
Former CISA CIO presses FITARA 2.0 for AI metrics

The useful idea is measurement; the weak spot is treating FedRAMP as the trust proxy for an AI validation market still undefined.


TL;DR

David Epperson, Knox Systems Federal Advisory Board member and former CISA CIO, argues in MeriTalk that a FITARA 2.0 scorecard should grade agencies on evidence-based cyber performance and AI measures such as accuracy, drift, bias and explainability. The proposal would affect agency CIOs, AI buyers and third-party validators. It is an argument, not a bill, but it tracks the pressure to make FITARA measure outcomes instead of reported maturity.

Epperson’s central point is the part FITARA watchers should take seriously: a scorecard built around process maturity and reported compliance status will not say enough about whether agency cyber risk is falling, and it will say even less about whether federal AI systems can be trusted for a specific mission. His proposed FITARA 2.0 would push the scorecard toward evidence-based validation, measurable control performance and continuous monitoring, with AI categories covering accuracy, drift, bias and explainability.

The FedRAMP angle is narrower than the headline suggests. Epperson argues that outside AI validators may handle sensitive federal data, so the tools they use will often need FedRAMP Moderate or High authorization or certification at the appropriate impact level. That is plausible procurement hygiene. It does not by itself define how an AI validator should test bias, drift or explainability, or who accredits that validator for those tests.

For practitioners, the immediate change is zero. This is a MeriTalk column from a former federal CIO and current Knox Systems advisory board member, not an Office of Management and Budget memo or House text. The signal is still useful: if Congress refreshes the Federal Information Technology Acquisition Reform Act scorecard, the fight will not just be over adding AI and FedRAMP boxes. It will be over whether those boxes measure operational risk, or merely create better-looking documentation for the next hearing.


Published · Deep Fathom