Emerging Technology Prioritization Public Comments
Created | First Name | Last Name | Email | Agency / Organization | Primary Stakeholder Community | Public Comment | Emerging Technology Framework Doc Section #
1. 01/30/24 1:49 PM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept. of HUD - OCIO - ACIO IOO | Agency | Section 5.10 - Needs to be brought into Section 508 Standards i.e. Chart colors | Section 5.10
2. 01/30/24 2:33 PM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept. of HUD - OCIO - ACIO IOO | Agency | Question 1(A) Will this requirement help ensure the prioritized offerings meet agency needs? - No as the benchmarks aren't set to the level of conferring whether the CSO ET meets the specified requirements within an RTM for the CSO ET. Benchmarks are currently set to the ten foot level which only indicates its overarching capability and whether it should be invited to the table for a bake off consideration. If you're looking to get to the level of agency needs, then you need to have the agencies involved in helping you determine what a general agency benchmark(s) would look like. | Appendix A
3. 01/30/24 3:12 PM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept. of HUD - OCIO - ACIO IOO | Agency | Question 1(B) How should the benchmarking process be structured to keep the process focused on eligibility and avoid agencies or CSPs interpreting it as setting a more general bar of quality? - Remove the "benchmarking" terminology and replace it with "entrance criteria" terminology. This should be based on agency demand and federal mandates. Most agencies assume if a particular product/capability is FedRAMP'd or on the CDM APL for CISA/DHS it meets the overarching security mandates of the federal government, shortens ATO time, provides the ability to expedite the capability into the enterprise environment, and the agency gives it preferential treatment as such. If the policy is not intending to accomplish that then why have it under FedRAMP process control? | Appendix A and Section 3.5
4. 01/30/24 3:17 PM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept. of HUD - OCIO - ACIO IOO | Agency | Question 1(C) Are the specific benchmarks provided sufficient? Are they too constraining? Are they too flexible? - Too generic | Appendix A1.1 and A1.2
5. 01/30/24 3:23 PM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept. of HUD - OCIO - ACIO IOO | Agency | Question 1(D) Which entity should determine which benchmark to use: the agency sponsor, or the CSP? - This would greatly depend on the agency's requirements for CSO ET. A case could be made for both. | Appendix A
6. 02/01/24 10:47 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | 2. How can FedRAMP best assess whether providing a relevant emerging technology is the “primary purpose” of the cloud service offering? - Is there a demand for it by the federal agencies? If so, what are the requirements for the capability? What is the capabilities TRL of the capability? Is the capability being provided as a bundled product or standalone? If a bundled product what is the overarching purpose of the capability? | Appendix A
7. 02/01/24 10:52 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | 3. Is there any other information FedRAMP should consider before allowing a specific CSO to be prioritized in the queue? - There should be significant agency demand for the capability to be queued. The three CSO ET selected should also be on three separate platforms (Microsoft/AWS/Google, Oracle, etc.). The three selected should not be Microsoft, AWS, and Google CSO. | Appendix A
8. 02/01/24 10:54 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | 4. Is the process outlined in this prioritization framework reasonable for CSPs to work with? Yes | Appendix A
9. 02/01/24 11:01 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | 5. Is there relevant information that could be collected from CSPs to facilitate quicker adoption by agencies? - Product roadmap, cybersecurity products should be reviewed and approved by CISA and on the APL, how does the product align with federal agency missions (ie business case), is the product 508 compliant with a VPAT, product TAA and Section 889 compliant, where is the data held (ie US, etc.), what is the ROI for the investment, etc. | Appendix A
10. 02/01/24 11:03 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | 6. Should GSA publish more information about how different benchmarks better apply to specific AI use cases? - Yes and how the benchmarks apply to agency's requirements for prioritization for implementation. | Appendix A
11. 02/01/24 11:07 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | 7. In the future, are there factors that would merit prioritization other than emerging technologies? - Yes, federal mandates and agency demand for products/capabilities which support the agency's mission. | Appendix A
12. 02/01/24 11:41 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | Section 4.1 - Figure 1 - Needs to be brought into Section 508 Standards (i.e. chart colors) | Section 4.1
13. 02/01/24 11:50 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | Section 5 - Figure No Number - Needs to be brought into Section 508 Standards (i.e. colors) | Section 5
14. 02/01/24 11:51 AM | Susan | Hardee | susan.m.hardee@hud.gov | US Dept of HUD | Agency | Section 5.1 - "TAG" is not defined. | Section 5.1
15. 02/07/24 11:44 PM | Kasey | Ganas | youandeye78@gmail.com | Person/human/citizen//victim | Public Sector - Other | AI needs to be available for use to people in environments/computers/framework/infrastructure/devices in real time and real//ife(K)-1
16. 02/14/24 8:27 AM | Edward | McLarney | edward.l.mclarney@nasa.gov | NASA | Agency | The scope for initial AI capabilities mentions covering LLM chat-based interfaces. Although this may be implied, 'recommend including the actual underlying LLM text / natural language capabilities explicitly in the scope. Interfaces and underlying technologies both need to be assessed, not just the interfaces. | Multiple
17. 02/28/24 2:18 PM | William | Cahillane | William.Cahillane@certara.com | Certara USA Incorporated | Private Sector - Other | Certara's focus is helping solve challenges with A.I. with specialized GPT applications and secure and private data connectivity. Let me know if your team has begun experimenting with GPT technology? If Yes, allow Certara.AI to brief your team about services to accelerate said initiatives? 😀 | 1
18. 02/29/24 9:08 AM
Just wanted to thank the FedRAMP team for publishing this clear and smart framework. This clearly fits the intent of the EO. Thank you for your work on this!
19. 03/05/24 1:19 PM | Craig | Brindle | craig.b.brindle.civ@mail.mil | Morale, Welfare, Recreation (MWR), and Resale Policy Office DoD, Military Community and Family Policy | Agency | Noted that agencies have the opportunity to provide 3PAOs from vendors- is there a listing of approved 3PAOs available?
When submitting, is there a requirement for the 3PAO to have addressed the ET elements of their assessment specifically to meet prioritization?
If so, I would anticipate that the simple addition of a chatbot function into a product may prompt a significant workload requirement in the race for vendors to compete for future prioritizations.
5.9 Third Party Assessment Organizations
20. 03/08/24 12:02 PM | Max | Aulakh | max@ignyteplatform.com | Ignyte Platform Inc. | 3PAO | Requesting 1 clarification on 3PAO role in creation of SAP that includes AI capabilities. Requesting additional feature capability for Voice Data as ET Criteria for Prioritization (See attached document). | Section 4.3 and Section A.1
21. 03/10/24 4:50 PM | Colin | MacArthur | colinpmacarthur@fastmail.fm | Bocconi University | Public Sector - Other | The way these priorities are separated is confusing. A “chat interface” is not a *use* of generative AI (like code or image generation); it’s one way of interacting with a model for many different possible uses. (Many image and code generators also use a chat-like interface.) I think it’s easy to fix this - you could change “chat interfaces” to the particular uses those interfaces generally enable, which are relevant to government priorities. For example, is it about automated knowledge retrieval, text summarization, sentence completion or writing? I think the benchmarks listed under A.1.1. offer hints about the *use* you actually intend to enable under the heading of “chat interface”. | Appendix A
22. 03/10/24 4:50 PM | Colin | MacArthur | colinpmacarthur@fastmail.fm | Bocconi University | Public Sector - Other | The wording of your first sentence implies that you want to exclude prompt-based image generators that with LLM components. Is that right? I believe most modern image generators incorporate language models that might be difficult to differentiate from an LLM. | Appendix A
23. 03/10/24 4:50 PM | Colin | MacArthur | colinpmacarthur@fastmail.fm | Bocconi University | Public Sector - Other | Could you further clarify the purpose of submitting data about a system’s performance against your benchmarks? If the purpose is not to assess quality (as you say), what is it?

