After developing close relationships with Army Combat Capabilities Development Command Aviation and Missile Center (AvMC) and additional offices based in Huntsville, Alabama, officials are in early stages of developing a plan that will allow hardware-centric programs to leverage continuous integration and continuous deployment (CI/CD) pipelines, Army CIO Leonel Garciga told DefenseScoop. The goal is to have a firm idea of how the service can approve the frameworks and have a testing infrastructure developed within the next 12 to 18 months.

“We’re moving down that path and in very nascent conversations, starting with the ground system folks who have a very similar requirement,” Garciga said recently in an exclusive interview. “They’re [saying], ‘Hey, if you guys could do this for the aviation guys and for the missile folks, why can’t you do this for us?’”

The effort is part of a larger ongoing initiative to streamline the Army’s cATO processes and improve how the service deploys software onto its networks, first outlined in the Army’s software directive published in 2024. The service kick-started work last fall with two pilot efforts intended to inform eventual service-wide guidance to approving cATO frameworks. 

As the Pentagon becomes increasingly dependent on software-based capabilities, organizations have sought to transition away from traditional ATO frameworks encumbered by administrative processes and manual paperwork that can take months to complete. In comparison, a continuous ATO leverages automated monitoring and security controls to ensure that CI/CD pipelines deploying software onto networks remain compliant.

“It takes this idea of paper shuffling and moving it around to experts and makes it readily available for folks to make decisions as new software is developed, … just based on the tools that are out there and what the threat position of the network they’re falling on looks like,” Garciga said.

The Army is initially focusing on accelerating programs and systems that are more mature than others, meaning their cybersecurity professionals, processes and technologies are aligned so that it’s easier to approve a CI/CD pipeline tailored for that specific program, Garciga explained. That means those programs can serve as a leading edge for the service, allowing for others to leverage that work and build their own maturity.

“We’re in the maturing stage, and we’re really focused around some small pilot programs — both programs of record within a program executive office and some commands — that have some maturity, so that we can build out that foundational approach,” he said.

But programs with hardware-in-the-middle present a number of extra challenges to getting a cATO, as many Army systems operate using customized software that doesn’t have an existing parallel in the commercial sector the service can work off of, Garciga noted.

Approving a CI/CD pipeline for those systems would require the Army to inject themselves at the vendor’s site or purchase all of the equipment again so officials can test and integrate it somewhere else, he said.

“We’re really focused on tackling the hard model first, which has been — I have it all at the vendor site, how do I share data back and forth as software gets built to validate it and test it before I put it on a kit?” Garciga said. “That’s been one that we’ve been spending quite a bit of time on, because that has been truly one of the bigger challenges and one of the big rocks that we want to slay.”

Another issue the CIO pointed to is that hardware-centric platforms often integrate with several other internal and external systems, and updating that enabling software would require either physical or simulated testing to ensure interoperability.

“There’s a technical integration between two systems that software is written on,” he said. “We have to have a way to write that software fast, put it in there and still test that maneuverability piece without having to physically go on a tank and do it every single time.”

To that end, Garciga’s team has been working alongside personnel from the office of the assistant secretary of the Army for acquisition, logistics and technology to develop a comprehensive, cloud-based test harness where different programs can validate their software. The service wants to have that platform up and running by the third quarter of 2025.

As for the service’s two ongoing pilot cATO efforts, Garciga said they’ve shown promise and that the Army is still capturing lessons learned as it moves to work with other programs. He noted that offices have come forward with a higher maturity than they initially expected, and he anticipates a continued growth of people approved for CI/CD pipelines.

“What we’re working on right now is we have about seven folks in the hopper that we’re going to walk the dog and certify their CI/CD approach,” Garciga said. “We really want to focus on having teams come and be able to explain how they have their cybersecurity people integrated into the process, and evaluate the skillset and maturity level so, as they’re developing code on these systems, we have a firm understanding that the people, process [and] technology piece is mature enough to get to what is a cATO.”

The post Army developing plans to improve cATO pipelines for weapon systems appeared first on DefenseScoop.

Exactly 30 days into his job, Leonel Garciga told attendees at the TechNet Augusta conference that in his many work roles within the Department of Defense and the Army during his career, he’s never been stopped by a policy or regulation that prevented him from getting something important done.

“I have yet, since as an intel guy, when I was at [the acquisition and sustainment office], when I was at DOD CIO, I never ran into a real thing where the policy said I couldn’t do it. I still haven’t found this mythical thing that says ‘No, you can’t do that,’” he said Wednesday at the confab.

Staff shouldn’t allow existing policies to serve as a permanent roadblock to executing changes, he suggested.

“Rescind that. We’ve got the power of the pen, go do it,” Garciga said of his mentality going forward.

If an Army rule is preventing something from being accomplished, Garciga wants his staff not to tell him they can’t do it, but present him with the policy fix and he’ll sign it.

“Most folks who’ve worked with me a long time, will tell you I’m a bureaucracy hacker. That’s what I live for. I live for people telling me why I can’t do something that’s written down or that I’m already allowed to do because of an interpretation,” he said.

Garciga added that he’s not alone in his outlook.

“We’ve got a lot, a lot of folks in critical positions right now that are all about hacking that bureaucracy [and] not allowing, in some cases, decades of practice remain that don’t need to,” he said. “I think my team will tell you right now, every time I look at something [that suggests], ‘Well, we can’t do that because of [something that was written decades ago] … I look at that and I’m like, ‘Wow, this thing is not just outdated, it doesn’t even make sense.’”

Garciga recognized there are some areas of the Pentagon bureaucracy with significant regulations, such as acquisition — sometimes with good reason. But going forward, the CIO’s office will be “masters of our own destiny,” he added.

Garciga said he aims to continue the momentum laid out by his predecessor Raj Iyer in terms of the Army’s digital transformation strategy, which sought to synchronize the service’s technology modernization efforts, adopt commercial best practices and better posture the force for multi-domain operations. But he also noted that he wants to move faster, especially in the cybersecurity realm.

The post New Army CIO, self-proclaimed ‘bureaucracy hacker,’ doesn’t want policy to prevent progress appeared first on DefenseScoop.