[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4495 Reported in Senate (RS)]
<DOC>
Calendar No. 697
118th CONGRESS
2d Session
S. 4495
[Report No. 118-291]
To enable safe, responsible, and agile procurement, development, and
use of artificial intelligence by the Federal Government, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 11, 2024
Mr. Peters (for himself and Mr. Tillis) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
December 16, 2024
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To enable safe, responsible, and agile procurement, development, and
use of artificial intelligence by the Federal Government, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Promoting Responsible
Evaluation and Procurement to Advance Readiness for Enterprise-wide
Deployment for Artificial Intelligence Act'' or the ``PREPARED for AI
Act''.</DELETED>
<DELETED>SEC. 2. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Adverse incident.--The term ``adverse
incident'' means any incident or malfunction of artificial
intelligence that directly or indirectly leads to--</DELETED>
<DELETED> (A) harm impacting rights or safety, as
described in section 7(a)(2)(D);</DELETED>
<DELETED> (B) the death of an individual or damage
to the health of an individual;</DELETED>
<DELETED> (C) material or irreversible disruption of
the management and operation of critical
infrastructure, as described in section
7(a)(2)(D)(i)(II)(cc);</DELETED>
<DELETED> (D) material damage to property or the
environment;</DELETED>
<DELETED> (E) loss of a mission-critical system or
equipment;</DELETED>
<DELETED> (F) failure of the mission of an
agency;</DELETED>
<DELETED> (G) the denial of a benefit, payment, or
other service to an individual or group of individuals
who would have otherwise been eligible;</DELETED>
<DELETED> (H) the denial of an employment, contract,
grant, or similar opportunity that would have otherwise
been offered; or</DELETED>
<DELETED> (I) another consequence, as determined by
the Director with public notice.</DELETED>
<DELETED> (2) Agency.--The term ``agency''--</DELETED>
<DELETED> (A) has the meaning given that term in
section 3502(1) of title 44, United States Code;
and</DELETED>
<DELETED> (B) includes each of the independent
regulatory agencies described in section 3502(5) of
title 44, United States Code.</DELETED>
<DELETED> (3) Artificial intelligence.--The term
``artificial intelligence''--</DELETED>
<DELETED> (A) has the meaning given that term in
section 5002 of the National Artificial Intelligence
Initiative Act of 2020 (15 U.S.C. 9401); and</DELETED>
<DELETED> (B) includes the artificial systems and
techniques described in paragraphs (1) through (5) of
section 238(g) of the John S. McCain National Defense
Authorization Act for Fiscal Year 2019 (Public Law 115-
232; 10 U.S.C. 4061 note prec.).</DELETED>
<DELETED> (4) Biometric data.--The term ``biometric data''
means data resulting from specific technical processing
relating to the unique physical, physiological, or behavioral
characteristics of an individual, including facial images,
dactyloscopic data, physical movement and gait, breath, voice,
DNA, blood type, and expression of emotion, thought, or
feeling.</DELETED>
<DELETED> (5) Commercial technology.--The term ``commercial
technology''--</DELETED>
<DELETED> (A) means a technology, process, or
method, including research or development;
and</DELETED>
<DELETED> (B) includes commercial products,
commercial services, and other commercial items, as
defined in the Federal Acquisition Regulation,
including any addition or update thereto by the Federal
Acquisition Regulatory Council.</DELETED>
<DELETED> (6) Council.--The term ``Council'' means the Chief
Artificial Intelligence Officers Council established under
section 5(a).</DELETED>
<DELETED> (7) Deployer.--The term ``deployer'' means an
entity that operates or provides artificial intelligence,
whether developed internally or by a third-party
developer.</DELETED>
<DELETED> (8) Developer.--The term ``developer'' means an
entity that designs, codes, produces, or owns artificial
intelligence.</DELETED>
<DELETED> (9) Director.--The term ``Director'' means the
Director of the Office of Management and Budget.</DELETED>
<DELETED> (10) Impact assessment.--The term ``impact
