Federal Secure Cloud Advisory Committee FSCAC February 15 Open Meeting


>> February 5, 2024, meeting of the Federal Secure Cloud Advisory Committee or FSCAC. My name is Michelle White, and I'm the designated federal officer, or DFO, for this Advisory Committee. I would like to thank all of our presenters, attendees, and stakeholders who are joining us today, including those who provided public comments. Public comments submitted by the FSCAC public comment form by last Wednesday, February 7, had been provided to the committee members. Before we start, there are a few things that you should know.

This meeting is being recorded via Zoom. This Advisory Committee is statutorily required under the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 and, thus, formally established under the Federal Advisory Committee Act, or FACA as of the charter's official filing date of February 28, 2023. This Committee is considered a federal Advisory Committee and is governed by the requirements under FACA. My role as the DFO is to manage the day-to-day administrative -- administrative operations of the committee, attend all committee members -- committee meetings, and ensure that the committee operates in compliance with FACA.

The duties of this committee include providing advice and recommendations to the GSA Administrator, the Federal Board, and agencies on technical, financial, programmatic and operational matters regarding secure adoption of cloud computing products and services. The majority of this -- the work of this committee will be focused around Federal -- the Federal Authorization Act of 2022 statutory -- statutory requirements and purpose. Specifically, we will examine the operations of FedRAMP and determine ways that the authorization process can be continuously improved; collect information and feedback on agency compliance with and implementation of FedRAMP requirements; and to serve as a forum that facilitates communication and collaboration among the FedRAMP stakeholder community. I will now go through a roll call for all committee members.

Please let me know you are present by stating here. Ann Lewis. >> Here. >> Daniel Pane. Michael Vacirca.

>> Here. >> John Greenstein. >> Here. >> Marci Womack. Branko Bokan. >> Present.

>> Matt Scholl. >> Here. >> Bo Berlas.

>> Here. >> La Monte Yarborough. >> Here. >> Nauman Ansari. Jackie Snouffer. Bill Hunt.

>> Here. >> And Joshua Cohen. >> Here. >> Thank you all.

It looks like we do have a quorum established, so we will move forward. Right now I will go ahead and review the purpose, outcome, and agenda for today's meeting for everyone's awareness. The purpose of today's meeting is for the FSCAC to provide their consultation to the FedRAMP's response to the Artificial Intelligence Executive Order. We're going to be shortening that to AIEO.

Specifically, we will be addressing the FedRAMP's draft framework on the prioritization of emerging technologies. The outcome of this meeting is for the FSCAC to have completed the legally required consultation on the FedRAMP response to the AIEO. Our agenda today is listed on the slide. From 1 to 1:05 we'll have our call to order, which is what we're currently having.

And then from 1:05 to 1:10 we'll have our public comment. 1:10 to 1:15 we'll have our Chair remarks. 1:15 to 1:30 we'll have the presentation from Brian Conrad on the federal response to the AIEI -- EO briefing. And from 1:30 to 2:25 we will have the committee Q&A discussion and consultation. And at 2:25, we'll have our closing remarks and adjourn.

A few housekeeping items before we start. For our committee members, we have a lot of discussion today. If you have a question during the discussion, please raise your hand using the button on the Zoom platform; and you will be called on based on your position in the queue. Again, identify yourself before speaking so those listening via the webcast or reading the minutes after the meeting will know who made which comment. And, finally, please make sure that your microphone is muted anytime you are not speaking.

If you are not a committee member, please hold all comments until our public comment period, which is now. So, moving on, we are going to be opening up our meeting for public comment. And we would like to welcome the public to unmute themselves and share their comments. For our speakers, we will have a timer that is on the Zoom platform. And it will be displayed indicating 3 minutes, and it will indicate your time remaining. The alert will indicate that you are out of time.

Each speaker is allotted 3 minutes to make their comments. We will be interrupting if needed. We will also mute speakers who exceed three minutes. So please speak succinctly, and please be respectful of the time. And, as a reminder, we have provided all public comments that were submitted by Wednesday, February 7, to the committee members prior to this meeting. And, with that, any members of the public who would like to provide comments, please raise your hand.

