scope:

Purpose. This regulation establishes Information Assurance (IA) policy, roles, and responsibilities.

a. It establishes polices and assigns responsibilities for all users and developers for achieving acceptable levels of IA in the engineering, implementation, operation, and maintenance (EIO&M) for all information system (ISs) across the U.S. Army Enterprise Infostructure (AEI). Such ISs include, but are not limited to, computers, processors, devices, or environments (operating in a prototype, test bed, stand-alone, integrated, embedded, or networked configuration) that store, process, access, or transmit data, including unclassified, sensitive (formerly known as sensitive but unclassified (SBU)), and classified data, with or without handling codes and caveats. ISs used for teleworking, telecommuting, or similar initiatives; contractor owned or operated ISs; ISs obtained with non-appropriated funds; automated tactical systems (ATSs); automated weapons systems (AWSs); distributed computing environments (DCEs); and systems processing intelligence information are required to adhere to the provisions of this regulation.

Applicability. This regulation applies to all users, information, information systems, and networks, at all classification levels, of the Active Army, Army National Guard, U.S. Army Reserve, program executive officers, direct reporting program managers; strategic, tactical, and non-tactical environments; camps, posts, and stations; internal or external organizations, services, tenants, or agencies (for example, DOD, sister Services, U.S. Army Corps of Engineers (USACE); Army and Air Force Exchange Service (AAFES); morale, welfare, and recreation activities; educational institutions or departments (for example, DOD schools, the U.S. Military Academy at West Point); and Army affiliated or sponsored agencies (for example, Western Hemisphere Institute for Security Cooperation). This regulation remains in effect, without change, during mobilization, deployment, or national emergency.