+
+
+
1. Executive Summary
+
In response to the President’s Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI), FedRAMP is establishing a framework for prioritizing emerging technologies (ETs) for FedRAMP authorization. The term “emerging technology” means those technologies listed in the Office of Science and Technology Policy Critical and Emerging Technologies. This framework will enable routine and consistent prioritization of the most critical cloud-relevant ETs needed for use by federal agencies. This prioritization will control how FedRAMP prioritizes its own work and review processes, and will not address how sponsoring agencies manage their own internal priorities.
+
+
This document describes the operational framework to prioritize certain cloud service providers (CSPs) during the FedRAMP authorization process whose cloud service offerings (CSOs) provide certain ET capabilities; how FedRAMP will govern and evaluate this new process; detail the first prioritized technology, generative AI. Importantly, the prioritization process will be integrated on top of existing FedRAMP Authorization paths and will not create new pathways for authorization.
+
+
Not all ETs will be prioritized. The initial ET prioritization list includes generative AI capabilities: chat interfaces, code-generation and debugging tools, and associated application programming interfaces (APIs), as well as prompt-based image generators, as required by Executive Order 14110. FedRAMP will update and maintain an evolving list of prioritized ETs at least annually with input from agencies and industry followed by approval from the Board. Technologies will be removed from prioritization either by decision of the FedRAMP Board, or when the target number of CSOs with the desired capabilities are available within the marketplace.
+
+
FedRAMP will determine initial CSO prioritization targets, generally three per ET capability, and qualification criteria when publishing or updating the ET List. CSOs meeting the qualifying criteria move to the front of the authorization review process. After the ET capability prioritization target is reached, additional offerings of the same ET capability will not be prioritized. Initially, the FedRAMP ET prioritization framework is designed to facilitate rapid authorization of commercial AI capabilities for agency use. Prioritized CSOs that fail to make consistent progress on authorization will be returned to their former place in the queue opening up an opportunity for additional CSOs. Because this is a new paradigm for the program, FedRAMP will continually evaluate the process and make revisions as needed. Additionally, the board may approve another round of prioritization for some or all the ET capabilities based on demand.
+
+
+
+
2. Purpose and Scope
+
This guidance document describes the prioritization framework for ETs for FedRAMP. The intent is to ensure ET CSOs are prioritized during the FedRAMP authorization review and available for agency reuse.
+
+
Agencies will need to prioritize CSO sponsorship and authorization prior to FedRAMP’s prioritized authorization. Additionally, cloud service providers (CSPs) need to prioritize their remediation of any findings identified by the 3PAO, agency, and PMO in order to accelerate the complete authorization process.
+
+
Existing CSPs who wish to incorporate ET CSOs into their offerings via the significant change process must work with their authorizing official for prioritized review and approval.
+
+
This framework will initially be applied to artificial intelligence (AI), specifically the three generative AI capabilities discussed in Executive Order 14110: chat interfaces, code generators and debugging tools, image generators, and associated application program interfaces.
+
+
FedRAMP will update this document, and update the list of prioritized emerging technology as necessary to meet the goals of the executive order and agency mission needs. While this document has an initial focus on the generative AI technologies outlined in the executive order, FedRAMP anticipates the prioritized ET list to continually evolve and will publish updates to our website. Appendix B - Artificial Intelligence details the initial prioritized Generative AI capabilities, prioritization targets, and related criteria.
+
+
General information including resources, blogs, templates, and documentation for the ET prioritization process can be found on FedRAMP’s website under the resources section labeled prioritization.
+
+
The FedRAMP authorization process will validate an ET CSO against existing FedRAMP security controls. Agencies must consider their specific use, including data and privacy risks, and follow appropriate authorization and governance processes when deploying any ETs. In the case of generative AI, agencies should consult closely with their Chief AI Officer.
+
+
+
+
+
3. Framework Elements
+
+ The prioritization framework has been developed to accommodate many different types of technologies and capabilities. The initial focus is to accommodate growing demand for AI-enabled systems across the federal enterprise (an initial set of AI-specific concerns are included in
Appendix B - Artificial Intelligence but the ET prioritization framework we propose is broader than just AI):
+
+
+ - This prioritization allows a CSP to move near the front of the authorization review process. This prioritization will reduce the waiting time before the review process begins. The review itself will take a similar amount of time as it would for other similar offerings at the same level and type of authorization, as well as time spent during remediation.