And I will call on you and to unmute yourselves in the order that which you have raised your hand. It appears that we do not have any public comments. So this will go ahead and conclude our public comment section for today. Thank you all.

We will now go ahead and jump to our next agenda item, which is our Chair remarks. Ann, as the committee chair, I would like to invite you to make any remarks that you'd like to make at this time. And we'll be happy to answer any FACA-related questions should they come up. >> Thank you, Michelle. So thank you all for being here and participating today.

As you saw from the agenda, we'll be getting a briefing on FedRAMP's response and draft emerging tech framework to the AIEO. Building a stronger emerging technology framework and thinking carefully about how to do prioritization and risk management will better serve the American public, FedRAMP stakeholders, and the federal government as a whole. So I'm very much looking forward to our conversation today. But before we get started, I'd like to provide a little bit more background and context to our meeting. Next slide, please.

There we go. So, as many of you probably saw, on October 30, 2023, President Biden issued an Executive Order to promote the safe, secure, and trustworthy development and use of artificial intelligence, which you're referring to in this context as the AIEO. Under Section 10(f)ii of the AIEO, the order states that, within 90 days of this order, the administrator of the General Services in coordination with the director of OMB and in consultation with the FSCAC, this group here, and other relevant agencies as GSA may deem appropriate, shall develop and issue a framework for prioritizing critical and emerging technology offerings in the FedRAMP program authorization process, starting with generative AI offerings that have the primary purpose of providing large language model based chat interfaces, code generation and debugging tools, and associated APIs, as well as prompt-based image generators.

This framework shall apply for no less than two years from the date of its issuance. So we're here today to learn more about FedRAMP's response to the AIEO, namely, their draft for the prioritization of emerging technology framework, will provide verbal consultation to the FedRAMP team on this framework. We won't have committee deliverables today, but we will share our feedback verbally with the FedRAMP team. And we ask that you please be prepared to participate freely; provide your questions, comments, and feedback during our discussion after Brian's presentation. With that, I'll just pause and see if there any questions. Okay. And if we don't have any questions, back to you, Michelle.

>> Great. Thank you, Ann. Now I'd like to open the floor to Brian Conrad. He is the Acting Director/Cybersecurity Program Manager of FedRAMP who has kindly joined us today to help provide some additional information on FedRAMP's response to the Artificial Intelligence Executive Order.

Brian, thank you for joining us today. Take it away. >> My pleasure. Always great to be here in front of the FSCAC. Good morning, good afternoon, good evening, everyone.

Again, Brian Conrad, Acting FedRAMP Director and Cybersecurity Program Manager. Just a little bit of background on how this -- how this was derived. We were -- we were tasked -- GSA was tasked to do this in the Executive Order.

And what we came up with is a result of some cross-government coordination, talking to professionals inside of Technology Transformation Service in our Centers of Excellence, as well as the Office of Management and Budget, to get feedback on this draft, the draft framework that's out for public comment. I'm going to go through the purpose and scope. Next slide, please. I'm going to go through the purpose and scope, talk a little bit about at a very high-level of the prioritization framework that we developed and then, of course, take your questions. So, again, the purpose of the framework is to accelerate the federal agency use of these technologies.

As you heard, it's in response to the Executive Order, and it establishes an approach to prioritize these emerging technologies for authorization. It was very specific in the Executive Order that it applies to three generative AI capabilities. And this framework that we've developed is in terms of getting the -- getting the cloud providers in line to -- with this technology in line for the authorization process. This does not absolve agencies from their authorization responsibilities. It's a framework -- and this framework covers actions, FedRAMP's actions for processing the authorizations, CSPs, 3PAOs, agencies still have their role to play. And the key thing, the key takeaway here on the slide is it's not establishing a new authorization path.

But it's an overlay that will fit into current and any future authorization paths that FedRAMP comes up with. Next slide, please. So there are four, four large framework elements that were -- that we developed and that are in there. So this is a prioritization that will allow CSPs to move near the front of the authorization process. It doesn't affect the actual authorization process. I'm going to explain this in terms of an analogy.

