January 29, 2024

Bills in US Congress Would Require Federal Agencies and Vendors to Implement NIST AI Framework


Bipartisan, bicameral legislation in the US Congress would mandate the use of the National Institute of Standards and Technology’s (“NIST”) Artificial Intelligence Risk Management Framework (“Framework”) by federal agencies. H.R. 6936, the Federal Artificial Intelligence Risk Management Act of 2024, was introduced in the House earlier this month by Representatives Ted Lieu (D-CA-36), Zachary Nunn (R-IA-3), Donald Beyer (D-VA-08), and Marcus Molinaro (R-NY-19). Companion legislation, S. 3205, was introduced in the US Senate late last year by Senators Jerry Moran (R-KS) and Mark Warner (D-VA).

Legislative Language

Within one year of enactment, the bills would require the NIST Director to issue guidance for federal agencies to incorporate the Framework into their artificial intelligence risk management efforts. Of note, the bills would require the NIST guidance to include standards by which a supplier would have to attest compliance in order to be eligible for a federal artificial intelligence contract award. Within six months, the Office of Management and Budget would have to require the implementation of the Framework by federal agencies.

Under the bills, “artificial intelligence” is defined as:

… a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine and human-based inputs to-

(A) perceive real and virtual environments;

(B) abstract such perceptions into models through analysis in an automated manner; and

(C) use model inference to formulate options for information or action.

Impacts on Federal Vendors

Importantly, the bills would require vendors to federal agencies to adhere to the Framework. Specifically, the Administrator of Federal Procurement Policy would be required to issue draft contract language to federal agencies for use in procurement with suppliers of artificial intelligence. This language would require suppliers to adhere to specified actions that are “consistent with the Framework” (although the bills do not specify what these actions will be) and provide “appropriate access to data, models, and parameters…to enable sufficient test and evaluation, verification, and validation.”

Additionally, within a year of enactment, the Federal Acquisition Regulatory (“FAR”) Council would be required to issue regulations establishing requirements for the acquisition of artificial intelligence products, services, tools, and systems. Within this timeframe, the FAR Council would also be required to issue regulations creating standard solicitation provisions and contract clauses applicable to artificial intelligence acquisitions. These regulations would provide for risk-based compliance with the Framework.

Considerations for the Private Sector

The Framework, which was issued in January 2023, provides a set of voluntary best practices to the private sector for the development and use of artificial intelligence systems. It provides guidelines to identify risk stemming from artificial intelligence activities, as well as suggested processes to assess and manage that risk.

If enacted, the legislation would mark a significant shift by requiring the use of aspects of the Framework by private sector vendors to the federal government. Should the bills become law, federal vendors in the artificial intelligence space will need to rapidly develop adequate policies and procedures to ensure compliance with the Framework. A failure to do so could render the vendor ineligible to receive artificial intelligence-related contract awards. Private sector parties should pay close attention to any action on the bills by either the House of Representatives or the Senate. As evidenced by the bipartisan nature of the legislation in both chambers, congressional support exists for implementing artificial intelligence requirements on the private sector, and these bills may provide the basis to do so.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.