I worry the required benchmark comparisons may become low-value compliance exercises. These benchmarks all test particular and narrow model behavior. These are generally NOT the same ways normal people, or government agencies, will use these systems. So top quartile benchmark performance doesn’t mean a tool is safe or useful - so why demand that documentation? I think it would be helpful to further explain your thinking, and how you will avoid agencies mistaking this benchmark performance for “quality.”
Appendix A
24. 03/10/24 4:51 PM | Colin | MacArthur | colinpmacarthur@fastmail.fm | Bocconi University | Public Sector - Other | Perhaps you could avoid some confusion by removing “neural networks” from the technical characteristics here? Neural networks could also be a component of A.1.1 and A.1.2., so folks may wonder why it appears here and not there. I suggest focusing the “technical characteristics” on the actions the product supports, not on the particular technology it uses, like you do for the other uses. | A.1.3.
25. 03/11/24 9:50 AM | Ben | Diliberto | ben.diliberto@wiz.io | Wiz, Inc. | Cloud Service Provider (CSP) | Regarding question 1.a., The Prioritization Framework must not only expedite new CSOs that provide new ETs to the front of the authorization process, but also expedite applications seeking to increase such in-demand products’ authorization to higher FIPS 199 risk levels (e.g., increasing its authorization from federal information systems with moderate risk to those with high risk). This will ensure ETs are available for a wider set of use cases.
26. 03/11/24 12:38 PM | Bobby | Flanders | Bobby.Flanders@hhs.gov | HHS/OCIO | Agency | See attached.
27. 03/11/24 1:03 PM | Jessica | Salmoiraghi | jessicas@bsa.org | BSA | Private Sector - Other | Please see the attached letter.
28. 03/11/24 1:26 PM | Omid | Ghaffari-Tabrizi | oghaffari@google.com | Google | Cloud Service Provider (CSP) | Prioritize uplifting the standard prioritization process

