diff --git a/.allstar/branch_protection.yaml b/.allstar/branch_protection.yaml
index 2a52c6cf..689cc10f 100644
--- a/.allstar/branch_protection.yaml
+++ b/.allstar/branch_protection.yaml
@@ -1 +1,20 @@
-dismissStale: false
+# Branch protection rules
+# Implements AC-2 (part g):  requires peer review by at least
+#   one other team member for the production “main/master” branch.
+# AC-2 (part k): cans, checks, and branch protection policies are enforced
+#   configurations through the GSA-TTS Github Allstar implementation.
+# SI-7 Software, Firmware, and Information Integrity
+optConfig:
+  disableRepoOverride: false
+  optOutStrategy: true
+action: issue
+# Policies
+approvalCount: 1
+blockForce: true
+dismissStale: false # Login.gov override
+enforceDefault: true
+enforceOnAdmins: true
+optOutArchivedRepos: true
+requireApproval: true
+requireSignedCommits: true # SI-7
+requireUpToDateBranch: true