FedRAMP finalizes ‘fast pass’ approval process for AI tools

The new emerging technology prioritization framework will help determine which generative AI tools need to be pushed to the front of the line for approval.

The FedRAMP cloud security program is opening up its doors to specific types of generative artificial intelligence capabilities for priority approvals starting Aug. 31.

Vendors can submit GenAI tools for expedited review under the Federal Risk and Authorization Management Program’s (FedRAMP) new emerging technology prioritization framework: specifically chat interfaces, code generation and debugging tools that use large language models (LLMs), prompt-based image generation, and the associated application programming interfaces (APIs) that provide these functions. The program office released the final version today.

“FedRAMP will open submissions for prioritization requests twice a year. Requests for prioritization by cloud service providers (CSPs) are voluntary. FedRAMP holds prioritized cloud services to the same security standards as all other cloud services, and reviews them in the same way,” the program office stated in a blog post. “FedRAMP ensures prioritized cloud services are reviewed first in the authorization process. Requests will be evaluated against the qualifying and demand criteria to ensure prioritized technologies meet the goal of ensuring agencies have access to necessary emerging technologies. Initially, FedRAMP expects to prioritize up to 12 AI-based cloud services using this framework.”

FedRAMP PMO says it will announce initial prioritization determinations by Sept. 30.

The program management office said that while it started first with AI tools and capabilities, the framework is technology agnostic. It features a governance process and a CSP evaluation process.

“The governance process defines how up to three capabilities will be prioritized for ‘skip the line’ access to FedRAMP at any given time, and the amount of cloud service offerings (CSOs) with a given capability that will be prioritized,” the framework stated. “The CSP evaluation process outlines how new cloud service providers will have their CSOs qualified to access an accelerated review. Existing cloud service providers must work with their authorizing official and will follow the significant change request (SCR) process to include new enterprise technology (ET) CSOs in their authorization.”

New forms for FedRAMP priority process

Along with the new framework, the PMO released two forms for agencies and vendors to fill out. Cloud service providers whose offerings meet the ET criteria, and can demonstrate agency demand, can apply for the initial round of prioritization by completing the Emerging Technology Cloud Service Offering Request Form for cloud service offerings and the Emerging Technology Demand Form by Aug. 31.

The General Services Administration, which manages the FedRAMP program, issued the draft emerging technology framework in March seeking industry and agency feedback.

FedRAMP PMO developed the framework as required under the November 2023 safe, secure and trustworthy AI executive order issued by President Joe Biden.

Ryan Palmer, a senior technical and strategic advisor for FedRAMP at GSA, told Federal News Network during the 2024 Cloud Exchange that the program office received more than 200 comments.

“Some of the things that we heard were concerns around the limits that we had in the framework. We tried to adjust those and clarify that those are going to be flexible and really driven by agency’s needs, which could be more generative AI solutions getting prioritized after the initial batch,” Palmer said. “Prioritization is not a blocker. So it’s not that other services are not going to get prioritized. It’s just that we do want to prioritize within our review process certain capabilities. Another area we did get feedback is on the benchmarks. Collectively, people liked the benchmarks. But some of the concerns around the benchmarks were how are they relating to different agency use cases?”

Palmer said the program office is looking at ways to standardize the communication around which benchmarks are relevant to the use cases.

From those initial comments, the program office made four major changes to the framework and two to the prioritization list.

Source: FedRAMP blog post June 27, 2024.

The PMO says one significant change was how it will analyze whether a service qualifies as generative AI.

“We’ve transitioned away from measuring cloud services against quantitative benchmarks and leaderboards. Instead, cloud service providers now submit public links to industry-standard ‘model cards.’ Those model cards describe key features of how their underlying AI models operate,” the PMO said. “Given the rapid pace of AI development, relying on benchmarks likely would have required an impractical amount of ongoing changes to have them continue to stay relevant across diverse use cases. Instead, FedRAMP will use the information on model cards to validate whether the AI being used is the type of capability being advertised. The purpose of collecting this information is not to assess the performance of the AI capability, but about whether the capability being offered is the one intended for prioritization.”

The PMO says it will continually review its processes and update its list as new requirements emerge, both AI and otherwise.

“FedRAMP will update and maintain an evolving list of prioritized ETs at least annually with input from agencies and industry followed by approval from the FedRAMP Board,” the framework stated. “Technologies will be removed from prioritization either by decision of the board, or when the target number of CSOs with the desired capabilities are available within the marketplace.”

 

Copyright © 2024 Federal News Network. All rights reserved.