The General Services Administration (GSA) has released a draft framework on how its Federal Risk and Authorization Management Program (FedRAMP) will prioritize certain Cloud Service Offerings (CSOs) that provide specific generative AI technologies.
The FedRAMP program is run by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
The release meets a goal set by President Biden’s recent AI executive order (EO), which directed GSA to release the draft framework within 90 days.
Specifically, the EO called for the draft framework to focus on three prioritized emerging technology capabilities that use large language models (LLMs) and include: 1) chat interfaces, 2) code-generation and debugging tools, and 3) prompt-based image generators.
“The prioritization process will be integrated into existing and future FedRAMP authorization paths,” GSA said in a Jan. 26 FedRAMP blog. “The prioritization framework will not create additional authorization pathways and will maintain the same rigorous and thorough authorization requirements.”
According to the draft framework, FedRAMP will keep an evolving list of capabilities of emerging technologies and update it at least annually with approval from the FedRAMP Board. Technologies will be removed from the prioritization list either when the board decides, or when sufficient CSOs with the desired capabilities are available to agencies.
GSA is looking for public feedback on the draft framework, and it is accepting comments until March 11, 2024.
The draft document explains that the goal of prioritizing specific tech capabilities is to make sure the most important capabilities are available to Federal agencies. Therefore, it requires some basic reporting requirements to determine the eligibility of offerings.
GSA is especially interested to know if this requirement helps ensure the prioritized offerings meet agency needs, as well as if the specific benchmarks provided are sufficient.
Additionally, GSA wants to know how FedRAMP can best assess whether providing a relevant emerging technology is the “primary purpose” of the cloud service offering, and if there’s any other information FedRAMP should consider before allowing a specific CSO to be prioritized in the queue.