So think of that you're at your favorite theme park, and there's a very popular roller coaster you want to ride. You have two options. You either get in the regular line, or you have a path that gets you near the front of the line more quickly. And this is what this prioritization framework is to do. The roller coaster ride that you're on takes the same amount of time, irrespective of how you get in the car. But this -- again, this process is to get these specific capabilities near the front of the line more quickly.

And so the prioritization is limited to three capabilities at any one time and three products per capability. And the reason we derived that was we talked to some acquisition professionals to talk about ensuring that there's adequate competition across the -- in the market for agencies to potentially use this type of technology. The emerging technology track should be fast and simple.

And, again, agencies may take responsibility for evaluating the system's functionality. I want to foot stomp this one because FedRAMP is focused on the security of the data within the boundary. For example, when accounting systems come into FedRAMP, we don't check to see 1 plus 1 equals 2. We make sure that the -- that the data, that any federal data within that boundary is protected.

It's the same -- it's the same in this case, whereas the agencies are to maintain responsibility for evaluating the system's functionality. Next slide. So this graphic basically shows two different parts of the process.

On top there's the governance process where the P -- the FedRAMP PMO promote -- proposes which emerging technologies to prioritize and receives prioritization requests. And, going forward, it's going to be the FedRAMP board that will approve the emerging technologies to prioritize. The -- the idea is that the FedRAMP board will interact with the CISO and the CIO councils to get leading indicators on what type of technology is in the market, what the market is doing with regards to these, what the CIOs and CISOs of the agencies are actually have a -- have a desire for or demand for and then give direction to the FedRAMP PMO in consultation with OMB to prioritize those particular emerging technologies.

The actual evaluation process, the CSPs request prioritization by demonstrating that their primary purpose is that emerging technology and they can demonstrate market demand. Next slide. And what we did on this slide is we basically did a RACI model for, you know, exactly who's -- who's responsible for what or, you know, what actions each entity has to take with regards to that governance process in the evaluation process that were listed on the previous slide. I'm not going to read this for you. I'll let you take a look at it. Next.

So going back to what I mentioned previously about three capabilities defined in the Executive Order, those are chat interfaces, code generators, and debugging tools and image generators. And those capabilities include both human interaction and the use of APIs. What was interesting and where we did a lot of work and this is where a lot of the cross-agency coordination happened was working on the industry benchmarks, which established the cloud providers for eligibility. You know, CSOs that self identify a benchmark from a known AI prominent industry benchmark, CSOs demonstrating technical performance, and that CSPs should generally select benchmarks for which they have no affiliation. Next slide.

And when we -- when we released this draft framework for public comment, we also published these feedback prompts. These are questions that we came up with, again, collaboratively to sort of, you know, nudge the thinking of those that are commenting on the emerging tech framework to think about. Are we covering the right things? Is there -- are there things in there that should be covered, et cetera and so forth. And, again, it's a pretty decent list. Again, we're anticipating a decent set of comments on this particular document.

And I know I really zoomed through that, but I'm sure you have questions. >> Great. Thank you, Brian. I would like to now invite the committee members to ask Brian any questions they may have and share any thoughts or feedback that they have on the draft framework.

At this time, please go ahead and raise your hand. And I will call on you in the order that you raise your hand. As always, please restate your name prior to speaking. And, if you're not speaking, please also make sure to mute your microphone. Michael, go ahead. >> Sure. Brian, first of all, thank you.

This is Michael from Google. Also from Orlando so I appreciate the theme park references there. I did have a question for you in regard to the emerging technologies framework specifically around, a, it sounds like it's the same authorization boundary. So this would not change authorization boundaries or need or have a separate authorization boundary than that a CSP already has. That's question 1.

And then question 2, have we considered something like similar to how NASA has like the technology readiness levels for the CSPs so that we could potentially unlock, like, levels of compliance faster. So maybe we can't do production workloads, but maybe we could do some type of like lab work with various agencies to start to prepare them for the use of these technologies as they're emerging? >> Brian, I think that you are on mute. >> Yeah. Of course.

