[Congressional Bills 118th Congress] [From the U.S. Government Publishing Office] [S. 4495 Introduced in Senate (IS)] <DOC> 118th CONGRESS 2d Session S. 4495 To enable safe, responsible, and agile procurement, development, and use of artificial intelligence by the Federal Government, and for other purposes. _______________________________________________________________________ IN THE SENATE OF THE UNITED STATES June 11, 2024 Mr. Peters (for himself and Mr. Tillis) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs _______________________________________________________________________ A BILL To enable safe, responsible, and agile procurement, development, and use of artificial intelligence by the Federal Government, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Promoting Responsible Evaluation and Procurement to Advance Readiness for Enterprise-wide Deployment for Artificial Intelligence Act'' or the ``PREPARED for AI Act''. SEC. 2. DEFINITIONS. In this Act: (1) Adverse incident.--The term ``adverse incident'' means any incident or malfunction of artificial intelligence that directly or indirectly leads to-- (A) harm impacting rights or safety, as described in section 7(a)(2)(D); (B) the death of an individual or damage to the health of an individual; (C) material or irreversible disruption of the management and operation of critical infrastructure, as described in section 7(a)(2)(D)(i)(II)(cc); (D) material damage to property or the environment; (E) loss of a mission-critical system or equipment; (F) failure of the mission of an agency; (G) the denial of a benefit, payment, or other service to an individual or group of individuals who would have otherwise been eligible; (H) the denial of an employment, contract, grant, or similar opportunity that would have otherwise been offered; or (I) another consequence, as determined by the Director with public notice. (2) Agency.--The term ``agency''-- (A) has the meaning given that term in section 3502(1) of title 44, United States Code; and (B) includes each of the independent regulatory agencies described in section 3502(5) of title 44, United States Code. (3) Artificial intelligence.--The term ``artificial intelligence''-- (A) has the meaning given that term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401); and (B) includes the artificial systems and techniques described in paragraphs (1) through (5) of section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115- 232; 10 U.S.C. 4061 note prec.). (4) Biometric data.--The term ``biometric data'' means data resulting from specific technical processing relating to the unique physical, physiological, or behavioral characteristics of an individual, including facial images, dactyloscopic data, physical movement and gait, breath, voice, DNA, blood type, and expression of emotion, thought, or feeling. (5) Commercial technology.--The term ``commercial technology''-- (A) means a technology, process, or method, including research or development; and (B) includes commercial products, commercial services, and other commercial items, as defined in the Federal Acquisition Regulation, including any addition or update thereto by the Federal Acquisition Regulatory Council. (6) Council.--The term ``Council'' means the Chief Artificial Intelligence Officers Council established under section 5(a). (7) Deployer.--The term ``deployer'' means an entity that operates or provides artificial intelligence, whether developed internally or by a third-party developer. (8) Developer.--The term ``developer'' means an entity that designs, codes, produces, or owns artificial intelligence. (9) Director.--The term ``Director'' means the Director of the Office of Management and Budget. (10) Impact assessment.--The term ``impact assessment'' means a structured process for considering the implications of a proposed artificial intelligence use case. (11) Operational design domain.--The term ``operational design domain'' means a set of operating conditions for an automated system. (12) Procure or obtain.--The term ``procure or obtain'' means-- (A) to acquire through contract actions awarded pursuant to the Federal Acquisition Regulation, including through interagency agreements, multi-agency use, and purchase card transactions; (B) to acquire through contracts and agreements awarded through other special procurement authorities, including through other transactions and commercial solutions opening authorities; or (C) to obtain through other means, including through open source platforms or freeware. (13) Relevant congressional committees.--The term ``relevant congressional committees'' means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Accountability of the House of Representatives. (14) Risk.--The term ``risk'' means the combination of the probability of an occurrence of harm and the potential severity of that harm. (15) Use case.--The term ``use case'' means the ways and context in which artificial intelligence is operated to perform a specific function. SEC. 3. IMPLEMENTATION OF REQUIREMENTS. (a) Agency Implementation.--Not later than 1 year after the date of enactment of this Act, the Director shall ensure that agencies have implemented the requirements of this Act. (b) Annual Briefing.--Not later than 180 days after the date of enactment of this Act, and annually thereafter, the Director shall brief the appropriate Congressional committees on implementation of this Act and related considerations. SEC. 4. PROCUREMENT OF ARTIFICIAL INTELLIGENCE. (a) Government-Wide Requirements.-- (1) In general.--Not later than 1 year after the date of enactment of this Act, the Federal Acquisition Regulatory Council shall review Federal Acquisition Regulation acquisition planning, source selection, and other requirements and update the Federal Acquisition Regulation as needed to ensure that agency procurement of artificial intelligence includes-- (A) a requirement to address the outcomes of the risk evaluation and impact assessments required under section 8(a); (B) a requirement for consultation with an interdisciplinary team of agency experts prior to, and throughout, as necessary, procuring or obtaining artificial intelligence; and (C) any other considerations determined relevant by the Federal Acquisition Regulatory Council. (2) Interdisciplinary team of experts.--The interdisciplinary team of experts described in paragraph (1)(B) may-- (A) vary depending on the use case and the risks determined to be associated with the use case; and (B) include technologists, information security personnel, domain experts, privacy officers, data officers, civil rights and civil liberties officers, contracting officials, legal counsel, customer experience professionals, and others. (3) Acquisition planning.