Army set to release new guidance to improve cATO processes through new pilot efforts
The Army’s chief information office is about to publish a memorandum that establishes two pilot efforts aimed at streamlining the service’s continuous authority to operate (cATO) processes, as well as lay the foundation for other programs to join in.
Speaking during a panel Wednesday at the annual AUSA conference, Army CIO Leonel Garciga said the upcoming memo — set to release in the next two weeks — will approve two continuous integration and continuous deployment (CI/CD) pipelines. One will be for the Army’s Nett Warrior program of record at program executive office soldier, and a second will be for the defensive cyber operations (DCO) under PEO intelligence, electronic warfare and sensors, which develops capabilities for Army Cyber Command.
“So, two different views and two different operating models, but the intent here is to get their CI/CD pipelines approved,” Garciga said, adding that around eight more programs have expressed interest in getting the green light for similar frameworks.
The memo comes on the heels of the Army’s new focus on implementing modern software development and acquisition practices via its new software directive, published in March. Along with overarching guidance to improve the service’s approach to developing and delivering software, the directive calls on the Army to transition to continuous ATO processes.
“One of the tasks in the software directive — besides just more generalized risk management framework and cybersecurity reform — was really like, can we get to this point to put out guidance for cATO?” Garciga said. “There hasn’t really been any guidance, right? It’s still the traditional checklist. So we’re taking the new digital process and using our great industrial-age processes to overlay on top of them. [That] doesn’t end well for most of us.”
Organizations across the Pentagon have been looking to implement continuous ATO frameworks due to a growing reliance on software-based warfighting systems. By using automated monitoring and security controls to ensure compliance, a continuous ATO grants IT systems permission to operate on a network without the need for reauthorization — an often lengthy process that can stifle modernization.
Along with the two CI/CD pipeline pilots, the upcoming memo will lay the initial foundation for the Army’s transition to cATO processes and establish requirements for accredited frameworks, Garciga said.
“The first level is identifying and saying, ‘Hey look, if you meet these requirements — whether you’re a department asset, an Army asset or even a commercial asset — if you meet these requirements, we’ll approve these platforms to be used,’” he said. “We got to make sure that they’re platforms that are safe to operate on, they got to meet the minimum requirements break.”
The goal is to work with different Army program offices and ensure they can have new code for their systems delivered securely, and in a manner that is tailored for their specific programs.
“Some programs may just not need to have a full CI/CD pipeline, and we’ve got to acknowledge that, right? So the plan is … as folks come in, we walk through what their pipeline is. And it’s not a checklist, it’s about [concept of operations],” Garciga said.
As the service works through the first two pilot efforts, the Army CIO will begin looking at how to integrate cATO processes for larger weapon systems programs, such as the High Mobility Artillery Rocket System (HIMARS), Garciga noted.
“Because that’s where we’re talking major dollars and major effects, right? Getting a new firing table out there in a couple of hours is a big deal. So, how do we get that? That is our next pilot effort, is working with the program over there to work on some of these problems, to have a hardware-in-the-middle approach,” he said.