assessment'' means a structured process for considering the
implications of a proposed artificial intelligence use
case.</DELETED>
<DELETED> (11) Operational design domain.--The term
``operational design domain'' means a set of operating
conditions for an automated system.</DELETED>
<DELETED> (12) Procure or obtain.--The term ``procure or
obtain'' means--</DELETED>
<DELETED> (A) to acquire through contract actions
awarded pursuant to the Federal Acquisition Regulation,
including through interagency agreements, multi-agency
use, and purchase card transactions;</DELETED>
<DELETED> (B) to acquire through contracts and
agreements awarded through other special procurement
authorities, including through other transactions and
commercial solutions opening authorities; or</DELETED>
<DELETED> (C) to obtain through other means,
including through open source platforms or
freeware.</DELETED>
<DELETED> (13) Relevant congressional committees.--The term
``relevant congressional committees'' means the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Oversight and Accountability of the House of
Representatives.</DELETED>
<DELETED> (14) Risk.--The term ``risk'' means the
combination of the probability of an occurrence of harm and the
potential severity of that harm.</DELETED>
<DELETED> (15) Use case.--The term ``use case'' means the
ways and context in which artificial intelligence is operated
to perform a specific function.</DELETED>
<DELETED>SEC. 3. IMPLEMENTATION OF REQUIREMENTS.</DELETED>
<DELETED> (a) Agency Implementation.--Not later than 1 year after
the date of enactment of this Act, the Director shall ensure that
agencies have implemented the requirements of this Act.</DELETED>
<DELETED> (b) Annual Briefing.--Not later than 180 days after the
date of enactment of this Act, and annually thereafter, the Director
shall brief the appropriate Congressional committees on implementation
of this Act and related considerations.</DELETED>
<DELETED>SEC. 4. PROCUREMENT OF ARTIFICIAL INTELLIGENCE.</DELETED>
<DELETED> (a) Government-Wide Requirements.--</DELETED>
<DELETED> (1) In general.--Not later than 1 year after the
date of enactment of this Act, the Federal Acquisition
Regulatory Council shall review Federal Acquisition Regulation
acquisition planning, source selection, and other requirements
and update the Federal Acquisition Regulation as needed to
ensure that agency procurement of artificial intelligence
includes--</DELETED>
<DELETED> (A) a requirement to address the outcomes
of the risk evaluation and impact assessments required
under section 8(a);</DELETED>
<DELETED> (B) a requirement for consultation with an
interdisciplinary team of agency experts prior to, and
throughout, as necessary, procuring or obtaining
artificial intelligence; and</DELETED>
<DELETED> (C) any other considerations determined
relevant by the Federal Acquisition Regulatory
Council.</DELETED>
<DELETED> (2) Interdisciplinary team of experts.--The
interdisciplinary team of experts described in paragraph (1)(B)
may--</DELETED>
<DELETED> (A) vary depending on the use case and the
risks determined to be associated with the use case;
and</DELETED>
<DELETED> (B) include technologists, information
security personnel, domain experts, privacy officers,
data officers, civil rights and civil liberties
officers, contracting officials, legal counsel,
customer experience professionals, and
others.</DELETED>
<DELETED> (3) Acquisition planning.--The acquisition
planning updates described in paragraph (1) shall include
considerations for, at minimum, as appropriate depending on the
use case--</DELETED>
<DELETED> (A) data ownership and privacy;</DELETED>
<DELETED> (B) data information security;</DELETED>
<DELETED> (C) interoperability
requirements;</DELETED>
<DELETED> (D) data and model assessment
processes;</DELETED>
<DELETED> (E) scope of use;</DELETED>
<DELETED> (F) ongoing monitoring
techniques;</DELETED>
<DELETED> (G) type and scope of artificial
intelligence audits;</DELETED>
<DELETED> (H) environmental impact; and</DELETED>
<DELETED> (I) safety and security risk mitigation
techniques, including a plan for how adverse event
reporting can be incorporated, pursuant to section
5(g).</DELETED>
<DELETED> (b) Requirements for High Risk Use Cases.--</DELETED>
<DELETED> (1) In general.--</DELETED>