--The acquisition planning updates described in paragraph (1) shall include considerations for, at minimum, as appropriate depending on the use case-- (A) data ownership and privacy; (B) data information security; (C) interoperability requirements; (D) data and model assessment processes; (E) scope of use; (F) ongoing monitoring techniques; (G) type and scope of artificial intelligence audits; (H) environmental impact; and (I) safety and security risk mitigation techniques, including a plan for how adverse event reporting can be incorporated, pursuant to section 5(g). (b) Requirements for High Risk Use Cases.-- (1) In general.-- (A) Establishment.--Beginning on the date that is 1 year after the date of enactment of this Act, the head of an agency may not procure or obtain artificial intelligence for a high risk use case, as defined in section 7(a)(2)(D), prior to establishing and incorporating certain terms into relevant contracts, agreements, and employee guidelines for artificial intelligence, including-- (i) a requirement that the use of the artificial intelligence be limited to its operational design domain; (ii) requirements for safety, security, and trustworthiness, including-- (I) a reporting mechanism through which agency personnel are notified by the deployer of any adverse incident; (II) a requirement, in accordance with section 5(g), that agency personnel receive from the deployer a notification of any adverse incident, an explanation of the cause of the adverse incident, and any data directly connected to the adverse incident in order to address and mitigate the harm; and (III) that the agency has the right to temporarily or permanently suspend use of the artificial intelligence if-- (aa) the risks of the artificial intelligence to rights or safety become unacceptable, as determined under the agency risk classification system pursuant to section 7; or (bb) on or after the date that is 180 days after the publication of the most recently updated version of the framework developed and updated pursuant to section 22(A)(c) of the National Institute of Standards and Technology Act (15 U.S.C. 278h-1(c)), the deployer is found not to comply with such most recent update; (iii) requirements for quality, relevance, sourcing and ownership of data, as appropriate by use case, and applicable unless the head of the agency waives such requirements in writing, including-- (I) retention of rights to Government data and any modification to the data including to protect the data from unauthorized disclosure and use to subsequently train or improve the functionality of commercial products offered by the deployer, any relevant developers, or others; and (II) a requirement that the deployer and any relevant developers or other parties isolate Government data from all other data, through physical separation, electronic separation via secure copies with strict access controls, or other computational isolation mechanisms; (iv) requirements for evaluation and testing of artificial intelligence based on use case, to be performed on an ongoing basis; and (v) requirements that the deployer and any relevant developers provide documentation, as determined necessary and requested by the agency, in accordance with section 8(b). (B) Review.--The Senior Procurement Executive, in coordination with the Chief Artificial Intelligence Officer, shall consult with technologists, information security personnel, domain experts, privacy officers, data officers, civil rights and civil liberties officers, contracting officials, legal counsel, customer experience professionals, and other relevant agency officials to review the requirements described in clauses (i) through (v) of subparagraph (A) and determine whether it may be necessary to incorporate additional requirements into relevant contracts or agreements. (C) Regulation.--The Federal Acquisition Regulatory Council shall revise the Federal Acquisition Regulation as necessary to implement the requirements of this subsection. (2) Rules of construction.--This Act shall supersede any requirements that conflict with this Act under the guidance required to be produced by the Director pursuant to section 7224(d) of the Advancing American AI Act (40 U.S.C. 11301 note). SEC. 5. INTERAGENCY GOVERNANCE OF ARTIFICIAL INTELLIGENCE. (a) Chief Artificial Intelligence Officers Council.--Not later than 60 days after the date of enactment of this Act, the Director shall establish a Chief Artificial Intelligence Officers Council. (b) Duties.--The duties of the Council shall include-- (1) coordinating agency development and use of artificial intelligence in agency programs and operations, including practices relating to the design, operation, risk management, and performance of artificial intelligence; (2) sharing experiences, ideas, best practices, and innovative approaches relating to artificial intelligence; and (3) assisting the Director, as necessary, with respect to-- (A) the identification, development, and coordination of multi-agency projects and other initiatives, including initiatives to improve Government performance; (B) the management of risks relating to developing, obtaining, or using artificial intelligence, including by developing a common template to guide agency Chief Artificial Intelligence Officers in implementing a risk classification system that may incorporate best practices, such as those from-- (i) the most recently updated version of the framework developed and updated pursuant to section 22A(c) of the National Institute of Standards and Technology Act (15 U.S.C. 278h- 1(c)); and (ii) the report published by the Government Accountability Office entitled ``Artificial Intelligence: An Accountability Framework for Federal Agencies and Other Entities'' (GAO-21- 519SP), published on June 30, 2021; (C) promoting the development and use of efficient, effective, common, shared, or other approaches to key processes that improve the delivery of services for the public; and (D) soliciting and providing perspectives on matters of concern, including from and to-- (i) interagency councils; (ii) Federal Government entities; (iii) private sector, public sector, nonprofit, and academic experts; (iv) State, local, Tribal, territorial, and international governments; and (v) other individuals and entities, as determined relevant by the Council. (c) Membership of the Council.-- (1) Co-chairs.--The Council shall have 2 co-chairs, which shall be-- (A) the Director; and (B) an individual selected by a majority of the members of the Council. (2) Members.--Other members of the Council shall include-- (A) the Chief Artificial Intelligence Officer of each agency; and (B) the senior official for artificial intelligence of the Office of Management and Budget. (d) Standing Committees; Working Groups.--The Council shall have the authority to establish standing committees, including an executive committee, and working groups. (e) Council Staff.--The Council may enter into an interagency agreement with the Administrator of General Services for shared services for the purpose of staffing the Council. (f) Development, Adaptation, and Documentation.-- (1) Guidance.