GSA to prioritize select AI models for FedRAMP approval
Briefly

The General Services Administration will prioritize authorization of cloud services that include conversational AI engines for routine use, allowing AI products to jump the FedRAMP approval line. AI vendors will use FedRAMP 20x, a Biden-era program that standardizes documentation, automates security verification, initiates continuous rolling validation, and deploys industry security standards. GSA aims to streamline adoption of advanced AI capabilities across the federal government by accelerating approval of chatbot offerings. Prioritization requires meeting five strict criteria including enterprise-grade security, guaranteed data protection, demonstrated demand from multiple agencies, availability via a Multiple Award Schedule, and ability to meet FedRAMP 20x within two months. The criteria may advantage large AI companies over smaller vendors.
The General Services Administration is going to begin prioritizing authorization of cloud services that include "conversational AI engines designed for routine and repeated use," according to an announcement on Monday. AI products get to jump the approval line for FedRAMP, the US government's cloud software security certification program. Instead of the traditional FedRAMP process, AI companies will use GSA's FedRAMP 20x, a Biden-era program designed to streamline the government's cloud software approval process.
FedRAMP 20x's goals include the automation of FedRAMP security verification by standardizing required documentation, initiating a rolling validation program that continuously monitors application changes, and deploying industry security standards. The GSA hopes to "streamline the adoption of advanced AI capabilities across the federal government" by accelerating approval of AI offerings that include chatbots under FedRAMP 20x, the agency said. But while AI chatbot firms might get to skip the FedRAMP line, getting approval still won't be easy.
According to the FedRAMP AI prioritization page, the criteria to meet the bar for prioritization are steep, and a vendor must meet each of five requirements:

- Enterprise-grade security (SSO, real-time analytics, SCIM provisioning, etc.)
- Guaranteed protection of data, including an agreement that training data won't leave the customer's environment
- Established demand from at least five CFO Act agencies, or a recommendation from the CIO Council
- Be "available for government use via" a Multiple Award Schedule (MAS)
- Be able to meet FedRAMP 20x standards within two months of acceptance
Read at Theregister