+
+ - Limit access to prioritization based on type of technology and capability. By definition, a prioritization process should exclude more candidates than it includes. As a starting point, FedRAMP will evaluate no more than three of ET capabilities for prioritization at any time. Limiting impacts offerings that do not include prioritized emerging technology capabilities.
+
+ - Automatically stop prioritizing CSOs when the capability target has been reached. For each ET capability target, when the number of CSOs whose primary purpose is to offer that capability have achieved FedRAMP authorization, then prioritization for that capability will be paused. Additional CSOs that provide that capability will not be prioritized and will follow the normal authorization review process.
+
+ - Accessing the ET track should be fast. FedRAMP will keep any additional steps in the application process simple and focused on speeding agency use and adoption of the prioritized ET capability.
+
+ - Agencies maintain responsibility for evaluating system functionality. As is true for all other FedRAMP authorizations, the authorization process considers the confidentiality, integrity, and availability of system data protected by the CSP. It does not certify the nature or quality of the functionality of CSO, or that it is a best fit for an agency’s specific technology needs. Agencies drive their own acquisition, evaluation, and authorization processes using a far broader set of criteria. FedRAMP may include requirements for additional information relevant to the specific ET (such as technology requirements, performance metrics, or responsible use policies). FedRAMP is committed to giving agencies the information to protect the confidentiality, integrity, and availability of the data they process in these systems.
+
+
+
+
+
4. ET Prioritization Framework
+
+
+
+
4.1 Overview
+
The ET Prioritization Framework provides a process that is integrated across all of the program’s available authorization paths. There are two primary parts to the ET Prioritization Framework (seen in Figure 1):
+
+
Figure 1: ET Prioritization Framework
+
+
+
The Governance Process defines how up to three capabilities will be prioritized for “skip the line” access to FedRAMP at any given time, and the amount of CSOs with a given capability that will be prioritized.
+
+
The CSP Evaluation Process outlines how new cloud service providers will have their CSOs qualified to access an accelerated review.
+
+
Existing cloud service providers must work with their authorizing official and will follow the significant change request(SCR) process to include new ET CSOs in their authorization.
+
+
+
+
+
4.2 Governance Process - Establish Prioritization Capabilities
+
The goal of the governance process is to identify appropriate ETs and respective capabilities for prioritization and accelerated authorization. Agencies and Industry will be able to submit ideas for additional capabilities to be authorized for future revisions. An electronic submission form will be prepared and made available as the time approaches for new capabilities to be identified.
+
+
To maintain the benefit of prioritization, up to three ET capabilities may be identified at any given time. These may be in a singular ET category, such as generative AI, or may span multiple ET categories. These will be updated annually at minimum – regardless of whether authorizations have been completed – and can also be updated as needed, either at the request of the FedRAMP Board or based on stakeholder demand.
+
+
4.2.1 Nominate ETs for Prioritization
+
+
Responsible: Chief Information Officer (CIO) Council and Federal Councils including (Federal Chief Information Security Officer (CISO) Council, Chief AI Officer, Chief Data Officer or others)
+
+
Accountable: FedRAMP PMO
+
+
Consult: FSCAC, NIST, TAG, 3PAOs, Agencies, CSPs
+
+
Informed: FedRAMP Board
+
+
What: The FedRAMP PMO will coordinate nominations for new emerging technologies from Agencies and Industry partners including CSPs and 3PAOs. FedRAMP PMO will consult with NIST and the TAG to help define definitions and technical characteristics for the nominated ET. Nominations will be validated with and confirmed by the CIO Council, in coordination with other councils or bodies (such as Federal CISO Council, Chief AI Officer Council or Chief Data Officer and others as appropriate). Nominations will include emerging technologies and capabilities that address agencies mission needs.
+
+
Output: Recommendation from federal CIOs or CISOs to the FedRAMP PMO regarding their ET needs.
+
+
Estimated Duration: Variable depending on inputs from CIO and federal councils, Agencies, and Industry.
