Overview[]
The Army Information Assurance Program (AIAP) is a unified approach to protect unclassified, sensitive, or classified information stored, processed, accessed, or transmitted by information systems (IS}, and is established to consolidate and focus Army efforts in securing that information, including its associated systems and resources, to increase the level of trust of this information and the originating source. The AIAP will secure ISs through IA requirements, and does not extend access privileges to special access programs (SAPs), classified, or compartmentalized data; neither does it circumvent need-to-know requirements of the data or information transmitted.
The AIAP is designed to achieve the most effective and economical policy possible for all ISs using the risk management approach for implementing security safeguards. To attain an acceptable level of risk, a combination of staff and field actions is necessary to develop local policy and guidance, identify threats, problems and requirements, and adequately plan for the required resources.
The AIAP applies to ISs including, but not limited to, computers, processors, devices, or environments (operating in a prototype, test bed, stand-alone, integrated, embedded, or networked configuration) that store, process, access, or transmit data, including unclassified, sensitive (formerly known as sensitive but unclassified (SBU)), and classified data, with or without handling codes and caveats. ISs used for teleworking, telecommuting, or similar initiatives; contractor owned or operated ISs; ISs obtained with non-appropriated funds; automated tactical systems (ATSs); automated weapons systems (AWSs); distributed computing environments (DCEs); and systems processing intelligence information are required to adhere to the provisions of this regulation.
The AIAP is not a stand-alone program, but incorporates related functions from other standards or policies such as: operations security (OPSEC), communications security (COMSEC), transmission security (TRANSEC), information security (INFOSEC), personnel security, and physical security to achieve IA requirements.
Source[]
- AR 25-2, at 1-2.