The most wonderful thing I said is, of course, begin to dare. No. Thank you for the questions, Michael. On your first -- the second part of your question is I think that is something that you should provide in public comment. That is something that we haven't really considered. So please make sure that, you know, FedRAMP gets our hands on that.

I think that is something worthy of consideration. And if you could remind me on the first part of your question, your first question. >> Oh, yeah. Just the first part would be it sounds like this is going to use the same -- >> Yes. >> -- authorization boundaries.

There's no separate authorization boundary for this work. >> No separate authorization boundary. That's correct. >> Okay. Perfect. Thank you.

>> Great. Joshua, you're next. I think we may have lost him. >> Oh, sorry. I'm here. >> You were on mute. >> It's a disease that's spreading.

This is Josh Cohen from VA. Sorry. That I'll start over. I had two quick questions.

The first was on prioritization. I realized that the areas that it's called out are far from the EO. So I know those were kind of provided to you all as the areas. But, for instance, the EO requires agencies to start pilots in certain high-impact areas. And like, for instance, at VA, they're specifically, maybe more healthcare minded applications for AI that we would be interested in over something like, I don't know, chat interfaces, for instance, which they already have.

Is there any -- is it fair to say that since the EO is so explicit on what those areas were, something like an AI tool that would take notes in a physician's meeting or something like that, that is it's kind of emerging would be something that would be not prioritized and that those will stay the four technologies for the near future, at least in terms of what does or doesn't get prioritized? Or is there some opening for an agency like ours that has like a medical specific mission to request a tool be prioritized outside of this board? >> No. That's -- that's a great question. And so yes. The EO is very specific on what technology is right now.

But if you recall from the governance, the cartoon that shows the governance, in a future state when the FedRAMP board will be able to provide direction to the FedRAMP PMO. So if -- if VA comes to the board and says, Look. We were getting -- this technology is becoming more and more prevalent.

There's a leading indicator that we're going to have demand for this. Then the board is -- that is something that the board can direct FedRAMP to work to prioritize. So there -- to answer your question, there is a method for, you know, an agency. And if you, you know, if -- for example, if you were to work with other agencies that have a similar mission, business mission function that is potentially looking at the same technology, that's a stronger demand signal, which will help move the board, potentially, in having FedRAMP prioritize that -- that material. Does that make sense? >> It does. Thank you.

That's what I thought the answer -- >> Yeah. >> Second question. Maybe I misheard. So three to four categories of technologies. I appreciate the three products for technology and the competition indication there.

Who would pick those three specific, let's say, brands? That I get within the categories you have multiple, but is that something that's driven by the acquisition at a particular agency? Is that something that GSA would determine on its own? Was there any -- >> No. Great question. So based on -- based on the authorization paths that we have presently, it would be as agencies bring that -- bring those systems into FedRAMP for authorization. >> So, basically, first in line.

Three, three first, generally. That would be [inaudible]. >> Yes. >> Thank you. That ends the question. >> Oh, great.

Thank you. >> Great. Branko, you're next. >> Thank you. Hey, Brian.

Good to see you again. Thank you for the brief. One thing that maybe I missed. It's still not clear to me what this queue is made of. Is it just that JAB is limited resources? Or, I'm sorry, the PMO has limited resources to process all APOs at the same time, and this is the -- this is what -- this is the queue that these CSPs would be put in front of, or are there other limitations that constitute the queue? >> Great question. Good to see you, as well, Branko.

Yes. So the current authorization path is we have a flow in. It's a first in, first authorized model. With this framework, we would take this recognized demand for one of these technologies. If there were a tie, if two systems were coming in at the same time, the -- this emerging technology would win in terms of who's -- who's getting placed in line first.

But, typically, one of the things that we're going to work on operationalizing is, you know, around the thought processes of, you know, how they get placed specifically in the queue. We know that they're going to get prioritized. How far up in the queue they're going to get placed is something that we're going to work on. >> Thank you, Brian. >> Yep. >> And Marci, you're next.