It will be important to ensure an AI-focused boundary – or any new boundary – is not created, but rather, incorporated into the existing process. This will ensure that when the fourth or other future CSOs are moving through the process, the standard prioritization process can proceed as intended without the need for any work-arounds or one-off requirements that are applicable only to the emerging technology component(s).
Sec. 1, paragraph 4; page 1.
29. 03/11/24 1:28 PM | Omid | Ghaffari-Tabrizi | oghaffari@google.com | Google | Cloud Service Provider (CSP) | Clarify how CSOs that are on the ET track but fail to achieve authorization before the first three are managed

Clearer guidance on how a CSO that is on the ET track but does not achieve authorization before the first three will be important for both those on the ET track and those pushed down the list by the CSOs on the ET track. The framework elements currently call for an end to “prioritizing CSOs when the product limit has been reached,” defining reaching the product limit as “that capability hav[ing] achieved FedRAMP authorization.” This seems to allow for more than three CSOs to enter the ET track but is silent on what happens to those who have started on the ET track but didn’t finish the authorization process on time. The language stating “[a]ll CSOs in process at the time of the decision [to remove a capability from the ET list] will complete the course of action and activities relative to their current/designated authorization path” could be interpreted as meaning that those on the ET track will remain on the fast track or that they will end up on some other track, but greater clarity on this will be helpful.
Sec. 3, Subsec. 3; page 2 & Sec. 4.2.5; page 5-6.
30. 03/11/24 1:29 PM | Omid | Ghaffari-Tabrizi | oghaffari@google.com | Google | Cloud Service Provider (CSP) | Prioritize interoperability, portability, and compatibility when choosing the CSOs for the ET track