--Not later than 90 days after the date of enactment of this Act, the Director, in consultation with the Council, shall issue guidance relating to-- (A) developments in artificial intelligence and implications for management of agency programs; (B) the agency impact assessments described in section 8(a) and other relevant impact assessments as determined appropriate by the Director, including the appropriateness of substituting pre-existing assessments, including privacy impact assessments, for purposes of an artificial intelligence impact assessment; (C) documentation for agencies to require from deployers of artificial intelligence; (D) a model template for the explanations for use case risk classifications that each agency must provide under section 8(a)(4); and (E) other matters, as determined relevant by the Director. (2) Annual review.--The Director, in consultation with the Council, shall periodically, but not less frequently than annually, review and update, as needed, the guidelines issued under paragraph (1). (g) Incident Reporting.-- (1) In general.--Not later than 180 days after the date of enactment of this Act, the Director, in consultation with the Council, shall develop procedures for ensuring that-- (A) adverse incidents involving artificial intelligence procured, obtained, or used by agencies are reported promptly to the agency by the developer or deployer, or to the developer or deployer by the agency, whichever first becomes aware of the adverse incident; and (B) information relating to an adverse incident described in subparagraph (A) is appropriately shared among agencies. (2) Single report.--Adverse incidents also qualifying for incident reporting under section 3554 of title 44, United States Code, or other relevant laws or policies, may be reported under such other reporting requirement and are not required to be additionally reported under this subsection. (3) Notice to deployer.-- (A) In general.--If an adverse incident is discovered by an agency, the agency shall report the adverse incident to the deployer and the deployer, in consultation with any relevant developers, shall take immediate action to resolve the adverse incident and mitigate the potential for future adverse incidents. (B) Waiver.-- (i) In general.--Unless otherwise required by law, the head of an agency may issue a written waiver that waives the applicability of some or all of the requirements under subparagraph (A), with respect to a specific adverse incident. (ii) Written waiver contents.--A written waiver under clause (i) shall include justification for the waiver. (iii) Notice.--The head of an agency shall forward advance notice of any waiver under this subparagraph to the Director, or the designee of the Director. SEC. 6. AGENCY GOVERNANCE OF ARTIFICIAL INTELLIGENCE. (a) In General.--The head of an agency shall-- (1) ensure the responsible adoption of artificial intelligence, including by-- (A) articulating a clear vision of what the head of the agency wants to achieve by developing, procuring or obtaining, or using artificial intelligence; (B) ensuring the agency develops, procures, obtains, or uses artificial intelligence that follows the principles of trustworthy artificial intelligence in government set forth under Executive Order 13960 (85 Fed. Reg. 78939; relating to promoting the use of trustworthy artificial intelligence in Federal Government) and the principles for safe, secure, and trustworthy artificial intelligence in government set forth under section 2 of Executive Order 14110 (88 Fed. Reg. 75191; relating to the safe, secure, and trustworthy development and use of artificial intelligence); (C) testing, validating, and monitoring artificial intelligence and the use case-specific performance of artificial intelligence, among others, to-- (i) ensure all use of artificial intelligence is appropriate to and improves the effectiveness of the mission of the agency; (ii) guard against bias in data collection, use, and dissemination; (iii) ensure reliability, fairness, and transparency; and (iv) protect against impermissible discrimination; (D) developing, adopting, and applying a suitable enterprise risk management framework approach to artificial intelligence, incorporating the requirements under this Act; (E) continuing to develop a workforce that-- (i) understands the strengths and weaknesses of artificial intelligence, including artificial intelligence embedded in agency data systems and operations; (ii) is aware of the benefits and risk of artificial intelligence; (iii) is able to provide human oversight for the design, implementation, and end uses of artificial intelligence; and (iv) is able to review and provide redress for erroneous decisions made in the course of artificial intelligence-assisted processes; and (F) ensuring implementation of the requirements under section 8(a) for the identification and evaluation of risks posed by the deployment of artificial intelligence in agency use cases; (2) designate a Chief Artificial Intelligence Officer, whose duties shall include-- (A) ensuring appropriate use of artificial intelligence; (B) coordinating agency use of artificial intelligence; (C) promoting artificial intelligence innovation; (D) managing the risks of use of artificial intelligence; (E) supporting the head of the agency with developing the risk classification system required under section 7(a) and complying with other requirements of this Act; and (F) supporting agency personnel leading the procurement and deployment of artificial intelligence to comply with the requirements under this Act; and (3) form and convene an Artificial Intelligence Governance Board, as described in subsection (b), which shall coordinate and govern artificial intelligence issues across the agency. (b) Artificial Intelligence Governance Board.-- (1) Leadership.--Each Artificial Intelligence Governance Board (referred to in this subsection as ``Board'') of an agency shall be chaired by the Deputy Secretary of the agency or equivalent official and vice-chaired by the Chief Artificial Intelligence Officer of the agency. Neither the chair nor the vice-chair may assign or delegate these roles to other officials. (2) Representation.--The Board shall, at a minimum, include representatives comprised of senior agency officials from operational components, if relevant, program officials responsible for implementing artificial intelligence, and officials responsible for information technology, data, privacy, civil rights and civil liberties, human capital, procurement, finance, legal counsel, and customer experience. (3) Existing bodies.--An agency may rely on an existing governance body to fulfill the requirements of this subsection if the body satisfies or is adjusted to satisfy the leadership and representation requirements of paragraphs (1) and (2). (c) Designation of Chief Artificial Intelligence Officer.--The head of an agency may designate as Chief Artificial Intelligence Officer an existing official within the agency, including the Chief Technology Officer, Chief Data Officer, Chief Information Officer, or other official with relevant or complementary authorities and responsibilities, if such existing official has expertise in artificial intelligence and meets the requirements of this section. (d) Effective Date.