Thursday, December 12, 2024

PPM CIO-051 ARMY TRANSITION TO CONTINUOUS AUTHORITY TO OPERATE

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42690-PPM_CIO-051-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-DV-051
SAIS-CS (25-1rrrr) 12 December 2024
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Transition to Continuous Authority to Operate
1. Reference. Army Chief Information Officer (CIO) Memorandum (Software
Modernization Directive—Initiative 8—Implementation Plan).
2. Purpose. Establish criteria for the transition from the traditional authority to operate
(ATO) process to continuous authority to operate (cATO).
3. Background. As the Army Software Modernization Directive—Initiative 8—
Implementation Plan details, all Army software development supporting capabilities that
require an ATO will transition to certified DevSecOps platforms (DSOPs). Software
development that utilizes CI/CD will transition to certified DevSecOps pipelines, as
appropriate. This transition enables cATO.
a. A cATO authorizes secure and fully continuous deployment of applications to
production as often as necessary for ongoing development, patching, and security
updates. The cATO framework enables existing and new applications to deploy without
completing lengthy Risk Management Framework (RMF) tasks.
b. A DSOP is a set of tools and automation that enables software development. It
includes the ability to create DevSecOps pipelines.
c. A DevSecOps pipeline is a collection of DevSecOps tools that implement
control gates, enforce thresholds, and are automated to the greatest extent possible.
d. A deployment platform is where the software executes. It ranges from
hyperscale cloud, to traditional on-premises infrastructure, to embedded systems at the
tactical edge.
e. Continuous monitoring (ConMon) involves the continuous security assessment of
production platforms. It includes real-time risk decisions through dashboards, rapid
response through alerting, and active cyber defense (ACD).
f. cATO is a continuous authorization provided by the Army CIO, granted once the
criteria detailed in this policy are met. The diagram below depicts the key components:
existing ATO, certified DSOPs and pipelines, release management, and ConMon.
4. Policy. The following criteria comprise the process to transition from a traditional
ATO to cATO:
a. An existing ATO in the RMF monitor stage to serve as the foundation for the
cATO, which may use reciprocity.
b. Use certified DSOPs and pipelines per their certification policy memos.
c. The system owner establishes ConMon, which includes the DevSecOps artifacts
and logs, in addition to logs from the deployment platform. The established mechanism
for ConMon must:
(1) Accept authorizing official (AO)-approved thresholds and collate all security-
relevant logs so that security data and thresholds can be visualized via dashboards
that enable real-time decisions.
(2) Include alerting for events that warrant real-time action or cyber defender
intervention.
(3) Include ACD, which involves automated, pre-approved defensive response
actions to security events.
(4) Include the ability to monitor DevSecOps pipeline artifacts, chiefly the
software bill of materials, in addition to the control gates and thresholds in the
pipelines. Monitoring these artifacts is a major element of software component supply
chain risk management; it enables the dashboards, alerts, and ACD to respond to
emerging threats in the supply chain and newly discovered vulnerabilities.
(5) Include the delivery of cybersecurity data to the enterprise Unified Security
Information and Event Management program based on cybersecurity service provider
alignment.
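The ConMon mechanism described in paragraph 4c, as an added illustration that is not part of the memorandum and not Army code: it collates a pipeline's artifacts (a minimal CycloneDX-shaped SBOM and control-gate results) with deployment-platform log lines, applies AO-approved thresholds, raises alerts for a cyber defender, and selects a pre-approved ACD action. Every input is constructed for the example; the threshold values, advisory identifiers, component names, addresses and playbook actions are assumptions, not values from the policy or any real feed.

```python
"""Toy ConMon evaluator for a DevSecOps pipeline (added example, constructed data).

Demonstrates paragraph 4c(1)-(4): AO-approved thresholds, collated security-relevant
logs for a dashboard, alerting, pre-approved ACD actions, and SBOM-based monitoring
of newly published advisories. Nothing here is Army code or real advisory data.
"""
import json
from dataclasses import dataclass

# AO-approved thresholds (constructed values for the example).
THRESHOLDS = {
    "alert_score": 7.0,       # alert a cyber defender at or above this score
    "acd_score": 9.0,         # take the pre-approved ACD action at or above this
    "max_failed_logins": 5,   # platform-log threshold per source address
}

# Pre-approved ACD actions keyed by finding kind (constructed playbook names).
ACD_PLAYBOOK = {
    "vulnerable_component": "hold_release_and_open_ticket",
    "failed_login_burst": "block_source_at_platform_firewall",
}

# Constructed SBOM in the shape of a minimal CycloneDX component list.
SBOM = {"components": [
    {"name": "libexample", "version": "1.2.0"},
    {"name": "webfw", "version": "4.0.1"},
    {"name": "jsonlib", "version": "2.9.3"},
]}

# Constructed advisory feed: placeholder IDs, affected versions and CVSS-like scores.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "name": "libexample", "versions": ["1.2.0"], "cvss": 9.8},
    {"id": "ADV-CONSTRUCTED-2", "name": "jsonlib", "versions": ["2.9.3"], "cvss": 7.5},
    {"id": "ADV-CONSTRUCTED-3", "name": "webfw", "versions": ["3.9.0"], "cvss": 8.0},
]

# Constructed pipeline control-gate results and deployment-platform log lines.
GATE_RESULTS = {"sast": "pass", "sbom_generated": "pass", "container_scan": "fail"}
PLATFORM_LOGS = [
    '{"ts":"2024-12-12T10:00:01Z","event":"login_failed","src":"203.0.113.7"}',
    '{"ts":"2024-12-12T10:00:02Z","event":"login_failed","src":"203.0.113.7"}',
    '{"ts":"2024-12-12T10:00:03Z","event":"login_failed","src":"203.0.113.7"}',
    '{"ts":"2024-12-12T10:00:04Z","event":"login_failed","src":"203.0.113.7"}',
    '{"ts":"2024-12-12T10:00:05Z","event":"login_failed","src":"203.0.113.7"}',
    '{"ts":"2024-12-12T10:00:09Z","event":"login_ok","src":"198.51.100.2"}',
]


@dataclass
class Finding:
    kind: str        # "vulnerable_component", "gate_failed" or "failed_login_burst"
    detail: str
    severity: float  # score compared against thresholds (CVSS for advisories;
                     # constructed fixed scores for the other kinds)


def match_sbom_advisories(sbom, advisories):
    """One Finding per SBOM component whose exact version appears in an advisory."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and comp["version"] in adv["versions"]:
                detail = f'{comp["name"]}@{comp["version"]} affected by {adv["id"]}'
                findings.append(Finding("vulnerable_component", detail, adv["cvss"]))
    return findings


def check_gates(gate_results):
    """A failed control gate is reported at a fixed (assumed) alert-level score."""
    return [Finding("gate_failed", f"pipeline gate {gate} failed", 7.0)
            for gate, result in gate_results.items() if result != "pass"]


def check_platform_logs(lines, thresholds):
    """Count failed logins per source; a burst at/over the threshold is ACD-level."""
    failures = {}
    for line in lines:
        record = json.loads(line)
        if record["event"] == "login_failed":
            failures[record["src"]] = failures.get(record["src"], 0) + 1
    return [Finding("failed_login_burst", f"{count} failed logins from {src}", 9.0)
            for src, count in failures.items() if count >= thresholds["max_failed_logins"]]


def evaluate(sbom, advisories, gates, logs, thresholds, playbook):
    """Collate all sources, then derive dashboard counts, alerts and ACD actions."""
    findings = (match_sbom_advisories(sbom, advisories)
                + check_gates(gates)
                + check_platform_logs(logs, thresholds))
    alerts = [f for f in findings if f.severity >= thresholds["alert_score"]]
    acd_actions = [(f.detail, playbook[f.kind]) for f in findings
                   if f.kind in playbook and f.severity >= thresholds["acd_score"]]
    dashboard = {
        "components": len(sbom["components"]),
        "vulnerable_components": sum(f.kind == "vulnerable_component" for f in findings),
        "gates_failed": sum(f.kind == "gate_failed" for f in findings),
        "alerts": len(alerts),
        "acd_actions": len(acd_actions),
    }
    return {"dashboard": dashboard, "alerts": alerts, "acd_actions": acd_actions}


def run_example():
    return evaluate(SBOM, ADVISORIES, GATE_RESULTS, PLATFORM_LOGS, THRESHOLDS, ACD_PLAYBOOK)


if __name__ == "__main__":
    print(json.dumps(run_example()["dashboard"], indent=2))
```

Only exact-version matches are treated as affected, so `webfw@4.0.1` is not flagged by the advisory for `3.9.0`; a production ConMon feed would use version ranges and package URLs, and the thresholds and playbook would come from the AO rather than constants in the file.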
5. Roles and responsibilities
a. The Army Chief Information Officer will:
(1) Receive recommendations from the Chief Information Security Officer.
(2) Retain overall authority to approve or deny cATOs.
(3) Approve the charter of the DevSecOps review board.
b. The Army Chief Information Security Officer will:
(1) Provide recommendations to the CIO for the award of a cATO based on input
from the DevSecOps review board.
(2) Manage the cATO program and, informed by the DevSecOps review board,
ensure approved cATOs stay current.
c. Authorizing officials will:
(1) Determine system readiness and request transition to a cATO.
(2) Remain the ultimate responsible party for maintaining the cATO requirements
identified herein and future updates.
(3) Approve and support their organization’s ConMon.
d. System owners will:
(1) Perform an assessment of current systems for suitability to enter the cATO
program and initiate the transition request with the AO.
(2) Request and receive certification of their DevSecOps platforms and pipelines
or transition to certified DevSecOps platforms and pipelines that are suitable for their
system requirements.
(3) Implement and execute ConMon.
e. ARCYBER retains Directive Authority for Cyberspace Operations.
6. Policy review. The OCIO Policy & Risk Governance Division (SAIS-CSP) will review
this policy annually, or as required, and update as appropriate.
7. Points of contact:
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-CS Director: BG Urbi Lewis, urbi.n.lewis.mil@army.mil.
c. SAIS-CSP Policy Team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
d. Chief, Software Modernization AAG: Lauren Pavlik, lauren.c.pavlik.civ@army.mil.
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army