GSA’s emerging tech framework is a priority setter for AI
Eric Mill, director of cloud strategy at GSA, said comments on the draft Emerging Technology Framework are key to ensuring their decision process is correct.
When it comes to adopting secure artificial intelligence capabilities, the General Services Administration is doing all it can to make sure the government isn’t late to the game.
The draft Emerging Technology Framework from the cloud security program known as FedRAMP could be a key piece to that effort, especially if industry and agencies help drive the new approach.
Eric Mill, director of cloud strategy in the Technology Transformation Service in GSA, said the draft framework, for which comments are due March 11, is helping to ensure agencies get the expected benefits of using secure AI and large language models.
“This is strategically important for the program because what we’re doing here is FedRAMP is prioritizing its work around the strategic goals that the government has. It’s not just a first in, first out program. We are breaking a little bit of ground for the program,” Mill said on Ask the CIO. “It is that something we think is a good thing. As we engage in a prioritization process where FedRAMP is really important for what FedRAMP does, we have to make sure it’s well understood, that we are transparent to stakeholders, that it is fair and clear. That’s the foundation we’re trying to lay with this framework.”
GSA released the draft framework in late January as part of its effort to meet the requirements of the AI executive order President Joe Biden signed in October. In the document, GSA says it’s initially focused on emerging technology capabilities that use large language models (LLMs) and include chat interfaces, code-generation and debugging tools and prompt-based image generators.
Mill said the framework will help prioritize and manage the excitement around AI and LLMs.
“How do we strike the right balance? And, then, how do we operationalize that? How is it that we are prioritizing this thing in effect and that means having to come up with things like limits?” he said. “So part of what you see in the framework is the proposal that we stop at three. When we have three services that are based around chatbots, for example, using generative AI, and we’ve prioritized three of those things, we’re going to stop prioritizing that until we come back around and think again about what the priorities of FedRAMP should be. That is making sure that when we say prioritize, we’re actually prioritizing, and we’re not just focusing on AI as a program. FedRAMP is a program for the entire cloud market. But we want to be able to support this initiative so this is important strategically for figuring out how we answer those kinds of questions that are not at all totally AI specific.”
GSA to manage concerns over backlogs
That prioritization, and the limits on the number of cloud services, are exactly why Mill said GSA is pushing vendors and others to comment on the draft framework.
He acknowledged the limitations, especially around AI, could cause some heartburn for vendors. FedRAMP already is seeing a lot of interest from vendors and agencies alike around AI and LLM services in the cloud.
“We definitely are seeing some services that have already been in the marketplace that have added AI capabilities. We’re seeing things come in through the agency review process. We’re expecting that to go up,” Mill said. “We’re not responding to an abstract thing, but the things that we actually see coming in front of us.”
One of the big issues GSA still must address is which metrics or benchmarks it should use to determine whether a technology fits into one of the three priority categories.
Mill said GSA is aware that a backlog could build as vendors ask for their AI capabilities to go through the review process, and that this could in turn create a bigger backlog for more typical cloud services.
“We very much are intent on making sure that the urgency that we see around accelerating the government’s use of emerging technologies doesn’t compete with those other things. That it doesn’t worsen the problem,” he said. “That is part of what we mean when we talk about the prioritization process and some of the limits associated. That’s how we’re ultimately going to make sure that the program stays responsive. We’re very engaged on short and long term structural changes to make sure that the program is operating at the pace that it should. We are treating speed as the security property that we know that cloud providers and agencies all believe in as well. That’s the spirit that you should see from us. And we’ll have a lot more to say later this year.”
More on tap for FedRAMP
Mill said he couldn’t speak to the timeline to get version 1 of the framework out. He said he doesn’t expect GSA to sit on the comments and any updates from those comments for a long time. But, he said, it also will depend on what people say about the framework and how much GSA got correct already.
“I think we’re very much expecting for this to be an iterative process. This is not going to be the only bite at the apple for engaging with the FedRAMP team about this framework. Folks should absolutely feel free to reach out and suggest how we can do better on that,” he said. “We did put a lot of effort into that [blog] post to sharpen those questions. We absolutely encourage folks to go read the announcement and on these questions. Chief among them is, this question of are we measuring this right? I think the concept of prioritization means making some kind of hard choice somewhere, so when the agency does that, we want to know that, at the very least, everybody understood why we would make that decision and what factors went into that.”
Mill said beyond finalizing the framework in the coming months, other priorities for FedRAMP center on improving the customer experience, for both agency and industry users, and understanding the costs involved in obtaining approval.
Mill said GSA is trying to make sure it is on the same page with vendors about the time and cost to get through the security process.
“What we think it takes, is it the same as what the cloud providers think is one of the exercises that we’re going to be engaged on this year. We are updating what some of the key metrics are around that and talking pretty directly with stakeholders before we finalize those things. We will be keeping a feedback loop so that we are really orienting ourselves formally as a customer oriented program in that way,” he said. “I think you’ll see us engaging in that in a pretty public way, maybe in a more tangible, mechanical sense. We’re definitely focused on speed as a security property. We’re definitely very interested in identifying cloud providers that want to pilot different ways of working. There’s never been a more open mind to looking at process changes and piloting different approaches that don’t lower the bar for security, but allow us to focus the review energy on the process and on the items that we all understand are the most closely tied to security.”
Of course, Mill said once the draft memo from the Office of Management and Budget is finalized, a whole new set of priorities will open up.
“I hope folks see there is a sense of energy and responsiveness where the program wants to hear where it can change and where it can do a better job of threading that eternal needle of speed, security and everything else people want from the system,” he said. “It is not trivial, but it is the whole job of the program. I think there’s going to be not just this Emerging Technology Framework, but a pretty good series of feedback opportunities over the course of the year. I really encourage folks who come at that with the spirit of improving these processes, and feel please bring up things that maybe died on the vine a few years ago. But let’s not let the past foreclose the future. There’s not been a more open minded period of time in the program than I think what’s there right now.”