In order to manage a device, Cisco Defense Orchestrator (CDO) must have its own copy of the device's configuration stored in it's local database. When CDO "reads" a configuration from a device it manages, it takes a copy of the device's running configuration and saves it. The first time CDO reads and saves a copy of a device's configuration is when the device is onboarded. When CDO reads the device's configuration from the device to CDO, it completely overwrites the copy of the configuration it has stored on CDO. It does not overwrite only sections of the configuration that have changed.
As you manage and make changes to a device's configuration, CDO saves the changes you make to its own copy of the configuration. Those changes are considered "staged" on CDO until they are "deployed" to the device. Staged configuration changes have no effect on the network traffic running through the device. Only after CDO "deploys" the changes to the device do they have an effect on the traffic running through the device. When CDO deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device.
Deployments can be initiated for a single device or on more than one device simultaneously. You can schedule individual deployments or recurring deployments for a single device.
These articles describe how to read configurations from the devices CDO manages and deploy configuration changes from CDO to the device: