[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4495 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
2d Session
S. 4495
To enable safe, responsible, and agile procurement, development, and
use of artificial intelligence by the Federal Government, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 11, 2024
Mr. Peters (for himself and Mr. Tillis) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To enable safe, responsible, and agile procurement, development, and
use of artificial intelligence by the Federal Government, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Promoting Responsible Evaluation and
Procurement to Advance Readiness for Enterprise-wide Deployment for
Artificial Intelligence Act'' or the ``PREPARED for AI Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Adverse incident.--The term ``adverse incident'' means
any incident or malfunction of artificial intelligence that
directly or indirectly leads to--
(A) harm impacting rights or safety, as described
in section 7(a)(2)(D);
(B) the death of an individual or damage to the
health of an individual;
(C) material or irreversible disruption of the
management and operation of critical infrastructure, as
described in section 7(a)(2)(D)(i)(II)(cc);
(D) material damage to property or the environment;
(E) loss of a mission-critical system or equipment;
(F) failure of the mission of an agency;
(G) the denial of a benefit, payment, or other
service to an individual or group of individuals who
would have otherwise been eligible;
(H) the denial of an employment, contract, grant,
or similar opportunity that would have otherwise been
offered; or
(I) another consequence, as determined by the
Director with public notice.
(2) Agency.--The term ``agency''--
(A) has the meaning given that term in section
3502(1) of title 44, United States Code; and
(B) includes each of the independent regulatory
agencies described in section 3502(5) of title 44,
United States Code.
(3) Artificial intelligence.--The term ``artificial
intelligence''--
(A) has the meaning given that term in section 5002
of the National Artificial Intelligence Initiative Act
of 2020 (15 U.S.C. 9401); and
(B) includes the artificial systems and techniques
described in paragraphs (1) through (5) of section
238(g) of the John S. McCain National Defense
Authorization Act for Fiscal Year 2019 (Public Law 115-
232; 10 U.S.C. 4061 note prec.).
(4) Biometric data.--The term ``biometric data'' means data
resulting from specific technical processing relating to the
unique physical, physiological, or behavioral characteristics
of an individual, including facial images, dactyloscopic data,
physical movement and gait, breath, voice, DNA, blood type, and
expression of emotion, thought, or feeling.
(5) Commercial technology.--The term ``commercial
technology''--
(A) means a technology, process, or method,
including research or development; and
(B) includes commercial products, commercial
services, and other commercial items, as defined in the
Federal Acquisition Regulation, including any addition
or update thereto by the Federal Acquisition Regulatory
Council.
(6) Council.--The term ``Council'' means the Chief
Artificial Intelligence Officers Council established under
section 5(a).
(7) Deployer.--The term ``deployer'' means an entity that
operates or provides artificial intelligence, whether developed
internally or by a third-party developer.
(8) Developer.--The term ``developer'' means an entity that
designs, codes, produces, or owns artificial intelligence.
(9) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(10) Impact assessment.--The term ``impact assessment''
means a structured process for considering the implications of
a proposed artificial intelligence use case.
(11) Operational design domain.--The term ``operational
design domain'' means a set of operating conditions for an
automated system.
(12) Procure or obtain.--The term ``procure or obtain''
means--
(A) to acquire through contract actions awarded
pursuant to the Federal Acquisition Regulation,
including through interagency agreements, multi-agency
use, and purchase card transactions;
(B) to acquire through contracts and agreements
awarded through other special procurement authorities,
including through other transactions and commercial
solutions opening authorities; or
(C) to obtain through other means, including
through open source platforms or freeware.
(13) Relevant congressional committees.--The term
``relevant congressional committees'' means the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Oversight and Accountability of the House of
Representatives.
(14) Risk.--The term ``risk'' means the combination of the
probability of an occurrence of harm and the potential severity
of that harm.
(15) Use case.--The term ``use case'' means the ways and
context in which artificial intelligence is operated to perform
a specific function.
SEC. 3. IMPLEMENTATION OF REQUIREMENTS.
(a) Agency Implementation.--Not later than 1 year after the date of
enactment of this Act, the Director shall ensure that agencies have
implemented the requirements of this Act.
(b) Annual Briefing.--Not later than 180 days after the date of
enactment of this Act, and annually thereafter, the Director shall
brief the appropriate Congressional committees on implementation of
this Act and related considerations.
SEC. 4. PROCUREMENT OF ARTIFICIAL INTELLIGENCE.
(a) Government-Wide Requirements.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Federal Acquisition Regulatory
Council shall review Federal Acquisition Regulation acquisition
planning, source selection, and other requirements and update
the Federal Acquisition Regulation as needed to ensure that
agency procurement of artificial intelligence includes--
(A) a requirement to address the outcomes of the
risk evaluation and impact assessments required under
section 8(a);
(B) a requirement for consultation with an
interdisciplinary team of agency experts prior to, and
throughout, as necessary, procuring or obtaining
artificial intelligence; and
(C) any other considerations determined relevant by
the Federal Acquisition Regulatory Council.
(2) Interdisciplinary team of experts.--The
interdisciplinary team of experts described in paragraph (1)(B)
may--
(A) vary depending on the use case and the risks
determined to be associated with the use case; and
(B) include technologists, information security
personnel, domain experts, privacy officers, data
officers, civil rights and civil liberties officers,
contracting officials, legal counsel, customer
experience professionals, and others.
