AI shared responsibility for federal civilian agencies
FedRAMP authorizes the cloud service provider side. The agency side of every AI
service's shared responsibility split has no schema. This vertical fills that gap:
40 controls across five SRF layers, each with a single named accountable party, a measurable
threshold, an evidence pointer (an OCSF event class where a machine-readable signal exists,
a named governance document otherwise), and a responsibility_split value
aligned to FedRAMP Customer Responsibility Matrix (CRM) categories.
Experimental schema. This vertical is a proposed
extension of the CoSAI Shared Responsibility Framework, developed independently to
demonstrate the approach. It is not part of CoSAI SRF v1.0 and has not been endorsed
by CoSAI, OMB, GSA, FedRAMP, NIST, or any federal agency. Section references to
OMB M-25-21 and M-25-22 are marked TBD pending verification against the primary PDFs
at whitehouse.gov. FedRAMP 20x KSI names are still evolving through the pilot phases;
verify at fedramp.gov before using in official agency documentation.
At a glance: 40 controls; 5 SRF layers; 4 federal AI lifecycle stages; September 22, 2026 OMB M-25-21 reporting deadline.
The M-25-21 gap. OMB M-25-21 (April 3, 2025) requires federal civilian
agencies to apply seven minimum risk management practices to every high-impact AI use case
and report compliance to OMB by September 22, 2026. Use cases that cannot meet the minimum
practices must be discontinued. The memo names the practices but provides no control catalog,
no measurable thresholds, and no evidence model.
The FedRAMP CRM gap. FedRAMP 20x is moving AI services into agencies faster
than agency-side governance can absorb them. FedRAMP authorizes the cloud service provider
side; the Customer Responsibility Matrix covers NIST SP 800-53 security controls but assigns nobody
to the AI-specific obligations in M-25-21 and M-25-22. This schema fills the agency side of
that split.
COSAiS still in draft. NIST's COSAiS overlays (SP 800-53 control overlays
for securing AI systems) are the official forthcoming answer, but all overlays remain in draft
as of June 2026. Agencies facing the September deadline cannot wait. COSAiS mappings in this
schema are marked TBD with a revisit note for when the final versions publish.
The responsibility_split field. Every control in this schema carries a
responsibility_split value aligned to FedRAMP CRM categories: agency,
shared, csp, or inherited. This is the feature that
makes the schema legible to ISSOs and maps directly onto artifacts every Authorizing Official
already uses.
Schema design
Accountability plane
SRF layers and personas
Each control names exactly one accountable persona. Five layers map to a federal AI
lifecycle: governance, data, application, platform, and model. Federal roles
(CAIO, ISSO, AO) are mapped to personas in the how-to guide, not in the JSON.
Control plane
Federal AI lifecycle stages + CRM split
Four stages: ACQ (acquisition), VAL (pre-deployment validation), MON (ongoing
monitoring), OVR (human oversight and remedy). Every control also carries a
responsibility_split value for direct CRM integration.
Evidence plane
OCSF v1.8.0 and document artifacts
Each threshold names an OCSF event class where a machine-readable signal exists.
Where evidence is a governance document (impact assessment, ATO letter, compliance
plan), the schema says so rather than forcing OCSF onto paperwork.
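An added example of how the three planes constrain a control record (this is illustrative code written for this page, not the vertical's own JSON or tooling): a validator that enforces the enumerations above (layers L1-L5, stages ACQ/VAL/MON/OVR, the four responsibility_split values, the six personas), requires exactly one accountable persona per control, and accepts a threshold only when it matches its evidence kind (a numeric comparison for an OCSF-backed signal, a presence check for a document artifact). It also rolls controls up by layer and split, the shape an ISSO needs for the CRM. Every field name other than `responsibility_split` is an assumption, and the sample records and their ids are constructed.

```python
"""Validator and CRM roll-up for federal AI shared-responsibility control records.

Added example for this page, not the vertical's own schema. Enumerations are the
ones the page states; field names other than responsibility_split are assumed.
"""
from collections import Counter

LAYERS = {"L1", "L2", "L3", "L4", "L5"}
STAGES = {"ACQ", "VAL", "MON", "OVR"}
SPLITS = {"agency", "shared", "csp", "inherited"}          # FedRAMP CRM categories
PERSONAS = {
    "ai-system-governance", "data-provider", "application-developer",
    "agentic-platform-provider", "ai-platform-provider", "model-provider",
}
REQUIRED = ("id", "layer", "stage", "accountable_persona",
            "responsibility_split", "threshold", "evidence")
NUMERIC_OPS = {"<=", ">=", "<", ">", "=="}


def validate_control(c: dict) -> list[str]:
    """Return the problems with one control record; an empty list means valid."""
    cid = c.get("id", "?")
    errors = [f"{cid}: missing field {k}" for k in REQUIRED if k not in c]
    if errors:
        return errors
    if c["layer"] not in LAYERS:
        errors.append(f"{cid}: unknown layer {c['layer']!r}")
    if c["stage"] not in STAGES:
        errors.append(f"{cid}: unknown stage {c['stage']!r}")
    if c["responsibility_split"] not in SPLITS:
        errors.append(f"{cid}: responsibility_split must be one of {sorted(SPLITS)}")
    # Accountability plane: one accountable party, never a list or "a, b".
    persona = c["accountable_persona"]
    if not isinstance(persona, str) or persona not in PERSONAS:
        errors.append(f"{cid}: accountable_persona must name exactly one known persona")
    threshold, evidence = c["threshold"], c["evidence"]
    if not isinstance(evidence, dict) or evidence.get("kind") not in {"ocsf", "document"}:
        errors.append(f"{cid}: evidence.kind must be 'ocsf' or 'document'")
        return errors
    if not isinstance(threshold, dict):
        errors.append(f"{cid}: threshold must be an object")
        return errors
    if evidence["kind"] == "ocsf":
        # Evidence plane: a machine-readable signal names the OCSF class and the field
        # the threshold is measured on; the threshold itself must be a numeric comparison.
        if not evidence.get("class_name") or not evidence.get("field"):
            errors.append(f"{cid}: OCSF evidence needs class_name and field")
        value = threshold.get("value")
        if (threshold.get("op") not in NUMERIC_OPS
                or isinstance(value, bool) or not isinstance(value, (int, float))):
            errors.append(f"{cid}: OCSF-backed threshold needs a numeric comparison")
    else:
        # Paperwork (impact assessment, ATO letter) is checked for presence, not a number.
        if not evidence.get("artifact"):
            errors.append(f"{cid}: document evidence needs an artifact name")
        if threshold.get("op") != "present":
            errors.append(f"{cid}: document-backed threshold must be a presence check")
    return errors


def validate_catalog(controls: list[dict]) -> list[str]:
    """Validate every record and reject duplicate control ids."""
    seen = Counter(c.get("id") for c in controls)
    errors = [f"{cid}: duplicate id" for cid, n in seen.items() if n > 1]
    for c in controls:
        errors += validate_control(c)
    return errors


def crm_rollup(controls: list[dict]) -> Counter:
    """Count controls per (layer, responsibility_split): the cells of a CRM sheet."""
    return Counter((c["layer"], c["responsibility_split"]) for c in controls)


def agency_side(controls: list[dict]) -> list[str]:
    """Ids the agency must evidence itself: its own controls plus shared ones."""
    return [c["id"] for c in controls if c["responsibility_split"] in ("agency", "shared")]


# Constructed sample records; ids, thresholds and field paths are hypothetical.
SAMPLE_CONTROLS = [
    {"id": "FED-L2-03", "layer": "L2", "stage": "MON",
     "accountable_persona": "data-provider", "responsibility_split": "agency",
     "threshold": {"op": "<=", "value": 0.2},                  # PSI input-drift ceiling
     "evidence": {"kind": "ocsf", "class_name": "API Activity", "field": "unmapped.psi"}},
    {"id": "FED-L1-01", "layer": "L1", "stage": "ACQ",
     "accountable_persona": "ai-system-governance", "responsibility_split": "agency",
     "threshold": {"op": "present"},
     "evidence": {"kind": "document", "artifact": "AI use-case inventory entry"}},
    {"id": "FED-L4-02", "layer": "L4", "stage": "VAL",
     "accountable_persona": "ai-platform-provider", "responsibility_split": "inherited",
     "threshold": {"op": "present"},
     "evidence": {"kind": "document", "artifact": "FedRAMP ATO letter"}},
    # Deliberately bad: two personas, and a numeric threshold pointed at paperwork.
    {"id": "FED-L3-09", "layer": "L3", "stage": "OVR",
     "accountable_persona": "application-developer, ai-system-governance",
     "responsibility_split": "shared",
     "threshold": {"op": "<=", "value": 0.2},
     "evidence": {"kind": "document", "artifact": "impact assessment"}},
]

if __name__ == "__main__":
    for problem in validate_catalog(SAMPLE_CONTROLS):
        print(problem)
    print(dict(crm_rollup(SAMPLE_CONTROLS)))
    print(agency_side(SAMPLE_CONTROLS))
```

The evidence-kind rule is the check worth keeping even if the field names change: a PSI ceiling with no OCSF class behind it, or a document artifact graded against a number, is the kind of record that passes a schema-only validator and then cannot be evidenced at assessment time.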
Coverage by layer
L1
Governance and processes
Use-case inventory and public posting, high-impact designation, CAIO and governance
board, M-25-21 compliance plan, discontinuation and waiver process, public feedback
channel, M-25-22 contract compliance, staff training, governance board review cadence.
Accountable persona: ai-system-governance.
9 controls
L2
Data and input control
Authority-to-use for training and RAG data, agency data egress block per M-25-22,
PII and CUI classification, input drift monitoring (PSI), NARA log retention,
output accuracy monitoring, disparate impact monitoring, FedRAMP authorization
for data services. Accountable personas: data-provider
(5 controls) and application-developer (3 controls).
8 controls
L3
Application and integration
Pre-deployment testing, AI impact assessment, prompt injection detection, human
oversight gate for adverse citizen decisions, remedy and appeal mechanism, agentic
task boundary enforcement, shared-service inheritance chain, plain-language
explanation for adverse decisions. Accountable personas: application-developer
(7 controls) and agentic-platform-provider (1 control).
8 controls
L4
Platform and infrastructure
FedRAMP authorization at required FIPS 199 impact level, guardrail configuration
baseline, API gateway authentication, CUI encryption and access monitoring, audit
log completeness per 20x KSIs, model serving availability SLA, ATO CRM completion,
continuous vulnerability scanning. Accountable personas: ai-platform-provider
(6 controls) and agentic-platform-provider (2 controls).
8 controls
L5
Model and supplier
Model documentation per M-25-22 transparency terms, vendor drift disclosure SLA,
artifact signing and provenance, vulnerability disclosure SLA, model portability
for lock-in avoidance, model version change re-validation trigger, supply chain
risk assessment. Accountable persona: model-provider.
7 controls
GovRAMP crosswalk is on the roadmap; controls will gain GovRAMP marketplace authorization IDs once the program publishes its AI-specific requirements.