AI tool usage
We embrace emerging technology when it is helpful to further our customers' missions, is mature and stable enough to support government processes, and provides the security controls necessary to protect sensitive information.
Key concepts
Understand security requirements
Check FISMA compliance: All AI tools must be approved for use at or above the FISMA rating of the customer's system(s). If you don't know your system's FISMA rating, ask your tech lead.
Know data restrictions: Your ability to use AI tools depends on both the customer's security policies and the FISMA ratings of the systems and tools involved.
Default restrictions (unless specified otherwise in writing):
- Prior to allowing AI access to any code, scan the code for secrets, PII, or other sensitive data.
- Use AI tools that do not train models on sensitive information and do not retain data for longer than needed. Source code is often considered sensitive information.
Know what features you can use: Some tools may have limited features approved for use (for example, chat but not IDE usage).
What to do on your government-furnished equipment (GFE) vs. your Pluribus computer
Tasks involving customer code and data must be limited to the customer's environment (GFE), and you must maintain strict boundaries around environments that contain sensitive data. (Source code is often considered sensitive data.)
But you may use AI tools on your Pluribus computer for tasks that don't involve customer data, for example, researching general approaches to problems, evaluating tools and their capabilities, and writing general documentation.
Pluribus expectations
Get written permission to use AI with customer data
- Obtain explicit written permission from the customer
- Explain your intended use case for AI
- Specify what data the AI tools will access
When it makes sense to do so, request approval for features or capabilities rather than specific tools, because the customer may already have an approved tool that meets your needs.
Request pre-approved tools whenever possible. You can request tools that aren't pre-approved, but expect a lengthy approval process with no guarantee of success.
Check these sources first:
- Your customer's approved tool list
- The FedRAMP Marketplace (available starting January 2026)
Maintain quality standards
You are ultimately responsible for all code you produce with AI assistance. AI-assisted work must meet the same quality standards as work created without AI assistance.
- You should be able to walk a colleague through your code and answer questions about the decisions and tradeoffs made.
- Keep pull requests/merge requests small. Large PRs are harder to review and double-check.
- Follow patterns and conventions previously established in the rest of the codebase.
- Code should have thorough test coverage.
- Code must pass all checks and meet acceptance criteria before merging into the repo.
Document your decisions
Record all the decisions above in a central project location so future team members can easily reference them.