https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN43727-PPM_CIO-067-000-WEB-1.pdf
DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-RI-067
SAIS-CS (25-1rrrr) 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Risk Management Framework Entrance Criteria Guidance
1. References. See enclosure.
2. Purpose. To assist the Army cybersecurity community with the Risk Management
Framework (RMF) categorization process (also known as Entrance Criteria) by
providing simple definitions for information technology (IT) types, using case scenarios
to distinguish between Assess and Authorize (A&A) and Assess Only, and
setting specific date time groups (DTGs) to improve authorization/approval tracking
within each required system of record. This effort aligns with the plan to improve the
operability of RMF and cybersecurity requirements, protecting the Army's investment
while keeping pace with the evolving environment.
3. Definitions. To ensure standardization, definitions are taken from CNSSI 4009, the
National Information Assurance Glossary, for National Security Systems (NSS) and from
the Computer Security Resource Center (CSRC) glossary (https://csrc.nist.gov/glossary)
for non-NSS.
a. Hardware. The material physical components of an information system.
b. Software. Computer programs (which are stored in and executed by computer
hardware) and associated data (which also is stored in the hardware) that may be
dynamically written or modified during execution.
c. Enclave. A set of system resources that operate in the same security domain
and that share the protection of a single, common, continuous security perimeter.
d. System. Any organized assembly of resources and procedures united and
regulated by interaction or interdependence to accomplish a set of specific functions.
e. Platform. Hardware and software that are physically part of, dedicated to, or
essential in real time to the mission performance of special purpose systems (a term
used within the Acquisition community).
f. Application. A software program hosted by an information system.
g. Operational Technology (OT). Programmable systems or devices that interact
with the physical environment (or manage devices that interact with the physical
environment).
4. Policy.
a. Information systems as defined by Title 44 U.S.C. § 3552 (discrete set of
information resources organized for the collection, processing, maintenance, use,
sharing, dissemination, or disposition of information) will require an Authorization to
Operate (ATO) via the RMF A&A Process.
(1) Use Case 1: Applications that require special management oversight and are
considered major because of their complexity and the information they contain.
Examples include: a single software application (e.g., integrated consumable
items support); multiple software applications related to a single mission (e.g., payroll or
personnel); or a combination of software and hardware performing a specific support
function across a range of missions (e.g., Global Command and Control System,
Defense Travel System, Defense Enrollment Eligibility Reporting System).
(2) Use Case 2: A local area network (LAN) with smart terminals supporting a
branch office, an agency-wide backbone, a communications network, a departmental
data processing center including its operating system and utilities, a tactical radio
network, or a shared information processing service organization.
b. IT below the system level does not require a unique ATO via the A&A process
but still requires its cybersecurity requirements to be identified, implemented, and
assessed through the Assess Only process.
(1) Use Case 3: Commercial-off-the-shelf (COTS) applications, government-off-
the-shelf (GOTS) applications, managed mobile applications, or open-source software
items.
c. Technology previously assessed under a capability-specific policy is integrated
into an existing authorization boundary as part of the larger system's authorization
baseline; it is re-assessed as necessary and authorized as part of that system.
(1) Use Case 4: A radio that has completed the National Security Agency (NSA)
certification process and Supply Chain Risk Management (SCRM) processes, has been
approved and incorporated into an authorized Enclave through the Enclave's change
management process, and has been added to that Enclave's authorization record
using an eMASS change request workflow.
d. Components of technology whose risk is assessed through another process do not
require an A&A or Assess Only as defined by RMF procedures.
(1) Use Case 5: A hardware component (e.g., modem, antenna, or power
supply) that does not host or process information, has no applicable security controls
per RMF applicability guidance, and is vetted through Supply Chain Risk Management
(SCRM) processes. The component is incorporated into an authorized Enclave via the
enclave’s change management procedures without requiring an RMF Assess Only or
A&A.
e. For any cloud-based instances, refer to the Army Risk Management Framework
for Cloud Assessment and Authorization Implementation policy memo (reference i) and
the Cloud Risk Management Framework (RMF) A&A Process.
f. For any additional definitions and processes, refer to each respective regulatory
document mentioned within the references (see enclosure).
5. Direction.
a. The Deputy Chief of Staff, G-6 will:
(1) Complete a crosswalk between the Army Portfolio Management Solution
(APMS) and enterprise Mission Assurance Support Service (eMASS) to ensure
standardization NLT 30 April 2025.
(2) Develop and execute a training plan to ensure standardization and
continuous effort increasing the cybersecurity workforce skill set and knowledge across
the Army no later than 31 March 2025.
b. The Army CISO will direct Network Enterprise Technology Command (NETCOM) to:
(1) Decommission all eMASS records that have shown no activity at or beyond
Step 3 (Implementation) of the RMF process for 90 days or more, NLT 02 June 2025.
(2) Delete all eMASS records that remain decommissioned for an additional 90
days, NLT 02 September 2025.
6. Effective Date: This memorandum is effective immediately until rescinded.
7. Points of contact:
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. Ms. Suzanne Rodriguez at suzanne.p.rodriguez.civ@army.mil.
c. CISO Team: usarmy.pentagon.hqda-cio-g-6.mbx.rmf-team@army.mil.
Encl

LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
ENCLOSURE
REFERENCES
a. Committee on National Security Systems (CNSS) Glossary (No. 4009)
b. Title 44 U.S.C. § 3552
c. NIST SP 800-53 Rev. 5 (Security and Privacy Controls for Information Systems
and Organizations)
d. DoDI 8500.01 (Cybersecurity)
e. DoD Risk Management Framework Knowledge Site (RMF KS):
https://rmfks.osd.mil/rmf/Pages/default.aspx
f. AR 25-1 (Army Information Technology)
g. AR 25-2 (Army Cybersecurity)
h. DA Pamphlet 25-2-14 (Risk Management Framework for Army Information
Technology)
i. CIO memorandum (Army Risk Management Framework for Cloud Assessment
and Authorization Implementation), 30 September 2024