While three CSOs provides an opportunity to create the type of choice that will ensure agencies are able to obtain the best-of-breed solutions that industry leaders rely on for innovation, it will be essential to ensure that the CSOs that are prioritized do not incentivize vendor lock via proprietary or otherwise non-open and non-standards based approaches to cloud computing. The ability to switch vendors or use multiple solutions within one tech stack is substantially dependent on the ability of a customer or user to quickly, easily, and painlessly move from one CSP to another.
Sec. 4.2.2; page 4.
31. 03/11/24 1:53 PM | Zack | Royster | zroyster@itic.org | Information Technology Industry Council | Private Sector - Other | Establish an equitable authorization process for CSPs.

ITI shares GSA’s desire for reforming FedRAMP so that specific Cloud Service Offerings (CSOs) providing innovative critical and emerging technology capabilities (ETs) can be authorized for agency use securely and in a timely manner. We understand the urgent need for modernizing the federal government’s technology infrastructure and agree that ETs, like AI, have significant potential to advance automation goals and enhance operational efficiency. At the same time, it is important that FedRAMP balance the need to accelerate authorization of emerging technology capabilities with capabilities that are already in high demand.

We caution that the draft framework, as it is currently designed, would simply exacerbate existing administrative challenges to the FedRAMP authorization process, such as the significant backlog of Cloud Service Providers (CSPs) waiting for their turn in the authorization queue. ITI recognizes the importance of federal agencies’ ability to access the most important capabilities offered by the market, but it is important that FedRAMP balances the need for expediting the authorization of ET capabilities with the need to maintain an equitable authorization process for non-ET CSPs seeking authorization, particularly those with an existing place in the authorization queue. We encourage GSA to ensure that reforms to the FedRAMP process do not further delay the authorization of mission critical capabilities that a sponsoring agency may be awaiting. Prioritizing ET CSOs without increasing FedRAMP throughput will likely result in the deprioritization of non-ET CSOs with strong demand signals from the federal government that are currently in the FedRAMP backlog. We recommend that the FedRAMP PMO establish and publish metrics to objectively ensure that resources are appropriately managed and the backlog of requests isn’t further increased.

It is important to recognize the significant investment of time, effort, and resources that CSPs have already devoted to the existing authorization process. Proposed reforms to FedRAMP should refrain from employing a “skip the line” mentality and instead maintain a vendor-agnostic environment that ensures one CSP is not favored over another. Instead, we recommend expediting plans for standing up alternative authorization pathways designed for quicker and more effective adoption of ETs critical to satisfying the needs of an agency’s mission. We encourage GSA to expand the full suite of resources across the Technology Transformation Services organization to both encourage ET authorization and ensure the current queue of CSPs is not deprioritized simply because their services do not contain AI.
32. 03/11/24 1:58 PM | Michael | Magrath | mmagrath@easydynamics.com | Easy Dynamics Corporation | Private Sector - Other | Is there any other information FedRAMP should consider before allowing a specific CSO to be prioritized in the queue?

Prioritize technology vendors that have implemented and practice highly matured DevSecOps practices that can readily support automated compliance efforts, by building compliance related APIs directly into their product suite/services foundational layers. This will help support automation and machine-readable compliance, along with security related artifacts production for Continuous ATO maintenance.
3
33. 03/11/24 1:59 PM | Zack | Royster | zroyster@itic.org | Information Technology Industry Council | Private Sector - Other | FedRAMP authorization processes need to strike the right balance between innovation and fair competition.

ITI supports FedRAMP’s goal of offering new ET capabilities for agency use more quickly and more efficiently. However, given FedRAMP’s role as a de facto gate keeper for many procurements, we encourage GSA to modify this draft framework to support a robust environment of competition and innovation. Considering the current rate at which CSOs are authorized for inclusion on the FedRAMP marketplace, and that only three CSOs per capability will be prioritized, there are concerns that this could create a state of limited competition within the FedRAMP marketplace and inadvertently entrench incumbents. This approach lacks the necessary agility to capture new technologies as they are made available and could impede FedRAMP’s mission of delivering cutting-edge capabilities.

