In order to manage a device, Defense Orchestrator must have its own copy of the device's configuration stored in it's local file system. When Defense Orchestrator "reads" a configuration from a device it manages, it takes a copy of the device's running configuration and saves it. The first time Defense Orchestrator reads and saves a copy of a device's configuration is when the device is onboarded. When Defense Orchestrator reads the device's configuration from the device to Defense Orchestrator, it completely overwrites the copy of the configuration it has stored on Defense Orchestrator. It does not overwrite only sections of the configuration that have changed.
As you manage and make changes to a device's configuration with Defense Orchestrator, Defense Orchestrator saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on Defense Orchestrator until they are "deployed" to the device. Staged configuration changes have no affect on the network traffic running through the device. Only after Defense Orchestrator "deploys" the changes to the device do they have an affect on the traffic running through the device. When Defense Orchestrator deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device.
These articles describe how to read configurations from the devices CDO manages and deploy configuration changes from CDO to the device: