The Federal Risk and Authorization Management Program (FedRAMP) is a critical cloud technology security program that aims to reduce acquisition processing times, inconsistencies, and duplications across federal agencies. Recently, the General Services Administration (GSA) released a draft framework to reform FedRAMP that is designed to fast track authorization of critical and emerging technologies if they offer specific capabilities, such as a chat interface powered by generative artificial intelligence (AI). Incorporating AI and other transformative tools as part of FedRAMP can help to reduce lag times in the commercial delivery of services by automating the largely manual review process for authorization packages.
While new and innovative capabilities will play an integral role in modernizing government, this draft framework overlooks existing administrative challenges to FedRAMP that could undermine its successful implementation. The framework must balance the need to harness newer technologies while also safeguarding institutional tools that are important for government operations. With that in mind, ITI offered the following recommendations for GSA to consider as they look to offer a quick and secure path for critical and emerging technology capabilities to be deployed government-wide:
1. The federal government should prioritize proper alignment with ongoing FedRAMP reform efforts.
While expanding the U.S. government’s use of emerging technologies, like AI, is important, it must be done in a manner that is sustainable, reduces administrative burdens, and accelerates the authorization process for both existing and emerging technologies. GSA should coordinate with the Office of Management and Budget (OMB) and other relevant agency stakeholders to ensure their FedRAMP reform efforts are aligned. Incorporating a collaborative, forward-thinking strategy will yield better results and increase the likelihood that the authorization process will stand the test of time.
2. Process reform must strike the right balance between innovation and competition.
New entrants to the FedRAMP marketplace must be able to compete fairly to serve agencies. A lack of fair competition risks distorting the innovation ecosystem. The framework—as it is currently proposed—would limit the total number of emerging technology authorizations to three per identified capability. This will create a state of limited competition and could result in the unintentional monopolization of the market Reforms should provide the necessary agility for agencies to capture new technologies that deliver cutting-edge capabilities to the federal workforce. If the U.S. government does not strike the right balance between innovation and competition, vendors might prioritize speed over security and deliver products that fail to meet the robust technical and security adjustments expected to address federal security.
3. Resourcing for FedRAMP must be commensurate with scope expansion to meet the growing demand for security authorizations.
FedRAMP has experienced challenges meeting the significant demand for security authorizations needed to permit use of the numerous cloud-service offerings currently in the market. Increasing the demand signal for new and innovative capabilities is likely to further scale the volume of authorization requests and create greater uncertainty on the timeline for a vendor to receive an authorization if they are not the provider of an emerging technology. Building additional workforce capacity can help FedRAMP meet this growing demand for emerging technology without delaying authorizations for other technologies that do not contain those specified capabilities.
Stakeholders should also consider what evaluating the security of new technologies means for agencies conducting FedRAMP authorizations. Agencies will need to elevate technology training, regulatory awareness, and generally upskill their workforce quickly and appropriately. This will help them understand the capabilities that these emerging technologies offer. If the relevant stakeholders are not properly funded to hire, train, and retain a skilled workforce with the right technical expertise, these administrative challenges will only be perpetuated.
4. Expanding the suite of innovative capabilities available to the federal government should not impact access to capabilities already in high demand.
GSA’s framework does not establish new authorization pathways for emerging technologies. Instead, this framework simply allows technologies with specific capabilities to “skip the line” and be placed at the top of the authorization queue. Speed is important for leveraging the benefits these emerging technologies offer. But this framework should avoid delaying the delivery of mission critical capabilities from non-emerging technologies that an agency may be awaiting. There are many non-emerging technology capabilities with a strong demand signal throughout the federal workforce. GSA should maintain a vendor-agnostic environment that does not deprioritize a technology simply because the product or service does not contain a specific capability.
5. Collaboration and transparency are important when evaluating the demand for emerging technologies.
The federal government must work with industry on a consistent basis to effectively leverage the most innovative capabilities offered by the market. Greater transparency is mutually beneficial for both parties. The government should forecast and publish what they view as the most-in demand capabilities prior to accelerating plans for adoption of these technologies. Industry expertise can help the government evaluate if the products or services identified can offer the desired capabilities for satisfying an agency’s mission or whether there is a tool better suited to the task. This will help industry gain a greater understanding of agency-specific needs, while providing necessary insight into this rapidly evolving technology marketplace.
For more than a decade, FedRAMP has been a vital program helping federal agencies safely and securely adopt cutting-edge technologies and ITI looks forward to being a continued advocate for government-wide modernization efforts. GSA’s draft framework lays an important foundation for advancing the secure use of emerging technologies, but more must be done to safeguard innovation and competition. We look forward to continuing to help our trusted government partners realize the immense benefits that technology has to offer.