Driving Efficient Acquisition of Artificial Intelligence in Government
TLDR
This report for an executive order establishes federal AI procurement guidelines requiring agencies to: prioritize vendor diversity and data portability; implement performance monitoring and sunset clauses for underperforming AI systems; and create multi-disciplinary review teams for AI procurement decisions. While advancing responsible AI acquisition, it contains potential loopholes including national security exemptions, vague impact definitions, and limited enforcement mechanisms.
This memorandum from OMB Director Russell T. Vought outlines new AI procurement guidelines for federal agencies, emphasizing three core themes:
Competitive AI marketplace:
- Requires agencies to prioritize vendor diversity, data portability, and interoperability to prevent monopolistic dependencies.
- Mandates updated contracting processes within 270 days to standardize IP rights and prohibit vendors from using non-public government data to train commercial AI models without explicit consent.
- Critique: While promoting competition, the narrow exclusion for “common commercial products” (e.g., AI-embedded word processors) creates potential loopholes for vendors to bypass scrutiny.
Taxpayer accountability:
- Introduces quarterly/biannual performance monitoring requirements and mandates sunset clauses for underperforming AI systems.
- Requires agencies to use independent validation datasets inaccessible to vendors during evaluations.
- Critique: Lacks concrete enforcement mechanisms for non-compliance, relying on self-reporting rather than third-party audits.
Cross-functional oversight:
- Establishes multi-disciplinary review teams (privacy, cybersecurity, civil rights experts) for AI procurement decisions.
- Directs GSA to create a secure interagency repository for sharing AI contract templates and cost benchmarks within 200 days.
- Critique: Fails to address resource disparities between large agencies and smaller entities that may struggle to implement complex review processes.
Key omissions & risks:
- National Security Exemptions: Entirely excludes AI used in National Security Systems from oversight, creating potential gaps in ethical AI deployment.
- Vagueness in High-Impact AI: While requiring transparency for systems affecting civil liberties, the memo uses subjective terms like “reasonably foreseeable use cases” that could enable risk underestimation.
- Data Sovereignty Gaps: Though prohibiting vendor training on government data, lacks provisions for auditing vendor compliance with these restrictions.
This framework advances responsible AI acquisition but retains significant implementation challenges and oversight loopholes that could undermine its effectiveness.
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503
April 3, 2025
THE DIRECTOR
M-25-22
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
FROM:
Russell T. Vought
Director
SUBJECT: Driving Efficient Acquisition of Artificial Intelligence in Government
OVERVIEW
Executive Order 13960, Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government,1 charges Federal agencies with using safe and secure artificial intelligence (AI) in innovative ways to improve government efficiency and mission effectiveness. In carrying out this direction, agencies must procure effective and trustworthy AI capabilities in a timely and cost-effective manner. Consistent with the Advancing American AI Act,2 Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence,3 and Office of Management and Budget (OMB) Memorandum M-25-21, Accelerating Federal Use of AI through Innovation, Governance, and Public Trust, this memorandum provides guidance to agencies to improve their ability to acquire AI responsibly. This memorandum rescinds and replaces OMB Memorandum M-24-18, Advancing the Responsible Acquisition of Artificial Intelligence in Government. To that end, there are three grounding themes that drive this memorandum’s requirements:
Ensuring the Government and the Public Benefit from a Competitive American AI Marketplace. Competition in the marketplace enables the government to acquire the best solutions at lower cost to the taxpayer. As agencies seek to accelerate the adoption of AI-enabled services, they must pay careful attention to vendor sourcing, data portability, and long-term interoperability4 to avoid significant and costly dependencies on a single vendor. The government must communicate clear and specific requirements that make it easy for vendors to offer state-of-the-art AI capabilities to support efficient and effective public services.
1 Executive Order 13960, Promoting the Use of Trustworthy Artificial Intelligence. December 3, 2020, https://www.federalregister.gov/documents/2020/12/08/2020-27065/promoting-the-use-of-trustworthy-artificial-intelligence-in-the-federal-government.
2 Pub. L. No. 117-263, div. G, title LXXII, subtitle B, § 7224(d)(1) (codified at 40 U.S.C. 11301 note), https://www.congress.gov/117/plaws/publ263/PLAW-117publ263.pdf.
