The Federal Government’s Treatment of Government Contractors’ Emerging Technologies – Including Chat Interfaces and Code Generator

The federal government’s cybersecurity treatment of “chat interfaces,” “code generators,” and other emerging technologies is evolving, as these technologies introduce unique challenges related to privacy, security, and compliance for federal government agencies. The certification process for such emerging technologies depends on the specific framework under which the technology will be used. These frameworks include the Federal Risk and Authorization Management Program (“FedRAMP”), a government program that standardizes the security of cloud services used by the federal government; the Cybersecurity Maturity Model Certification (“CMMC”), a program that evaluates the ability of organizations to protect sensitive data for the Department of Defense (“DoD”); and agency-specific guidelines.

Emerging technologies like chat interfaces (e.g., artificial intelligence (“AI”)-powered tools) and code generators are classified based on their risk and impact. These tools must address potential vulnerabilities, such as data leakage, unauthorized access, and misuse. The federal government will assess risk under the framework of the National Institute of Standards and Technology (“NIST”) guidelines, especially NIST SP 800-53 (for security controls) or NIST SP 800-171 (for protecting controlled unclassified information).

The federal government’s key challenges include:

  • Privacy Risks: If these emerging technologies process sensitive or personal information, federal agencies must ensure compliance with regulations like the Federal Information Security Modernization Act (“FISMA”) and applicable privacy standards.
  • AI/Machine Learning (“ML”) Security: Chat interfaces and AI-powered systems require transparency and accountability for decision-making processes. The AI Risk Management Framework (AI RMF) developed by NIST provides specific guidance.
  • Supply Chain Risks: If the emerging technology relies on third-party tools or libraries, it must demonstrate supply chain integrity under frameworks like CMMC, discussed above.

FedRAMP for Cloud-Based Emerging Technologies Certification Guidelines and Submission Process

Technologies offered as cloud-based services must undergo FedRAMP certification if used by federal agencies.

Steps

  1. Categorize Service: Determine the impact level (low, moderate, high).
  2. Documentation: Prepare a System Security Plan (SSP) and other required documentation.
  3. Audit: Engage a Third-Party Assessment Organization (3PAO) for a security assessment.
  4. Submission: Submit assessment reports to the Joint Authorization Board (JAB) or a federal agency for review.

NOTE: The JAB, composed of representatives from the DoD, the Department of Homeland Security (DHS), and the General Services Administration (GSA), reviews the security package and grants a Provisional Authorization to Operate (P-ATO). This path is more rigorous and is suitable for cloud services widely used across the government.

  5. Authorization: Obtain either a Provisional Authorization to Operate (P-ATO) or an Agency Authorization to Operate (ATO).

Timing

The timing for FedRAMP approval depends on the authorization path selected and the complexity of the system being assessed. The agency path, in which a federal agency sponsors the cloud service provider through the FedRAMP authorization process and the provider’s FedRAMP-compliant security package is validated by a 3PAO, will typically take six to 12 months, whereas submission to the JAB typically takes 12 to 18 months. FedRAMP approval might also take longer if the system requires a higher security impact level or if there are “resource constraints” (such as limited availability of agency sponsors, JAB reviewers, or 3PAO capacity). These timeframes are therefore averages, and obtaining FedRAMP approval could take longer than the estimates listed here.

CMMC for Defense-Related Technologies Certification Guidelines and Submission Process

The CMMC is a framework established by the DoD to enhance cybersecurity practices within the Defense Industrial Base. The DoD plans to include CMMC requirements in contracts starting in mid-2025, with a phased rollout extending into 2028. For tools handling Controlled Unclassified Information (CUI) within the DoD ecosystem, the CMMC process requires hiring a Certified Third-Party Assessment Organization (C3PAO) for evaluation.

Process and Timeline to Obtain CMMC Authorization

  1. Preparation Phase:
    • Assessment of Current Practices: Evaluate existing cybersecurity measures against the required CMMC level.
    • Implementation of Controls: Address any gaps by implementing the necessary security controls.
    • Documentation: Develop comprehensive policies, procedures, and system security plans.
  2. Assessment Phase:
    • Third-Party Assessment: Engage a C3PAO to conduct a formal evaluation.
    • Remediation: Address any identified deficiencies and update documentation accordingly.
  3. Certification Phase:
    • Submission: Provide assessment results to the DoD for review.
    • Approval: Await official certification, which is valid for three years.

Timing

The preparation phase typically takes six to 18 months, depending on organizational size and current cybersecurity posture. The assessment phase typically takes two to four months for Level 1 and 10 to 18 months for Level 2, though this can vary based on organizational complexity. The certification phase depends on the DoD’s review and approval process. Thus, the total estimated time for CMMC approval is six to 12 months or more.

Conclusion

The federal government’s evolving approach to government contractors’ emerging technologies, including chat interfaces and code generators, highlights both the immense potential and the complex challenges these innovations bring to the defense and broader public sectors. As technologies like artificial intelligence, machine learning, and automation continue to shape the landscape, contractors are faced with navigating a regulatory environment that seeks to ensure security, ethical standards, and compliance with federal requirements.

For contractors, this presents a dual challenge: the need to innovate and leverage new technologies for operational efficiency, while also meeting stringent cybersecurity and regulatory demands, such as those outlined in frameworks like FedRAMP and CMMC. The government’s increasing reliance on these technologies requires contractors to maintain a delicate balance between technological advancement and the protection of sensitive data.

As these technologies become integrated into federal contracts starting in 2025, it will be crucial for contractors to stay ahead of regulatory changes, invest in robust cybersecurity practices, and proactively engage with evolving compliance standards. While the federal government’s treatment of emerging technologies presents challenges, it also offers contractors the opportunity to be at the forefront of innovation. By aligning technological advancements with security and regulatory requirements, contractors can not only contribute to the nation’s defense and technological advancement but also secure a competitive edge in the rapidly evolving market.

About the Author

Tenley A. Carp is a partner at Arnall Golden Gregory LLP and the chair of the firm’s Government Contracts practice. She can be reached at [email protected].
