Leonel Garciga , U.S. Army chief information officer and a two-time Wash100 Award winner, is tackling continuous authority to operate, a.k.a. cATO, processes, for physical weapon systems and platforms as part of an overall service effort to enhance how it uses software on its networks.

Centralizing cATO processes is a top priority for Garciga, who is keynoting the Potomac Officers Club’s 2025 Army Summit on June 18. Having worked with Army Combat Capabilities Development Command Aviation and Missile Center and other offices, Garciga is now planning to allow programs largely based on hardware to use continuous integration and continuous deployment , a.k.a. CI/CD, channels, according to DefenseScoop.

CI/CD aims to consolidate and speed up the software development lifecycle. The Army wants to have a better vision of how it can certify these frameworks and have a testing apparatus created in the next one to one-and-a-half years.

“We’re moving down that path and in very nascent conversations, starting with the ground system folks who have a very similar requirement,” Garciga said. “They’re [saying], ‘Hey, if you guys could do this for the aviation guys and for the missile folks, why can’t you do this for us?’”

What Is cATO?

A cATO is a modernized authorization strategy designed to work with software developers that want to move faster. The Department of Defense believes it must create and deploy software with better agility and speed while also bolstering security.

DOD also wants to respond faster to rapidly changing threats through constant integration and delivery of cybersecurity, resilience and capabilities. DOD desires to achieve this by using DevSecOps practices in software development, which can blunt threats early on as well as during operations.

A cATO transitions a software posture from only using documents and point-in-time technical security assessments. Instead, a cATO uses a continuous risk determination and authorization concept through constantly assessing, monitoring and managing risk. A cATO should provide a better level of security over a traditional ATO and allow faster deployment of software to the field.

What Is the Difference Between ATO and cATO?

The difference between an ATO and a cATO is that a human makes a decision in an ATO while a cATO is a state of resilient and secure software development. DOD defines an ATO as an official management decision given by a senior official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations.

On the other hand, a cATO is when an organization that develops, secures and operates a system has demonstrated enough maturity to sustain a resilient cybersecurity posture that traditional risk assessments and approvals become redundant. Instead, this organization must have developed robust information security continuous monitoring capabilities, active cyber defenses and secure software supply chain requirements that would allow regular delivery of capabilities without negatively impacting its cyber posture.

Army Agile Software Development

Garciga’s cATO effort is part of a broader Army initiative to better adopt agile software development practices . The service in 2024 issued a new policy cementing modern software development approaches—such as agile and lean practices—in line with industry standards.

The Army previously had only applied a cATO to two programs under its control: Nett Warrior and Gabriel Nimbus. Nett Warrior has a goal of providing faster and more accurate leadership decisions by rapidly providing mobile mission integrated capabilities, better situational awareness and interoperability at the tactical edge among brigade combat teams.

Nett Warrior employs the Tactical Assault Kit software package using map-based and situational awareness applications along with custom Nett Warrior programs. Nett Warrior also uses a broad platform approach leveraging Android, Windows, Linux and HTML software capabilities.

Gabriel Nimbus is a system created to store and visualize large datasets and connect the tactical part of the enterprise network to the strategic level. The goal is to help in decision making. Garciga previously pointed to Gabriel Nimbus as an example of how the Army has performed well in aggregating and analyzing data.

What’s Next for Army cATO Efforts?

Garciga’s team has been collaborating with personnel from the office of the assistant secretary of the Army for acquisition, logistics and technology to create an all-inclusive, cloud-based test capability where different programs can validate their software. The Army wants this operational between July and September.