Army developing plans to improve cATO pipelines for weapon systems
As the Army continues efforts to streamline continuous authority to operate (cATO) processes, the service’s chief information office has begun work to identify needs and challenges related to approving the same frameworks for physical platforms and weapons systems.
After developing close relationships with Army Combat Capabilities Development Command Aviation and Missile Center (AvMC) and additional offices based in Huntsville, Alabama, officials are in early stages of developing a plan that will allow hardware-centric programs to leverage continuous integration and continuous deployment (CI/CD) pipelines, Army CIO Leonel Garciga told DefenseScoop. The goal is to have a firm idea of how the service can approve the frameworks and have a testing infrastructure developed within the next 12 to 18 months.
“We’re moving down that path and in very nascent conversations, starting with the ground system folks who have a very similar requirement,” Garciga said recently in an exclusive interview. “They’re [saying], ‘Hey, if you guys could do this for the aviation guys and for the missile folks, why can’t you do this for us?’”
The effort is part of a larger ongoing initiative to streamline the Army’s cATO processes and improve how the service deploys software onto its networks, first outlined in the Army’s software directive published in 2024. The service kick-started work last fall with two pilot efforts intended to inform eventual service-wide guidance for approving cATO frameworks.
As the Pentagon becomes increasingly dependent on software-based capabilities, organizations have sought to transition away from traditional ATO frameworks encumbered by administrative processes and manual paperwork that can take months to complete. In comparison, a continuous ATO leverages automated monitoring and security controls to ensure that CI/CD pipelines deploying software onto networks remain compliant.
“It takes this idea of paper shuffling and moving it around to experts and makes it readily available for folks to make decisions as new software is developed, … just based on the tools that are out there and what the threat position of the network they’re falling on looks like,” Garciga said.
The Army is initially focusing on accelerating programs and systems that are more mature than others, meaning their cybersecurity professionals, processes and technologies are aligned so that it’s easier to approve a CI/CD pipeline tailored for that specific program, Garciga explained. That means those programs can serve as a leading edge for the service, allowing for others to leverage that work and build their own maturity.
“We’re in the maturing stage, and we’re really focused around some small pilot programs — both programs of record within a program executive office and some commands — that have some maturity, so that we can build out that foundational approach,” he said.
But programs with hardware-in-the-middle present a number of extra challenges to getting a cATO, as many Army systems operate using customized software that doesn’t have an existing parallel in the commercial sector the service can work off of, Garciga noted.
Approving a CI/CD pipeline for those systems would require the Army to inject itself at the vendor’s site or purchase all of the equipment again so officials can test and integrate it somewhere else, he said.
“We’re really focused on tackling the hard model first, which has been — I have it all at the vendor site, how do I share data back and forth as software gets built to validate it and test it before I put it on a kit?” Garciga said. “That’s been one that we’ve been spending quite a bit of time on, because that has been truly one of the bigger challenges and one of the big rocks that we want to slay.”
Another issue the CIO pointed to is that hardware-centric platforms often integrate with several other internal and external systems, and updating that enabling software would require either physical or simulated testing to ensure interoperability.
“There’s a technical integration between two systems that software is written on,” he said. “We have to have a way to write that software fast, put it in there and still test that maneuverability piece without having to physically go on a tank and do it every single time.”
To that end, Garciga’s team has been working alongside personnel from the office of the assistant secretary of the Army for acquisition, logistics and technology to develop a comprehensive, cloud-based test harness where different programs can validate their software. The service wants to have that platform up and running by the third quarter of 2025.
As for the service’s two ongoing pilot cATO efforts, Garciga said they’ve shown promise and that the Army is still capturing lessons learned as it moves to work with other programs. He noted that offices have come forward with a higher maturity than they initially expected, and he anticipates a continued growth of people approved for CI/CD pipelines.
“What we’re working on right now is we have about seven folks in the hopper that we’re going to walk the dog and certify their CI/CD approach,” Garciga said. “We really want to focus on having teams come and be able to explain how they have their cybersecurity people integrated into the process, and evaluate the skillset and maturity level so, as they’re developing code on these systems, we have a firm understanding that the people, process [and] technology piece is mature enough to get to what is a cATO.”