+
+
4.2.2 Propose ET List
+
Responsible / Accountable: FedRAMP PMO
+
+
Consult: Office of Management and Budget (OMB)
+
+
Informed: CIO and CISO Federal Councils, FSCAC
+
+
What: The FedRAMP PMO proposes an updated list of up to three ET capabilities for prioritization for the Board’s approval. This will include an analysis of the PMO’s ability to process authorizations for these capabilities, including:
+
+
+ - Maturity of global understanding (including understanding of the technology industry, 3PAO community, and current security best practices) for the ET
+
+ - The target number of CSOs for the prioritized review process for each emerging technology capability, (generally three)
+
+ - Resources and expertise necessary to support the target number of prioritized capabilities
+
+
+
Insights from the analysis will be discussed with OMB. They will be compiled into a briefing that provides an estimate of FedRAMPs ability to authorize and communicate a given area of ET services, considering maturity across PMO staff, Agencies, 3PAOs, CSPs, and the broader technology and cybersecurity community. The briefing will outline potential activities necessary to support the prioritized authorization of a given ET if approved.
+
+
Input: Nominations from the Federal CIO and CISO Councils, Agencies, and Industry to the FedRAMP PMO, as described above.
+
+
Output: Proposed ET List, FedRAMP ET Impact Assessment
+
+
Service Level Agreement Target: 1 Month
+
Service Level Agreement Threshold: 2 Months
+
+
4.2.3 FedRAMP Board Decision on the ET List
+
+
Responsible / Accountable: FedRAMP Board
+
+
Consult: FedRAMP PMO, OMB
+
+
Informed: CIO and CISO Federal Councils
+
+
What: The FedRAMP PMO will brief the FedRAMP Board on its ET prioritization recommendation. The FedRAMP PMO will send all materials in advance of the Board meeting when the ET is on the agenda. The FedRAMP Board will approve a final list of ET capabilities.
+
+
EO 14110 specifies the high-level capabilities for the initial list of ETs. This initial list of capabilities is considered adopted once this framework is finalized. Future capabilities will receive review and approval by the FedRAMP Board.
+
+
Input: Proposed ET List, FedRAMP ET Impact Assessment
+
+
Outputs: Approved ET capability list
+
+
Estimated Duration: Variable depending on Board discussion and feedback to the PMO.
+
+
4.2.4 Update ET Capability List and Criteria
+
+
Responsible / Accountable: FedRAMP PMO
+
+
Consult: Agency Partners and Liaisons, CSPs
+
+
Informed: None
+
+
What: The FedRAMP PMO will update its process documentation, website, and all necessary systems to align changes to the approved ET list. Updated criteria and resources will be developed and published on the Resources Prioritization page on the FedRAMP website and communicated to stakeholders. The FedRAMP blog and email notification will be used to communicate prioritization application windows.
+
+
Input: Approved ET List
+
+
Outputs: ET Criteria for Prioritization, ET capability targets, ET CSO Request Form , ET Demand Form
+
+
Service Level Agreement Target: 2 weeks
+
Service Level Agreement Threshold: 4 weeks
+
+
4.2.5
+
+
Responsible / Accountable: FedRAMP PMO
+
+
Consult: FedRAMP Board, CIO Council and Federal CISO Council, Agency Partners and Liaisons
+
+
Informed: None
+
+
What: When the PMO authorizes the defined target of CSOs in a given ET capability, the ET will be automatically removed from the prioritization list. The FedRAMP PMO will repeat step 4.2.4 (Update ET Capability List and Criteria) to reflect the removal. These updates will not impact any CSOs who have already been prioritized for another ET capability. The FedRAMP PMO will notify the FedRAMP Board and other relevant stakeholders that the target CSO count has been achieved and may begin step 4.2.1 (Nominate ETs for Prioritization)
+
+
Input: Metrics Report on # of CSPs Prioritized for ET Capabilities
+
+
Output: Updated ET List
+
+
Service Level Agreement Target: 2 week
+
Service Level Agreement Threshold: 4 weeks
+
+
+
+
4.3 Evaluation Process - CSP Submissions and Review
+
The Evaluation Process determines if a CSO meets the ET definition and qualifying criteria. Once identified and verified, then the CSP will be placed in an accelerated position in the FedRAMP authorization queue. These steps take place during the current Preparation phase of the FedRAMP authorization process.
