On January 26, 2024, the Federal Risk and Authorization Management Program (“FedRAMP”) published a draft Emerging Technology Prioritization Framework developed in response to President Biden’s Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (previously analyzed by our colleague here and discussed in a flash briefing available here). The Executive Order charged FedRAMP with developing a framework to prioritize Emerging Technologies in the FedRAMP authorization process, starting with generative AI.
The first three generative AI capabilities selected for prioritization are:
- chat interfaces
- code generators
- debugging tools
Emerging Technologies selected for prioritization will have a reduced waiting time before the authorization process (i.e., they get to skip the line), but the authorization process will not be accelerated. The authorization process still will take a similar amount of time as it would for other offerings with the same level and type of authorization.
Notably, the Draft Framework emphasizes two points. First, no more than three capabilities will be prioritized at any time to avoid losing the benefits of prioritization. Second, when three cloud service offerings whose primary purpose is to offer one of the prioritized capabilities have achieved FedRAMP authorization, then the capability no longer will be prioritized and any additional offerings using the same technology will return to the standard prioritization process. As such, if you are developing a cloud service offering whose primary purpose is to offer one of the three generative AI capabilities selected for prioritization, it is critical to seek authorization early or risk missing out on the benefits of prioritization for your cloud offering.
The Draft Framework also outlines the governance process for establishing prioritization of capabilities. On an annual basis (at minimum), the Chief Information Officer Council and Federal Chief Information Security Officer Council[1], with consultation from the Federal Secure Cloud Advisory Committee, the National Institute of Standards and Technology, and third party assessment organizations, is responsible for nominating Emerging Technologies for FedRAMP to consider for prioritization. The FedRAMP Program Management Office (“PMO”) will review the nominations and propose an updated list of up to three Emerging Technologies for prioritization. The FedRAMP Board is responsible for approving the final list but, as of the date of the publication, the FedRAMP Board has not yet been assembled. Therefore, the FedRAMP PMO is planning to adopt the first three capabilities and finalize the evaluation criteria without a presentation to the FedRAMP Board.
Cloud service providers must complete an Emerging Technologies Request Form, which provides the business case demand justification and an attestation to the Emerging Technology criteria for review by the FedRAMP PMO. The justification will explain how the cloud service offering meets the Emerging Technology criteria. The FedRAMP PMO reviews the form and determines whether the cloud service offering meets the criteria established for the particular Emerging Technology and whether its technical characteristics match capabilities that the federal government is seeking to accelerate. If the criteria are met, the cloud service offering will be placed in the FedRAMP PMO’s authorization queue. If the criteria are not met, the cloud service offering still will be placed in the authorization queue, but it will not be prioritized. Appendix A of the Draft Framework provides an overview of artificial intelligence and provides the benchmarks for each of the three capabilities that will be used to measure a cloud service offering’s technical performance.
The public comment period currently is open and will close on March 11, 2024. Companies are encouraged to submit comments, questions, or recommendations using this form. FedRAMP published a blog about the draft framework and included several questions on which the General Services Administration is particularly interested in receiving feedback. Providing feedback is critical to the development of the FedRAMP Emerging Technologies Prioritization Framework.
We are monitoring the emerging federal government AI landscape and will continue to provide updates as federal agencies publish AI Executive Order-related materials.
FOOTNOTES
[1] The Chief Information Officer Council and Federal Chief Information Security Council is a forum of Federal Chief Information Officers (“CIOs”) with the goal of improving information technology practices across U.S. Government agencies.