18F seeks to streamline ATO process

Innovation group 18F has launched an interagency project aimed at reducing the time and red tape in the security compliance process for commercial products.

Shutterstock image (by retrorocket): Cutting red tape.

Innovation group 18F has launched an interagency project to make it easier for federal agencies to adopt commercial software and products.  

Project Boise’s goals are “to reduce the burden (time, cost and pain) and improve the effectiveness of the federal government’s software security compliance processes,” according to a statement posted on GitHub.

Those security compliance processes require agencies to obtain an authority to operate (ATO) before adopting commercial software and entail additional requirements depending on individual agencies’ rules.

Those reviews can be handled by government employees or third parties, but they add a bureaucratic hurdle for agencies that want to use commercial products.  

Federal officials estimate that it takes about four months for a cloud provider’s service to be approved for government use. Jason Hess, chief of cloud security at the National Geospatial-Intelligence Agency, said in March that his agency has managed to obtain ATOs in seven days and wants to shorten that time frame to a single day.

18F officials would like all agencies to have a turnaround time closer to NGA’s. To do that, they plan to build on the effectiveness of ongoing ATO improvement projects by working with chief information security officers, cybersecurity policymakers and private-sector entities engaged in security compliance, among others.

The innovation shop also hopes to collaborate with the National Institute of Standards and Technology, the Department of Homeland Security and the Office of Management and Budget to help turn its research into policy.

The Trump administration created the Office of American Innovation to help agencies deliver better services to citizens by adopting private-sector practices. Earlier this month, the General Services Administration, 18F’s parent agency, announced that it is collaborating with the office to improve the ATO process.

In a July 25 blog post on Medium.com, former U.S. Deputy CTO Nick Sinai wrote that Project Boise aims to make it easier for agencies to securely and quickly launch software by integrating “security and compliance into the very beginning of how federal agencies buy and build IT systems   --  combining development, security and operations...rather than bolting on security at the end.”  

Sinai, who is now a venture partner at Insight Venture Partners, added that “if the Trump administration is going to build on the Obama administration’s efforts to modernize, it will need to transform how the federal government does security compliance.”