3 Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence. January 31, 2025. https://www.federalregister.gov/documents/2025/01/31/2025-02172/removing-barriers-to-american-leadership-in-artificial-intelligence.
4 The term “interoperability” generally refers to the ability of two or more systems, products, or components to exchange information and use the information that has been exchanged, including to operate effectively together.
Safeguarding Taxpayer Dollars by Tracking AI Performance and Managing Risk. AI presents a tremendous opportunity to improve government efficiency and effectiveness. To achieve this promise, agencies must ensure that the AI systems they procure are fit for purpose and deliver consistent results that preserve public trust in the manner outlined in Executive Order 13960.5
Promoting Effective AI Acquisition with Cross-Functional Engagement. Robust collaboration is a foundational principle of the Executive Branch’s acquisition process and remains critical for surfacing potential issues sooner rather than later to avoid obstacles and risks in procuring new technology, such as AI. The novel challenges that AI introduces require agile engagement from agency officials with varied expertise to fully address during acquisition.
SCOPE
The Advancing American AI Act (“the Act”) directs OMB to develop an initial means by which to ensure that contracts for the acquisition of an AI system or service align with the guidance required by the AI in Government Act of 2020, which was updated in OMB Memorandum M-25-21, and to advance the aims identified in section 7224(d)(1) of the Act. This memorandum does not supersede, and should be considered in concert with, other more general Federal policies that apply to the acquisition of AI. Agencies must comply with all applicable OMB policies and coordinate compliance across their components with all appropriate officials. Agency officials retain their existing authorities and responsibilities established in other laws and policies.
a. Covered Agencies. Except as specifically noted, this memorandum applies to all agencies defined in 44 U.S.C. § 3502(1). As noted in the relevant sections, some requirements in this memorandum apply only to Chief Financial Officers Act (CFO Act) agencies, as identified in 31 U.S.C. § 901(b). The requirements in this memorandum do not apply to elements of the Intelligence Community, as defined in 50 U.S.C. § 3003.
b. Covered AI. This memorandum provides requirements and recommendations that, as described in more detail below, apply to AI systems or services that are acquired by or on behalf of covered agencies.
The term AI system, as used in the Act and this memorandum, includes data systems, software, applications, tools, or utilities "established primarily for the purpose of researching, developing, or implementing artificial intelligence technology,"6 as well as data systems, software, applications, tools, or utilities where an AI capability "is integrated into another system or agency business process, operational activity, or technology system."7 The term excludes, however, "any common commercial product within which artificial intelligence is embedded, such as a word processor or map navigation system."8
This includes ensuring that open and standard data formats and application programming interfaces (APIs) are used so that foundational components can be used, including to build for new use cases, without obscure proprietary technologies or licensing.
5 Section 2 of Executive Order 13960 states that “[i]t is the policy of the United States to promote the innovation and use of AI, where appropriate, to improve Government operations and services in a manner that fosters public trust, builds confidence in AI, protects our Nation’s values, and remains consistent with all applicable laws, including those related to privacy, civil rights, and civil liberties.”
In determining whether a product that integrates AI functionality is excepted under this provision, agencies should assess both (1) whether the product is widely available to the public for commercial use, as opposed to products that are not readily available to the general public or are specialized or customized for agency use, and (2) whether the AI is embedded in a product that has substantial non-AI purposes or functionalities, as opposed to products for which AI is a primary purpose or functionality. For example, word processing software that is primarily used for its AI functionality likely would be covered by this memorandum. On the other hand, common commercial word processing software that has substantial non-AI purposes or functionalities, but for which AI is embedded for functions like suggesting text or correcting spelling and grammar, would likely fall within the exception and thus would not be covered by the requirements of this memorandum.
This memorandum does not govern:
i. Agencies’ regulatory actions designed to prescribe law or policy regarding non-agency uses of AI;9
ii. Agencies’ assessments of particular AI applications because the AI provider is the target or potential target of a regulatory enforcement, law enforcement, or national security action; or the agency is evaluating the AI application because it was used by a criminal suspect;10
iii. Agencies’ development of metrics, methods, and standards to test and measure AI, where such metrics, methods, and standards are for use by the general public or the government as a whole, rather than to test AI for a particular agency application;11
iv. Agencies’ acquisition of AI to carry out basic, applied, or experimental research12 except where the purpose of such research is to develop particular AI applications within the agency; or
v. AI used incidentally by a contractor during performance of a contract (e.g., AI used at the option of a contractor when not directed or required to fulfill requirements).
