Friday, December 12, 2025

PPM CIO-078 ARMY OPERATIONAL TECHNOLOGY CYBERSECURITY POLICY

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN45511-PPM_CIO-078-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-RI-078
SAIS-CS (25-1rrrr) 12 December 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Operational Technology Cybersecurity Policy
1. References. See Enclosure 1.
2. Purpose. Define operational technology (OT), assign roles and responsibilities, and
clarify criteria for OT system registration in the Enterprise Mission Assurance Support
Service (eMASS).
3. Applicability. Per Army Regulation (AR) 25-2, the Army Chief Information Officer
(CIO), on behalf of the Secretary of the Army, establishes policy, resourcing, and
oversight of the Army Cybersecurity Program. This policy memorandum meets
provisions outlined in AR 25-2, wherein the Army CIO, if applicable, will issue policy
memoranda to amplify guidance for the policies in AR 25-2. See reference a.
4. Background.
a. Compromise of OT presents significant risks, to include the health and safety of
human lives, serious damage to the environment, and severe financial issues, such as
production losses, negative impacts to the Nation’s economy, and the compromise of
proprietary information. See reference b.
b. The Secretary of the Army’s memorandum, “Strengthening Cybersecurity for
Army OT and Critical Infrastructure,” states that the Army must change the way it
addresses threats, specifically calling out the need for increased protection of OT. See
reference c.
5. Definitions and Functional Areas.
a. Component. Individual hardware or software that is physically part of, dedicated to,
and essential in real-time to the mission performance of OT functions. See reference d.
b. Asset. OT components are grouped together in a single physical location to
perform a singular physical process which does not rise to the level of OT System. See
reference e.
c. System. Control systems or controllers (i.e., groups of OT assets),
communication architectures, and user interfaces that monitor or control infrastructure
and equipment operating in various environments, such as weapon systems, utility or
energy production and distribution, or medical, logistics, nuclear, biological, chemical, or
manufacturing facilities. For Army purposes, an OT system is not embedded with
technology within a larger non-OT system boundary. See reference b.
d. Enclave. A set of systems (OT exclusively or a combination of OT and traditional
IT systems) that operate in the same security domain and share the protection of a
single, common, continuous security perimeter. See reference e.
e. National Security System (NSS). Army OT that meets the definition of an NSS
(references e and f) will follow guidance for securing NSS (references a and g).
f. Critical Assets and Infrastructure. Army OT that supports critical missions and
meets the definition of a Task or Defense Critical Asset will implement additional
mission assurance requirements in coordination with Headquarters Department of the
Army (HQDA) Deputy Chief of Staff (DCS) G-3/5/7 (reference h).
g. Army OT systems are categorized into five functional areas: facility related
control systems, industrial base, civil works, medical systems, and mission/weapon
systems. This does not mean all systems within one of the five areas are OT; rather, all
can be categorized into one of these five areas. See Enclosure 2.
6. Roles and responsibilities.
a. Army CIO will provide policy, oversight, and serve as the primary point of contact
for updates and recommendations.
b. The DCS, G-6, will develop and publish OT cybersecurity implementation
guidance in coordination with the CIO and Army Cyber Command (ARCYBER).
c. ARCYBER is responsible for the execution and oversight of all OT cybersecurity.
See reference f.
(1) Serve as the supported command for OT cybersecurity operations and the
defense of Army OT, in coordination with the CIO and DCS, G-6. See reference f.
(2) Coordinate with system owners and authorizing officials (AOs) to ensure
monitoring, detection, and response are executed by system owners. See references a,
i, and j.
(3) Support enterprise visibility of OT risks and synchronize incident response
with system owners and AOs. See references i and j.
d. Authorizing officials will:
(1) Render authorization decisions for Army OT under their purview in alignment
with relevant OT-specific standards. See reference g.
(2) Formally appoint OT authorizing official designated representatives and OT
information system security managers (ISSM).
(3) System Authorizing Officials (SAO) will notify HQDA DCS G-3/5/7 (DAMO-OD)
when categorizing any eMASS record as Critical, to coordinate potential Army
Mission Assurance requirements.
(4) Network Authorizing Officials (NAO) will coordinate any unique requirements
for systems/enclaves containing OT with SAOs and System Owners (SO)/Program
Managers (PMs), and issue ATCs as appropriate.
e. SO remains responsible for implementing, operating, and maintaining security
controls; maintaining the accuracy of OT entries in eMASS; and coordinating with the
AO and ARCYBER on monitoring and incident response. See references a, i, and j.
f. ISSM, Control Assessors, and SO/PM will ensure unique OT considerations
throughout the Army Risk Management Framework (RMF).
7. Policy. OT requires deliberate, tailored risk management as part of the Army
Cybersecurity Program. The Army will account for OT of progressive
importance/criticality within the RMF.
a. Enclaves, and OT Systems not covered by an Enclave, require a full RMF
Assess and Authorize and will be registered in eMASS. Refer to reference h for
entrance criteria guidance.
