Army planning 2 pilot efforts to streamline improvements in cATO processes
The Army is on the cusp of launching a new initiative to refine its ability to monitor cybersecurity risks to its systems, beginning with two pilot efforts that will inform a service-wide transition to continuous authority to operate (cATO) frameworks.
The service has identified two existing Army programs that will be the first to receive cATOs, Army Chief Information Officer Leonel Garciga told DefenseScoop on Tuesday during a roundtable with reporters. The goal is to execute a four-step implementation plan over the next few months, and for the two pilots to receive cATOs by the end of the summer, he said.
While he was unable to detail which Army programs would be part of the pilot effort, Garciga said both “are production-level systems and they are delivering to production right now. They are mature, these are not [research-and-development] programs. They’re not training, they’re not testing, these are programs that are up and running and operational today.”
Due to the growing reliance on software-based systems, organizations across the Pentagon have sought to improve the ATO process without slowing down innovation. A continuous ATO grants IT systems permission to operate without needing to be reauthorized — an often lengthy process that has been known to stifle modernization efforts — by implementing automated monitoring and security controls to ensure compliance from the early stages of development.
Much like others at the Defense Department, the Army is still at the beginning stages of reforming how it uses cATOs, Garciga said. The two pilots will be used to inform the service’s larger policy guidance on cATOs that is underway.
Overall, the Army is tracking seven programs doing DevSecOps that could be a good pool of candidates to receive a continuous ATO, Garciga said.
“I feel very confident that by the end of this year, we could potentially have up to seven programs that have certified [continuous integration and continuous deployment] pipelines,” he said.
The pilots come as the Army looks to implement modern software development and acquisition practices through its new software directive, published in March. The guidance implements a number of changes aimed at improving its approach to software, including a directive that calls on the Army to transition from the traditional ATO to a continuous ATO process.
As part of the four-step plan, the Army will first provide guidance that outlines what the accredited framework will need to look like — a document that will be out in “the next two weeks” for its first two pilot programs, Garciga said. Then, the service will provide additional guidance to the force on configuration management and release management for DevSecOps, he added.
“Once you have the first two, that builds the foundation for you to say, ‘Hey, this is what a [DevSecOps] pipeline looks like, and this is the bare minimum that you need to get it certified.’ Once that’s done and you have all that together, then we’re going to put out guidance that says, ‘This is how you get your cATO,’” Garciga explained.