Feb. 15 from 1 p.m.- 2:30 p.m. Eastern time
Virtual Location: Zoom
Agenda
| ALLOTTED TIME | TOPIC | PRESENTER |
| --- | --- | --- |
| 1:00-1:05 p.m. | Call to order; Welcome and roll call; FACA public meetings | Designated Federal Officer Michelle White |
| 1:05-1:10 p.m. | Public comment (limit of three minutes per speaker) | Members of the public |
| 1:10-1:15 p.m. | Chair remarks | Federal Secure Cloud Advisory Committee Chair Ann Lewis |
| 1:15-1:30 p.m. | FedRAMP response to AI EO briefing | Acting Director/FedRAMP Cybersecurity Program Manager Brian Conrad |
| 1:30-2:25 p.m. | Committee question-and-answer, discussion and consultation | Acting Director/FedRAMP Cybersecurity Program Manager Brian Conrad and FSCAC members |
| 2:25-2:30 p.m. | Closing remarks and adjourn | FSCAC Chair Ann Lewis and DFO Michelle White |
Call to Order: Welcome and Roll Call
Michelle White, Designated Federal Officer (DFO)
Michelle introduced the purpose of the meeting and background information on FSCAC’s creation and scope, and then went through roll call. A quorum was established. Michelle then reviewed the purpose, outcome and agenda for the day. She reminded the members of the speaking etiquette for this meeting.
Public Comment
Michelle White, FSCAC DFO
No public comments were made. Public comment portion concluded at 1:10 PM.
Chair Remarks
Ann Lewis, FSCAC Chair
Ann Lewis, FSCAC Chair, level-set and provided more background and context for the meeting, and restated its overall purpose, outcome and process.
FedRAMP Response to the AI EO Briefing
Brian Conrad, Acting Director/Cybersecurity Program Manager of FedRAMP and FSCAC Members
Michelle White opened up the floor for questions for Brian Conrad from FSCAC members.
Michael Vacirca had a question around the authorization boundaries and whether they will change, and whether FedRAMP has considered something similar to what NASA has on readiness levels to unlock levels of production faster. Brian reiterated that there is no authorization boundary change and encouraged him to submit public comment because it is not something that the FedRAMP Program Management Office (PMO) has considered.
Joshua Cohen had a question around prioritization, as the AI EO is very explicit, he wanted to know if other things like medical or mission-specific tools might get prioritized first. Brian stated that the EO is specific right now, but in a future state, the FedRAMP board will be able to apply direction to the PMO. For example, if Veterans Affairs comes to the Board about a specific technology and the demand for it, the Board can direct FedRAMP to prioritize.
Branko Bokan had a question about what the queue is made of. Brian stated that the current authorization path is currently first in, first out. With this framework, FedRAMP would take the recognized demand first, but if there is a tie, the ET would win for who gets in line first. One thing FedRAMP will be working on is how far up in the queue the Cloud Service Provider (CSP) will get placed.
Marci Womack had a question around existing offerings with Significant Change Requests (SCRs), and what the PMO anticipates in the pipeline for those specifically to ET. Brian stated that right now the SCRs are either approved by the Joint Authorization Board (JAB) or the authorized official at the agency, so theoretically, they wouldn’t have to go through this process anymore; it would just be for the authorizing ATO, or they can bring AI capabilities into their existing boundary. Marci asked if FedRAMP includes requirements for additional information, does the PMO anticipate this being information that the CSP has to provide during their authorization process, or it would be a change in requirements. Brian stated that at this point FedRAMP is not altering our security requirements. It may be additional information that FedRAMP requires for the actual prioritization, but have not yet.
Bo Berlas had a question around SCRs and how the FedRAMP controls have not regulated anything to AI and to effectively go through and validate the outcomes, and what can be accepted in the boundary from a risk basis going forward. Brian stated that for AI tools coming through the SCRs through the JAB, the team talks to the JAB reviewers to understand what’s going on, and FedRAMP PMO reaches out to the CSPs and 3PAOs.
Jackie Snouffer stated her team was concerned about boundaries, where the data is stored, how the data is reused, and that this is something to consider in FedRAMP for how we’re generating the output and how our data is stored when it comes to AI generators and ChatGPT. Brian replied back that the PMO is aware of this, and as they get ready to update the version of the Boundary Guidance, FedRAMP will need to address this. Responsibility also falls to the agency with FISMA responsibilities as well. Jackie had a follow up question relating to the queue: does the agency have the authority to prioritize a capability over an AI? Or do we leave the prioritization to the EO? Brian replied back that the primary thrust is for initial authorizations. They are talking about one CSP at a time, not multiple, but FedRAMP will look into it.