GSA should consider that some important capabilities will be offered by ETs that are not or will not be cloud-based. With that in mind, how is GSA going to ensure that non-cloud-based solutions are not at a disadvantage in the ET marketplace? Industry would appreciate guidance on how FedRAMP looks at its mission in cloud authorization versus authorizing ETs that may not involve the cloud, and how this comports with FedRAMP’s statutory authorities. Is FedRAMP considering expanding its scope to cover other, non-cloud-based technologies? If so, this would necessitate further expansion of resources for a FedRAMP program that has struggled to keep pace with the scale of certification demands and would likely drive-up costs for non-cloud ETs as well. It is critical for new entrants and competitors to be able to compete fairly to serve agencies, otherwise this could risk distorting the innovation ecosystem.

The FedRAMP PMO should also consider how the limited number of CSOs receiving authorization for each capability will impact the “preparation” portion of the authorization process. CSPs that offer ET capabilities are likely to move quickly to file to avoid losing out on the advantage of being one of the first, and only, authorized CSOs in the FedRAMP marketplace. There are concerns that the goal of expediting the authorization process could come at the expense of quality submissions or risk delivering products that do not meet the necessary technical and procedural adjustments that FedRAMP requires to address federal security. GSA should require the FedRAMP Board to select at least three different CSPs for each of the three CSOs to prevent a first-mover from monopolizing the market for that capability. This would bolster competition in the ET marketplace and help maintain the necessary rigor in the preparation process to ensure CSOs are secure.

Importantly, this draft framework must strike the right balance between speed and fairness. As the framework is currently written, there is not sufficient clarity on how the PMO will evaluate CSOs and what criteria is considered most important for sequencing in the authorization queue. While this draft framework does note that the FedRAMP PMO will “compare the demand score to other CSOs approved for prioritization”, there is significant ambiguity on how the demand score is determined. What is the process for evaluating the demand for CSOs filing for prioritization? How are CSOs scored? Will certain criteria be weighted more heavily? GSA should clarify Section 4.3.2 “Qualification Determination and Queue Placement” by detailing the process for how the FedRAMP PMO will compare demand scores and determine the proper sequencing of CSOs in the authorization queue. We recommend that GSA publish this guidance for industry feedback, whether through an RFI or another format.
Section 3, Section 4.3
34. 03/11/24 1:59 PM | Michael | Magrath | mmagrath@easydynamics.com | Easy Dynamics Corporation | Private Sector - Other | Is there relevant information that could be collected from CSPs to facilitate quicker adoption by agencies?

Through adoption of Agile concepts most Development shops fail to produce enough documentation right from the seeding of the concept to develop specific services and creates technical debt in later phases to build security into the services. We recommend that FedRAMP make it a requirement for vendors to provide enough documentation to support appropriate and effective threat modeling, cyber risk management throughout the lifecycle of the products and services offerings.
5
35. 03/11/24 2:01 PM | Michael | Magrath | mmagrath@easydynamics.com | Easy Dynamics Corporation | Private Sector - Other | Should GSA publish more information about how different benchmarks better apply to specific AI use cases?

AI use cases are diverse and apply to a wide spectrum of services within the government. We would like NIST (or other agencies / organizations) to publish specific use case-based benchmarks based on citizen services they are targeted against.
6
36. 03/11/24 2:01 PM | Zack | Royster | zroyster@itic.org | Information Technology Industry Council | Private Sector - Other | Enhance transparency in the governance process.