--Beginning on the date that is 120 days after the date of enactment of this Act, an agency shall not develop or procure or obtain artificial intelligence prior to completing the requirements under paragraphs (2) and (3) of subsection (a). SEC. 7. AGENCY RISK CLASSIFICATION OF ARTIFICIAL INTELLIGENCE USE CASES FOR PROCUREMENT AND USE. (a) Risk Classification System.-- (1) Development.--The head of each agency shall be responsible for developing, not later than 1 year after the date of enactment of this Act, a risk classification system for agency use cases of artificial intelligence, without respect to whether artificial intelligence is embedded in a commercial product. (2) Requirements.-- (A) Risk classifications.--The risk classification system under paragraph (1) shall, at a minimum, include unacceptable, high, medium, and low risk classifications. (B) Factors for risk classifications.--In developing the risk classifications under subparagraph (A), the head of the agency shall consider the following: (i) Mission and operation.--The mission and operations of the agency. (ii) Scale.--The seriousness and probability of adverse impacts. (iii) Scope.--The breadth of application, such as the number of individuals affected. (iv) Optionality.--The degree of choice that an individual, group, or entity has as to whether to be subject to the effects of artificial intelligence. (v) Standards and frameworks.--Standards and frameworks for risk classification of use cases that support democratic values, such as the standards and frameworks developed by the National Institute of Standards and Technology, the International Standards Organization, and the Institute of Electrical and Electronics Engineers. (C) Classification variance.-- (i) Certain lower risk use cases.--The risk classification system may allow for an operational use case to be categorized under a lower risk classification, even if the use case is a part of a larger area of the mission of the agency that is categorized under a higher risk classification. (ii) Changes based on testing or new information.--The risk classification system may allow for changes to the risk classification of an artificial intelligence use case based on the results from procurement process testing or other information that becomes available. (D) High risk use cases.-- (i) In general.--High risk classification shall, at a minimum, apply to use cases for which the outputs of the system-- (I) are presumed to serve as a principal basis for a decision or action that has a legal, material, binding, or similarly significant effect, with respect to an individual or community, on-- (aa) civil rights, civil liberties, or privacy; (bb) equal opportunities, including in access to education, housing, insurance, credit, employment, and other programs where civil rights and equal opportunity protections apply; or (cc) access to or the ability to apply for critical government resources or services, including healthcare, financial services, public housing, social services, transportation, and essential goods and services; or (II) are presumed to serve as a principal basis for a decision that substantially impacts the safety of, or has the potential to substantially impact the safety of-- (aa) the well-being of an individual or community, including loss of life, serious injury, bodily harm, biological or chemical harms, occupational hazards, harassment or abuse, or mental health; (bb) the environment, including irreversible or significant environmental damage; (cc) critical infrastructure, including the critical infrastructure sectors defined in Presidential Policy Directive 21, entitled ``Critical Infrastructure Security and Resilience'' (dated February 12, 2013) (or any successor directive) and the infrastructure for voting and protecting the integrity of elections; or (dd) strategic assets or resources, including high-value property and information marked as sensitive or classified by the Federal Government and controlled unclassified information. (ii) Additions.--The head of each agency shall add other use cases to the high risk category, as appropriate. (E) Medium and low risk use cases.--If a use case is not high risk, as described in subparagraph (D), the head of an agency shall have the discretion to define the risk classification. (F) Unacceptable risk.--If an agency identifies, through testing, adverse incident, or other means or information available to the agency, that a use or outcome of an artificial intelligence use case is a clear threat to human safety or rights that cannot be adequately or practicably mitigated, the agency shall identify the risk classification of that use case as unacceptable risk. (3) Transparency.--The risk classification system under paragraph (1) shall be published on a public-facing website, with the methodology used to determine different risk levels and examples of particular use cases for each category in language that is easy to understand to the people affected by the decisions and outcomes of artificial intelligence. (b) Effective Date.--This section shall take effect on the date that is 180 days after the date of enactment of this Act, on and after which an agency that has not complied with the requirements of this section may not develop, procure or obtain, or use artificial intelligence until the agency complies with such requirements. SEC. 8. AGENCY REQUIREMENTS FOR USE OF ARTIFICIAL INTELLIGENCE. (a) Risk Evaluation Process.-- (1) In general.--Not later than 180 days after the effective date in section 7(b), the Chief Artificial Intelligence Officer of each agency, in coordination with the Artificial Intelligence Governance Board of the agency, shall develop and implement a process for the identification and evaluation of risks posed by the deployment of artificial intelligence in agency use cases to ensure an interdisciplinary and comprehensive evaluation of potential risks and determination of risk classifications under such section. (2) Process requirements.--The risk evaluation process described in paragraph (1), shall include, for each artificial intelligence use case-- (A) identification of the risks and benefits of the artificial intelligence use case; (B) a plan to periodically review the artificial intelligence use case to examine whether risks have changed or evolved and to update the corresponding risk classification as necessary; (C) a determination of the need for targeted impact assessments to further evaluate specific risks of the artificial intelligence use case within certain impact areas, which shall include privacy, security, civil rights and civil liberties, accessibility, environmental impact, health and safety, and any other impact area relating to high risk classification under section 7(a)(2)(D) as determined appropriate by the Chief Artificial Intelligence Officer; and (D) if appropriate, consultation with and feedback from affected communities and the public on the design, development, and use of the artificial intelligence use case. (3) Review.