Software Assurance
DEPARTMENT OF THE ARMY
HEADQUARTERS
WASHINGTON, D.C.
15 September 2021
Department of the Army
Pamphlet 25-2-5
Information Management: Army Cybersecurity Software Assurance
By Order of the Secretary of the Army:
JAMES C. MCCONVILLE
General, United States Army
Chief of Staff
Official:
MARK F. AVERILL
Administrative Assistant to the
Secretary of the Army
History. This publication is an administrative revision. The portions affected by this administrative revision are listed in the summary of change.
Applicability. This regulation applies to the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve, unless otherwise stated.
Proponent and exception authority. The proponent of this regulation is the Deputy Chief of Staff, G-6. The proponent has the authority to approve exceptions or waivers to this regulation that are consistent with controlling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency or its direct reporting unit or field operating agency, in the grade of colonel or the civilian equivalent. Activities may request a waiver to this regulation by providing justification that includes a full analysis of the expected benefits and must include formal review by the activity's senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and forwarded through their higher headquarters to the policy proponent. Refer to AR 25-30 for specific guidance.
Suggested improvements. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) directly to the Chief Information Officer (SAIS-PRP), 107 Army Pentagon, Washington, DC 20310-0107 or via email to usarmy.pentagon.hqda-dcs-g-6.mbx.publications-management@army.mil.
Distribution. This pamphlet is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve.
DA PAM 25-2-5 • 15 September 2021
UNCLASSIFIED
Table of Contents
Chapter 1 Introduction
Chapter 2 Identify Software, to Establish a Baseline Confidence Level
The PM or ISO maintains software assurance information throughout the entire life cycle of the program or system. The procedure to identify software is to create a Software Products List (SPL), determine rights, and establish the baseline software assurance confidence level for each software product.
Chapter 3 Perform Software Assurance
The PM or ISO is accountable to perform software assurance. This task may be assigned to a responsible party such as a software development team, third-party vendor, or software assurance service provider. Refer to table 3 – 1 for additional resources. This occurs whenever the PM or ISO has a need to determine the software assurance confidence level for one or more software products. This procedure may recur frequently for a given program, project, product, or system, to support the objective level of mission assurance and protection. The output of this evaluation is a Software Assurance Risk Register (SARR). Every entry in the SARR must be evaluated and include a likelihood of exploitation and a severity of the consequence of exploitation, in addition to other information described in the sections below.
Chapter 4 Manage Software Assurance Risk throughout the Software Life Cycle
PMs or ISOs prioritize and manage software assurance risk throughout the software life cycle by reviewing and implementing the activities in this chapter. Determine the applicable life cycle phase(s) for each product in the SPL. Implement and monitor the risk controls identified in the SARR during the appropriate life cycle phase(s).
Appendix A References
Glossary
Summary of Change
DA PAM 25-2-5
Software Assurance

This administrative revision, dated 1 November 2022--

• Changes the proponency from CIO/G-6 to the Deputy Chief of Staff, G-6 (title page).

This new Department of the Army pamphlet, dated 15 September 2021--

• Provides Army personnel (military, civilians, and contractors) with procedures and resources to implement software assurance as a component of Army readiness (throughout).

• Addresses software as an element of all information technology investments owned and maintained by Army organizations across the Warfighting, Business, Defense Intelligence, and Enterprise Information Environment Mission Areas. These include, but are not limited to, research, development, test, and evaluation appropriations; procurement appropriations; military personnel appropriations; operations and maintenance appropriations; and the Defense Working Capital Fund. Software Assurance is a type of product assurance and is a component of life cycle management (throughout).