ITI urges GSA to enhance transparency measures throughout the “governance” process of this draft framework. Specifically, Section 4.2.1. and 4.2.2. direct the CIO and/or CISO Council, at least annually, to nominate a list of ETs that the FedRAMP PMO would then analyze and submit for recommendation to the FedRAMP Board. We encourage the CIO and/or CISO Council to publish this nomination list for industry and interagency feedback prior to the FedRAMP PMO conducting their assessment. How does the process that the CIO and/or CISO Council conduct throughout the ET nomination phase work? For example, the FedRAMP PMO could publish quarterly notices that detail how and why certain ETs are being prioritized for authorization. Ideally, these notices could forecast what the FedRAMP PMO believes are the most in-demand capabilities for the foreseeable future (i.e., 12 – 24 months) and solicit industry feedback on whether this is the correct approach.

If the federal government is looking to leverage the most innovative capabilities offered by the current market, it would benefit FedRAMP to continue to foster consistent and open lines of dialogue throughout each nomination process rather than simply publishing the ET list (as referenced in Section 4.2.4.) after the FedRAMP board has already approved it. Greater transparency is mutually beneficial for both the government and the government’s trusted industry partners. Industry would gain a greater understanding of the agency-specific needs from CSPs, while providing necessary insight into this rapidly evolving technology marketplace, which would ensure that the government is prioritizing the newest and best commercial capabilities available.
Section 4.2
37. 03/11/24 2:02 PM | Michael | Magrath | mmagrath@easydynamics.com | Easy Dynamics Corporation | Private Sector - Other | In the future, are there factors that would merit prioritization other than emerging technologies?

Any technology requires evaluation factors such as trustability, security, scalability, reliability, integrity, costs of ownership, operational returns/value based on both qualitative and quantitative measures and supportability. These should be considered for prioritization.
7
38. 03/11/24 2:05 PM | Zack | Royster | zroyster@itic.org | Information Technology Industry Council | Private Sector - Other | Ensure this draft framework is appropriately resourced.

FedRAMP is notoriously and chronically underfunded. By expanding the scope and scale of FedRAMP to include critical and emerging technologies (ET), this draft framework is likely to increase the number of authorization requests. GSA should consider the opportunity cost related to authorizing these additional capabilities. Capacity for the authorization of new ETs should not come at the expense of established processes.

Currently, the FedRAMP marketplace has listed just over 350 authorized offerings with multiple 10,000 CSOs that exist in the commercial marketplace. Considering that this draft framework would apply to both current and future authorization pathways, and that this draft framework would essentially establish vendor preference, the expanded scope and scale of FedRAMP would undoubtedly exacerbate the uncertainty vendors face on the timeline to receive an Authorization to Operate (ATO). We urge GSA to ensure resourcing is commensurate with scope expansion and can meet the throughput in demand.

We encourage GSA to take full advantage of its authorized ability to receive funding from other agencies and carry over unspent funds from prior years in order to fund FedRAMP ET activities. The FY23 authorized funding levels and authorities for the Federal Citizen Services Fund (FCSF) allow new flexibilities for the FedRAMP budget that have not yet been exercised. AI EO implementation and ET workstreams would make great first use cases for leveraging this new budgetary flexibility to ensure that interagency stakeholders are able to contribute to ET approvals.

Moreover, the need to accelerate the time to market for ET capabilities should be balanced with the program's capacity. FedRAMP is currently authorizing over 75 CSOs per year. If the goal of this framework is to expedite FedRAMP authorization for up to nine new CSOs offering the specified ET capabilities, how will the FedRAMP PMO ensure that this does not come at the expense of other critical capabilities that would have otherwise been authorized?

This expanded scope of the FedRAMP process to include ETs also means that agencies conducting FedRAMP authorizations will need to elevate technology training, regulatory awareness, and generally upskill their workforce quickly and appropriately to understand each new ET. If agencies are not properly funded to hire, train, and retain a skilled workforce with the right technical expertise, we anticipate that these challenges will only be perpetuated.
Section 2, Section 3
39. 03/11/24 2:09 PM | Zack | Royster | zroyster@itic.org | Information Technology Industry Council | Private Sector - Other | Align the draft framework with ongoing efforts to restructure the FedRAMP process.

