Scope and obligations

Operational PMO guidance for agencies acquiring AI / generative-AI cloud services within the existing FedRAMP authorisation framework. Key operational themes that recur across the published surface: (1) AI cloud services that process federal data require a FedRAMP ATO (Low / Moderate / High baseline) per the standard FedRAMP scope; (2) GenAI-specific control tailoring — agencies + JAB consider model-specific risks (training-data exposure, prompt-injection, output disclosure) when scoping the SSP + selecting NIST SP 800-53 control overlays; (3) cross-walk to OMB M-24-10 minimum practices for safety- + rights-impacting AI; (4) supply-chain risk-management considerations for model + dataset provenance; (5) agency authorising-official discretion remains the operative gate — FedRAMP authorisation enables but does not by itself approve a specific AI use case (M-24-10 governance applies separately). Editorial note: limited public detail on this row reflects the PMO's web-page-plus-memo distribution pattern; a consolidated GenAI baseline document is the natural next milestone and would refresh this row.

FedRAMP AI Cloud Procurement Guidance addresses 1 contested AI-governance topics explicitly, 5 via general principles,.

Topics governed

• implicit
  Foundation Models / GPAI— GenAI-specific control tailoring guidance addresses model-specific risks (training-data exposure, prompt-injection, output disclosure) within SSP + NIST SP 800-53 control overlay selection
• implicit
  Compute-Threshold Reporting— FedRAMP authorisation enables ATO; agency-AI-use disclosure flows through OMB M-24-10 inventory + quarterly procurement reporting rather than through FedRAMP itself
• governs
  Transparency Obligations— FedRAMP authorisation requires System Security Plan + control documentation; GenAI guidance extends to vendor disclosure of training-data provenance, evaluation results, model documentation

  §SSP + control documentationparaphrase

  Faithful summary: FedRAMP authorisation requires a System Security Plan documenting NIST SP 800-53 controls; GenAI guidance extends disclosure to training-data provenance, evaluation results, and model documentation.

  source ↗
• implicit
  Individual Redress— Guidance cross-walks to OMB M-24-10 minimum practices including human-consideration + remedy for rights-impacting AI
• implicit
  Training-Data Rights— Supply-chain risk-management considerations include training-data + model-weight provenance disclosure within the SSP
• implicit
  National Security Carveouts in AI Regulation— FedRAMP High baseline + JAB authorisation route exists for higher-sensitivity use cases; classified systems are outside FedRAMP scope and governed by separate ICD-503 / NIST SP 800-53 IC overlay frameworks

Cross-jurisdiction comparison

How peer instruments treat the topics FedRAMP AI Cloud Procurement Guidance governs.

°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.

How to cite this article

Policy Window. (2024). FedRAMP AI Cloud Procurement Guidance [Wiki article — Instrument]. https://policywindow.org/wiki/fedramp-ai-guidance

Policy Window. 2024. "FedRAMP AI Cloud Procurement Guidance." Wiki article (Instrument). https://policywindow.org/wiki/fedramp-ai-guidance.

@misc{policywindow-fedramp-ai-guidance,
  title  = {FedRAMP AI Cloud Procurement Guidance},
  author = {Policy Window},
  year   = {2024},
  howpublished = {FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.},
  url    = {https://policywindow.org/wiki/fedramp-ai-guidance},
  note   = {Primary source: https://www.fedramp.gov/}
}

Evidence base

Academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link, no LLM summaries (charter §7). Browse the full literature index.

