Trump administration scraps AI-focused framework for FedRAMP
The FedRAMP Emerging Technology Prioritization Framework, which was established last year to accelerate the use of systems like artificial intelligence in the federal cloud, has been eliminated as part of President Donald Trump’s rescission of the Biden administration’s AI executive order.
A person with direct knowledge of the matter confirmed the program no longer existed.
The Emerging Technology Prioritization Framework, which recently switched to a rolling application process, aimed to allow cloud service providers to request prioritization of cloud services associated with emerging technology in the FedRAMP authorization process. The framework’s final draft was issued last summer, requiring interested cloud providers to apply for prioritization by the end of August 2024. The General Services Administration, which operates the FedRAMP program, said initial determinations would be announced the following month.
A spokesperson for GSA did not respond to a request for comment by the time of publication.
The framework, which had highlighted generative AI as a focus, comes as AI companies have increasingly encountered FedRAMP, short for the Federal Risk and Authorization Management Program.
Created in 2011, FedRAMP serves as the federal government’s central clearinghouse for cloud security authorizations. The program creates a government-wide cybersecurity review process that’s mutually intelligible across agencies for cloud services.
Since the program’s inception, cloud service providers typically have sought those authorizations in one of two ways: either by partnering with a federal agency that leads the company through the process of earning an accreditation that can then be reused by other agencies, or by earning an accreditation from the Joint Authorization Board, a streamlined governance organization that prioritized authorizing high-demand cloud technologies. Many companies and stakeholders have criticized the path to authorization as costly in terms of time and resources. A recent Government Accountability Office report found that the program faced a series of challenges, including a lack of understanding by cloud service providers and “issues with receiving timely responses from stakeholders.”
That led to a recent FedRAMP policy overhaul from the Biden administration, which among other things replaced the JAB with what’s now known as the FedRAMP Board and ordered the program to transition to a single approach for cloud authorizations.
Despite the elimination of the emerging technology framework, several cloud service providers with prior FedRAMP authorization have been cleared by the program to provide their AI tools to the federal government, including tools that use the Azure OpenAI service, which is hosted in Microsoft’s cloud.
It’s not clear what work the Trump administration might pursue to advance artificial intelligence services through FedRAMP, though coming work related to Trump’s latest AI executive order could be clarifying. Without the prioritization framework, companies with AI services will need to proceed with engaging the FedRAMP process as any other cloud provider would or partner with a CSP that’s already authorized.
“As AI companies apply for FedRAMP authorization, it’s helpful for cloud service providers to understand that FedRAMP provides a standardized security framework for all cloud products and services that is recognized by all executive branch federal agencies,” a GSA spokesperson told FedScoop earlier this month. “The FedRAMP Program Management Office provides training, guidance, and advisory support to cloud service providers, helping them navigate the FedRAMP process and understand the requirements.”
The GSA spokesperson continued: “Government security, including FedRAMP, is focused on understanding and protecting risks to the confidentiality, integrity, and availability of the federal information itself, which includes federal information that has been tokenized, quantized, or otherwise processed algorithmically (unless the risk is negligible).”
For now, many AI companies have pursued relationships with existing cloud providers authorized through FedRAMP. OpenAI, for instance, has made its technology available through Microsoft, while Anthropic is working with both Palantir and Amazon Web Services. At the same time, the companies are considering pursuing their own authorizations, which would allow them to sell their AI to the government without going through a cloud giant.
Neither OpenAI nor Anthropic provided an update by publication time as to where they stood on FedRAMP.
Importantly, the FedRAMP process doesn’t look at the functionality of the systems under review.
“If an accounting system comes through FedRAMP, FedRAMP is not evaluating if one plus one equals two,” Brian Conrad, FedRAMP’s former acting director, told FedScoop earlier this month. “It’s looking to make sure that the federal data inside the drawn boundary — the presented technical boundary — is secure.”