Since OMB’s efforts to modernize FedRAMP’s structure are not yet finalized, it is challenging to fully assess the strengths and weaknesses of this draft framework and the impact it may have on the FedRAMP process. It has taken over a decade for federal stakeholders to advance FedRAMP reform, and while ITI is generally supportive of FedRAMP’s goal to proliferate emerging technology capabilities across federal agencies, there are some concerns regarding FedRAMP’s ability to effectively implement additional reforms to the authorization process prior to OMB completing its work. If OMB is considering eliminating the FedRAMP board and creating a new authorization structure, it can slow down both regular approvals and the ET process outlined in this proposal.

Furthermore, as various efforts to reform FedRAMP begin to converge, we encourage stakeholders to be mindful of how this draft framework may hold up in the long-term, particularly as ETs, like quantum information science, mature. GSA should be mindful to keep the framework technology agnostic to preserve the government’s access to innovative technologies. It would be prudent for GSA to coordinate with OMB, and other relevant stakeholders, to ensure that efforts to reform FedRAMP are fully aligned and further the goal of reducing administrative burdens and accelerating the authorization process for both existing and emerging technologies.
Section 2, Section 3
40. 03/11/24 2:56 PM | Vanessa | Hunt | vkhunt@us.ibm.com | IBM Corporation | Cloud Service Provider (CSP) | Please see attachment. | Multiple
41. 03/11/24 3:04 PM | Travis | Rosiek | travis.rosiek@rubrik.com | Rubrik | Private Sector - Other | Propose for consideration and/or addition of:

Securing Proposed Emerging Technologies (ETs)

It is important for ETs to be rapidly leveraged by USG organizations. However, it is also important to build security in and ensure that the ETs are implemented in the most secure manner. Therefore it is important to provide complementary and foundational security capabilities alongside the ET list to ensure the security and success of the ETs being prioritized. It is imperative for government organizations to follow a shared security responsibility model when leveraging ETs and cloud solutions. Trying to add on security after an ET is implemented is always harder and more costly while leaving a prolonged attack vector for cyber threat actors to leave.
4.2.2
42. 03/11/24 4:19 PM | Hanan | Abu Lebdeh | hanan.abulebdeh@ed.gov | Department of Education | Agency | See attached Excel file
43. 03/11/24 4:59 PM | Ross | Nodurft | RNodurft@alliance4digitalinnovation.org | Alliance for Digital Innovation | Private Sector - Other | Thank you for the opportunity to submit comments.
44. 03/11/24 5:08 PM | Gaurav | Pal | gpal@stackArmor.com | stackArmor, Inc | Private Sector - Other | We appreciate the opportunity to provide comments in the attachment. | Answers to posed questions by GSA
45. 03/11/24 9:37 PM | Claudio | Belloli | cbelloli@cisco.com | Cisco | Cloud Service Provider (CSP) | Section 4: The framework seems reasonable, appears to be a somewhat modified FedRAMP Connect/JAB prioritization process for ET. This should be an open and transparent framework and selection process.

Section 4: There are multiple references to demand in section reference to using the JAB Demand WorkSheet. Would like to see a definition of demand criteria and/or number or points assigned for demand from federal agencies. By referring to JAB demand sheet, is the PMO proposing to keep the same demand criteria for ET currently required for a JAB business cases?

How will demand and ET innovation/capabilities be weighed or scored? Propose that there be a formula set so CSPs know how their business case will be scored. For example, in a scenario where a CSP has an innovative offer in demand at 10 Agencies and another CSP has a more highly innovative offer, in demand at six agencies? How would that play out?


Section 4.2.1: Nominations. How will the nominating process be executed? Would like to propose a regular, periodic process where a call for nominations is publicly announced/published so that CSPs have adequate time to prepare the authorization packages and business cases. A process similar to how the PMO would announce the next date where CSPs could submit their JAB business cases.