6 Pub. L. No. 117-263, div. G, title LXXII, subtitle B, § 7223(4) (codified at 40 U.S.C. 11301 note), https://www.congress.gov/117/plaws/publ263/PLAW-117publ263.pdf.
7 Id.
8 Id.
9 For guidance on regulatory and non-regulatory approaches to AI applications developed and deployed outside of the Federal government and best practices to reduce barriers to the development and adoption of AI technologies, agencies should consult OMB Memorandum M-21-06, Guidance for Regulation of Artificial Intelligence Applications (Nov. 17, 2020), https://trumpwhitehouse.archives.gov/wp-content/uploads/2020/11/M-21-06.pdf.
10 AI is not in scope when it is the target or potential target of such an action, but it is in scope when the AI is used to carry out an enforcement action. For example, when evaluating an AI tool to determine whether it violates the law, the AI would not be in scope; if an agency was using that same AI tool to assess a different target, then the AI would be in scope.
11 Examples include agency actions to develop, for general use, standards or testing methodologies for evaluating or red-teaming AI capabilities.
12 For more information about basic, applied, or experimental research, reference the National Science
c. Future Contracts for AI. This memorandum shall apply to any contract awarded pursuant to a solicitation issued on or after the date that is 180 days after issuance of this memorandum, as well as to any option to renew or extend the period of performance exercised on an existing contract after the date that is 180 days after the issuance of this memorandum.
d. Applicability to National Security Systems. This memorandum does not apply to AI acquired for use as a component of a National Security System.13
AGENCY-LEVEL REQUIREMENTS
In addition to the actions described in Section 4 below, this memorandum directs agencies to:
b. Update Agency Policies. Within 270 days of the issuance of this memorandum, agencies must revisit, and update where necessary, existing internal procedures on acquisition to comply with the requirements of this memorandum and ensure the agency’s use of the acquired AI will conform to OMB Memorandum M-25-21. At a minimum, agencies must update internal procedures on acquisition to enable relevant agency officials to:
i. Review planned acquisitions involving an AI system or service and provide any feedback on AI performance and risk management practices as necessary, consistent with guidance in Section 4 of this memorandum;
ii. Convene a cross-functional team of relevant agency officials14 to include in the coordination and decision-making processes associated with the acquisition, as discussed in Section 4(a)(i) of this memorandum;
iii. Ensure use of appropriate contract terms for intellectual property (IP) rights, in alignment with paragraph (d) below.
c. Maximize the Use of American-Made AI. Executive Order 14179 recognizes the importance of American AI development to promote human flourishing, economic competitiveness, and national security. Consistent with applicable law, it is the policy of the United States to buy American and to maximize the use of AI products and services that are developed and produced in the United States.15
Foundation’s Frascati Manual. The full Frascati Manual and current and upcoming online Annexes are available at http://oe.cd/frascati. 13 The term “National Security System” has the meaning provided in 44 U.S.C. § 3552(b)(6). 14 Examples of officials with relevant equities will likely include those with expertise in acquisition (including competition advocates), IT, cybersecurity, privacy, confidentiality, civil rights, civil liberties, budgeting, data, legal, program evaluation, and other areas as necessary. 15 Executive Order 14179.
d. Protect Privacy. Consistent with OMB Circular No. A-130,16 agencies shall establish policies and processes, including contractual terms and conditions, that ensure compliance with privacy requirements in law and policy whenever agencies acquire an AI system or service, or an agency contractor uses an AI system or service, that will create, collect, use, process, store, maintain, disseminate, disclose, or dispose of Federal information containing personally identifiable information (PII). Agencies shall ensure that Senior Agency Officials for Privacy17 have early and ongoing involvement in agency acquisition or contractor use of AI involving PII, including during pre-solicitation acquisition planning and when defining requirements, to manage privacy risks and ensure compliance with law and policy related to privacy.