>> Brian, my question, I've got a couple. But I'm going to start with SCR so for existing offerings that are SCR and essentially AI capabilities, what do you anticipate or perhaps those that are in, like, the eight month queue right now, do want to -- do you want to SCR those in? What do you anticipate to be kind of like the pipeline to authorization for those significant changes specific to like the emerging technology that's selected? >> So great question. So right now the SCRs are either approved by the joint authorization board or by the authorizing official at the agency if there's an agency authorized cloud service.

So, theoretically, SCRs wouldn't have to go through this process. That would be -- that would be just the work of the particular agency AO for that -- you know, for the agency authorized cloud. Or we've -- actually have a couple use cases with the joint authorization board where existing providers have brought some AI capability into their existing boundary. >> Okay. Yeah.

Thank you for that. There's a section -- it's on page 2 of the document, but it talks about FedRAMP may include additional activity. FedRAMP may include requirements for additional information relevant to the specific ETs such as technology requirements, performance metrics, etc. Do you anticipate this being, like, information that the CSP would need to provide as part of the prioritization process? Or do you anticipate this would alter, like, FedRAMP requirements like control requirements, parameters, FedRAMP guidance, or standards? >> At this point, we're not altering our FedRAMP security requirements. It may be additional information that we require for the actual prioritization. But we haven't adjusted our -- you know, our baselines are our baselines. And applying those controls to those particular services are -- you know, it would be treated as any other service. Okay. The -- I believe NIST was tasked in the EO to address that.

But we -- again, we have a catalog and a FedRAMP baseline to address the security of that and making sure that we're applying that. And, you know, to your point, we're also doing outreach to our third-party assessor community who have worked with cloud providers who have -- specifically on the JAB side who put these in for significant changes to understand what controls were evaluated. What -- were there any peculiarities that were noticed, anything like that in order to grow our own -- you know, our own institutional knowledge on how these are affected. >> Okay, great. Thank you for that.

I don't have any further questions. >> Thanks, Marci. Bo, you're next. >> Hey, Brian.

Thanks. Thanks for taking this question. You know, really relates to just the follow on of Marci, Marci's last question and specifically in that the FedRAMP controls have not effectively contemplated anything relative to AI and just making sure that we're effectively going through and taking the opportunity to really validate that the outcomes, which is, you know, what we need to be focused on is secure, you know, cloud is that the corresponding usage of these new technologies and the related set of existing controls that are part of the FedRAMP baseline are actually commensurate with the risks that AI effectively presents. I think that's a really important action.

I know that NIST is working on the AI RMF. It's at the category subcategory level. Hasn't effectively gone down into the controls level at this point.

But that would be -- that would seem to be a really important action just to make sure that we're -- we're effectively going through and addressing all the risk considerations as part of these authorizations. Secondary thing, you know, we've been working with a number of providers just anecdotally to share some experience. In some cases, be it existing vendors or new vendors that are FedRAMP authorized, they don't effectively provide all of the underlying AI tech exclusive to their boundary. So what we're seeing typically is that some elements of their AI offering are FedRAMP authorized; other components are not FedRAMP authorized, which essentially brings the FedRAMP boundary scope document that was worked on a couple of years ago back into scope because I'm guessing you're probably going to end up seeing architectures that not -- where not all of the underlying technology is within the FedRAMP ATO scope and which is going to essentially put to question what risk considerations can there be for a FedRAMP JAB-based ATO vis-à-vis a FedRAMP agency ATO so some guidance around boundary scope around what's permissible within the ATO boundary and what can essentially be kept out on a risk basis I think would be really important. So really not questions just as much as there are observations just to make sure you're tracking. >> No. I appreciate that.

That's -- that's good info. And, again, you know, just to reiterate, on your first point, when we started seeing these AI or AI tools coming through the significant change process through the joint authorization board, I asked the team to go talk to the reviewers, the JAB reviewers and get an -- get an idea of what's going on. And then for, you know, at subsequent time, we actually reached out to the cloud provider and the 3PAO to have a conversation with them. Yeah. Totally tracking on your point about, you know, the boundary guidance.

