Monday, August 25, 2025

PPM CIO-087 DENIAL OF AUTHORIZATION TO OPERATE FOR INTERNAL CONTROLS OVER FINANCIAL REPORTING SYSTEMS THAT FAIL CYBER AUDIT INSPECTIONS

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN44862-PPM_CIO-087-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-GOV-CP-087
SAIS-CS (25-1rrrr) 25 August 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Denial of Authorization to Operate for Internal Controls Over Financial
Reporting Systems that Fail Cyber Audit Inspections
1. References.
a. CIO memorandum PRP-GOV-CP-031 (Denial of Authorization to Operate for
Internal Controls Over Financial Reporting Systems that fail Cyber Audit Inspections),
26 June 2024 (hereby superseded).
b. AR 25-1 (Army Information Technology).
c. AR 25-2 (Army Cybersecurity).
d. NIST Special Publication 800-53 Rev 5 (Security and Privacy Controls for
Information Systems and Organizations).
e. DoDI 8510.01 (Risk Management Framework for DoD Systems).
f. CIO memorandum CS-SEC-SC-007 (Business System Log Data Ingest to Army
Enterprise Unified Security Information and Event Management and Gabriel Nimbus),
17 Nov 2023 (contains CUI).
2. Purpose. Due to continued financial audit findings on weak cybersecurity control
implementation and continued cybersecurity threats, the Army is prioritizing specific
cybersecurity controls for focused implementation. Consistent with authorities and
direction in the above references, this memorandum supersedes and updates the
reference 1a controls enclosure, identifies the priority controls for Internal Controls over
Financial Reporting (ICOFR) systems, specifies immediate consequences of failing to
meet these controls, and sets out the required remediation approval process.
3. Background. The Army financial audit has reported Notices of Findings and
Recommendations (NFRs) concerning critical cybersecurity controls in Army ICOFR
systems. Several of these findings have been repeated over multiple audit inspections.
System owners (SOs) and authorizing officials (AOs) have taken remedial action to
financial systems is a no-fail mission. Therefore, the Army will more actively inspect the
Department is changing its risk tolerance against cybersecurity, and failing systems are
being taken offline until remedied.
4. Guidance.
a. Financial management (FM) SOs and AOs will implement the critical controls
(see enclosure) as a priority, as well as the full Risk Management Framework (RMF)
system control set based on the baseline categorization and applicable FM overlay.
(1) To obtain and maintain an authorization to operate (ATO), systems must
implement the minimum control set in the enclosure. Discrepancies in roles and
responsibilities, or shifting blame to another party allegedly responsible for maintaining
an acceptable operational security posture, are intolerable. SOs and their service
providers must comply with the RMF and ensure clear roles and responsibilities are
defined for controls performance and monitoring in a memorandum of understanding,
memorandum of agreement, service level agreement, and/or standard operating
procedures. SOs will be held responsible for failing to do so. A failed inspection will
result in a denial of authorization to operate (DATO).
(2) This does not negate the need to implement the broader control as part of the
RMF.
(3) If a system fails inspection, the CIO will issue a DATO. The CIO will lift the
DATO when the system AO in coordination with the network AO has provided a detailed
way ahead to comply with controls directly to the CIO.
b. Additionally, the CIO will mobilize inspection teams to visit each organization using
ICOFR systems with one to two weeks' notice and verify compliance where possible.
5. Intent. The purpose of this guidance is to mitigate the risk of financial crimes
stemming from an insider threat or exploitation of a system vulnerability. By
implementing the specified critical controls, organizations strive to protect their ICOFR
Systems from unauthorized access and misuse.
6. Points of Contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
SAIS-CS: Mr. William G. Bessemer (Mack), William.G.Bessemer.civ@army.mil.
SAIS-CSP Policy Team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil
Encl

LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director, Office of Analytics Integration
Commander, Eighth Army
CRITICAL SECURITY CONTROLS
It is imperative that systems meet or exceed the standards set forth in the Critical
Security Controls criteria. The list below outlines the controls that systems will be
inspected on to remain active and have an ATO.
# Control Description
1 AC-1 Access Controls Policies and Procedures
2 AC-2 Account Management
3 AC-2(1) Automated System Account Management
4 AC-2(2) Account Management / Removal of Temporary / Emergency Accounts
5 AC-2(3) Account Management / Disable Inactive Accounts
6 AC-3 Access Enforcement
7 AC-5 Segregation of Duties
8 AC-6 Least Privilege
9 AC-6(5) Least Privilege/Privileged Accounts
10 AC-6(9) Least Privilege/Auditing Use of Privilege Functions
11 AC-9 Previous Logon (Access) Notification
12 AC-16 Security Attributes
13 AC-21 Information Sharing
14 AU-1 Audit and Accountability Policies and Procedures
15 AU-2 Audit Events
16 AU-3 Content of Audit Records
17 AU-5 Response to Audit Processing Failures
18 AU-6 Audit Review, Analysis, and Reporting
19 AU-9 Protection of Audit Information
20 AU-11 Audit Record Retention
21 AU-12 Audit Generation
22 CA-2 Security Assessments
23 CA-2(2) Security Assessments/Specialized Assessments
24 CA-5 Plan of Action and Milestones
25 CM-1 Configuration Management Policy
26 CM-2 Baseline Configuration
27 CM-2(6) Baseline Configuration/Development and Test Environments
28 CM-3 Configuration Change Control
29 CM-5 Access Restrictions for Change
30 CP-2 Contingency Plan
31 CP-2(1) Contingency Plan/Coordinate with Related Plans
32 CP-9 Information System Backup
33 IA-2 Identification and Authentication (Organizational Users)
34 IA-5 Authenticator Management
35 IR-1 Incident Response Policy and Procedures
36 IR-4 Incident Handling
37 IR-4(6) Incident Handling/Insider Threats-Specific Capabilities
38 IR-4(7) Incident Handling/Insider Threats-Intra-Organization Coordination
39 PM-10 Security Authorization Process
40 PM-12 Insider Threat Program
41 RA-5 Vulnerability Scanning
42 SI-2 Flaw Remediation
43 SI-4 Information System Monitoring
44 SI-4(12) Information System Monitoring/Automated Alerts
45 SI-11 Error Handling
Enclosure