(1) Use Case 1: A critical asset or vital to national security, directly underpinning
critical warfighter and civilian missions. Example: A missile defense system that detects
and intercepts incoming threats. The failure of this system could result in loss of life and
compromise national security.
(2) Use Case 2: The OT system has an external network interconnection outside
of the authorization boundary. Example: A supervisory control and data acquisition
(SCADA) system providing power to the bulk electric power grid that is connected to a
third-party vendor’s monitoring network for maintenance purposes.
(3) Use Case 3: The OT system is integrated into the installation's internal
network enabling centralized monitoring, control, and optimization of operational
processes and allowing data analytics. Example: Utility Monitoring and Control System
(UMCS) managing energy and water distribution within an installation.
b. Assets requiring an Assess Only record.
(1) Use Case 1: Multiple programmable logic controllers (PLCs) networked
together that receive commands from an operator workstation on site to lift and lower
retainer gates to prevent flooding of a reservoir.
(2) Use Case 2: Radio antennas, traffic lights, or morale, welfare, and recreation
enclaves.
(3) Use Case 3: OT that controls building electrical and mechanical systems such
as heating, ventilation, air-conditioning (HVAC) (including central plants), lighting, and
vertical transport systems.
c. OT Components functioning in isolation do not require an assessment and are
not registered individually in eMASS, such as a grey water pump operating in a
campground. OT Components within an OT System are included in the overall system
authorization and documentation in eMASS and are not registered separately.
d. For cybersecurity purposes, all hardware and software used within the defined
OT system boundary including firewalls, servers, switches, engineering workstations,
firmware, software, computers, laptops, PLC, and other technologies, are considered
OT components and will be secured using OT security principles. See reference g.
8. Effective Date. This memorandum is effective immediately until it is rescinded.
9. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-CS Deputy Director: Mr. Nate Colodney, nathan.colodney2.civ@army.mil.
c. SAIS-Policy Team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
Encls
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
REFERENCES
a. AR 25-2 (Army Cybersecurity).
b. National Defense Authorization Act for Fiscal Year 2022, December 27, 2021.
c. Secretary of the Army’s memorandum (Strengthening Cybersecurity for Army
Operational Technology and Critical Infrastructure), 12 December 2024.
d. CSRC Glossary.
e. CNSSI 4009, Committee on National Security Systems (CNSS) Glossary, 2022.
f. Secretary of the Army memorandum (Protecting the Army from Cyber Threats to
Operational Technology), 22 April 2024.
g. National Institute for Standards and Technology (NIST) Special Publication (SP)
800-82, Rev (r)3 (Guide to Operational Technology (OT) Security).
h. Army CIO Memorandum (RMF Entrance Criteria Guidance), 2 May 2025.
i. NIST SP 800-37r2 (Risk Management Framework for Information Systems and
Organizations).
j. DoD Instruction 8510.01 (Risk Management Framework for DoD Systems).
k. DoD Control System Security Requirements Guide.
Enclosure 1
Operational Technology (OT) Functional Areas
OT functional areas. Army OT systems are categorized into five functional areas:
facility related control systems, industrial base, civil works, medical systems, and
mission/weapon systems. This does not mean all systems within one of the five areas are
OT systems; rather, all OT systems can be categorized into one of these five areas
(e.g., not every medical system is an OT system).
1. Facility Related Control Systems refers to OT used within the Army to monitor,
control, and manage the operational aspects of a facility's infrastructure. These systems
include, but are not limited to, the following: electronic security systems, building
management system, access control systems, video surveillance systems, energy
management systems, utility monitoring controlling systems, airfield lighting systems,
petroleum, oil, and lubricant refueling systems, and water/wastewater treatment
systems.
2. Industrial Base Systems refers to OT systems that are within the Army organic
industrial base with capabilities to manufacture, maintain, modify, overhaul, and/or
repair military components or parts to meet joint warfighter requirements. These
systems include, but are not limited to, defense manufacturing, warehousing and storage,
munition and energetic manufacturing, munition disposal/destruction, medical
manufacturing, logistic ports, and logistic transportation.
3. Civil Works refers to OT systems which directly support civilian national critical
infrastructure in the Civil Works hydropower, navigation, flood risk management, water
management, dam safety, environmental stewardship, and marine traffic control
missions. Also includes the OT that support these systems.
4. Medical refers to the OT systems that directly support the readiness and sustainment
of health services support and force health protection in support of the total force to
enable readiness and to conserve the fighting strength while caring for our people and
their families.
5. Mission and Weapons Systems refers to OT systems that support the development,
generation, and delivery of effects (inclusive of research and development-related
activities), and systems part of the command, control, communications, computers,
cyber, intelligence, surveillance, and reconnaissance (C5ISR) functions. Includes all OT
assets associated with Program Executive Office managed systems and systems
associated with capability development and similar functions.
Enclosure 2