e. Protect IP Rights and Use of Government Data. Consistent with applicable laws and government-wide policy,18 agencies must have appropriate processes for addressing use of government data and include appropriate contractual terms that clearly delineate the respective ownership and IP rights of the government and the contractor. Careful consideration of respective IP licensing rights is even more important when an agency procures an AI system or service, including where agency information is used to train, fine tune, and develop the AI system. Each agency must revisit, and update where necessary, its process for the treatment of data ownership and IP rights in procurements for AI systems or services. Agencies should prioritize standardization across contracts where possible. The Chief AI Officer Council will periodically review agency processes to encourage best practices and interagency harmonization. Agency processes should address the following:
i. Scope. Scoping licensing and other IP rights appropriately, based on the intended use of AI, to avoid vendor lock-in;
ii. Timeline. Ensuring components necessary to operate and monitor the AI system or service remain available for the acquiring agency to access and use for as long as it may be necessary;
iii. Data Handling. Providing clear guidance on handling, access, and use of agency data or information to ensure, among other purposes, that such information must only be collected and retained by a vendor when reasonably necessary to serve the intended purposes of the contract;
iv. Use of Government Data. Ensuring contracts permanently prohibit the use of non-public inputted agency data and outputted results to further train publicly or commercially available AI algorithms, consistent with applicable law, absent explicit agency consent; and
v. Documentation, Transparency, and Accessibility. As noted in OMB Memorandum M-25-21, agencies are encouraged, where appropriate, to prioritize obtaining documentation that facilitates transparency and explainability,19 and that ensures an adequate means of tracking performance and effectiveness for procured AI.
16 See, for example, OMB Circular No. A-130, Main Body § 5(a)(1)(b)(ii) and Appendix I § 4(j)(1), https://bidenwhitehouse.archives.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf.
17 Per OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy (September 15, 2016): “At the discretion of the SAOP and consistent with applicable law, other qualified agency personnel may perform particular privacy functions that are assigned to the SAOP,” https://bidenwhitehouse.archives.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m_16_24_0.pdf.
18 See, for example: OMB Circular No. A-130 and OMB Memorandum M-25-05, Phase 2 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Open Government Data Access and Management Guidance, https://www.whitehouse.gov/wp-content/uploads/2025/01/M-25-05-Phase-2-Implementation-of-the-Foundations-for-Evidence-Based-Policymaking-Act-of-2018-Open-Government-Data-Access-and-Management-Guidance.pdf
f. Spotlight AI Acquisition Authorities, Approaches, and Vehicles. Within 100 days of the issuance of this memorandum, GSA, in collaboration with OMB and relevant interagency councils, will develop a plan to release publicly available guide(s) to assist the acquisition workforce with the procurement of AI systems, addressing potential acquisition authorities, approaches, and vehicles as well as their potential benefits and drawbacks, and any other resources that agencies can immediately leverage for AI procurement.
g. Contribute to a Shared Repository of Best Practices. Within 200 days of the issuance of this memorandum, GSA, in coordination with OMB, will develop a web-based repository, available only to Executive Branch agencies, to facilitate the sharing of information, knowledge, and resources about AI acquisition. Agencies should contribute tools, resources, and data-sharing best practices developed for improved AI acquisition, which may include language for standard contract clauses and negotiated costs for common AI systems and other relevant artifacts.20
h. Determine Necessary Disclosures of AI Use in the Fulfillment of a Government Contract. While this memorandum primarily concerns the deliberate acquisition of AI systems, vendors will likely increasingly utilize AI as part of contract performance in situations where the government may not anticipate the use of that AI. Agencies must be cognizant of the risks posed by the unsolicited use of AI systems by vendors and determine whether there are circumstances that merit including a provision in a solicitation requiring disclosure of AI use as part of any given contract’s performance.
AI ACQUISITION LIFECYCLE GUIDANCE
The below subsections delineate requirements and recommendations for agencies as part of their AI acquisition practices. As noted above, this guidance should be considered in concert with any other relevant laws or policy that may apply to such a procurement. Throughout the AI acquisition lifecycle, agencies shall consider and mitigate, as appropriate, risks to privacy, civil liberties, and civil rights.
