Monday, April 14, 2025

PPM CIO-070 CYBERSECURITY SERVICE PROVIDERS ALIGNMENT GUIDANCE

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN43551-PPM_CIO-070-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC
CS-SEC-SC-070
SAIS-CS (25-1rrrr) 14 April 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Cybersecurity Service Providers Alignment Guidance
1. References.
a. AR 25-2 (Army Cybersecurity).
b. DoD Manual 8530.01 (Cybersecurity Activities Support Procedures).
c. DoD Instruction 8530.01 (Cybersecurity Activities Support to DoD Information
Network Operations).
d. Office of Management and Budget Memorandum M-21-31 (Improving the Federal
Government’s Investigative and Remediation Capabilities Related to Cybersecurity
Incidents), 27 August 2022.
e. DoD Instruction 8500.01 (Cybersecurity).
2. Purpose. This policy establishes the strategic guidance and requirements for system
owners (SOs) to use certified and authorized Cybersecurity Service Providers (CSSP)
across the Army’s Unified Network. Its intent is to maintain a secure and compliant
cybersecurity posture in alignment with Department of Defense (DoD) and Department
of the Army (DA) directives, regulations, and instructions.
3. Applicability.
a. Per AR 25-2, para 2-7, the Army Chief Information Officer (CIO), on behalf of the
Secretary of the Army, establishes policy, resourcing, and oversight of the Army
Cybersecurity Program. This policy memorandum meets provisions outlined in AR 25-2,
para 1-8, where the Army CIO, when needed, will issue policy memoranda to amplify
guidance for the policies in AR 25-2.
b. This policy memorandum applies to Principal Officials, Headquarters, Department
of the Army (HQDA) elements; Army Commands (ACOM); Army Service Component
Commands (ASCC); Direct Reporting Units (DRU); Senior Leaders of Agencies and
Activities; Program Executive Offices (PEO); and the Reserve Component of the Army
National Guard (ARNG).
c. This policy memorandum applies to all Army systems and system components
that receive, process, store, display, monitor, control, or transmit information or data
throughout the entire system development lifecycle. This includes systems supporting
research, development, test, and evaluation and Army-controlled systems operated by a
contractor or other entity on behalf of the Army.
d. This policy does not apply to special access programs (unless directed by the
authorizing official) or to the top secret/sensitive compartmented information network or
joint worldwide intelligence communications system.
4. Background.
a. The DoD establishes its organizational paradigm for cybersecurity service
delivery through US Cyber Command, Joint Forces Headquarters DoD Information
Network (JFHQ DODIN) and the DoD CIO.
b. The DoD defines cybersecurity entities as DoD components or subcomponents
responsible for providing one or more cybersecurity services internally or externally on
behalf of their component.
c. The DoD defines a CSSP as a JFHQ-DODIN certified cybersecurity entity
required to monitor its DoD Component’s aligned portion of DODIN cyber terrain 24
hours a day, 365 days a year as well as providing DoD required Identify, Protect,
Detect, Respond, and Recover cybersecurity services.
5. Policy. Effective immediately:
a. In accordance with DoD Manual 8530.01 (Cybersecurity Activities Support
Procedures), systems as outlined in para 3.c. of this memo must align to a certified and
authorized CSSP.
b. Army Cyber Command (ARCYBER) and Army Command, Control,
Communications, Computers, Cyber, Intelligence, Surveillance and Reconnaissance
(C5ISR) Center are the only two certified and authorized CSSPs in the Army.
ARCYBER has first right of refusal for providing CSSP services. As such, organizations
must first coordinate required services through ARCYBER unless the service in
question has been delegated further. ARCYBER will refer organizations to C5ISR for
any services they are unable to provide.
(1) The Commanding General, ARCYBER serves as the Army’s appointed
Directive Authority for Cyberspace Operations (DACO) and provides CSSP general
services in accordance with AR 25-2 and the CSSP services table in the enclosure.
(2) In accordance with the DACO, C5ISR CSSP executes services and functions
for Army owned and operated systems in commercial and private cloud environments,
the Defense Research and Engineering Network (DREN)/Secret DREN (SDREN), and
Army-sponsored Cleared Defense Contractor (CDC) sites as delegated by ARCYBER.
C5ISR may also provide CSSP services to Non-classified Internet Protocol Router
Network (NIPR) and Secret Internet Protocol Router Network (SIPR) environments. See
the CSSP services table in the enclosure for more information.
(3) Army organizations must use ARCYBER or C5ISR for CSSP services,
provided they can support the requirement. Any CSSP service that neither ARCYBER
nor C5ISR can support must be coordinated through ARCYBER.
(4) Army organizations must budget appropriately for CSSP services, as the
availability of centralized funding will depend on the organization and the configuration
of their systems.
c. SOs must document CSSP alignment in required authorization packages and in
the Enterprise Mission Assurance Support Service. SOs must comply with all
cybersecurity reporting requirements mandated by the CSSP, including but not limited
to security incidents, breaches, and vulnerabilities.
d. In accordance with DoD Instruction (DoDI) 8530.01 (Cybersecurity Activities
Support to DoD Information Network Operations), systems without DoDIN connectivity
(to include systems on closed restricted networks) must align to a certified and
authorized CSSP.
