FedRAMP unveils new framework for prioritizing emerging tech

The federal government’s secure cloud computing validation program laid out a new operating framework that prioritizes integrating emerging technologies into federal agency operations.

Released on June 27, the Federal Risk and Authorization Management Program’s Emerging Technology Prioritization Framework provides guidance for both the public and private sectors regarding how FedRAMP will work to identify which emerging technologies to focus on implementing and how cloud service providers can request their emerging tech-powered products be prioritized. 

The new framework will first apply to artificial intelligence products and technologies, with a focus on chat interfaces, code generators and debugging tools, image generators and associated application program interfaces.

In order to reconcile the growing demand for automation in public sector operations with existing FedRAMP requirements, the framework will start with prioritizing up to three cloud service offerings per capability, meaning that up to 12 AI-based offerings could be prioritized. If designated a priority cloud-emerging technology system, FedRAMP will fast track the provider for agency use and adoption. 

“The framework is designed to expedite the inclusion of emerging technologies in the FedRAMP Marketplace, so agencies can more easily use modern tools to deliver on their missions,” a blog post on the framework’s release states. 

This final framework was preceded by a draft version issued in January. According to the General Services Administration — which manages the FedRAMP program — comments on that draft resulted in one key change: how to analyze if a given service qualifies as generative AI technology. In order to effectively classify an AI-enabled cloud service, a provider must submit public links to industry standard “model cards,” or descriptions of how underlying AI models are being leveraged in a digital system. 

Part of this change was due to a lack of sufficient benchmarks to standardize the performance and structure of emerging tech systems. 

“FedRAMP will use the information on model cards to validate whether the AI being used is the type of capability being advertised,” the agency said. “The purpose of collecting this information is not to assess the performance of the AI capability, but about whether the capability being offered is the one intended for prioritization.”

As the new framework launches, FedRAMP will only accept submissions for this prioritization twice in the fiscal year. 

GSA has been working to modernize the FedRAMP authorization processes to meet increasing demand for cloud services, including work in late 2023 to leverage automation to help expedite the backlog in vendor authorization requests. 

GSA AdministratorRobin Carnahan told Nextgov/FCW in June that the agency has been piloting multiple AI technologies to improve internal workflows. She added that the agency is planning to create an AI advisory committee to better understand if and how agency needs can be improved through AI tech adoption.