U.S. Army Officials Launch New Way to Constantly Monitor Risks
After several years of development and experimentation, U.S. Army officials are applying their initial continuous authority to operate (cATO) projects to existing software.
The Department of Defense defines a cATO as “the state achieved when an organization that develops, secures and operates a system demonstrates sufficient maturity in its ability to maintain a resilient cybersecurity posture that traditional risk assessments and authorizations become redundant.” In simpler terms, the Army’s cATO initiative offers a new, constant way for software and artificial intelligence to observe and analyze cybersecurity risks.
In the past, Army operations focused only on implementing and procuring ATOs; however, these certifications fail to address the constant vigilance that officials must have when it comes to monitoring risks. The Army hopes the cATO initiative solves this issue.
SIGNAL Media spoke with Leonel Garciga, the chief information officer for the U.S. Department of the Army. He said this development marks a major shift in how Army officials monitor and address threats.
“It’s really about understanding the risk of the software you’re delivering as opposed to our more compliance-based culture that we have today, so part of that was getting to this idea of a continuous ATO,” said Garciga. “What that really is, is this thought that we don’t have to be in this malaise of administrivia all the time. We’re really focused on threat-based, understanding what the environment looks like and making decisions on software we’re building based on the risks that we’re creating of that software.”
As of now, Army crews have applied the cATO framework to two systems under their control: Nett Warrior and Gabriel Nimbus.

According to the Program Executive Office Soldier within the Army, the Nett Warrior technology connects leaders in the field to the network in Brigade Combat Teams, allowing soldiers to make better decisions faster during a tactical fight. Nett Warrior also offers several transmitting options using advanced technology containing tactical applications wired through the Integrated Tactical Network.
On the other hand, Gabriel Nimbus, operated by the Program Executive Office–Intelligence, Electronic Warfare & Sensors, is a system that allows crews to access and send large amounts of data. In fact, officials with the Program Executive Office–Intelligence, Electronic Warfare & Sensors call it “the Army’s Big Data Platform.” According to those same officials, those copious quantities of data can be transferred “to users via applications and analytics that drive decisions, enhance situational understanding and drive automation while enabling commanders to achieve objectives in and through multi-domain operations.” In other words, it provides soldiers with a computing option that is universally utilized by Army personnel.
Since the new cATO initiative is still in extremely early stages, it is not yet available to other members of the public sector, and it has yet to be launched within the private sector.
When the Army does decide to make the cATO framework more accessible within the private and public sectors, Garciga says not every system will qualify for the application. When that time comes, he said the Army will move away from a checklist approach he calls the “traditional cybersecurity model” and toward a maturity-based model. Using this, crews would evaluate the software’s maturity, allowing Army officials to determine which software is advanced enough to apply the cATO infrastructure.
Furthermore, Garciga noted organizations that utilize the cATO framework will be able to accomplish necessary tasks more quickly and complete arduous and time-consuming duties more efficiently.
“We’re going to assess your maturity, and based on your maturity, we’re going to make a decision on whether or not you’re a good candidate to be in this continuous ATO [program],” said Garciga. “I.E., you have a valid operational framework, you can build code and move as fast as you want within that framework, you stay in that box, and you don’t have to do a lot of this administrivia stuff because it’s kind of already baked in.”
Garciga noted that the two systems that have received the cATO programming, Nett Warrior and Gabriel Nimbus, have extraordinary maturity levels, making them good fits for the framework.
Other requirements that software must show to receive the cATO framework, according to the Office of the Secretary of Defense, include:
- Ongoing visibility of key cybersecurity activities inside the system boundary, with robust continuous monitoring of Risk Management Framework controls.
- The ability to conduct active cyber defense to respond to online threats in real time.
- The adoption and use of an approved DevSecOps reference design.
Garciga announced during his keynote speech at TechNet Augusta 2024 in August that Army crews were beginning to apply the cATO framework to Nett Warrior and Gabriel Nimbus, and personnel officially launched the innovation this fall. Garciga noted that this process took a long time, and it required help from several teams within the Army.
“I have been at this with a small team, with some people coming in and out of the team, since about 2019,” Garciga said. “We started on the intel side, made some progress, did a lot of policy work, got our first program in to start grinding with. Then another program, because of their employment pattern here in Nett Warrior, brought them into the fold. But this has been a labor of love for a real small group of folks in the Army who have been experimenting and really focused on operationalizing the way we deliver software.”
“We didn’t wake up last year and say we were going to do this,” said Garciga. “This has been, in many ways, about a three-year effort between some folks in the Army G2, some folks in CIO, some folks in the G6 and some folks at ARCYBER [Army Cyber Command] to really lay the foundation to make this happen for the Army.”
Looking ahead, Garciga expects this framework to be widely utilized across the Army. He says that seven other programs, in addition to Nett Warrior and Gabriel Nimbus, have already contacted his office to see if they qualify for the cATO initiative. With that in mind, Garciga added that much more work must be done to get this idea used universally around the Army.
“I think over the next 90 days, we’re going to be building the approach here on how we go look at programs,” Garciga said. “What’s the governance? How do we do this at scale? So, there’s still some work to do, but right now, the environment’s low density with programs that are ready, so I think we’re in a good place. We’ll learn a couple of lessons over the next year that’s going to shape, what does next year look like where I think we’ll have a much bigger backlog of systems that are moving in that direction.”