Summary of Change
Department of the Army
Washington, DC
8 April 2019
Department of the Army Pamphlet 25-2-14
Information Management: Army Cybersecurity
Risk Management Framework for Army Information Technology
By Order of the Secretary of the Army:
MARK A. MILLEY
General, United States Army
Chief of Staff
Official:
KATHLEEN S. MILLER
Administrative Assistant to the Secretary of the Army
History. This publication is an administrative revision. The portions affected by this administrative revision are listed in the summary of change.
Summary. This pamphlet provides guidance for implementing the Risk Management Framework within the Department of the Army. It supports AR 25-2 and provides amplifying procedures and guidance to DoDI 8500.01 and DoDI 8510.01 for Department of Defense information technology.
Applicability. This pamphlet applies to the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve, unless otherwise stated. It also applies to all Headquarters, Department of the Army staff; Army commands; Army service component commands; and direct reporting units. It applies to all Army information technology, operational technology, and information in electronic format.
Proponent and exception authority. The proponent for this pamphlet is the Deputy Chief of Staff, G-6. The proponent has the authority to approve exceptions or waivers to this pamphlet that are consistent with controlling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency or its direct reporting unit or field operating agency, in the grade of colonel or the civilian equivalent. Activities may request a waiver to this pamphlet by providing justification that includes a full analysis of the expected benefits and must include formal review by the activity's senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and forwarded through their higher headquarters to the respective policy proponent. Refer to AR 25-30 for specific guidance.
Suggested improvements. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) via email to usarmy.pentagon.hqda-dcs-g-6.mbx.publications-management@army.mil.
Distribution. This pamphlet is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve.
Table of Contents
Chapter 1 Introduction
Chapter 2 Army Risk Management Framework Process
Chapter 3 Roles and Duties
Chapter 4 Risk Management Framework
RMF is a disciplined and structured process that combines IS security and risk management activities into the system development life cycle and authorizes their use within DoD. The RMF consists of six steps.
Chapter 5 Special Considerations
Chapter 6 Assess Only
This chapter describes the assess only construct with an overview of RMF policy, unique terms, roles and duties, and documentation requirements to assist the Army workforce that has anything to do with IT. With mission assurance utmost in mind, this chapter is intended to provide an AO and staff with an approach to remediate or mitigate risks that may impact organizational operations, assets, individuals, other organizations, or the Nation as posed by Army IT vulnerabilities. Risks associated with vulnerabilities inherent in IT, global sourcing and distribution, and adversary threats to Army use of cyberspace must be considered in Army employment of capabilities to achieve objectives in military, intelligence, and business operations.
