Nearly four years into a Pentagon initiative meant to accelerate software innovation across the military, much progress has been made. But there’s still plenty more to be done, experts say.
The concept of “continuous authorization to operate” (cATO) was explained to armed forces leadership in a 2022 memorandum issued by the Department of Defense’s senior information security officer. Up to that point, the framework the military had used to manage software cybersecurity risk had largely revolved around temporary information system authorizations from DoD “authorizing officials.” If a software developer wanted to make a significant update to a system, for example, they first had to submit a security authorization package showing exactly how the modified system would comply with federal standards.
This ATO process was systematic and comprehensive, but it was also commonly criticized as too slow and cumbersome.
“You can’t move at the pace of relevance with traditional ATO, because you’re stuck with a three- to five-year development cycle,” says Nicolas Chaillan, who from 2019 to 2021 served as Air Force and Space Force’s first chief software officer. With cATO, on the other hand, that development is fluid and never-ending, “so now, you can release software multiple times a day, with features that you build with real-time feedback from your end users,” he says.
Click the banner below to accelerate automation within your agency.
A ‘Massive Problem’ With a Clear Solution
One technology advocate who says he’d like to see much more progress on the cATO front is Dave Raley, digital program manager at Marine Corps Community Services.
In 2023, Raley led the launch of an MCCS software factory called Operation StormBreaker. The system is built on an Amazon Web Services (AWS) cloud landing zone and relies on the Navy’s Rapid Assess and Incorporate Software Engineering (RAISE) framework to securely deliver authorized workloads in a matter of minutes.
While Operation StormBreaker was initially created specifically for the Marine Corps, today it’s available to the entire DoD, Raley says. His mission now is to get military leadership to understand its capabilities and advantages over traditional ATO and what he calls “monolithic” cATOs.
“We used to face the same issues at MCCS that mission owners across the department face,” Raley says. “With our legacy waterfall development and compliance approaches, it was nearly impossible to get capability authorized and delivered to the mission owner.”
The development bottlenecks, as he describes them, quickly disappeared once Operation StormBreaker was in place. Today, the solution is used by mission owners as varied as PEO Digital, the Naval Surface Warfare Center Crane Division and the Defense Innovation Unit, and as the only Marine Corps RAISE Platform of Choice, it’s helped the service deliver mission-ready capabilities orders of magnitude faster than previously possible, he says.
A member of the Advanced Technology Academic Research Center (ATARC) cATO Working Group, Raley contributed to its recently published “Continuous Authorization to Operate Implementation Playbook.” The report notes that obtaining an initial ATO today while abiding by federal risk management requirements can take anywhere from six months to three years. That delay typically drives up operating costs, “sometimes in excess of $1.5 million per system.”
Raley considers figures like that and can’t keep from doing the math: “There’s so much time and money wasted. It’s such a massive problem.” He argues that the entire DoD must embrace these modern software development and delivery approaches, and that right now “we have a once-in-a-generation opportunity” to do it.
“I think there is still a lot of doubt that it’s technically feasible,” Raley adds. “But platforms like Operation StormBreaker and others have proved it is possible, if you can overcome the cultural and bureaucratic hurdles.”
DoD Pushes for cATO Adoption
Former Air Force official Chaillan is familiar with cATO because he brought it to the Air Force through a system called Platform One. A U.S. military software factory providing open-source tools that streamline development workflows, P1 today is one of dozens of such systems the DoD uses to automate compliance and build software at scale.
Chaillan says he ultimately left the military in part because he was frustrated by the resistance he saw to cATO adoption. While the Air Force had immediate success with the model, and the commercial sector had used it for years, government silos and institutional gridlock had kept it from gaining traction across the DoD.
“It was all of the things we’ve always struggled with,” he says. “Teams from different agencies refusing to partner, everyone wanting to do their own thing.”
Some of those same barriers still exist today, but Chaillan says he’s more optimistic about cATO’s prospects. For one, there was the 2022 DoD memo, which stated that cATOs “are a privilege and represent the gold standard for cybersecurity risk management for systems.” Then, even more promising, the topic was addressed in depth in a department report published last spring.
The 47-page document, titled “The State of DevSecOps,” notes that the military operates “in a high-stakes environment where security, efficiency and speed are paramount, and DevSecOps offers a pathway to achieve these objectives simultaneously.”
It goes on to explain that DevSecOps enables continuous authorization to operate, which it describes as a “significant shift in DoD cybersecurity practices” incorporating real-time assessments and zero trust principles “to secure our supply chain against emerging threats and improve our overall cybersecurity posture.”
Army Initiatives Demonstrate cATO in Action
Two recent cATO initiatives at the Army are prime examples of the process in action, Chaillan says.
In August 2024, at the AFCEA TechNet Augusta Conference and Expo, Army CIO Leonel Garciga said the Program Executive Office Soldier had turned to cATOs for the situational awareness and battlefield command software that is critical to its Nett Warrior initiative. Also, U.S. Army Cyber Command and PEO-Intelligence, Electronic Warfare and Sensors were using cATOs for their Gabriel Nimbus Big Data platform.
UP NEXT: Rapid app development is an Army priority.
Finally, in early 2025, Garciga mentioned cATO again in announcing plans to leverage continuous integration and continuous deployment pipelines at the Army Combat Capabilities Development Command Aviation and Missile Center. (In May 2025, the service unveiled its Army Transformation Initiative, a top-down effort to improve its operations that will include “faster prototyping and fielding of critical technologies” such as software and software-defined hardware.)
Outside of the Army, other service branches have also turned to cATO. At the U.S. Coast Guard, for example, a new software factory built in AWS GovCloud will purportedly use cATO to drive time and cost savings while improving quality and security. In 2023, the Marine Corps embarked on a software factory pilot project (the MCSWF) to develop applications for the force “at the speed of operations.” And at the Navy, which leverages Red Hat and Palo Alto Networks for automation and security in its platform engineering pipelines, a new approach to cybersecurity dubbed Cyber Ready revolves around what the service is calling ongoing ATO