That is something that we're getting cleaned up. And as we -- as this -- as we see comments come in on this, that is something that -- that we will probably talk about before we -- before we launch that. >> Thank you.

>> Great. Jackie, you're next. >> Hey, Brian. Thank you for being here today. Jackie Snouffer from DoD. And I'm not really sure how best to phrase this.

I've got two different conversations or two different questions to pose to you. And a lot of it I'm going to start with the boundary discussion. As we've been looking at AI technologies in the department, you know, we have concerns over use of some of the AI generators in the ChatGPT area that we are going to end up with CUI spills. And as our data is stored and our data is used FO CUI that we will potentially end up with data spills, based on how it's used.

And I know you prefaced some of your comments by saying that the data really is up to the, you know, authorizing official of the user or the mission owner. And so I just wanted you to comment on that. I'm -- we're concerned about boundaries, where the data is stored, how the data is reused. And, again, is this a control issue and a boundary issue that we've got to consider in FedRAMP for how we're generating the output and how our data is stored. Over.

>> No. That's a good point. And I -- and I actually fired off an IM to my team as these questions were coming in, that as we get ready to, you know, update or massage the existing version of the boundary guidance that we have is making sure that we address this, that we're aware of that. And that's a -- that's an excellent comment. What I talked about earlier is ensuring that it's on the -- it's also on the agency's one too. You know, you have your FISMA responsibilities, but also, again, FedRAMP isn't looking at the functionality of this, of the system. So totally tracking on your -- on your boundary comment.

And so, actually, my team is listening right now, some for my team. So they're taking notes feverishly as well. Yeah. Thank you. >> My -- yeah. My other question really was again on this queueing thought, which is -- you know, we have at the JAB a lot of SCRs that have been in for quite some time.

We've got for DoD specifically, and I -- we've got a lot of companies that have spent a lot of money to be in this process. And, you know, how -- how do we treat AI-based technology? So if I've got 10 in the queue, is an AI technology number 11? And do they wait, or do they go to the front of the line? You know, and so I think this is a real concern I have that, you know, new to the ball game, due to this, they bump to the front of the line. And people who have spent a lot of money and time, our cloud service providers and their offerings, especially in the CR area, as well, how -- how does this work? And I think we're going to have to be very, very clear because this is going to have a ripple effect and a monetary effect for the cloud providers that have spent time and money to be in this process. Over. >> No. Clearly, good point. The primary thrust of this prioritization framework was for initial authorizations.

That's something in terms of, you know, post authorization activities and significant changes that we can look at in terms of how those are prioritized. As the -- as the joint authorization board does that, you know, we'll obviously, you know, rope, the TRs into the conversation around that. And, you know, again, the agency authorizing officials who have authorized these systems in there, if there's more than one in that collaborative, continuous monitoring, figuring out how to -- how to address that with regards. And, again, if we're talking collaborative -- on the agency authorization side, we're talking collaborative, continuous monitoring, you know, there's -- they're talking about one instance, one cloud provider at a time, not multiple.

But I see your point, and we'll look into that as well. >> Yeah. For us, you know, we -- for our -- even for our initial authorizations, I think we've got 10, 11, 12 in the queue. And so, as we move those through, so we're queuing these at quite a rapid pace at this juncture. But it's -- it's a concern of how we go through even on initial authorizations and prioritizing.

And I understand it's the Executive Order. And, you know, does -- does an agency have the authority to in their CISO community prioritize, for instance, a warfighter capability over an AI capability? Or is it -- do we -- do we leave the prioritization to the Executive Order? >> Yeah. I totally see your point. And I see that as a particular DoD issue.

You know, what we're dealing with, with the rest of Fed Civ are, you know, not -- not national security systems or classified systems. So I think that question is going to be a little easier for us to answer. >> Thanks.

>> Yep. >> All right. Great. Matt, you're next. >> All right.

Thanks. Hi, Brian. Yeah. So I apologize if any of my questions come from a position of ignorance, but that's kind of what I'm known for here. The -- so I think you're right.

