Friday, May 2, 2025

PPM CIO-073 ARMY CONTROL ASSESSOR ALIGNMENT GUIDANCE

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN43740-PPM_CIO-073-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-GOV-PW-073
SAIS-CS (25-1rrrr) 02 May 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Control Assessor Alignment Guidance
1. References. See enclosure.
2. Purpose. Centrally align all Army Control Assessors (CAs) into one operational
command, ensuring standardization and better streamlining of processes.
3. Background.
a. Current State. Since the Army’s move from the Department of Defense (DoD)
Information Assurance Certification and Accreditation Program (DIACAP) to Risk
Management Framework (RMF), the Army CA role has been divided into four distinct
roles (see reference 1a)—
(1) Security Control Assessor
(2) Security Control Assessor-Representative
(3) Security Control Assessor-Validator
(4) Security Control Assessor-Organization
b. Analysis of Current State. After over a decade of executing the RMF and refining
this program via various efficiency efforts, continuing to divide the CA role in these
distinct functions does not support RMF Modernization. To support a changing effort
with how to best manage CAs in the Army, a data call was completed at the beginning
of Fiscal Year (FY) 25. The data call determined that there are 154 CAs operating in
the Army between Department of the Army Civilians (DACs) and contractors, either on a
core-funded or reimbursable basis for the services provided. The dispersed control of
CAs in the Army is delaying the process, decreasing output, and impacting overall
operations.
4. Guidance.
a. The Army Chief Information Security Officer (CISO) will maintain the
responsibilities identified in reference 1c–e, to include—
(1) Oversight of Army CA activities.
(2) Assessment of the quality, capacity, visibility, and effectiveness of security
assessments, and directing modifications, as necessary.
(3) Development of policy to ensure that the Army security assessment process
remains consistent with DoD policy and guidance.
(4) Adjudication and resolution of RMF control assessment process issues and
concerns that cannot be resolved at the CA level.
b. The Deputy Chief of Staff (DCS) G-6, as the current Management Decision
Package (MDEP) Manager, will—
(1) Allocate all current funding resources applicable to CA support to ARCYBER
and continue this distribution each FY.
(2) Request the Army Budget Office realign decentralized Control Assessor (CA)
funding from Army Commands to Army Cyber Command (ARCYBER) to centrally fund
Army CA in each fiscal year of execution until the Program Objective Memorandum’s
centralized CA funding is established for ARCYBER.
(3) Request DCS G-8 Program Analysis and Evaluation (PA&E) ensure in the
POM cycle the realignment of decentralized CA funding from Army Commands to
ARCYBER to centrally fund Army CA. This funding authority may be delegated from
ARCYBER to NETCOM but no further.
c. DCS, G-6 will ensure training programs are created, delivered, and managed to
support the CA mission, per reference 1c.
d. ARCYBER, in alignment with reference 1f, will maintain delegation as the Army
SCA, with further delegation to Network Enterprise Technology Command (NETCOM),
and provide a plan, not to exceed 90 days, to train and execute the new OPCON
structure of Army CAs upon publication of this memorandum.
e. Previous CA delegation memorandums for Command, Control, Communications,
Computers, Cyber, Intelligence, Surveillance, and Reconnaissance (C5ISR) and
Enterprise Cloud Management Agency (ECMA) (reference 1g and 1h) remain in effect.
C5ISR and ECMA will ensure compliance with any additional instruction received from
the overarching delegation stated per reference 1f.
5. Policy.
a. The Army only has 1 CA role; all Army roles identified in 3.a are converted into the
1 CA role.
b. All CAs report to and receive guidance from the NETCOM Commander, under
the delegated authority of the ARCYBER Commander, as the Army SCA.
6. This memorandum is effective immediately and will stay in effect until it is rescinded.
7. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. CIO RMF Inbox: usarmy.pentagon.hqda-cio-g-6.mbx.rmf-team@army.mil.
c. SAIS-CS: Ms. Suzanne Rodriguez, suzanne.p.rodriguez.civ@army.mil.
Encl
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
REFERENCES
a. DA PAM 25-2-14 (Risk Management Framework for Army Information
Technology)
b. CIO memorandum CS-SEC-RI-053 (Risk Management Framework
Modernization), 21 November 2024
c. AR 25-2 (Army Cybersecurity)
d. DoDI 8510.01 (Risk Management Framework (RMF) for DoD Systems)
e. DoD CISO memorandum (Supporting Guidance on the Reissuance of DoD
Instruction (DoDI) 8510.01, Risk Management Framework (RMF) for DoD Systems),
29 March 2023
f. OCIO memorandum (Army Chief Information Security Officer (CISO) Delegation
of Security Control Assessor (SCA) Role in support of RMF DoD IT),
21 September 2023
g. CIO memorandum (Delegation of Security Control Assessor (SCA) for DEVCOM
Information Systems (IS) to DEVCOM C5ISR), 04 June 2024
h. CIO memorandum (Army Chief Information Security Officer Delegation of Cloud
Security Control Assessor (SCA) Role in support of RMF DoD IT), 09 October 2024
i. NIST SP 800-30, Revision 1 (Guide for Conducting Risk Assessment)
j. NIST SP 800-37, Revision 2 (Risk Management Framework for Information
Systems and Organizations: A System Life Cycle Approach for Security and Privacy)
k. NIST SP 800-53, Revision 5 (Security and Privacy Controls for Information
Systems and Organizations)
l. AGO 2017-07 (Designation of the USARCYBER Command as an ASCC,
Alignment of the Army’s Portion of the Department of Defense Information Network
Roles and Responsibilities, Reassignment of United States Army NETCOM to
USARCYBER Command and Discontinuation of Second Army)
ENCLOSURE