https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN45512-PPM_CIO-091-000-WEB-1.pdf
DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-RI-091
SAIS-CS (25-1rrrr) 12 December 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Enhancing Cybersecurity Strategies Reviews for Decisive Overmatch
1. References. See enclosure.
2. Purpose. The purpose of this memorandum is to improve the quality and value of
Cybersecurity Strategies (CSS) throughout the Acquisition Lifecycle via process
enhancement.
3. Applicability.
a. Per Army Regulation (AR) 25-2 (ref 1a), the Army Chief Information Officer
(CIO), on behalf of the Secretary of the Army, establishes policy, resourcing, and
oversight of the Army Cybersecurity Program. This policy memorandum meets
provisions outlined in AR 25-2, para 1-8, where the Army CIO, if applicable, will issue
policy memoranda to amplify guidance for the policies in AR 25-2.
b. This policy applies to all Program Executive Officers (PEOs) under the Office of
the Assistant Secretary of the Army (Acquisition, Logistics, and Technology)
(ASA (ALT)).
c. This provision supersedes guidance published in ref 1b, paragraph 2-2. The
delegations in para 2-2f remain unchanged: The Army CIO delegates the CSS approval
authority of Acquisition Categories III and IV, Business Categories III and below, and
equivalent to the responsible PEOs and Army commands where the PEO is the
milestone decision authority.
4. Background.
a. The Office of the Chief Information Officer (OCIO) and the ASA (ALT) are
dedicated to improving the quality and value of Cybersecurity Strategies (CSS) through a
culture of continuous improvement and collaboration with acquisition stakeholders.
b. The requirement for robust CSSs (refs 1c e) has scaled with increased volume,
sophistication, and the rate of global cyber threats outpacing the quality and execution of
cybersecurity strategies as they often lag, miss early cybersecurity integration
opportunities, and are disconnect from current cybersecurity policies or environment
variables.
SAIS-CS (25-1rrrr)
SUBJECT: Enhancing Cybersecurity Strategies Reviews for Decisive Overmatch
c. The OCIO and ASA (ALT) are synchronizing recent reorganization and updates
to Department of War (DoW) and Army policies to implement a CSS review and
approval process that: (1) enhances system cybersecurity through quality of planning
and execution; (2) reduces document development and review timelines through
automation; (3) provides timely CSS insights to PMs, and; (4) maintain continuity of
CSS review, approval, and legal compliance activities (refs 1b and 1f)
5. Policy.
a. The OCIO expects all
development, testing, risk management, vulnerability remediation, and other aspects of
cyber survivability and resilience throughout the entire acquisition lifecycle.
b. Henceforth, the Army CISO will require for all program CSSs requiring the
approval of the Army or DoW CIO, an ASA (ALT) CISO cybersecurity endorsement
memorandum no later than 30 days before any event that requires an Army CIO or
DoW CIO approved CSS (e.g., Milestone Decision, Value Assessment, Minimum
Viable Capability Release, contract award, etc.).
c. To support ongoing acquisition programs, the ASA (ALT) CISO, in coordination
with HQDA CISO, will continue to provide timely review of
milestones and decisions (refs 1a b and 1e i).
6. Policy duration. This policy will remain in effect unless superseded by an updated
memo or contents codified in an applicable Army cybersecurity or acquisition regulation.
No later than one year from date of signature, the ASA (ALT) and HQDA OCIO will
review this policy to determine currency, needed updates, or incorporation into
applicable documents.
7. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-CSP Policy Team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
c. ASA (ALT) Modernization Protection Inbox: ADASMDES-MP@army.mil.
d. ASA (ALT) Modernization Protection: Ms. J. K. (Gigi) Martin, Chief, Cybersecurity
Survivable Integration (CSI), jehan.k.martin.civ@army.mil.
Encl LEONEL T. GARCIGA
Chief Information Officer
2
SAIS-CS (25-1rrrr)
SUBJECT: Enhancing Cybersecurity Strategies Reviews for Decisive Overmatch
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director, Office of Analytics Integration
Commander, Eighth Army
3
REFERENCES
a. AR 25-2 (Army Cybersecurity).
b. DA Pam 25-2-11 (Cybersecurity Strategy for Programs of Record).
c. 40 U.S.C. Subtitle III (Clinger-Cohen Act), 2001 NDAA §811(P.L. 106-398).
d. DoDI 5000.02 (Operation of the Defense Acquisition System).
e. DoDI 8500.01 (Cybersecurity).
f. AR 70-1 (Army Acquisition Policy).
g. DoDI 5000.82 (Acquisition of Information Technology).
h. DoDI 5000.90 (Cybersecurity for Acquisition Systems).
i. DoDI 8510.01 (Risk Management Framework for DoD Systems).
j. DoDI 8580.01 (Information Assurance in the Defense Acquisition System).
k. ASA (ALT) memorandum (Army Cyber Acquisition Discipline), 2 September 2020.
Enclosure