[Congressional Bills 118th Congress] [From the U.S. Government Publishing Office] [S. 4495 Introduced in Senate (IS)] <DOC> 118th CONGRESS 2d Session S. 4495 To enable safe, responsible, and agile procurement, development, and use of artificial intelligence by the Federal Government, and for other purposes. _______________________________________________________________________ IN THE SENATE OF THE UNITED STATES June 11, 2024 Mr. Peters (for himself and Mr. Tillis) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs _______________________________________________________________________ A BILL To enable safe, responsible, and agile procurement, development, and use of artificial intelligence by the Federal Government, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Promoting Responsible Evaluation and Procurement to Advance Readiness for Enterprise-wide Deployment for Artificial Intelligence Act'' or the ``PREPARED for AI Act''. SEC. 2. DEFINITIONS. In this Act: (1) Adverse incident.--The term ``adverse incident'' means any incident or malfunction of artificial intelligence that directly or indirectly leads to-- (A) harm impacting rights or safety, as described in section 7(a)(2)(D); (B) the death of an individual or damage to the health of an individual; (C) material or irreversible disruption of the management and operation of critical infrastructure, as described in section 7(a)(2)(D)(i)(II)(cc); (D) material damage to property or the environment; (E) loss of a mission-critical system or equipment; (F) failure of the mission of an agency; (G) the denial of a benefit, payment, or other service to an individual or group of individuals who would have otherwise been eligible; (H) the denial of an employment, contract, grant, or similar opportunity that would have otherwise been offered; or (I) another consequence, as determined by the Director with public notice. (2) Agency.--The term ``agency''-- (A) has the meaning given that term in section 3502(1) of title 44, United States Code; and (B) includes each of the independent regulatory agencies described in section 3502(5) of title 44, United States Code. (3) Artificial intelligence.--The term ``artificial intelligence''-- (A) has the meaning given that term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401); and (B) includes the artificial systems and techniques described in paragraphs (1) through (5) of section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115- 232; 10 U.S.C. 4061 note prec.). (4) Biometric data.--The term ``biometric data'' means data resulting from specific technical processing relating to the unique physical, physiological, or behavioral characteristics of an individual, including facial images, dactyloscopic data, physical movement and gait, breath, voice, DNA, blood type, and expression of emotion, thought, or feeling. (5) Commercial technology.--The term ``commercial technology''-- (A) means a technology, process, or method, including research or development; and (B) includes commercial products, commercial services, and other commercial items, as defined in the Federal Acquisition Regulation, including any addition or update thereto by the Federal Acquisition Regulatory Council. (6) Council.--The term ``Council'' means the Chief Artificial Intelligence Officers Council established under section 5(a). (7) Deployer.--The term ``deployer'' means an entity that operates or provides artificial intelligence, whether developed internally or by a third-party developer. (8) Developer.--The term ``developer'' means an entity that designs, codes, produces, or owns artificial intelligence. (9) Director.--The term ``Director'' means the Director of the Office of Management and Budget. (10) Impact assessment.--The term ``impact assessment'' means a structured process for considering the implications of a proposed artificial intelligence use case. (11) Operational design domain.--The term ``operational design domain'' means a set of operating conditions for an automated system. (12) Procure or obtain.--The term ``procure or obtain'' means-- (A) to acquire through contract actions awarded pursuant to the Federal Acquisition Regulation, including through interagency agreements, multi-agency use, and purchase card transactions; (B) to acquire through contracts and agreements awarded through other special procurement authorities, including through other transactions and commercial solutions opening authorities; or (C) to obtain through other means, including through open source platforms or freeware. (13) Relevant congressional committees.--The term ``relevant congressional committees'' means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Accountability of the House of Representatives. (14) Risk.--The term ``risk'' means the combination of the probability of an occurrence of harm and the potential severity of that harm. (15) Use case.--The term ``use case'' means the ways and context in which artificial intelligence is operated to perform a specific function. SEC. 3. IMPLEMENTATION OF REQUIREMENTS. (a) Agency Implementation.--Not later than 1 year after the date of enactment of this Act, the Director shall ensure that agencies have implemented the requirements of this Act. (b) Annual Briefing.--Not later than 180 days after the date of enactment of this Act, and annually thereafter, the Director shall brief the appropriate Congressional committees on implementation of this Act and related considerations. SEC. 4. PROCUREMENT OF ARTIFICIAL INTELLIGENCE. (a) Government-Wide Requirements.-- (1) In general.--Not later than 1 year after the date of enactment of this Act, the Federal Acquisition Regulatory Council shall review Federal Acquisition Regulation acquisition planning, source selection, and other requirements and update the Federal Acquisition Regulation as needed to ensure that agency procurement of artificial intelligence includes-- (A) a requirement to address the outcomes of the risk evaluation and impact assessments required under section 8(a); (B) a requirement for consultation with an interdisciplinary team of agency experts prior to, and throughout, as necessary, procuring or obtaining artificial intelligence; and (C) any other considerations determined relevant by the Federal Acquisition Regulatory Council. (2) Interdisciplinary team of experts.--The interdisciplinary team of experts described in paragraph (1)(B) may-- (A) vary depending on the use case and the risks determined to be associated with the use case; and (B) include technologists, information security personnel, domain experts, privacy officers, data officers, civil rights and civil liberties officers, contracting officials, legal counsel, customer experience professionals, and others. (3) Acquisition planning.