Army Cybersecurity
Summary of Change
Department of the Army
Washington, DC
4 April 2019
*Army Regulation 25-2
Effective 4 May 2019
Information Management: Army Cybersecurity
By Order of the Secretary of the Army:
MARK A. MILLEY
General, United States Army
Chief of Staff
Official:
KATHLEEN S. MILLER
Administrative Assistant
to the Secretary of the Army
History. This publication is an administrative revision. The portions affected by this administrative revision are listed in the summary of change.
Summary. This regulation establishes the Army Cybersecurity Program and sets forth the mission, responsibilities, and policies to ensure uniform implementation of public law and Office of Management and Budget, Committee on National Security Systems, and Department of Defense issuances for protecting and safeguarding Army information technology, to include the Army-managed portion of the Department of Defense Information Network, (hereafter referred to as information technology) and information in electronic format (hereafter referred to as information). Information technology includes infrastructure, services, and applications used directly by the Army or for the Army by legal agreements or other binding contracts.
Applicability. This regulation applies to the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve, to include all Headquarters, Department of the Army staff, Army commands, Army Service component commands, direct reporting units, all other Army agencies, and all personnel, authorized users and privileged users, unless otherwise stated. It applies to all Army information technology and information in electronic format at all classification levels; and Special Access Program and Sensitive Activity information systems except when handling sensitive compartmented information. Nothing in this regulation alters or supersedes the existing authorities and policies of the Department of Defense or the Director of National Intelligence regarding the protection of sensitive compartmented information as directed by Executive Order 12333. The Director of National Intelligence has delegated authority for all Army Sensitive Compartmented Information systems to the Deputy Chief of Staff, G-2.
Proponent and exception authority. The proponent of this regulation is the Chief Information Officer. The proponent has the authority to approve exceptions or waivers to this regulation that are consistent with controlling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency or its direct reporting unit or field operating agency, at the rank of O-6 or GS-15. Activities may request a waiver to this regulation by providing justification that includes a full analysis of the expected benefits and risk. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and forwarded through its higher headquarters to the policy proponent. The request must include formal review by the activity's senior legal officer and endorsement by the authorizing official. Refer to AR 25-30 for specific guidance.
Army internal control process. This regulation contains internal control provisions, in accordance with AR 11-2, and identifies key internal controls that must be evaluated (see appendix B).
Supplementation. Supplementation of this regulation and establishment of command and local forms are prohibited without prior approval from the Chief Information Officer (SAIS-CB), 107 Army Pentagon, Washington, DC 20310-0107 (army.ciog6.policy-inbox@mail.mil).
Suggested improvements. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to the Publications and Blank Forms) via email to usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
Committee management. AR 15-39 requires the proponent to justify establishing or continuing committee(s), to coordinate draft publications, and to coordinate changes in committee status with the Office of the Administrative Assistant to the Secretary of the Army, Department of the Army Committee Management Office (AARP-ZA), 9301 Chapek Road, Building 1458, Fort Belvoir, VA 22060-5527. Further, if it is determined that an established "group" identified within this regulation later takes on the characteristics of a committee, as found in AR 15-39, then the proponent will follow all AR 15-39 requirements for establishing and continuing the group as a committee.
Distribution. This publication is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve.
*This regulation supersedes AR 25-2, dated 24 October 2007 and AD 2013-22, dated 28 October 2013.
Table of Contents
Chapter 1 Introduction
Chapter 2 Responsibilities
Commanders and senior leaders of agencies and activities at all levels and those they appoint, to include PMs, information system owners (ISOs), application owners, IT service owners, information owners, portfolio managers, resource managers, and acquisition senior and functional services managers, are accountable for the implementation and enforcement of this regulation and will ensure individual and organization accountability within organizations and activities under their purview.
