Transcription of Risk Management Framework for Army Information …
UNCLASSIFIED
Department of the Army Pamphlet 25-2-14
Information Management: Army Cybersecurity
Risk Management Framework for Army Information Technology
Headquarters, Department of the Army, Washington, DC, 8 April 2019

SUMMARY
DA PAM 25-2-14, Risk Management Framework for Army Information Technology

This new Department of the Army pamphlet, dated 8 April 2019
o Amplifies procedures and guidance found in AR 25-2 regarding the process for obtaining and maintaining the Risk Management Framework authorizations necessary for operations of Army information technology (throughout).
o Supports the Department of Defense transition from the Department of Defense Information Assurance Certification and Accreditation Process to the Risk Management Framework process (throughout).
o Includes roles, duties, instructions, and procedures for the Army's implementation of the Risk Management Framework (throughout).

History. This publication is a new Department of the Army pamphlet.

Summary. This pamphlet provides guidance for implementing the Risk Management Framework within the Department of the Army. It supports AR 25-2 and provides amplifying procedures and guidance to DODI and DODI for Department of Defense information technology.

Applicability. This pamphlet applies to the Regular Army, the Army National Guard/Army National Guard of the United States, and the Army Reserve, unless otherwise stated. It also applies to all Headquarters, Department of the Army staff; Army commands; Army service component commands; and direct reporting units. It applies to all Army information technology, operational technology, and information in electronic format.

Proponent and exception authority. The proponent for this pamphlet is the Chief Information Officer/G-6. The proponent has the authority to approve exceptions or waivers to this pamphlet that are consistent with controlling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency or its direct reporting unit or field operating agency, in the grade of colonel or the civilian equivalent. Activities may request a waiver to this pamphlet by providing justification that includes a full analysis of the expected benefits and must include formal review by the activity's senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and forwarded through their higher headquarters to the respective policy proponent. Refer to AR 25-30 for specific guidance.

Suggested improvements. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) directly to the Chief Information Officer/G-6 (SAIS-PRG), 107 Army Pentagon, Washington, DC 20310-0107.

Distribution. This pamphlet is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army National Guard of the United States, and the Army Reserve.
Contents (Listed by paragraph and page number)

Chapter 1 Introduction, page 1
Purpose 1-1, page 1
References and forms 1-2, page 1
Explanation of abbreviations and terms 1-3, page 1
Overview 1-4, page 1
Who should use this document 1-5, page 2
Applicability and scope 1-6, page 2

Chapter 2 Army Risk Management Framework Process, page 2
Risk Management Framework overview 2-1, page 2
Army governance structure 2-2, page 2
Army cybersecurity governance 2-3, page 3
Department of Defense information technology type definition 2-4, page 5
Department of Defense information technology types requiring assess and authorize 2-5, page 5
Department of Defense information technology types eligible for assess only 2-6, page 6

Chapter 3 Roles and Duties, page 6
Risk Management Framework team 3-1, page 6
Army Chief Information Officer/G-6 3-2, page 7
Army senior information security officer 3-3, page 7
Authorizing official 3-4, page 7
Authorizing official designated representative 3-5, page 7
Security control assessor 3-6, page 7
Security control assessor representative 3-7, page 8
Security control assessor validator 3-8, page 8
Security control assessor organization 3-9, page 10
Information system owner/program/system manager 3-10, page 10
Program executive officers and direct reporting program/project managers 3-11, page 11
Information system security manager 3-12, page 11
Program information system security manager 3-13, page 11
Organization information system security manager 3-14, page 12
Information system security officer 3-15, page 13

Chapter 4 Risk Management Framework, page 13
Six primary steps of the Risk Management Framework process 4-1, page 13
Step 1: Categorize the information system 4-2, page 14
Security control overlays 4-3, page 15
Step 2: Select security controls 4-4, page 16
Step 3: Implement security controls 4-5, page 18
Step 4: Assess security controls and conduct remediation 4-6, page 18
Step 5: Authorize information system 4-7, page 18
Step 6: Monitor security controls 4-8, page 18
System changes 4-9, page 18
Reauthorization 4-10, page 19
Decommission 4-11, page 19
Risk Management Framework security authorization package requirements and contents 4-12, page 19
Tools that support the Army Risk Management Framework process 4-13, page 20
Reciprocity 4-14, page 21

Chapter 5 Special Considerations, page 22
Tenant enclave standards 5-1, page 22
Stand-alone information systems/closed restricted network 5-2, page 22
Control systems 5-3, page 23
Information systems that impact financial reporting 5-4, page 24
Special access program/sensitive activity 5-5, page 25
Sensitive compartmented information 5-6, page 25

Chapter 6 Assess Only, page 25
Implementation requirements 6-1, page 25
Terms 6-2, page 26
Platform information technology 6-3, page 26
Assess only construct 6-4, page 27
Scenario I: Assessed not included in an existing accredited boundary 6-5, page 27
Scenario I: Requirements 6-6, page 28
Scenario II: Assessed included in an existing accredited boundary 6-7, page 28
Scenario II: Requirements 6-8, page 28

Appendixes
A.