-- (A) Existing use cases.--With respect to each use case that an agency is planning, developing, or using on the date of enactment of this Act, not later than 1 year after such date, the Chief Artificial Intelligence Officer of the agency shall identify and review the use case to determine the risk classification of the use case, pursuant to the risk evaluation process under paragraphs (1) and (2). (B) New use cases.-- (i) In general.--Beginning on the date of enactment of this Act, the Chief Artificial Intelligence Officer of an agency shall identify and review any artificial intelligence use case that the agency will plan, develop, or use and determine the risk classification of the use case, pursuant to the risk evaluation process under paragraphs (1) and (2), before procuring or obtaining, developing, or using the use case. (ii) Development.--For any use case described in clause (i) that is developed by the agency, the agency shall perform an additional risk evaluation prior to deployment in a production or operational environment. (4) Rationale for risk classification.--Risk classification of an artificial intelligence use case shall be accompanied by an explanation from the agency of how the risk classification was determined, which shall be included in the artificial intelligence use case inventory of the agency, and written referencing the model template developed by the Director under section 5(f)(1)(D). (b) Model Card Documentation Requirements.-- (1) In general.--Beginning on the date that is 180 days after the date of enactment of this Act, any time during developing, procuring or obtaining, or using artificial intelligence, an agency shall require, as determined necessary by the Chief Artificial Intelligence Officer, that the deployer and any relevant developer submit documentation about the artificial intelligence, including-- (A) a description of the architecture of the artificial intelligence, highlighting key parameters, design choices, and the machine learning techniques employed; (B) information on the training of the artificial intelligence, including computational resources utilized; (C) an account of the source of the data, size of the data, any licenses under which the data is used, collection methods and dates of the data, and any preprocessing of the data undertaken, including human or automated refinement, review, or feedback; (D) information on the management and collection of personal data, outlining data protection and privacy measures adhered to in compliance with applicable laws; (E) a description of the methodologies used to evaluate the performance of the artificial intelligence, including key metrics and outcomes; and (F) an estimate of the energy consumed by the artificial intelligence during training and inference. (2) Additional documentation for medium and high risk use cases.--Beginning on the date that is 270 days after the date of enactment of this Act, with respect to use cases categorized as medium risk or higher, an agency shall require that the deployer of artificial intelligence, in consultation with any relevant developers, submit (including proactively, as material updates of the artificial intelligence occur) the following documentation: (A) Model architecture.--Detailed information on the model or models used in the artificial intelligence, including model date, model version, model type, key parameters (including number of parameters), interpretability measures, and maintenance and updating policies. (B) Advanced training details.--A detailed description of training algorithms, methodologies, optimization techniques, computational resources, and the environmental impact of the training process. (C) Data provenance and integrity.--A detailed description of the training and testing data, including the origins, collection methods, preprocessing steps, and demographic distribution of the data, and known discriminatory impacts and mitigation measures with respect to the data. (D) Privacy and data protection.--Detailed information on data handling practices, including compliance with legal standards, anonymization techniques, data security measures, and whether and how permission for use of data is obtained. (E) Rigorous testing and oversight.--A comprehensive disclosure of performance evaluation metrics, including accuracy, precision, recall, and fairness metrics, and test dataset results. (F) NIST artificial intelligence risk management framework.--Documentation demonstrating compliance with the most recently updated version of the framework developed and updated pursuant to section 22A(c) of the National Institute of Standards and Technology Act (15 U.S.C. 278h-1(c)). (3) Review of requirements.--Not later than 1 year after the date of enactment of this Act, the Comptroller General shall conduct a review of the documentation requirements under paragraphs (1) and (2) to-- (A) examine whether agencies and deployers are complying with the requirements under those paragraphs; and (B) make findings and recommendations to further assist in ensuring safe, responsible, and efficient artificial intelligence. (4) Security of provided documentation.--The head of each agency shall ensure that appropriate security measures and access controls are in place to protect documentation provided pursuant to this section. (c) Information and Use Protections.--Information provided to an agency under subsection (b)(3) is exempt from disclosure under section 552 of title 5, United States Code (commonly known as the ``Freedom of Information Act'') and may be used by the agency, consistent with otherwise applicable provisions of Federal law, solely for-- (1) assessing the ability of artificial intelligence to achieve the requirements and objectives of the agency and the requirements of this Act; and (2) identifying-- (A) adverse effects of artificial intelligence on the rights or safety factors identified in section 7(a)(2)(D); (B) cyber threats, including the sources of the cyber threats; and (C) security vulnerabilities. (d) Pre-Deployment Requirements for High Risk Use Cases.