+
+
The evaluation process kicks off after a CSP has:
+
+ - Completed the CSP Information Form
+ - Reached an agreement with the FedRAMP PMO on the appropriate authorization path
+ - Completed their 3PAO security assessment and has a security authorization package, including (SSP, SAP, SAR, and POA&M) and is ready for PMO review
+ - Prepared and submitted their security package and business case for a CSO, following FedRAMP’s regular authorization processes
+
+
+
+
CSPs can submit their ET CSO Request Form at any point in this process, though as described above, a CSP will not be evaluated for prioritization until completing their 3PAO security assessment. As part of the intake process, the FedRAMP PMO will review the ET criteria for prioritization with the CSP. Initially, there will be two open prioritization application windows during each fiscal year. ET CSO Request Forms submitted outside these active windows will be held until the next application window opens and then evaluated with other CSPs submitting in the application window.
+
+
4.3.1 Submit the ET CSO Request Form & ET Demand Forms
+
+
Responsible / Accountable: CSP
+
+
Consult: Agency Partner and Liaison
+
+
Informed: None
+
+
What: CSPs in consultation with their agency partner will submit the ET CSO Request Form and ET Demand Form which includes demand justification and attestation to the ET prioritization qualifying criteria for FedRAMP PMO review. Detailed instructions on how to fill out the forms can be found in the Emerging Technologies Prioritization Criteria and Guidance document.
+
+
Input: Justification of how CSP meets ET criteria, and a decision to complete the ET prioritization process with FedRAMP PMO
+
+
Outputs: Completed ET CSO Request and Demand Forms submitted to the FedRAMP PMO for consideration.
+
+
Estimated Duration: Variable depending on type of ET, complexity of CSO and qualifying criteria, availability of demand data.
+
+
4.3.2 Qualification Determination and Queue Placement
+
+
Responsible/Accountable: FedRAMP PMO
+
+
Consult: Agency Partner and Liaison, CSP
+
+
Informed: None
+
+
What: The FedRAMP PMO determines if the CSO meets the ET prioritization qualifying criteria in consultation with the agency partner. If the criteria are met, the FedRAMP PMO will review the ET demand forms and calculate the total demand score. The PMO will select qualifying CSOs based on their demand score up to the ET category target.
+
+
If the criteria are not met, or if other offerings have the demand score, the CSO will still be placed in queue to be reviewed following the standard process.
+
+
Input: ET CSO Request Form, ET Demand Forms
+
+
Outputs: Approve or deny that the CSO meets the ET criteria, ET CSO Prioritization Decision Justification, Process CSO accordingly
+
+
Service Level Agreement Target: 2 weeks
+
Service Level Agreement Threshold: 4 weeks
+
+
Monitor ET Approvals
+
+
Responsible/Accountable: FedRAMP PMO
+
+
Consult: FedRAMP Board
+
+
Informed: CIO Federal and CISO council
+
+
What: The FedRAMP PMO will monitor the prioritized CSOs throughout the lifecycle of the ET prioritization process. FedRAMP PMO Security Review Team regularly tracks and communicates the progress of prioritized CSOs towards authorization.
+
+
Notification will be sent to the FedRAMP Board and the CIO and Federal Councils when the ET capability target is reached. Subsequently, the FedRAMP Board may initiate a request to do an off-cycle round of the ET governance process.
+
+
Input: Authorization Packages
+
+
Outputs: Metrics Dashboard and Reports, Report on Prioritized and Non-Prioritized CSOs
+
+
Service Level Agreement Target: 2 weeks
+
Service Level Agreement Threshold: 4 weeks
+
+
+
+
+
+
5. Supporting Documents
+
All documents and forms below are authored by the FedRAMP PMO, and will be published on the FedRAMP.gov website.
+
+
+
+
+
5.1 ET List
+
The 1-2 page list of ETs will be updated annually at a minimum and on-demand based on stakeholder feedback. This list is further refined by the FedRAMP PMO after inputs from the CIO Council, the Federal CISO Council, and other industry inputs as described by the process in Section 4.2 on the governance process. The updated list must be approved by the FedRAMP Board.
+
+
+
+
+
+
+
+
+
+