(1) In accordance with DoDI 8530.01, SOs of these systems and enclaves must
have processes in place to receive orders and directives, report compliance, and
exchange information and reporting on the security status of the system or enclave to
their respective CSSP.
(2) SOs will contact ARCYBER to determine if existing configurations are suitable
for immediate services or if hardware and/or configuration changes are required.
e. The CSSP will work with the SO to assign a tier level and the logging standards
based upon mission criticality of the system(s) in accordance with Office of
Management and Budget memorandum M-21-31 (Improving the Federal Government’s
Investigative and Remediation Capabilities Related to Cybersecurity Incidents).
6. Exception requests. Requests for exceptions to the requirements contained in this
policy will be documented and submitted to the Army CIO. Exception requests must
include justification (including cost and mission impacts), and each request will be
adjudicated based upon cybersecurity risk.
7. The OCIO Cybersecurity Directorate (SAIS-CS) will review this policy annually for
update, rescission, or inclusion in Army regulation as appropriate.
8. Points of contact.
a. For policy questions: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil
b. For ARCYBER CSSP subscriber engagement and support, contact G36 Cyber
Risk and Assessments: arcyber-g36-cssp@army.mil
c. For C5ISR Center CSSP subscriber engagement and support, contact the CSSP
Mission Support Team: usarmy.apg.devcom-c5isr.mesg.esi-csd-dcs-mission-support@army.mil.
d. SAIS-CS Director: BG Urbi Lewis, urbi.n.lewis.mil@army.mil.
e. SAIS-CSP policy team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
Encl
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
CSSP Services Table
Cybersecurity Activities
Must Be Performed By
CSSP Alignment (ARCYBER, C5ISR):
On-Prem: NIPR, SIPR
Cloud (IaaS, PaaS, SaaS): IL 2, IL 4/5, IL 6
On-Prem (DREN/SDREN, CDC)
Identify
Vulnerability Assessment and Analysis (VAA)
External
Vulnerability Scans
(EVS)
3rd party,
SO, or
CSSP
o o o o o o
Web Vulnerability
Scans (WVS)
3rd party,
SO, or
CSSP
External Assessment
DoD Cyber Red
Team (DCRT)
Operations
SO or
CSSP o o o o
Non-DCRT Cyber
Assessment Team
Operations
3rd party,
SO, or
CSSP
o o
Penetration
Testing
3rd party,
SO, or
CSSP
o o o o
Intrusion
Assessment
3rd party,
SO, or
CSSP
o o o o o o
Protect
Vulnerability Management Maintenance
Apply DoD
required security
configurations
3rd party,
SO, or
CSSP
o o o o o o
Perform actions to
mitigate potential
vulnerabilities or
threats
3rd party,
SO, or
CSSP
o o o o o o
Monitor
Vulnerability
Management
Compliance
3rd party,
SO, or
CSSP
Awareness and
Training
3rd party,
SO, or
CSSP
o o o o o o
Endpoint Security
Capabilities
3rd party,
SO, or
CSSP
Malware Protection
3rd party,
SO, or
CSSP
Attack Sensing and Warning (AS&W) for Anomalous Events
AS&W for
Boundary
Cyberspace
Protection (BCP)
Functions
SO or
CSSP N/A N/A N/A N/A
AS&W at the
Application
3rd party,
SO, or
CSSP
Warning
Intelligence
SO or
CSSP
Information Security Continuous Monitoring (ISCM)
Maintain
continuous visibility
into endpoint
devices
3rd party,
SO, or
CSSP
Correlate asset
and vulnerability
data with threat
data
CSSP
Only
Malware
Notification
CSSP
Only
Detect
Detection Processes
24x7 Network
Security Monitoring
and Intrusion
Detection for IAP
or BCAP Functions
SO or
CSSP N/A N/A N/A N/A
24x7 Network
Security Monitoring
and Intrusion
Detection for
Enclave/Perimeter
Functions
(ingress/egress)
CSSP
Only
24x7 Internal
Network and
Security Monitoring
3rd party,
SO, or
CSSP
24x7 Endpoint
Security Monitoring
3rd party,
SO, or
CSSP
DODIN User Activity Monitoring (UAM) for DoD Insider Threat Program
Employ UAM
capabilities to
detect anomalous
insider activity
3rd Party,
SO, or
CSSP N/A o o o o
(IL6: SO or
CSSP)
Maintain insider
threat audit data
3rd party,
SO, or
CSSP
N/A o o o o
Correlate insider
threat audit data
with Component
Insider Threat
Programs
SO or
CSSP N/A o o o o
Cyber Protection Condition (CPCON) and Orders (e.g., TASKORD, OPORD,
FRAGORD)
CPCON and
Orders Notification
CSSP
Only
CPCON and
Orders
Implementation
3rd party,
SO, or
CSSP
o o o o o o
CPCON and
Orders Assistance
CSSP
Only
Respond
Event & Incident Management
Incident
Categorization
CSSP
Only
Incident Reporting CSSP
Only
Incident Handling
Response
3rd party,
SO, or
CSSP
o o o o
Incident Response
– Law
Enforcement (LE)
support
CSSP
Only
Incident Response
– Counterintelligence
(CI) support
CSSP
Only
Incident Response
– Analysis
CSSP
Only
KEY
available
required)