19 In this context, explainability refers to an agency’s ability to provide evidence or reasons for system output. A significant enabler of explainability is clear documentation that is meaningful or understandable to individual users and reflects the process for model-driven development. 20 Examples of other relevant artifacts might include negotiated costs for common AI systems, best practices for performance-based acquisition, and approaches for structuring and including provisions related to data and model documentation, availability, and transparency to support ongoing performance monitoring, testing and evaluation, and program evaluation to ensure effective and efficient deployment and service delivery.
a. Identification of Requirements.
Convening a Cross-Functional Team. Based on the nature of the requirements involved in the procurement, agencies should follow their designated process for convening an internal cross-functional team, as required by Section 3(a).21 This team should then work to inform the procurement of AI systems or services in a streamlined manner that apportions time and resources according to the requirements of the procurement, including associated complexity and risk, to support effective, efficient, and responsible development and execution of ongoing performance monitoring. The team should assist in creating an initial list of potential risks that should be evaluated based on the type of AI system or service under consideration. In particular, the team must identify potential risks to the agency’s implementation of the nine principles for use of AI in government articulated in Executive Order 13960.22
Determining the Use of High-Impact AI. During this phase, agencies must identify reasonably foreseeable use cases arising from the use of an AI system or service, and to the greatest extent practicable, make an initial determination of whether a system is likely to host high-impact AI use cases, as defined by OMB Memorandum M-25-21.23 This initial determination will assist in developing key questions to investigate as part of market research.
b. Market Research & Planning.
Broad Market Research. Agencies should take advantage of the dynamic evolution of the AI market to seek state-of-the-art AI capabilities by conducting thorough market research. As part of this work, agencies should seek to leverage existing interagency knowledge sharing and acquisition platforms across the Executive Branch. They should also, when appropriate, seek out novel AI capabilities from new entrants that have not previously considered working with the Executive Branch. To support market research, OMB will develop additional “play books” specific to various types of AI (e.g., AI-based biometrics, specialized computing infrastructure, and generative AI), designed to highlight the particular considerations and nuances inherent in these specialized areas.
21 Refer to the list identified in Footnote 13 regarding the potential makeup of such teams.
22 Executive Order 13960, Promoting the Use of Trustworthy Artificial Intelligence. December 3, 2020, https://www.federalregister.gov/documents/2020/12/08/2020-27065/promoting-the-use-of-trustworthy-artificial-intelligence-in-the-federal-government.
23 The term “high-impact AI” has the meaning provided in OMB Memorandum M-25-21, as AI with an output that serves as the primary basis for decisions or actions with legal, material, binding, or significant effect on: an individual or entity’s civil rights, civil liberties, or privacy; or an individual or entity’s access to education, housing, insurance, credit, employment, and other programs; or an individual or entity’s access to critical government resources or services; or human life, well-being; or critical infrastructure or public safety; or strategic assets or resources, including high-value property and information marked as sensitive or classified by the Federal Government.
ii. Product Demonstration. Where practicable, agencies should seek detailed demonstrations and tests of potentially useful AI systems or services in scenarios that closely reflect the intended real-world operating environment, including the specific characteristics of agency networks. These demonstrations should be used to help interrogate capabilities and limitations of a given provider. This phase should also serve as an opportunity to identify any obstacles to long-term cost-effectiveness with regard to vendor lock-in.24
Performance-Based Acquisition Techniques. Agencies are strongly encouraged to use performance-based techniques, as outlined below, to identify requirements and contract terms. Resulting performance-based requirements allow agencies to understand and assess vendor claims about their proposed use of AI systems or services prior to contract award, acquire AI capabilities that address their needs, and perform post-award monitoring. Focusing acquisition on achieving desired performance outcomes directly facilitates an agency’s ability to ensure its needs are met by defining metrics to maintain and improve performance of the AI system or service. Performance-based techniques include:
A. Statements of Objectives (SOO) and Performance Work Statements (PWS). SOO and PWS provide agencies with more flexibility to acquire AI systems or services that meet agencies’ outcome-based needs, but may not meet unnecessary or overly-limiting requirements in Statements of Work (SOW).
B. Quality Assurance Surveillance Plans (QASP). QASPs can help agencies overcome challenges in defining relevant performance metrics pre-solicitation and can enable a more collaborative process for negotiating a QASP that meets agency needs and objects. Government personnel should be prepared to assume a more active role in performance monitoring.