(3) Acquisition planning.--The acquisition planning updates
described in paragraph (1) shall include considerations for, at
minimum, as appropriate depending on the use case--
(A) data ownership and privacy;
(B) data information security;
(C) interoperability requirements;
(D) data and model assessment processes;
(E) scope of use;
(F) ongoing monitoring techniques;
(G) type and scope of artificial intelligence
audits;
(H) environmental impact; and
(I) safety and security risk mitigation techniques,
including a plan for how adverse event reporting can be
incorporated, pursuant to section 5(g).
(b) Requirements for High Risk Use Cases.--
(1) In general.--
(A) Establishment.--Beginning on the date that is 1
year after the date of enactment of this Act, the head
of an agency may not procure or obtain artificial
intelligence for a high risk use case, as defined in
section 7(a)(2)(D), prior to establishing and
incorporating certain terms into relevant contracts,
agreements, and employee guidelines for artificial
intelligence, including--
(i) a requirement that the use of the
artificial intelligence be limited to its
operational design domain;
(ii) requirements for safety, security, and
trustworthiness, including--
(I) a reporting mechanism through
which agency personnel are notified by
the deployer of any adverse incident;
(II) a requirement, in accordance
with section 5(g), that agency
personnel receive from the deployer a
notification of any adverse incident,
an explanation of the cause of the
adverse incident, and any data directly
connected to the adverse incident in
order to address and mitigate the harm;
and
(III) that the agency has the right
to temporarily or permanently suspend
use of the artificial intelligence if--
(aa) the risks of the
artificial intelligence to
rights or safety become
unacceptable, as determined
under the agency risk
classification system pursuant
to section 7; or
(bb) on or after the date
that is 180 days after the
publication of the most
recently updated version of the
framework developed and updated
pursuant to section 22(A)(c) of
the National Institute of
Standards and Technology Act
(15 U.S.C. 278h-1(c)), the
deployer is found not to comply
with such most recent update;
(iii) requirements for quality, relevance,
sourcing and ownership of data, as appropriate
by use case, and applicable unless the head of
the agency waives such requirements in writing,
including--
(I) retention of rights to
Government data and any modification to
the data including to protect the data
from unauthorized disclosure and use to
subsequently train or improve the
functionality of commercial products
offered by the deployer, any relevant
developers, or others; and
(II) a requirement that the
deployer and any relevant developers or
other parties isolate Government data
from all other data, through physical
separation, electronic separation via
secure copies with strict access
controls, or other computational
isolation mechanisms;
(iv) requirements for evaluation and
testing of artificial intelligence based on use
case, to be performed on an ongoing basis; and
(v) requirements that the deployer and any
relevant developers provide documentation, as
determined necessary and requested by the
agency, in accordance with section 8(b).
(B) Review.--The Senior Procurement Executive, in
coordination with the Chief Artificial Intelligence
Officer, shall consult with technologists, information
security personnel, domain experts, privacy officers,
data officers, civil rights and civil liberties
officers, contracting officials, legal counsel,
customer experience professionals, and other relevant
agency officials to review the requirements described
in clauses (i) through (v) of subparagraph (A) and
determine whether it may be necessary to incorporate
additional requirements into relevant contracts or
agreements.
(C) Regulation.--The Federal Acquisition Regulatory
Council shall revise the Federal Acquisition Regulation
as necessary to implement the requirements of this
subsection.
(2) Rules of construction.--This Act shall supersede any
requirements that conflict with this Act under the guidance
required to be produced by the Director pursuant to section
7224(d) of the Advancing American AI Act (40 U.S.C. 11301
note).
SEC. 5. INTERAGENCY GOVERNANCE OF ARTIFICIAL INTELLIGENCE.
(a) Chief Artificial Intelligence Officers Council.--Not later than
60 days after the date of enactment of this Act, the Director shall
establish a Chief Artificial Intelligence Officers Council.
(b) Duties.--The duties of the Council shall include--
(1) coordinating agency development and use of artificial
intelligence in agency programs and operations, including
practices relating to the design, operation, risk management,
and performance of artificial intelligence;
(2) sharing experiences, ideas, best practices, and
innovative approaches relating to artificial intelligence; and
(3) assisting the Director, as necessary, with respect to--
(A) the identification, development, and
coordination of multi-agency projects and other
initiatives, including initiatives to improve
Government performance;
(B) the management of risks relating to developing,
obtaining, or using artificial intelligence, including
by developing a common template to guide agency Chief
Artificial Intelligence Officers in implementing a risk
classification system that may incorporate best
practices, such as those from--
(i) the most recently updated version of
the framework developed and updated pursuant to
section 22A(c) of the National Institute of
Standards and Technology Act (15 U.S.C. 278h-
1(c)); and
(ii) the report published by the Government
Accountability Office entitled ``Artificial
Intelligence: An Accountability Framework for
Federal Agencies and Other Entities'' (GAO-21-
519SP), published on June 30, 2021;
(C) promoting the development and use of efficient,
effective, common, shared, or other approaches to key
processes that improve the delivery of services for the
public; and
(D) soliciting and providing perspectives on
matters of concern, including from and to--
(i) interagency councils;
(ii) Federal Government entities;
(iii) private sector, public sector,
nonprofit, and academic experts;
(iv) State, local, Tribal, territorial, and
international governments; and
(v) other individuals and entities, as
determined relevant by the Council.
(c) Membership of the Council.--
(1) Co-chairs.--The Council shall have 2 co-chairs, which
shall be--
(A) the Director; and
(B) an individual selected by a majority of the
members of the Council.
(2) Members.--Other members of the Council shall include--
(A) the Chief Artificial Intelligence Officer of
each agency; and
(B) the senior official for artificial intelligence
of the Office of Management and Budget.
(d) Standing Committees; Working Groups.--The Council shall have
the authority to establish standing committees, including an