The NIST AI risk management framework is very much currently focused on non cyber issues that the use or integration of AI tech can have. So it's looking at many of the other things initially while we still try to wrap our heads around what might be effective controls specific to this type of technology or not. So -- so all of that was correct.

What everybody else said, I will also say. Boundaries, scope, data. Yeah. My question was also mostly Marci's question. But something else just to think about, the EO kind of scopes you into, I guess, what are those for AI use cases for prioritization for emerging technology.

When I've done or had to do prioritization in government approval queues, suddenly everyone is that technology, you know, kind of whether they are or not. So some potential discerning criteria for understanding, you know, who really is -- who really has a use case for the government versus who's going to claim it just because now there's a queueing change that's going to happen or not happen. So that was just my thought. >> No. Excellent point. That's why we did put a lot of work into the benchmarks that are in the -- into the -- in the document.

We realize that that's going to happen, too, because there's a -- we're creating an incentive for -- you know, for that to happen. And so we want to make sure that what's coming into the queue is, in fact, what is to be prioritized. Great point. Thank you, Matt.

>> Thanks, Brian. >> Great. Do we have any other comments and/or questions for Brian? Michael, go ahead. >> Hey, Brian.

I just had one question on how -- I think you mentioned it near the top, but that three technologies, three products, is that per CSP? Or is that just overall in the whole pipeline? And just curious how we arrived at that number. >> No. Good question is -- that is we arrived at that number because the acquisition professionals that we talked to is -- that is the magic number for competition across the government to -- so that gives the government a broader -- a broader view of, you know, or broader opportunities for having competition to find the system that works for them. And the first part of your question was help me out here.

>> It is three products per CSP, or is it three products in the overall accreditation pipeline? >> I don't think we split the hair that -- that closely, Michael. That's something that we'll have to go back and discuss. >> Okay. Sounds good.

>> Thank you. >> Okay. Marci, go ahead. >> Just to tag onto that, Marci with Schellman.

Brian, so that three number, let's say an SESP, you know, SCR is a service into an existing offering. That would not affect that overall number. Like this -- this three is really for, like, standalone cloud service offerings going through initial authorization. >> Is we've written this -- this, and this addresses initial authorizations.

Yes. >> Perfect. Thank you. >> Great. Any other comments? Josh, go ahead. >> I just want to follow up on one of the things, Brian, you just said around -- so there's just a huge difference between three per CSP and a first three line.

Is there any like timeframe within which that might be unclear, just, you know, the first three in line, regardless of three -- you know, three per CSP means every CSP. But eventually, if you hit three per, those -- those three products will be deeply products in that category that most agencies will drive towards, right? Because the FedRAMP approval would be so much quicker than the rest of them. I was just interested in, you know, you guys have a timeline on how long it will be for that particular part of effect to find I think that'll be something agencies that are looking at these three areas would want to know. >> No. I -- that's very hard to predict at this point. We don't have any -- like any leading indicators on demand right now, so we don't know at this point. >> Okay. Good.

Thank you. >> Any other comments from our committee members? Great. Well, thank you all. We will now go ahead and move on to our final topic in our agenda today. And would you like to provide any closing remarks? >> Thanks, Michelle. I'd just like to thank the membership for the productive discussion and for engaging in the FedRAMP's draft of the emerging technology framework here. And so thank you for being available to consult with the FedRAMP Team.

I hope, FedRAMP team, that you find this information helpful, especially some of the open questions here. We know that we have some do ops to go and answer those for the team. And the FedRAMP team will continue to work on refining this draft framework over the next few weeks here. So all the feedback we get is extremely helpful. I wanted to thank the FSCAC for engaging at this level in this forum today. And just wanted to say also I look forward to seeing all of us in the committee in person at our next meeting on March 28, where we will further refine and finalize our initial recommendations memo to the GSA administrator.

So thank you all. Back to you, Michelle. >> Great. Thank you so much. Thank everyone for joining today. And, with that, I will go ahead and adjourn today's meeting.

Thank you. >> Thank you.

2024-03-02