C. Contract incentives. Contract incentives can be used to improve the performance and interoperability of AI systems and services. Incentives can be based on metrics and provisions in QASPs. When determining whether to include performance-based incentives, agencies must carefully consider whether the established metrics are correctly tied to desired business and mission outcomes, and whether they can adequately measure baseline performance of the AI systems or services.
c. Solicitation Development.
- AI Use Transparency Requirements. When practicable, agencies must disclose in solicitations whether a planned use of an AI system meets the threshold of a high-impact use case or if there is a reasonable likelihood for such a high-impact use case to occur during the life of the contract. Additionally, for AI systems with potential or expected high-impact use cases, agencies must inform vendors of reasonable transparency and documentation requirements that will be placed on the vendor to enable agency compliance with the requirements in OMB Memorandum M-25-21. For example, agencies should require sufficient descriptive information from vendors to complete the required AI Impact Assessment for high-impact use cases.
- Protections Against Vendor Lock-In. In general, agencies should include provisions in the solicitation reflecting the agency’s interest in AI proposals that reduce the risk of vendor lock-in, such as requirements regarding knowledge transfer, clear data and model portability practices, clear licensing terms, and pricing transparency.25
- IP Rights and Use of Government Data. Consistent with the processes developed pursuant to section 3(d) above, agencies must include appropriate terms related to IP rights and lawful use of government data.
24 This recommendation generally refers to approaches to storing and representing data and models in a manner that allows for them to be easily reused without an agency, or another vendor, having to spend additional money to perform burdensome data conversions, build an entirely separate or redundant storage system, or otherwise duplicative work that is not a cost-effective use of taxpayer dollars.
d. Selection and Award.
Testing and Evaluation. When evaluating proposals, agencies must, to the greatest extent practicable, test proposed solutions to understand the capabilities and limitations of any offered AI system or service. As part of this work, agencies should consider whether it is appropriate to create a testing environment in agency networks specifically to enable testing of proposed solutions on government-owned systems.
Opportunity and Risk Re-Evaluation. Prior to selection, agencies should assess proposals for potential new AI-related risks that were not previously identified and should review proposals for any challenges that might arise with compliance requirements identified in OMB Memorandum M-25-21.
Contract Terms. Consistent with law and government-wide policy, where applicable, agencies must include terms that address the following in contracts for AI systems and services:
25 To promote cost-effectiveness and foster competition, there are several vendor practices agencies can seek to leverage as evaluation criteria. Some examples include the use of well-defined application programming interfaces (APIs), particularly within acquired architectures, that promote interoperability with other elements of the technical stack; robust documentation regarding decisions related to foundational model development, coding languages used, testing scripts and protocols, and other decisions related to the development of AI tools in a developer experience framework that facilitates the transition of AI tools from one vendor to the next; open-source licenses to vendor’s products, including AI models, AI systems, AI services, and datasets; and transparent and non-discriminatory pricing practices. Examples of the latter practices include offering products without bulk pricing arrangements, tying arrangements, steering arrangements, minimum spend requirements, or other agreements that encourage consolidation of spending with one vendor or one group of vendors through fixed contract lengths, exclusive discounts, or other incentives; offering systems or services at uniform and publicly available prices and not engaging in self-preferencing; providing equal access on comparable terms to downstream businesses, such as by refraining from self-preferencing vertically integrated systems or services; and providing information about which subcontractors, including system integrators, were engaged, how they were selected, and how their involvement impacts price.
A. IP Rights and Use of Government Data. Terms on this subject must be consistent with the processes adopted by the agency per Section 3(d) above.
B. Privacy. Privacy considerations are described in Section 3(c) of this memorandum.
C. Vendor Lock-In Protections. As identified during solicitation development, terms on this subject are necessary to reduce the risk that switching vendors could become cost-prohibitive. Protections against vendor lock-in can vary, but include requirements for vendor knowledge transfers, data and model portability, providing agencies with rights to code and models produced in performance of a contract, and transparency in licensing and pricing.
D. OMB Memorandum M-25-21 Compliance Requirements. Contracts must ensure compliance with minimum risk management practices for high-impact use cases as required under M-25-21.
