subroutine 8 months ago

The following is required from the company using a provisionally authorized vendor service:

* organization is required to perform a Risk Assessment (is this standardized?).

* organization must issue an Authority to Operate (ATO) (example? to whom?) to use it for CUI as the data owner.

* organization must ensure data is encrypted properly both at rest and in transit (is plain text typed into a chat window encrypted at rest?).

* organization must ensure the system is documented in a System Security Plan (SSP) (example?).

* organization must get approval from the government sponsor of each project to use CUI with AI tools.

I am the one pushing for adoption, but don't have the time or FedRAMP/DISA expertise, and our FSO/CISO would rather we just not.