18F working to overhaul the ATO process

GSA’s innovation arm, 18F, has its sights set on changing the way the federal government authorizes what software it buys.

The General Services Administration’s innovation arm has its sights set on changing the way the federal government decides what software it buys.

In a July 24 comment on its GitHub site, 18F officials said they are developing a plan entitled “Project Boise” to overhaul the authority to operate (ATO) process, by which an agency determines that products meet the security requirements needed to operate on federal IT systems.

18F innovation specialist and developer Aidan Feldman — who is leading the Project Boise team with designer Andrew Maier and strategist Timothy Jones — said in the post that the plan aims to “reduce the burden (time, cost, and pain) and improve the effectiveness of the federal government’s software security compliance processes.”

There are already ATO reform efforts underway at the GSA-based Federal Risk and Authorization Management Program, where officials are developing multiple formats to streamline the authorization process for cloud service providers and give agencies more vendors to choose from.


FedRAMP released a new baseline for its anticipated Tailored service — a proposed software-as-a-service cloud solution that would provide agencies with lower-risk security options — for public comment July 13, shortly after requesting information from industry on how it could automate some of its ATO processes.

To develop new policies, the 18F team will collaborate with stakeholders like the Department of Homeland Security’s Continuous Diagnostics and Mitigation group, the Office of Management and Budget, the White House’s Office of American Innovation, the National Institute of Standards and Technology, and FedRAMP.

While the plan is in its discovery phase, Feldman added that the Project Boise team would be reaching out through the GitHub site to stakeholders in both the public and private sectors, including chief information security officers, cybersecurity policymakers and companies crafting products surrounding security compliance, for feedback on how to simplify the process.

In the first month, the Project Boise plan calls for the team to map ATO processes across federal agencies to determine the common paths and where they can be improved.

Nick Sinai, a former U.S. deputy CTO under President Obama and now a venture partner at Insight Venture Partners, explained the importance of improving the ATO process in a recent Medium blog post. As it stands, it can take a vendor more than a year to receive an authorization, deterring many innovative companies from even trying.


“We need innovative firms entering the federal market — like those that Insight Venture Partners invests in — to make our government more secure, more effective at delivering services, and more efficient for the taxpayer,” Sinai wrote.

He added: “If the Trump Administration is going to build on the Obama Administration’s efforts to modernize, it will need to transform how the federal government does security compliance.”

Written by Carten Cordell

Carten Cordell is a Senior Technology Reporter for FedScoop. He is a former workforce and acquisition reporter at Federal Times, having previously served as online editor for Northern Virginia Magazine and Investigative Reporter for, Virginia Bureau. Carten was a 2014 National Press Foundation Paul Miller Fellow and has a Master’s degree from the Medill School of Journalism at Northwestern University. He is also a graduate of Auburn University and promises to temper his passions for college football while in the office.