--Beginning on the date that is 1 year after the date of enactment of this Act, the head of an agency shall not deploy or use artificial intelligence for a high risk use case prior to-- (1) collecting documentation of the artificial intelligence, source, and use case in agency software and use case inventories; (2) testing of the artificial intelligence in an operational, real-world setting with privacy, civil rights, and civil liberty safeguards to ensure the artificial intelligence is capable of meeting its objectives; (3) establishing appropriate agency rules of behavior for the use case, including required human involvement in, and user-facing explainability of, decisions made in whole or part by the artificial intelligence, as determined by the Chief Artificial Intelligence Officer in coordination with the program manager or equivalent agency personnel; and (4) establishing appropriate agency training programs, including documentation of completion of training prior to use of artificial intelligence, that educate agency personnel involved with the application of artificial intelligence in high risk use cases on the capacities and limitations of artificial intelligence, including training on-- (A) monitoring the operation of artificial intelligence in high risk use cases to detect and address anomalies, dysfunctions, and unexpected performance in a timely manner to mitigate harm; (B) lessening reliance or over-reliance on the output produced by artificial intelligence in a high risk use case, particularly if artificial intelligence is used to make decisions impacting individuals; (C) accurately interpreting the output of artificial intelligence, particularly considering the characteristics of the system and the interpretation tools and methods available; (D) when to not use, disregard, override, or reverse the output of artificial intelligence; (E) how to intervene or interrupt the operation of artificial intelligence; (F) limiting the use of artificial intelligence to its operational design domain; and (G) procedures for reporting incidents involving misuse, faulty results, safety and security issues, and other problems with use of artificial intelligence that does not function as intended. (e) Ongoing Monitoring of Artificial Intelligence in High Risk Use Cases.--The Chief Artificial Intelligence Officer of each agency shall-- (1) establish a reporting system, consistent with section 5(g), and suspension and shut-down protocols for defects or adverse impacts of artificial intelligence, and conduct ongoing monitoring, as determined necessary by use case; (2) oversee the development and implementation of ongoing testing and evaluation processes for artificial intelligence in high risk use cases to ensure continued mitigation of the potential risks identified in the risk evaluation process; (3) implement a process to ensure that risk mitigation efforts for artificial intelligence are reviewed not less than annually and updated as necessary to account for the development of new versions of artificial intelligence and changes to the risk profile; and (4) adhere to pre-deployment requirements under subsection (d) in each case in which a low or medium risk artificial intelligence use case becomes a high risk artificial intelligence use case. (f) Exemption From Requirements for Select Use Cases.--The Chief Artificial Intelligence Officer of each agency-- (1) may designate select, low risk use cases, including current and future use cases, that do not have to comply with all or some of the requirements in this Act; and (2) shall publicly disclose all use cases exempted under paragraph (1) with a justification for each exempted use case. (g) Exception.--The requirements under subsections (a) and (b) shall not apply to an algorithm software update, enhancement, derivative, correction, defect, or fix for artificial intelligence that does not materially change the compliance of the deployer with the requirements of those subsections, unless determined otherwise by the agency Chief Artificial Intelligence Officer. (h) Waivers.-- (1) In general.--The head of an agency, on a case by case basis, may waive 1 or more requirements under subsection (d) for a specific use case after making a written determination, based upon a risk assessment conducted by a human with respect to the specific use case, that fulfilling the requirement or requirements prior to procuring or obtaining, developing, or using artificial intelligence would increase risks to safety or rights overall or would create an unacceptable impediment to critical agency operations. (2) Requirements; limitations.--A waiver under this subsection shall be-- (A) in the national security interests of the United States, as determined by the head of the agency; (B) submitted to the relevant congressional committees not later than 15 days after the head of the agency grants the waiver; and (C) limited to a duration of 1 year, at which time the head of the agency may renew the waiver and submit the renewed waiver to the relevant congressional committees. (i) Infrastructure Security.--The head of an agency, in consultation with the agency Chief Artificial Intelligence Officer, Chief Information Officer, Chief Data Officer, and other relevant agency officials, shall reevaluate infrastructure security protocols based on the artificial intelligence use cases and associated risks to infrastructure security of the agency. (j) Compliance Deadline.--Not later than 270 days after the date of enactment of this Act, the requirements of subsections (a) through (i) of this section shall apply with respect to artificial intelligence that is already in use on the date of enactment of this Act. SEC. 9. PROHIBITION ON SELECT ARTIFICIAL INTELLIGENCE USE CASES. No agency may develop, procure or obtain, or use artificial intelligence for-- (1) mapping facial biometric features of an individual to assign corresponding emotion and potentially take action against the individual; (2) categorizing and taking action against an individual based on biometric data of the individual to deduce or infer race, political opinion, religious or philosophical beliefs, trade union status, sexual orientation, or other personal trait; (3) evaluating, classifying, rating, or scoring the trustworthiness or social standing of an individual based on multiple data points and time occurrences related to the social behavior of the individual in multiple contexts or known or predicted personal or personality characteristics in a manner that may lead to discriminatory outcomes; or (4) any other use found by the agency to pose an unacceptable risk under the risk classification system of the agency, pursuant to section 7. SEC. 10. AGENCY PROCUREMENT INNOVATION LABS. (a) In General.--An agency subject to the Chief Financial Officers Act of 1990 (31 U.S.C. 901 note; Public Law 101-576) that does not have a Procurement Innovation Lab on the date of enactment of this Act should consider establishing a lab or similar mechanism to test new approaches, share lessons learned, and promote best practices in procurement, including for commercial technology, such as artificial intelligence, that is trustworthy and best-suited for the needs of the agency. (b) Functions.--The functions of the Procurement Innovation Lab or similar mechanism should include-- (1) providing leadership support as well as capability and capacity to test, document, and help agency programs adopt new and better practices through all stages of the acquisition lifecycle, beginning with project definition and requirements development; (2) providing the workforce of the agency with a clear pathway to test and document new acquisition practices and facilitate fresh perspectives on existing practices; (3) helping programs and integrated project teams successfully execute emerging and well-established acquisition practices to achieve better results; and (4) promoting meaningful collaboration among offices that are responsible for requirements development, contracting officers, and others, including financial and legal experts, that share in the responsibility for making a successful procurement. (c) Structure.