--The acquisition planning updates described in paragraph (1) shall include considerations for, at minimum, as appropriate depending on the use case-- (A) data ownership and privacy; (B) data information security; (C) interoperability requirements; (D) data and model assessment processes; (E) scope of use; (F) ongoing monitoring techniques; (G) type and scope of artificial intelligence audits; (H) environmental impact; and (I) safety and security risk mitigation techniques, including a plan for how adverse event reporting can be incorporated, pursuant to section 5(g). (b) Requirements for High Risk Use Cases.-- (1) In general.-- (A) Establishment.--Beginning on the date that is 1 year after the date of enactment of this Act, the head of an agency may not procure or obtain artificial intelligence for a high risk use case, as defined in section 7(a)(2)(D), prior to establishing and incorporating certain terms into relevant contracts, agreements, and employee guidelines for artificial intelligence, including-- (i) a requirement that the use of the artificial intelligence be limited to its operational design domain; (ii) requirements for safety, security, and trustworthiness, including-- (I) a reporting mechanism through which agency personnel are notified by the deployer of any adverse incident; (II) a requirement, in accordance with section 5(g), that agency personnel receive from the deployer a notification of any adverse incident, an explanation of the cause of the adverse incident, and any data directly connected to the adverse incident in order to address and mitigate the harm; and (III) that the agency has the right to temporarily or permanently suspend use of the artificial intelligence if-- (aa) the risks of the artificial intelligence to rights or safety become unacceptable, as determined under the agency risk classification system pursuant to section 7; or (bb) on or after the date that is 180 days after the publication of the most recently updated version of the framework developed and updated pursuant to section 22(A)(c) of the National Institute of Standards and Technology Act (15 U.S.C. 278h-1(c)), the deployer is found not to comply with such most recent update; (iii) requirements for quality, relevance, sourcing and ownership of data, as appropriate by use case, and applicable unless the head of the agency waives such requirements in writing, including-- (I) retention of rights to Government data and any modification to the data including to protect the data from unauthorized disclosure and use to subsequently train or improve the functionality of commercial products offered by the deployer, any relevant developers, or others; and (II) a requirement that the deployer and any relevant developers or other parties isolate Government data from all other data, through physical separation, electronic separation via secure copies with strict access controls, or other computational isolation mechanisms; (iv) requirements for evaluation and testing of artificial intelligence based on use case, to be performed on an ongoing basis; and (v) requirements that the deployer and any relevant developers provide documentation, as determined necessary and requested by the agency, in accordance with section 8(b). (B) Review.--The Senior Procurement Executive, in coordination with the Chief Artificial Intelligence Officer, shall consult with technologists, information security personnel, domain experts, privacy officers, data officers, civil rights and civil liberties officers, contracting officials, legal counsel, customer experience professionals, and other relevant agency officials to review the requirements described in clauses (i) through (v) of subparagraph (A) and determine whether it may be necessary to incorporate additional requirements into relevant contracts or agreements. (C) Regulation.--The Federal Acquisition Regulatory Council shall revise the Federal Acquisition Regulation as necessary to implement the requirements of this subsection. (2) Rules of construction.--This Act shall supersede any requirements that conflict with this Act under the guidance required to be produced by the Director pursuant to section 7224(d) of the Advancing American AI Act (40 U.S.C. 11301 note). SEC. 5. INTERAGENCY GOVERNANCE OF ARTIFICIAL INTELLIGENCE. (a) Chief Artificial Intelligence Officers Council.--Not later than 60 days after the date of enactment of this Act, the Director shall establish a Chief Artificial Intelligence Officers Council. (b) Duties.--The duties of the Council shall include-- (1) coordinating agency development and use of artificial intelligence in agency programs and operations, including practices relating to the design, operation, risk management, and performance of artificial intelligence; (2) sharing experiences, ideas, best practices, and innovative approaches relating to artificial intelligence; and (3) assisting the Director, as necessary, with respect to-- (A) the identification, development, and coordination of multi-agency projects and other initiatives, including initiatives to improve Government performance; (B) the management of risks relating to developing, obtaining, or using artificial intelligence, including by developing a common template to guide agency Chief Artificial Intelligence Officers in implementing a risk classification system that may incorporate best practices, such as those from-- (i) the most recently updated version of the framework developed and updated pursuant to section 22A(c) of the National Institute of Standards and Technology Act (15 U.S.C. 278h- 1(c)); and (ii) the report published by the Government Accountability Office entitled ``Artificial Intelligence: An Accountability Framework for Federal Agencies and Other Entities'' (GAO-21- 519SP), published on June 30, 2021; (C) promoting the development and use of efficient, effective, common, shared, or other approaches to key processes that improve the delivery of services for the public; and (D) soliciting and providing perspectives on matters of concern, including from and to-- (i) interagency councils; (ii) Federal Government entities; (iii) private sector, public sector, nonprofit, and academic experts; (iv) State, local, Tribal, territorial, and international governments; and (v) other individuals and entities, as determined relevant by the Council. (c) Membership of the Council.-- (1) Co-chairs.--The Council shall have 2 co-chairs, which shall be-- (A) the Director; and (B) an individual selected by a majority of the members of the Council. (2) Members.--Other members of the Council shall include-- (A) the Chief Artificial Intelligence Officer of each agency; and (B) the senior official for artificial intelligence of the Office of Management and Budget. (d) Standing Committees; Working Groups.--The Council shall have the authority to establish standing committees, including an