• Model Card ↗PreprintMitchell et al. (2019), 'Model Cards for Model Reporting,' FAccT '19
• Deceptive Alignment ↗PreprintHubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
• Mesa-Optimization ↗PreprintHubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
• Scalable Oversight ↗PreprintChristiano, P., Shlegeris, B., Amodei, D. (2018), 'Supervising Strong Learners by Amplifying Weak Experts.'
• Capability Elicitation ↗PreprintQi, X., Zeng, Y., Xie, T., Chen, P.-Y., Jia, R., Mittal, P., Henderson, P. (2023), 'Fine-tuning Aligned Language Models Compromises Safety, Even When Users Do Not Intend To!'
• Dual-Use Research Norms (DURC for AI) ↗PreprintSolaiman, I., et al. (2019), 'Release Strategies and the Social Impacts of Language Models' — the canonical articulation of structured-access norms for foundation models.
• Policy Instrument ↗Peer-reviewedLascoumes, P. & Le Galès, P. (2007). Introduction: Understanding Public Policy through Its Instruments — From the Nature of Instruments to the Sociology of Public Policy Instrumentation. Governance 20(1): 1-21. See also Hood (1983) The Tools of Government, ch. 1-2; Salamon (2002) The Tools of Government: A Guide to the New Governance, pp. 1-47; Howlett (2011) Designing Public Policies, ch. 3-5.
• Training-Data Attribution ↗PreprintGrosse, R., et al. (2023), 'Studying Large Language Model Generalization with Influence Functions' (Anthropic) — the canonical articulation of scalable influence-function-based attribution for foundation models.
• Prompt Injection ↗PreprintGreshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M. (2023), 'Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection.'
• Agentic AI System ↗PreprintYao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., Cao, Y. (2022), 'ReAct: Synergizing Reasoning and Acting in Language Models.'
• Tool-Use Safety ↗PreprintWallace, E., et al. (2024), 'The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions' (OpenAI) — the canonical industry articulation of instruction-channel hierarchy as a tool-use-safety defence.
• Multi-Turn Evaluation ↗PreprintZheng, L., et al. (2023), 'Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena' — operationalises the multi-turn evaluation protocol for foundation models.
• Data Poisoning ↗PreprintCarlini, N., et al. (2024), 'Poisoning Web-Scale Training Datasets is Practical' — establishes practical feasibility of poisoning frontier-model training corpora.
• Model Distillation Risk ↗PreprintHinton, G., Vinyals, O., Dean, J. (2015), 'Distilling the Knowledge in a Neural Network' — the foundational distillation paper; the governance-relevant adaptation runs through Alpaca/Vicuna (2023) and DeepSeek-R1 (2025).
• Jailbreak Resistance ↗PreprintZou, A., Wang, Z., Kolter, J. Z., Fredrikson, M. (2023), 'Universal and Transferable Adversarial Attacks on Aligned Language Models' — the canonical demonstration that gradient-based suffix attacks transfer across aligned LLMs.
• Model-Merging Risk ↗PreprintBhardwaj, R., et al. (2024), 'Language Models are Homer Simpson! Safety Re-Alignment of Fine-tuned Language Models through Task Arithmetic' — canonical demonstration that safety training is not preserved under task arithmetic / merging.
• Inference-Time Compute ↗PreprintSnell, C., Lee, J., Xu, K., Kumar, A. (2024), 'Scaling LLM Test-Time Compute Optimally can be More Effective than Scaling Model Parameters' — establishes inference-time-compute scaling as a first-class capability lever.
• Sandbagging ↗Preprintvan der Weij, T., Hofstätter, F., Jaffe, O., Brown, S., Ward, F. (2024), 'AI Sandbagging: Language Models can Strategically Underperform on Evaluations.'
• Hallucination ↗PreprintJi, Z., et al. (2023), 'Survey of Hallucination in Natural Language Generation,' ACM Computing Surveys 55(12): 1-38.
• In-Context Learning ↗PreprintBrown, T., et al. (2020), 'Language Models are Few-Shot Learners' (GPT-3 paper) — the canonical articulation of in-context learning as an emergent capability.
• Retrieval-Augmented Generation (RAG) ↗PreprintLewis, P., et al. (2020), 'Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,' NeurIPS — the canonical articulation of RAG.
• AI Risk Management Framework | NIST ↗Standards body✦ AIUS voluntary AI risk-management framework (Govern/Map/Measure/Manage).
• ISO/IEC JTC 1/SC 42 - Artificial intelligence ↗Standards body✦ AIInternational committee developing AI standards.
• ISO - Security, safety and risk ↗Standards body✦ AIISO security, safety & risk standards portal.
• OECD AI Incidents Monitor, an evidence base for trustworthy AI - OECD.AI ↗Incident database✦ AIOECD tracker of real-world AI incidents and hazards.
• AI Index | Stanford HAI ↗Research institute✦ AIStanford HAI's annual data report on the state of AI.
• Regulation, Policy, Governance | Stanford HAI ↗Research institute✦ AIStanford HAI's regulation & governance research hub.
• Papers & Reports | Epoch AI ↗Research institute✦ AIEpoch AI research on compute, scaling trends & frontier models.
• Artificial Intelligence ↗Research institute✦ AIUS National Academies' AI consensus-study hub.
• Capturing the Potential of Generative AI’s Use in Health and Medicine Requires Collaboration and Oversight, Consideration of Risks, Says NAM Special Publication ↗Research institute✦ AINAM special publication on generative AI in health & medicine.
• One Hundred Year Study on Artificial Intelligence (AI100) ↗Research institute✦ AIStanford's standing century-long study of AI's societal impact.
• National Bureau of Economic Research | NBER ↗Working paper✦ AIUS National Bureau of Economic Research.
• Featured Working Papers Archive | NBER ↗Working paper✦ AINBER featured economics working papers (incl. AI & labor).
• Measuring up | Ada Lovelace Institute ↗Civil society✦ AIAda Lovelace Institute policy briefing.
• Publications - AlgorithmWatch ↗Civil society✦ AIReports on automated decision-making and its societal impact.
• Anthropomorphic AI terms create gaps in accountability | Brookings ↗Think tank✦ AICommentary on how anthropomorphic AI language obscures accountability.

References

1. FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
2. GenAI-specific control tailoring guidance addresses model-specific risks (training-data exposure, prompt-injection, output disclosure) within SSP + NIST SP 800-53 control overlay selection
3. FedRAMP authorisation enables ATO; agency-AI-use disclosure flows through OMB M-24-10 inventory + quarterly procurement reporting rather than through FedRAMP itself
4. FedRAMP authorisation requires System Security Plan + control documentation; GenAI guidance extends to vendor disclosure of training-data provenance, evaluation results, model documentation
5. Guidance cross-walks to OMB M-24-10 minimum practices including human-consideration + remedy for rights-impacting AI
6. Supply-chain risk-management considerations include training-data + model-weight provenance disclosure within the SSP
7. FedRAMP High baseline + JAB authorisation route exists for higher-sensitivity use cases; classified systems are outside FedRAMP scope and governed by separate ICD-503 / NIST SP 800-53 IC overlay frameworks