--An agency should consider placing the Procurement Innovation Lab or similar mechanism as a supporting arm of the Chief Acquisition Officer or Senior Procurement Executive of the agency and shall have wide latitude in structuring the Procurement Innovation Lab or similar mechanism and in addressing associated personnel staffing issues. SEC. 11. MULTI-PHASE COMMERCIAL TECHNOLOGY TEST PROGRAM. (a) Test Program.--The head of an agency may procure commercial technology through a multi-phase test program of contracts in accordance with this section. (b) Purpose.--A test program established under this section shall-- (1) provide a means by which an agency may post a solicitation, including for a general need or area of interest, for which the agency intends to explore commercial technology solutions and for which an offeror may submit a bid based on existing commercial capabilities of the offeror with minimal modifications or a technology that the offeror is developing for commercial purposes; and (2) use phases, as described in subsection (c), to minimize government risk and incentivize competition. (c) Contracting Procedures.--Under a test program established under this section, the head of an agency may acquire commercial technology through a competitive evaluation of proposals resulting from general solicitation in the following phases: (1) Phase 1 (viability of potential solution).--Selectees may be awarded a portion of the total contract award and have a period of performance of not longer than 1 year to prove the merits, feasibility, and technological benefit the proposal would achieve for the agency. (2) Phase 2 (major details and scaled test).--Selectees may be awarded a portion of the total contract award and have a period of performance of not longer than 1 year to create a detailed timeline, establish an agreeable intellectual property ownership agreement, and implement the proposal on a small scale. (3) Phase 3 (implementation or recycle).-- (A) In general.--Following successful performance on phase 1 and 2, selectees may be awarded up to the full remainder of the total contract award to implement the proposal, depending on the agreed upon costs and the number of contractors selected. (B) Failure to find suitable selectees.--If no selectees are found suitable for phase 3, the agency head may determine not to make any selections for phase 3, terminate the solicitation and utilize any remaining funds to issue a modified general solicitation for the same area of interest. (d) Treatment as Competitive Procedures.--The use of general solicitation competitive procedures for a test program under this section shall be considered to be use of competitive procedures as defined in section 152 of title 41, United States Code. (e) Limitation.--The head of an agency shall not enter into a contract under the test program for an amount in excess of $25,000,000. (f) Guidance.-- (1) Federal acquisition regulatory council.--The Federal Acquisition Regulatory Council shall revise the Federal Acquisition Regulation as necessary to implement this section, including requirements for each general solicitation under a test program to be made publicly available through a means that provides access to the notice of the general solicitation through the System for Award Management or subsequent government-wide point of entry, with classified solicitations posted to the appropriate government portal. (2) Agency procedures.--The head of an agency may not award contracts under a test program until the agency issues guidance with procedures for use of the authority. The guidance shall be issued in consultation with the relevant Acquisition Regulatory Council and shall be publicly available. (g) Sunset.--The authority for a test program under this section shall terminate on the date that is 5 years after the date the Federal Acquisition Regulation is revised pursuant to subsection (f)(1) to implement the program. SEC. 12. RESEARCH AND DEVELOPMENT PROJECT PILOT PROGRAM. (a) Pilot Program.--The head of an agency may carry out research and prototype projects in accordance with this section. (b) Purpose.--A pilot program established under this section shall provide a means by which an agency may-- (1) carry out basic, applied, and advanced research and development projects; and (2) carry out prototype projects that address-- (A) a proof of concept, model, or process, including a business process; (B) reverse engineering to address obsolescence; (C) a pilot or novel application of commercial technologies for agency mission purposes; (D) agile development activity; (E) the creation, design, development, or demonstration of operational utility; or (F) any combination of items described in subparagraphs (A) through (E). (c) Contracting Procedures.--Under a pilot program established under this section, the head of an agency may carry out research and prototype projects-- (1) using small businesses to the maximum extent practicable; (2) using cost sharing arrangements where practicable; (3) tailoring intellectual property terms and conditions relevant to the project and commercialization opportunities; and (4) ensuring that such projects do not duplicate research being conducted under existing agency programs. (d) Treatment as Competitive Procedures.--The use of research and development contracting procedures under this section shall be considered to be use of competitive procedures, as defined in section 152 of title 41, United States Code. (e) Treatment as Commercial Technology.--The use of research and development contracting procedures under this section shall be considered to be use of commercial technology, as defined in section 2. (f) Follow-On Projects or Phases.--A follow-on contract provided for in a contract opportunity announced under this section may, at the discretion of the head of the agency, be awarded to a participant in the original project or phase if the original project or phase was successfully completed. (g) Limitation.--The head of an agency shall not enter into a contract under the pilot program for an amount in excess of $10,000,000. (h) Guidance.-- (1) Federal acquisition regulatory council.--The Federal Acquisition Regulatory Council shall revise the Federal Acquisition Regulation research and development contracting procedures as necessary to implement this section, including requirements for each research and development project under a pilot program to be made publicly available through a means that provides access to the notice of the opportunity through the System for Award Management or subsequent government-wide point of entry, with classified solicitations posted to the appropriate government portal. (2) Agency procedures.--The head of an agency may not award contracts under a pilot program until the agency, in consultation with the relevant Acquisition Regulatory Council issues and makes publicly available guidance on procedures for use of the authority. (i) Reporting.