Overview

  • The process by which software staged for use in the federal government is checked for security compliance is known as the “Authority to Operate (ATO)” process. The ATO process is usually handled by either government staff or a third-party vendor.
  • “Project Boise” is a working title for a Discovery (exploratory) phase of research that builds upon 18F’s Compliance Toolkit.
  • The Project Boise team is led by Aidan Feldman, with help from designer Andrew Maier and strategist Timothy Jones.
  • In the short term, the Project Boise team will evaluate the ATO landscape and determine where GSA can provide the most value. In the long term, the Project Boise team hopes to reduce the burden (time, cost, and pain) and improve the effectiveness of the federal government’s software security compliance processes. See the Goals page for more details.

The Project Boise team is relatively new to government, and even newer to ATOs. We hope that

  • Approaching the problem in a humble, collaborative, human-centered way
  • Bringing outside skills
  • Leveraging others’ expertise
  • Facilitating important conversations that may not otherwise happen

around software risk management can meaningfully move the needle on the burden and effectiveness of these processes.