<DELETED> (A) Establishment.--Beginning on the date
that is 1 year after the date of enactment of this Act,
the head of an agency may not procure or obtain
artificial intelligence for a high risk use case, as
defined in section 7(a)(2)(D), prior to establishing
and incorporating certain terms into relevant
contracts, agreements, and employee guidelines for
artificial intelligence, including--</DELETED>
<DELETED> (i) a requirement that the use of
the artificial intelligence be limited to its
operational design domain;</DELETED>
<DELETED> (ii) requirements for safety,
security, and trustworthiness, including--
</DELETED>
<DELETED> (I) a reporting mechanism
through which agency personnel are
notified by the deployer of any adverse
incident;</DELETED>
<DELETED> (II) a requirement, in
accordance with section 5(g), that
agency personnel receive from the
deployer a notification of any adverse
incident, an explanation of the cause
of the adverse incident, and any data
directly connected to the adverse
incident in order to address and
mitigate the harm; and</DELETED>
<DELETED> (III) that the agency has
the right to temporarily or permanently
suspend use of the artificial
intelligence if--</DELETED>
<DELETED> (aa) the risks of
the artificial intelligence to
rights or safety become
unacceptable, as determined
under the agency risk
classification system pursuant
to section 7; or</DELETED>
<DELETED> (bb) on or after
the date that is 180 days after
the publication of the most
recently updated version of the
framework developed and updated
pursuant to section 22(A)(c) of
the National Institute of
Standards and Technology Act
(15 U.S.C. 278h-1(c)), the
deployer is found not to comply
with such most recent
update;</DELETED>
<DELETED> (iii) requirements for quality,
relevance, sourcing and ownership of data, as
appropriate by use case, and applicable unless
the head of the agency waives such requirements
in writing, including--</DELETED>
<DELETED> (I) retention of rights to
Government data and any modification to
the data including to protect the data
from unauthorized disclosure and use to
subsequently train or improve the
functionality of commercial products
offered by the deployer, any relevant
developers, or others; and</DELETED>
<DELETED> (II) a requirement that
the deployer and any relevant
developers or other parties isolate
Government data from all other data,
through physical separation, electronic
separation via secure copies with
strict access controls, or other
computational isolation
mechanisms;</DELETED>
<DELETED> (iv) requirements for evaluation
and testing of artificial intelligence based on
use case, to be performed on an ongoing basis;
and</DELETED>
<DELETED> (v) requirements that the deployer
and any relevant developers provide
documentation, as determined necessary and
requested by the agency, in accordance with
section 8(b).</DELETED>
<DELETED> (B) Review.--The Senior Procurement
Executive, in coordination with the Chief Artificial
Intelligence Officer, shall consult with technologists,
information security personnel, domain experts, privacy
officers, data officers, civil rights and civil
liberties officers, contracting officials, legal
counsel, customer experience professionals, and other
relevant agency officials to review the requirements
described in clauses (i) through (v) of subparagraph
(A) and determine whether it may be necessary to
incorporate additional requirements into relevant
contracts or agreements.</DELETED>
<DELETED> (C) Regulation.--The Federal Acquisition
Regulatory Council shall revise the Federal Acquisition
Regulation as necessary to implement the requirements
of this subsection.</DELETED>
<DELETED> (2) Rules of construction.--This Act shall
supersede any requirements that conflict with this Act under
the guidance required to be produced by the Director pursuant
to section 7224(d) of the Advancing American AI Act (40 U.S.C.
11301 note).</DELETED>
<DELETED>SEC. 5. INTERAGENCY GOVERNANCE OF ARTIFICIAL
INTELLIGENCE.</DELETED>
<DELETED> (a) Chief Artificial Intelligence Officers Council.--Not
later than 60 days after the date of enactment of this Act, the
Director shall establish a Chief Artificial Intelligence Officers
Council.</DELETED>
<DELETED> (b) Duties.--The duties of the Council shall include--
</DELETED>