New White House Requirements for Government Procurement of AI Technologies: Key Considerations for Contractors

The White House Office of Management and Budget (OMB) recently released Memorandum M-24-18, which directs how federal agencies will procure artificial intelligence (AI) technologies. M-24-18 and its accompanying fact sheet, issued on September 24, 2024, are the latest step in a series of initiatives to encourage agencies to procure AI systems while mitigating risks associated with AI’s potential effect on safety, privacy, and security. M-24-18 builds on OMB’s March 2024 AI procurement memo (M-24-10) implementing President Biden’s October 2023 Executive Order on the Safe, Secure and Trustworthy Development and Use of Artificial Intelligence 1140 (EO 1140), which called for government-wide requirements on federal agencies for AI governance, innovation, and risk management.

M-24-18 emphasizes advancing the government’s acquisition of responsible and interoperable AI by leveraging the government’s power as the largest single buyer in the U.S. economy. According to OMB, which is part of the Executive Office of the President and coordinates policies across the executive branch, M-24-18 “ensures that when federal agencies acquire AI, they appropriately manage risks and performance; promote a competitive marketplace; and implement structures to govern and manage their business processes related to acquiring AI.”

This Update provides an overview of the key aspects of the OMB’s requirements and their implications for government contractors.

AI Risks and Performance

M-24-18 includes best practices and detailed directives for managing AI risk and performance, with additional requirements focusing on rights-impacting and safety-impacting AI. It also addresses enterprise-wide generative AI. 

M-24-18 does not have any immediate binding effect on government contractors, but rather directs how federal agencies handle procurements of AI. It states that it shall apply to any contracts awarded pursuant to a solicitation issued on or after 180 days from the issuance of M-24-18, as well as options to renew a pre-existing contract.

The scope of AI affected by M-24-18 is broad. It applies to AI systems or services (a term that is broadly defined to include data systems, software, applications, tools, or utilities where AI is “integrated”) that are acquired by or on behalf of federal agencies (excluding the Intelligence Community). The term “AI system” excludes any “common commercial product within which artificial intelligence is embedded, such as a word processor or map navigation system.” To implement this exception, the memo calls for agencies to assess whether the product is widely available to the public for commercial use and whether the AI involved has “substantial non-AI purposes of functionalities[.]” While M-24-18 suggests that common commercial word processing software (e.g., a spell check function) would be excluded, the memo appears to apply broadly to a variety of commercial products and services sold to the government. As companies increasingly incorporate AI into their products, the government’s efforts to regulate AI through the procurement system seems likely to be consequential for commercial companies that sell to the government market.

M-24-18 directs federal agencies to negotiate contractual terms to ensure government contractors provide sufficient information in their bids to allow agencies to evaluate claims, manage risks, and conduct impact assessments. In addition, M-24-18 addresses the following:

• Privacy and compliance. Highlighting concerns about the impact of AI on privacy, the memorandum requires agencies to engage privacy officials in AI acquisition processes in order to identify and manage privacy risks and to ensure that contractual terms address the lawful collection and accuracy of biometric data. 
• Risk management for rights-impacting and safety-impacting AI. Agencies are required to work with vendors to understand when AI acquisitions trigger additional risk management requirements, particularly for rights-impacting and safety-impacting AI. By December 1, 2024, agencies are directed to identify and align contracts involving rights-impacting or safety-impacting AI with M-24-18.
• Outcome-driven solicitations. M-24-18 instructs agencies to include performance-based requirements and contract terms to evaluate vendor claims and products, negotiate intellectual property (IP) rights, and increase interoperability of AI-acquired systems and services. According to OMB, the performance-based approach helps agencies collect sufficient information to evaluate vendor claims and products regarding appropriate safeguards for data management and cybersecurity, negotiate IP rights, increase interoperability, and manage risk related to AI-enabled biometric systems. By March 23, 2025, for any contract that does not concern the use of rights-impacting or safety-impacting AI, agencies are directed to include the requirements from M-24-18 in any new solicitation and any option to renew or extend the performance period. 
• Enterprise-wide generative AI. M-24-18 further directs agencies to implement risk measures when acquiring enterprise-wide generative AI. “Enterprise-wide generative AI” means “a foundation model or other widely applicable generative AI system, that is acquired for general purposes for which the details are infeasible to define prior to procurement, such as for workforce-productivity use, general application development, or other general tasks, and is acquired for use by end users in more than one agency component; or through a contract vehicle that accommodates the requirements of more than one organizational component.” 

AI Acquisition Practices

M-24-18 directs federal agencies to include acquisition principles that reduce vendor lock-in when setting contractual requirements, signaling the importance of data rights and IP in government procurement of AI. It also highlights the need for agencies to prioritize interoperability and transparency through market research, requirements development, and evaluation of government contractor bids. 

Key Takeaways

M-24-18 is the latest indication that government contractors seeking to sell AI-enabled systems to the government will face heightened scrutiny. It introduces significant requirements for federal agencies to implement regarding the acquisition and management of AI systems, especially AI that is deemed to be rights-impacting or safety-impacting. 

Government contractors should familiarize themselves with these new requirements because agencies will likely begin writing performance and output-based deliverables into their requirements, such as testing and evaluation data. Ultimately, changes to the Federal Acquisition Regulation (FAR) and agency FAR supplements will be necessary to give any AI-specific directives binding effect on industry.

Among the potential issues that will need to be addressed is how to reconcile the new directives with existing statutory and regulatory frameworks for the acquisition of commercial products and services defined in FAR Part 12. That part of the FAR implements a statutory preference to commercial products and services with streamlined compliance obligations compared to noncommercial deliverables.

Another challenge for government contractors will be the protection of IP rights and confidential business information. M-24-18 signals that agencies will be seeking more (in many cases, sensitive) information from contractors, including related to the testing and evaluation of their products. Contractors should be prepared to engage with their customer agencies at the early stages of procurement and mitigate against losses of information to third parties, including by ensuring they mark technical data and software.