where the action originated.
User / Entity Information | Entity Role, Type | General user, power user, administrator, NPE.
Resource Acting Upon | Type of Object | Type identifier of the object that was the action target, e.g., file, object, user account.
Resource Acting Upon | Object Name | Name of object accessed.
Resource Acting Upon | Object Description | Summary / description of object accessed.
Resource Acting Upon | Object Classification | Object sensitivity / classification.
Resource Acting Upon | Object Location | Object URL.
Resource Acting Upon | Destination IP Address | IP address for the action target. IPv4 and/or IPv6.
Resource Acting Upon | Hostname of Server | Server fully qualified domain name (FQDN).
Resource Acting Upon | Resource ID | Unique ID of the target of the action, as applicable.
Resource Acting Upon | Search Attributes | Search type, search term, search facets.
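The event tables in section 1 and the attribute table in section 2 of this enclosure together describe a record shape: a target:action event type, a millisecond-precision ISO 8601 / RFC 3339 timestamp with an explicit offset, and a fixed set of attributes. The Python below is an added example, not part of the memorandum or of any Army system: it encodes the target:action pairs from the tables, formats and validates timestamps in the two forms the standard gives, and checks a constructed record for the required attributes. The key names, the decision to require the Resource Acting Upon attributes only for Object events and Search Attributes only for Search/Query events, and every sample value are this example's assumptions.

```python
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# target:action pairs from the Auditable Events tables (Enclosure 2, section 1)
AUDITABLE_EVENTS = {
    "Account": {"View", "Add", "Modify", "Delete", "Lock", "Unlock"},
    "Group/Role": {"View", "Add", "Modify", "Delete"},
    "Entity": {"Authenticate", "Logon", "Logoff"},
    "Object": {"View / Access", "Create", "Delete", "Modify", "Restore", "Print",
               "Download", "Export", "Move", "Import / Upload",
               "Ownership Modification", "Permission Modification"},
    "Application": {"Search/Query"},
}

# Attribute names below are this example's choice of keys for the section 2 table
REQUIRED_ATTRIBUTES = (
    "date_time", "unique_id", "event_type", "action_result", "status",   # Event Information
    "session_id", "security_attributes",
    "app_name", "app_version", "app_owner_agency", "app_url",            # Application Metadata
    "app_confidentiality",
    "entity_id", "entity_org", "source_ip", "entity_role",               # User / Entity Information
)
# Resource Acting Upon attributes; assumed here to apply when an Object is the action target
RESOURCE_ATTRIBUTES = (
    "object_type", "object_name", "object_description", "object_classification",
    "object_location", "destination_ip", "server_hostname", "resource_id",
)

# YYYY-MM-DDThh:mm:ss.mmmZ or YYYY-MM-DDThh:mm:ss.mmm+hh:mm (ISO 8601 / RFC 3339, ms precision)
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(Z|[+-]\d{2}:\d{2})$")


def format_timestamp(dt: datetime) -> str:
    """Render a timezone-aware datetime at millisecond precision; UTC is written as 'Z'."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("audit timestamps must carry an explicit UTC offset")
    base = dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}"
    offset = int(dt.utcoffset().total_seconds())
    if offset == 0:
        return base + "Z"
    sign = "+" if offset > 0 else "-"
    hours, minutes = divmod(abs(offset) // 60, 60)
    return f"{base}{sign}{hours:02d}:{minutes:02d}"


def is_valid_timestamp(value: str) -> bool:
    """True only for the two timestamp forms the standard lists."""
    return TIMESTAMP_RE.match(value) is not None


def is_auditable_event(event_type: str) -> bool:
    """event_type is a 'Target:Action' string such as 'Object:Download'."""
    target, sep, action = event_type.partition(":")
    return sep == ":" and action.strip() in AUDITABLE_EVENTS.get(target.strip(), set())


def validate_record(record: dict) -> list:
    """Return the list of problems found; an empty list means the record meets the standard."""
    problems = [f"missing {name}" for name in REQUIRED_ATTRIBUTES if not record.get(name)]
    ts = record.get("date_time")
    if ts and not is_valid_timestamp(str(ts)):
        problems.append("date_time is not in YYYY-MM-DDThh:mm:ss.mmmZ or ...+hh:mm form")
    event_type = record.get("event_type") or ""
    if event_type and not is_auditable_event(event_type):
        problems.append(f"event_type {event_type!r} is not a defined target:action pair")
    if event_type.startswith("Object:"):
        problems += [f"missing {name}" for name in RESOURCE_ATTRIBUTES if not record.get(name)]
    if event_type == "Application:Search/Query" and not record.get("search_attributes"):
        problems.append("missing search_attributes")
    return problems


def new_record(event_type: str, when: datetime, **attrs) -> dict:
    """Assemble a record; the caller supplies application, entity and resource context."""
    record = {"date_time": format_timestamp(when), "unique_id": str(uuid.uuid4()),
              "event_type": event_type}
    record.update(attrs)
    return record


# Constructed sample (hypothetical application, user and object): a file download
SAMPLE_RECORD = new_record(
    "Object:Download", datetime(2025, 4, 28, 13, 32, 10, 123000, tzinfo=timezone.utc),
    action_result="success", status="200 OK", session_id="sess-0001",
    security_attributes="CUI", app_name="ExampleBizApp", app_version="1.4.2",
    app_owner_agency="Example Agency", app_url="https://bizapp.example.org",
    app_confidentiality="CUI", entity_id="CN=DOE.JANE.1234567890",
    entity_org="Example Org", source_ip="10.0.0.5", entity_role="general user",
    object_type="file", object_name="report.pdf", object_description="Quarterly report",
    object_classification="CUI", object_location="https://bizapp.example.org/files/42",
    destination_ip="10.0.0.20", server_hostname="bizapp01.example.org", resource_id="42",
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_RECORD, indent=2))
    print("problems:", validate_record(SAMPLE_RECORD))
```

Running the module prints the sample record as JSON followed by an empty problems list. A record whose timestamp is local time without an offset, or whose event type is not one of the defined pairs, is reported by `validate_record`, which is the kind of check an ingest pipeline can apply before a log is accepted by the SIEM, so that malformed records are caught at the producer rather than discovered during an investigation.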