E. Ongoing Testing and Monitoring. Contractual terms must provide the contracting agency the ability to regularly monitor and evaluate (e.g., on a quarterly or biannual basis, based on the needs of the program) performance, risks, and effectiveness of an AI system or service. To achieve that outcome:
I. Agencies must use data they have defined (e.g., agency validation and testing datasets) when conducting any independent evaluations to ensure the AI system or service is fit for purpose. The data used when conducting independent evaluations should not be accessible to the vendor, and should be as similar as possible to the data used when the system is deployed;
II. Vendors must provide the access and time necessary for agencies to complete independent evaluation. Alternatively, agencies may allow vendors to complete that testing when most appropriate, but must closely monitor such instances and require testing results detailed enough for the testing to be independently verified or reproduced, if practicable; and
III. Contracts must detail the examination, testing, and validation procedures of the vendor and must not prohibit agencies from internally disclosing how the vendor conducts testing or the results of testing.
F. Vendor Performance Requirements. Federal agencies are encouraged to require vendors to regularly monitor an AI system’s performance and rectify behavior defined as unacceptable, require vendors to meet performance standards before deploying a new version of an AI system or service or to roll-back to a previous version if a new version fails to meet performance standards, and incentivize model satisfactory performance through performance-based contracting.
G. New Feature Notification. As required by Section 3(g), agencies should consider, where relevant, requiring vendors to provide a notification to relevant agency stakeholders prior to the integration of new AI enhancements, features, or components into systems and services being delivered under contract. Vendor notification to agencies should follow existing processes, where practicable, and should be determined by the relevant agency stakeholders. Agencies should also ensure, prior to release, that compliance requirements will be followed, consistent with OMB Memorandum M-25-21.
e. Contract Administration
i. Authorization To Operate Compliance. Consistent with the requirements of OMB Circular No. A-130 and other policies established pursuant to the Federal Information Security Modernization Act, any AI systems and services operated as an information system by or on behalf of an agency must receive an authorization to operate from an appropriate agency official prior to deployment. 26
ii. Contractual Oversight. Agencies must perform effective system oversight consistent with the terms of the contract. This includes monitoring system performance to ensure that any emerging risks to privacy, civil rights, and civil liberties are identified and mitigated as appropriate.
iii. Performance and Cost Justification. As part of contract administration, agencies should, to the extent practicable, arrange for periodic evaluation of the AI system or service’s value to the government. Such an evaluation should take into account comparative system effectiveness and efficiency for purpose, the risk associated with use, and any ongoing operation and maintenance costs. Where practicable, agencies should consider terms to solicit and incorporate feedback from end users, program managers, and other relevant stakeholders to inform modifications that continuously improve performance of the AI system or service in the context of the agency’s mission.
iv. Sunset Criteria. Where practicable, agencies should determine criteria for sunsetting the use of an AI system. Changes in costs, agency needs, vendor-proposed requirements, or model performance may signal that an agency should reconsider continued use.
f. Contract Closeout
Vendor Lock-In Protection. As soon as a decision is made not to extend a contract for an AI system or service, agencies should work with the vendor to implement any contractual terms related to ongoing rights and access to any data or derived products resulting from the services provided under the contract. This includes ensuring a mutual understanding of format and usability of any data, and any circumstances that could result in expiration of access, as well as a plan for conducting any transfers of data or other derived assets necessary per the terms of the contract.
26 See 44 U.S.C. § 3554 (making agency heads responsible for providing appropriate information security protections for Federal information and information systems); see also OMB Circular No. A-130, Appendix I § (4)(d) (requiring senior Federal officials at agencies to complete authorizations to operate for each information system).
Appendix I: Consolidated Table of Required Actions
| Responsible entity | Action | Section | Deadline |
| --- | --- | --- | --- |
| GSA, in coordination with OMB | Develop a plan to release a publicly available guide on their website to assist agencies with AI procurement. | 3(e) | 100 days |
| Each agency | Achieve full compliance with the guidance of this memorandum. | 2(c) | 180 days |
| Each agency | Include the process by which the agency will standardize the treatment of data ownership and IP rights in procurements for AI systems or services as part of policy and process updates. | 3(d) | 200 days |
| GSA, in coordination with OMB | Develop a web-based repository of tools and resources to enable AI procurement. | 3(f) | 200 days |