--Contract actions entered into under this section shall be reported to the Federal Procurement Data System, or any successor system. (j) Sunset.--The authority for a pilot program under this section shall terminate on the date that is 5 years from the date the Federal Acquisition Regulation is revised pursuant to subsection (h)(1) to implement the program. SEC. 13. DEVELOPMENT OF TOOLS AND GUIDANCE FOR TESTING AND EVALUATING ARTIFICIAL INTELLIGENCE. (a) Agency Report Requirements.--In a manner specified by the Director, the Chief Artificial Intelligence Officer shall identify and annually submit to the Council a report on obstacles encountered in the testing and evaluation of artificial intelligence, specifying-- (1) the nature of the obstacles; (2) the impact of the obstacles on agency operations, mission achievement, and artificial intelligence adoption; (3) recommendations for addressing the identified obstacles, including the need for particular resources or guidance to address certain obstacles; and (4) a timeline that would be needed to implement proposed solutions. (b) Council Review and Collaboration.-- (1) Annual review.--Not less frequently than annually, the Council shall conduct a review of agency reports under subsection (a) to identify common challenges and opportunities for cross-agency collaboration. (2) Development of tools and guidance.-- (A) In general.--Not later than 2 years after the date of enactment of this Act, the Director, in consultation with the Council, shall convene a working group to-- (i) develop tools and guidance to assist agencies in addressing the obstacles that agencies identify in the reports under subsection (a); (ii) support interagency coordination to facilitate the identification and use of relevant voluntary standards, guidelines, and other consensus-based approaches for testing and evaluation and other relevant areas; and (iii) address any additional matters determined appropriate by the Director. (B) Working group membership.--The working group described in subparagraph (A) shall include Federal interdisciplinary personnel, such as technologists, information security personnel, domain experts, privacy officers, data officers, civil rights and civil liberties officers, contracting officials, legal counsel, customer experience professionals, and others, as determined by the Director. (3) Information sharing.--The Director, in consultation with the Council, shall establish a mechanism for sharing tools and guidance developed under paragraph (2) across agencies. (c) Congressional Reporting.-- (1) In general.--Each agency shall submit the annual report under subsection (a) to relevant congressional committees. (2) Consolidated report.--The Director, in consultation with the Council, may suspend the requirement under paragraph (1) and submit to the relevant congressional committees a consolidated report that conveys government-wide testing and evaluation challenges, recommended solutions, and progress toward implementing recommendations from prior reports developed in fulfillment of this subsection. (d) Sunset.--The requirements under this section shall terminate on the date that is 10 years after the date of enactment of this Act. SEC. 14. UPDATES TO ARTIFICIAL INTELLIGENCE USE CASE INVENTORIES. (a) Amendments.-- (1) Advancing american ai act.--The Advancing American AI Act (Public Law 117-263; 40 U.S.C. 11301 note) is amended-- (A) in section 7223(3), by striking the period and inserting ``and in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401).''; and (B) in section 7225, by striking subsection (d). (2) Executive order 13960.--The provisions of section 5 of Executive Order 13960 (85 Fed. Reg. 78939; relating to promoting the use of trustworthy artificial intelligence in Federal Government) that exempt classified and sensitive use cases from agency inventories of artificial intelligence use cases shall cease to have legal effect. (b) Compliance.-- (1) In general.--The Director shall ensure that agencies submit artificial intelligence use case inventories and that the inventories comply with applicable artificial intelligence inventory guidance. (2) Annual report.--The Director shall submit to the relevant congressional committees an annual report on agency compliance with artificial intelligence inventory guidance. (c) Disclosure.-- (1) In general.--The artificial intelligence inventory of each agency shall publicly disclose-- (A) whether artificial intelligence was developed internally by the agency or procured externally, without excluding any use case on basis that the use case is ``sensitive'' solely because it was externally procured; (B) data provenance information, including identifying the source of the training data of the artificial intelligence, including internal government data, public data, commercially held data, or similar data; (C) the level of risk at which the agency has classified the artificial intelligence use case and a brief explanation for how the determination was made; (D) a list of targeted impact assessments conducted pursuant to section 7(a)(2)(C); and (E) the number of artificial intelligence use cases excluded from public reporting as being ``sensitive.'' (2) Updates.-- (A) In general.--When an agency updates the public artificial intelligence use case inventory of the agency, the agency shall disclose the date of the modification and make change logs publicly available and accessible. (B) Guidance.--The Director shall issue guidance to agencies that describes how to appropriately update artificial intelligence use case inventories and clarifies how sub-agencies and regulatory agencies should participate in the artificial intelligence use case inventorying process. (d) Congressional Reporting.--The head of each agency shall submit to the relevant congressional committees a copy of the annual artificial intelligence use case inventory of the agency, including-- (1) the use cases that have been identified as ``sensitive'' and not for public disclosure; and (2) a classified annex of classified use cases. (e) Government Trends Report.--Beginning 1 year after the date of enactment of this Act, and annually thereafter, the Director, in coordination with the Council, shall issue a report, based on the artificial intelligence use cases reported in use case inventories, that describes trends in the use of artificial intelligence in the Federal Government. (f) Comptroller General.-- (1) Report required.--Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Comptroller General of the United States shall submit to relevant congressional committees a report on whether agencies are appropriately classifying use cases. (2) Appropriate classification.--The Comptroller General of the United States shall examine whether the appropriate level of disclosure of artificial intelligence use cases by agencies should be included on the High Risk List of the Government Accountability Office. <all>