-Please define what the last bullet of reached on a “an appropriate authorization path” in agreement with the PMO would mean. Currently, it’s JAB or Agency, path, but with JAB path closing and proposed changes found in the FedRAMP OMB memo, will the paths detailed there be the options available to CSPs? Would be helpful to provide the list of authorization paths available to a CSP.
4
46. 03/11/24 9:45 PM | Alla | Seiffert | awsalla@amazon | Amazon Web Services | Cloud Service Provider (CSP) | Thank you for the opportunity to comment on the draft Emerging Technology Prioritization Framework. At Amazon Web Services (AWS), we are excited to see the Biden Administration’s continued support for cloud adoption across the Federal Government and focus on the evolution of this essential program as it pertains to Artificial Intelligence (AI). The Federal Risk and Authorization Management Program (FedRAMP) provides a scalable mechanism to accelerate agency cloud adoption by creating processes for security authorizations and allowing agencies to leverage security authorizations at scale.

We request additional clarity regarding the impact of the new Emerging Technology (ET) prioritization framework envisioned in the draft memorandum. By prioritizing ET, we are concerned that FedRAMP may be taking resources away from processing Cloud Service Offerings (CSOs) proposed for authorization that are already in high demand but do not meet the criteria of the ET. The framework speaks to who will inform the technology capabilities that are most important to meeting agency needs, but not the methodology by which those capabilities will be identified by those organizations. Without insight into this methodology, it is difficult to assess whether this requirement will ensure the prioritized offerings meet agency needs. We recommend additional clarity in the appendices regarding the way in which agencies will forecast demand.


For example, Amazon is investing in generative AI and the responsible development and deployment of foundation models across all of our businesses, and we support and provide resources for our customers to do the same. Through our Amazon Bedrock service, Amazon expands the opportunities and resources available to customers and provides them with an opportunity to use and develop a broad variety of foundation models, all within the safety and security of AWS. There is a strong demand signal from federal government agencies to leverage Bedrock, but it may not match the technical characteristics of the currently selected ET. If FedRAMP resources are prioritizing other Cloud Service Offerings that match the technical characteristics of the selected ET over a CSO with existing USG demand, it may slow the adoption of a service for which the USG has expressed a greater need.

We recommend allocating dedicated resources to implementing and operationalizing the prioritization process such that the timeline to authorization for non-ET Cloud Service Offerings is not negatively impacted.
4.2
47 | 03/11/24 9:49 PM | Alla Seiffert | awsalla@amazon | Amazon Web Services | Cloud Service Provider (CSP) | OMB’s work to update FedRAMP’s structure is not yet finalized. It is therefore challenging to fully assess the strengths and weaknesses of this draft framework and the impact it may have on the FedRAMP process for CSPs who are already part of the FedRAMP program. As we expressed to OMB in December as part of our comments on the draft memorandum, there are concerns regarding FedRAMP’s ability to effectively implement additional reforms to the authorization process prior to OMB completing its restructuring. If OMB is considering eliminating the FedRAMP board and creating a new authorization structure, it can slow down both regular approvals and the ET process outlined in this proposal.

If the federal government is looking to leverage the most innovative capabilities offered by the current market, it would benefit FedRAMP to continue to foster consistent and open lines of dialogue throughout each nomination process rather than simply publishing the ET list (as referenced in Section 4.2.4) after the FedRAMP board has already approved it. Greater transparency is mutually beneficial for both the government and the government’s trusted industry partners. Industry would gain a greater understanding of the agency-specific needs from CSPs, while providing necessary insight into this rapidly evolving technology marketplace, which would ensure that the government is prioritizing the newest and best commercial capabilities available.
4.2.4
48 | 03/11/24 10:38 PM | Max Fenkell | max.fenkell@scale.com | Scale AI | Private Sector - Other | Please see the attached for Scale AI's Comment.