Matthew Scholl referenced how the EO scopes FedRAMP into 4 use cases for prioritization. It will be important to have discerning criteria for understanding who really has a use case for the government versus who is going to claim it just because there is a queuing change. Brian replied that this is why the PMO puts time into the benchmarks that are in the document. FedRAMP realizes that’s going to happen because we’re creating an incentive for creating that to happen, so we want to make sure that what is coming into the queue is in fact what should be prioritized.
Michael Vacirca mentioned the three technologies and asked if that was per CSP or in the pipeline and how FedRAMP arrived at that number. Brian replied that the acquisition professionals stated that is the number across the government. It gives the government a broader opportunity to have competition to find the system that works for them.
Marci Womack had a follow-up to Michael's question around that three technologies number. If a CSP has an existing offering, would it affect those three? Brian stated no, as FedRAMP has written it as only initial authorizations.
Joshua Cohen stated that there is a huge difference between 3 CSPs and 3 in the pipeline and wanted to know if there is a timeline for distinguishing particular parts of that. Brian replied that is very hard to predict at this point, as there are not any leading indicators on demand right now.
Closing Remarks & Adjourn
Michelle White, FSCAC DFO and Acting FSCAC Chair
Ann Lewis provided her closing comments and thanked the Committee for their participation. Having no further agenda items to discuss, Michelle White adjourned the meeting at 1:48 PM.
Committee Members in Attendance
- Ann Lewis (Chair)
- Michael Vacirca
- John Greenstein
- Marci Womack
- Branko Bokan
- Matt Scholl
- Bo Berlas
- LaMonte Yarborough
- Jackie Snouffer
- Bill Hunt
- Joshua Cohen
Guest Speakers and Presenters
FSCAC Support Staff Present
- Michelle White, Designated Federal Officer
- D’Arcy Steiner, FSCAC Support Team
- Taylor Juneau, FSCAC Support Team
- Megan Gallo, FSCAC Support Team
- Clifton Johnson, FSCAC Support Team
- Cristina Brydges, FSCAC Support Team
Full Attendees
- Musharaf Rashid, Wintrio
- Andrew Lins, FedRAMP
- Neeraj Desai, Phantom Fed
- Rylan Crosby, Elevatega
- MacKenzie Robertson, GSA
- Tyler Hardy, Elevatega
- Angela Maddux, Captioner
- Sanjiev Chatopadhya, Broadcom
- Todd Fredericks, FedRAMP
- Eric Mill, GSA
- John Gallagher, Microsoft
- Saidul Islam, ResTech AI
- Laura Navaratnam, CSP-AB
- Lee Szilagyi, Mitre
- Eddie Baez, Sentinelone
- David Eddy, Articulate
- Madison Cevallos, Gordian
- Karen Fox, Gordian
- Jeff Headley, Terida
- Anupam Gupta, AKG Advisors
- Shawnte Singletary, CMS
- Tom Ruff, DSP Associates
- Jomori Campbell, Wasabi
- Townsend Bourne, Sheppard Mullin
- Matt Hungate, Shellman
- Daniel Alvarado, Sheppard Mullin
- Wyn Elder, Box
- Crystal McLaughlin, Treasury
- Jeannette Cockrell, CISA
- Christian Baer, Schellman
- Richard Verrill, Excentium
- Scott Anderson, Hyland
- Arun Natarajan, Iron Mountain
- Joe Chrisinger, Info First
- Michael Hunt, DOC
- Sudebi Roy, IRS
- Chris Harrell, DOE
- Chris Baugh, Highpoint Digital
- Carmen Larsen, Aquas Inc
- Shalina Gera
- Jessica Salmoiraghi, BSA
- Valerie McFarland, SES Corporation
- Takera Gholson, CPSC
- Kelly Rice, DHS
- Grant Malmberg
- Rae Boyd-Awa, US Courts
- Vimarsh Patel
- Christian Zambrano, L3 Harris
- John Oduro, Excentium
- Pradeep Devarakonda, TPGSI
- Antonio Redding, Intelligent Waves
- Jose Sosa, DOL
- Aftab Bukhari, DOC
- Alan Boutueira, DOL
- Michael Morro, Noblis
- Preethy Manohar, OHM LLC
- Malachi Robinson, CMS
- Mirghani Mohamed, DHS
- Sandeep Dhameja, NASA
- Milica Lijeskic, Kyberstorm
- Innocent Eleazu
- Paul Caron, Microsoft
- Lucia Gamboa, Credo.AI
- Troy Doller, Hyland