The General Services Administration’s (GSA) FedRAMP Program Management Office (PMO) released the final version of its Emerging Technology Prioritization Framework (framework) late last month. The framework seeks to expedite FedRAMP authorizations for select Cloud Service Offerings (CSOs) with emerging technology features. This will ensure that the latest tools – particularly generative Artificial Intelligence (AI) -- are readily accessible to Federal Agencies in the FedRAMP Marketplace.

Required by President Biden’s October 2023 Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI) (EO 14110), the framework has two primary processes: governance and evaluation.

Governance Process ­This explains how FedRAMP will choose which emerging technology capabilities to prioritize. There are five steps in the Governance Process:

  1. Nominate Emerging Technologies for Prioritization – The U.S. Chief Information Officer (CIO) Council will nominate emerging technology types in coordination with federal agencies and industry partners, e.g., Cloud Service Providers (CSPs) and Third-Party Assessment Organizations.
  2. Propose Emerging Technologies List – The PMO will propose a maximum of three technology capabilities to prioritize at any given time. In addition, the FedRAMP PMO will produce an analysis of its ability to process authorizations for each capability.
  3. FedRAMP Board Decision on the Emerging Technologies List – The PMO will brief the FedRAMP Board on its prioritization recommendations. The FedRAMP Board will approve or deny the final list.
  4. Update Emerging Technology Capability List and Criteria – If FedRAMP Board approves the list, the PMO will notify stakeholders and update its process documentation, website, and systems to reflect the changes.
  5. Shifting Prioritization of CSOs with Emerging Technologies – After the FedRAMP PMO authorizes the target number of CSOs for a specific technology, that capability will be removed from the list. The PMO will update the prioritized capabilities list annually at minimum, regardless of whether authorizations are completed.

Evaluation Process – Explains how FedRAMP will choose which individual CSOs to prioritize. CSOs become eligible for consideration after completing a security assessment with a Third-Party Assessment Organization. There are three steps in the Evaluation Process:

  1. Submit the Emerging Technologies CSO Request Form & Demand Forms – CSPs submit their Emerging Technology CSO Request Form, which explains how a cloud service employs the prioritized capabilities, and their Emerging Technology Demand Form, which identifies a cloud service offering’s current customers and highlights cases of “potential demand” from federal and commercial customers.
  2. Qualification Determination and Queue Placement The FedRAMP PMO determines whether the offering meets the emerging technology prioritization qualifying criteria. If yes, the FedRAMP PMO will calculate a “demand score” using information from the Emerging Technology Demand Form and select the most demanded offering. If no, the CSO will enter the normal approvals process.   
  3. Monitor ET Approvals The FedRAMP PMO will monitor the prioritized Service Offerings throughout the approval process.

Although the Governance Process states that no more than three capabilities will be prioritized at a time, the FedRAMP PMO has confirmed four capabilities for the initial round of approvals. For each of these capabilities – which EO 14110 explicitly identified – FedRAMP will prioritize three CSOs, for a total of 12 overall:

  • Chat interfaces.
  • Code generation and debugging tools.
  • Prompt-based image generators.
  • General Purpose API offerings that facilitate the integration of chat interface, code generation and debugging tools, or prompt-based image generation capabilities into new or existing systems.

The final framework closely resembles the January 2024 draft version with one key change. The final version allows CSPs to submit public links to industry standard “model cards” to verify if a cloud service is eligible for prioritization, i.e., has the desired emerging technologies features. The draft version had originally requested CSPs to measure their technical performance against a quantitative “relevant benchmark” to determine eligibility. However, the PMO conceded that benchmarks would quickly become outdated given the rapid development of AI.

Moving forward, CSPs can apply for the initial round of emerging technology prioritization by completing the Emerging Technology Cloud Service Offering Request and Emerging Technology Demand Forms before August 31. The FedRAMP PMO will announce the initial prioritization determinations by September 30. 

Luke O'Grady

Read Next

Building PQC and Crypto Resiliency Across the Public and Private Sectors

A webinar that featured industry leaders from AT&T, the National Institute of Standards and Technology (NIST), InfoSec Global, The White House, and Venable LLP, focused on cryptographic resilience and post-quantum transition.‍

NTIA Report Reveals Support for Open AI Models

The NTIA released a report examining the risks and benefits of dual-use foundation models with publicly available model weights, also examining the impact of openness on innovation and how to evaluate and quantify risk for these models.

PQC: Lead the Way or Fall Behind

NIST has selected the Post-Quantum Cryptography algorithms and now is the time for organizations to decide to lead or get left behind. Establishing a foundation of trust and protecting information and infrastructure with these standards is crucial.