FedRAMP AI Cloud Procurement Guidance — provisions explorer

A procurement officer evaluating a vendor against FedRAMP AI Cloud Procurement Guidance can use this page to walk the operative articles + paragraphs the instrument touches, anchored to the primary source. Each row groups every coverage cell that names that article so the reader sees WHICH governance topic each clause speaks to. Use it as a checklist scaffold, not as legal advice (see charter §7.4).

SSP + control documentation

1 cell

governs
Transparency Obligations
FedRAMP authorisation requires System Security Plan + control documentation; GenAI guidance extends to vendor disclosure of training-data provenance, evaluation results, model documentation
Verbatim text:
“Faithful summary: FedRAMP authorisation requires a System Security Plan documenting NIST SP 800-53 controls; GenAI guidance extends disclosure to training-data provenance, evaluation results, and model documentation.”
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
Contract clause language candidates
Candidate language — not legal advice (see /wiki/charter §7.4)
- Vendor shall provide documentation demonstrating compliance with the transparency / disclosure obligations identified at FedRAMP AI Cloud Procurement Guidance SSP + control documentation, including (as applicable) machine-readable provenance markers, model cards, and end-user disclosure flows.

Unanchored citations

5 cells

implicit
Foundation Models / GPAI
GenAI-specific control tailoring guidance addresses model-specific risks (training-data exposure, prompt-injection, output disclosure) within SSP + NIST SP 800-53 control overlay selection
Editor rationale: FedRAMP guidance distinguishes GenAI services from non-GenAI cloud services for control-tailoring purposes; foundation-model-specific obligations flow through the agency authorising official's discretion rather than from a FedRAMP baseline rule.
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
Contract clause language candidates
Candidate language — not legal advice (see /wiki/charter §7.4)
- Vendor shall provide documentation demonstrating compliance with the transparency / disclosure obligations identified at FedRAMP AI Cloud Procurement Guidance, including (as applicable) machine-readable provenance markers, model cards, and end-user disclosure flows.
implicit
Compute-Threshold Reporting
FedRAMP authorisation enables ATO; agency-AI-use disclosure flows through OMB M-24-10 inventory + quarterly procurement reporting rather than through FedRAMP itself
Editor rationale: FedRAMP is the cloud-security authorisation layer; M-24-10 is the AI-use-disclosure layer. Cell marked implicit because FedRAMP enables agency use but the disclosure obligation lives elsewhere in the federal-AI procurement stack.
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
Contract clause language candidates
Candidate language — not legal advice (see /wiki/charter §7.4)
- Vendor shall provide documentation demonstrating compliance with the transparency / disclosure obligations identified at FedRAMP AI Cloud Procurement Guidance, including (as applicable) machine-readable provenance markers, model cards, and end-user disclosure flows.
- Vendor shall, on request, produce evidence of completion of any reporting, registration, or conformity-assessment obligations attaching to the offered system under FedRAMP AI Cloud Procurement Guidance, and shall notify the buyer in writing within 30 days of any material change to that compliance status.
implicit
Individual Redress
Guidance cross-walks to OMB M-24-10 minimum practices including human-consideration + remedy for rights-impacting AI
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
implicit
Training-Data Rights
Supply-chain risk-management considerations include training-data + model-weight provenance disclosure within the SSP
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
Contract clause language candidates
Candidate language — not legal advice (see /wiki/charter §7.4)
- Vendor shall provide documentation demonstrating compliance with the transparency / disclosure obligations identified at FedRAMP AI Cloud Procurement Guidance, including (as applicable) machine-readable provenance markers, model cards, and end-user disclosure flows.
implicit
National Security Carveouts in AI Regulation
FedRAMP High baseline + JAB authorisation route exists for higher-sensitivity use cases; classified systems are outside FedRAMP scope and governed by separate ICD-503 / NIST SP 800-53 IC overlay frameworks
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.

Unanchored citations

5 cells

implicit
Foundation Models / GPAI
GenAI-specific control tailoring guidance addresses model-specific risks (training-data exposure, prompt-injection, output disclosure) within SSP + NIST SP 800-53 control overlay selection
Editor rationale: FedRAMP guidance distinguishes GenAI services from non-GenAI cloud services for control-tailoring purposes; foundation-model-specific obligations flow through the agency authorising official's discretion rather than from a FedRAMP baseline rule.
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
Contract clause language candidates
Candidate language — not legal advice (see /wiki/charter §7.4)
- Vendor shall provide documentation demonstrating compliance with the transparency / disclosure obligations identified at FedRAMP AI Cloud Procurement Guidance, including (as applicable) machine-readable provenance markers, model cards, and end-user disclosure flows.
implicit
Compute-Threshold Reporting
FedRAMP authorisation enables ATO; agency-AI-use disclosure flows through OMB M-24-10 inventory + quarterly procurement reporting rather than through FedRAMP itself
Editor rationale: FedRAMP is the cloud-security authorisation layer; M-24-10 is the AI-use-disclosure layer. Cell marked implicit because FedRAMP enables agency use but the disclosure obligation lives elsewhere in the federal-AI procurement stack.
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
Contract clause language candidates
Candidate language — not legal advice (see /wiki/charter §7.4)
- Vendor shall provide documentation demonstrating compliance with the transparency / disclosure obligations identified at FedRAMP AI Cloud Procurement Guidance, including (as applicable) machine-readable provenance markers, model cards, and end-user disclosure flows.
- Vendor shall, on request, produce evidence of completion of any reporting, registration, or conformity-assessment obligations attaching to the offered system under FedRAMP AI Cloud Procurement Guidance, and shall notify the buyer in writing within 30 days of any material change to that compliance status.
implicit
Individual Redress
Guidance cross-walks to OMB M-24-10 minimum practices including human-consideration + remedy for rights-impacting AI
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
implicit
Training-Data Rights
Supply-chain risk-management considerations include training-data + model-weight provenance disclosure within the SSP
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.
Contract clause language candidates
Candidate language — not legal advice (see /wiki/charter §7.4)
- Vendor shall provide documentation demonstrating compliance with the transparency / disclosure obligations identified at FedRAMP AI Cloud Procurement Guidance, including (as applicable) machine-readable provenance markers, model cards, and end-user disclosure flows.
implicit
National Security Carveouts in AI Regulation
FedRAMP High baseline + JAB authorisation route exists for higher-sensitivity use cases; classified systems are outside FedRAMP scope and governed by separate ICD-503 / NIST SP 800-53 IC overlay frameworks
Verbatim text:
Verbatim text not yet transcribed — see primary source.
Open primary source: FedRAMP Program Management Office, AI / Generative-AI cloud procurement guidance (2024); operational guidance distributed across fedramp.gov landing + PMO memos under 44 U.S.C. §3607 statutory authority. See fedramp.gov for the current consolidated state.