Wednesday, June 4, 2025

PPM CIO-077 POLICY FOR INTERIM ARMY APPROVED PRODUCTS LIST

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN44038-PPM_CIO-077-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-GOV-SC-077
SAIS-CS (25-1rrrr) 4 June 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Policy for Interim Army Approved Products List
1. References.
a. CIO memorandum (CS-GOV-SC-074: Interim Army Approved Products List),
15 May 2025 (hereby superseded).
b. AR 25-2 (Army Cybersecurity).
c. AR 25-1 (Army Information Technology).
2. Purpose. To establish an interim approved products list (APL) solution for use
pending the creation of a validated Army-wide APL. This policy supersedes the
reference 1a memorandum on the same subject.
3. Applicability.
a. Per Army Regulation (AR) 25-2, the Army Chief Information Officer (CIO), on
behalf of the Secretary of the Army, establishes policy, resourcing, and oversight of
Army cybersecurity. This policy memorandum meets provisions outlined in AR 25-2,
para 1-8, where the Army CIO, if applicable, will issue policy memoranda to amplify
guidance for the policies in AR 25-2.
b. This policy governs all non-intelligence security domains and applies to
Headquarters Department of the Army (HQDA) elements, Army Commands (ACOMs),
Army Service Component Commands (ASCCs), Direct Reporting Units (DRUs), and
Army National Guard and Reserve components.
c. This policy memorandum applies to all Army systems and system components
that receive, process, store, display, monitor, control, or transmit information or data
throughout the entire system development lifecycle. This includes systems supporting
research, development, test, and evaluation and Army-controlled systems operated by a
contractor or other entity on behalf of the Army.
d. This policy applies to all Army APL usage/approval processes and management.
e. This policy is not applicable to the Joint Worldwide Intelligence Communications
System for TOP SECRET–sensitive compartmented information (TS–SCI), Special
Access Program (SAP) systems, controlled cryptographic items, or cross domain
solutions.
4. Background.
a. APLs have been the foundation of authorized product usage in the Federal
government’s information technology (IT) operations in the past. The lack of a singular
validated Army-wide APL has caused concern with product use on the Department of
Defense Information Network-Army (DoDIN-A).
b. Army organizations have developed their own APLs; however, the lack of
standardized requirements and processes hinders the sharing of these locally managed
APLs with other organizations.
5. Roles and Responsibilities.
a. The CIO is responsible for developing APL policy.
b. The Deputy Chief of Staff, G-6 is responsible for implementing APL policy.
6. Policy.
a. Until a validated Army-wide APL is developed, all Army organizations will adhere
to this interim policy.
b. Army organizations and program offices may use the Air Force, Navy, Marines,
National Security Agency (NSA), Defense Information Systems Agency (DISA), the
National Geospatial-Intelligence Agency (NGA), National Information Assurance
Partnership (NIAP), and any Army Command APL.
c. As long as hardware and/or software have been vetted by an organization listed
in paragraph 6b, it is considered approved for use by all Army organizations on the
DoDIN-A. Furthermore, Army authorizing officials (AO) should not require a full
assessment of a product on an APL. The sole requirement is that the organization
ensures the APL item is suitable for operational use and its employment is consistent
with security measures of the operational environment.
(1) Testing will be performed in a test environment.
(2) Validating the security of a product on an APL will be managed through a
documented configuration control process published by HQDA for standardization
throughout the Army.
(3) Results of security testing will be recorded in the eMASS record that
represents the authorization boundary where the product will be used (test results,
artifacts, etc.).
(4) If introducing a product from an APL changes the accepted risk of an
authorization boundary, the AO must approve use and re-authorize the boundary.
d. APLs for products approved for use on a higher-level classification network can
also be used on networks at a lower classification. However, products approved for use
on a lower classification level may not be used on a network with a higher classification.
e. The following is a non-exhaustive list of the available APLs for the DoDIN-A.
(1) NIAP: https://www.niap-ccevs.org/Products/index.cfm
(2) NSA: https://www.nsa.gov/Resources/Media-Destruction-Guidance/NSA-Evaluated-Products-Lists-EPLs/
(3) DISA: https://aplits.disa.mil/processAPList.action
7. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. HQDA CIO Cybersecurity Directorate, Oversight and Compliance Division:
usarmy.pentagon.hqda-cio-g-6.mbx.rmf-team@army.mil.
c. SAIS-CSP Policy Team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army