[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4495 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 697
118th CONGRESS
  2d Session
                                S. 4495

                          [Report No. 118-291]

 To enable safe, responsible, and agile procurement, development, and 
use of artificial intelligence by the Federal Government, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 11, 2024

Mr. Peters (for himself and Mr. Tillis) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                           December 16, 2024

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To enable safe, responsible, and agile procurement, development, and 
use of artificial intelligence by the Federal Government, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Promoting Responsible 
Evaluation and Procurement to Advance Readiness for Enterprise-wide 
Deployment for Artificial Intelligence Act'' or the ``PREPARED for AI 
Act''.</DELETED>

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Adverse incident.--The term ``adverse 
        incident'' means any incident or malfunction of artificial 
        intelligence that directly or indirectly leads to--</DELETED>
                <DELETED>    (A) harm impacting rights or safety, as 
                described in section 7(a)(2)(D);</DELETED>
                <DELETED>    (B) the death of an individual or damage 
                to the health of an individual;</DELETED>
                <DELETED>    (C) material or irreversible disruption of 
                the management and operation of critical 
                infrastructure, as described in section 
                7(a)(2)(D)(i)(II)(cc);</DELETED>
                <DELETED>    (D) material damage to property or the 
                environment;</DELETED>
                <DELETED>    (E) loss of a mission-critical system or 
                equipment;</DELETED>
                <DELETED>    (F) failure of the mission of an 
                agency;</DELETED>
                <DELETED>    (G) the denial of a benefit, payment, or 
                other service to an individual or group of individuals 
                who would have otherwise been eligible;</DELETED>
                <DELETED>    (H) the denial of an employment, contract, 
                grant, or similar opportunity that would have otherwise 
                been offered; or</DELETED>
                <DELETED>    (I) another consequence, as determined by 
                the Director with public notice.</DELETED>
        <DELETED>    (2) Agency.--The term ``agency''--</DELETED>
                <DELETED>    (A) has the meaning given that term in 
                section 3502(1) of title 44, United States Code; 
                and</DELETED>
                <DELETED>    (B) includes each of the independent 
                regulatory agencies described in section 3502(5) of 
                title 44, United States Code.</DELETED>
        <DELETED>    (3) Artificial intelligence.--The term 
        ``artificial intelligence''--</DELETED>
                <DELETED>    (A) has the meaning given that term in 
                section 5002 of the National Artificial Intelligence 
                Initiative Act of 2020 (15 U.S.C. 9401); and</DELETED>
                <DELETED>    (B) includes the artificial systems and 
                techniques described in paragraphs (1) through (5) of 
                section 238(g) of the John S. McCain National Defense 
                Authorization Act for Fiscal Year 2019 (Public Law 115-
                232; 10 U.S.C. 4061 note prec.).</DELETED>
        <DELETED>    (4) Biometric data.--The term ``biometric data'' 
        means data resulting from specific technical processing 
        relating to the unique physical, physiological, or behavioral 
        characteristics of an individual, including facial images, 
        dactyloscopic data, physical movement and gait, breath, voice, 
        DNA, blood type, and expression of emotion, thought, or 
        feeling.</DELETED>
        <DELETED>    (5) Commercial technology.--The term ``commercial 
        technology''--</DELETED>
                <DELETED>    (A) means a technology, process, or 
                method, including research or development; 
                and</DELETED>
                <DELETED>    (B) includes commercial products, 
                commercial services, and other commercial items, as 
                defined in the Federal Acquisition Regulation, 
                including any addition or update thereto by the Federal 
                Acquisition Regulatory Council.</DELETED>
        <DELETED>    (6) Council.--The term ``Council'' means the Chief 
        Artificial Intelligence Officers Council established under 
        section 5(a).</DELETED>
        <DELETED>    (7) Deployer.--The term ``deployer'' means an 
        entity that operates or provides artificial intelligence, 
        whether developed internally or by a third-party 
        developer.</DELETED>
        <DELETED>    (8) Developer.--The term ``developer'' means an 
        entity that designs, codes, produces, or owns artificial 
        intelligence.</DELETED>
        <DELETED>    (9) Director.--The term ``Director'' means the 
        Director of the Office of Management and Budget.</DELETED>
        <DELETED>    (10) Impact assessment.--The term ``impact 
        assessment'' means a structured process for considering the 
        implications of a proposed artificial intelligence use 
        case.</DELETED>
        <DELETED>    (11) Operational design domain.--The term 
        ``operational design domain'' means a set of operating 
        conditions for an automated system.</DELETED>
        <DELETED>    (12) Procure or obtain.--The term ``procure or 
        obtain'' means--</DELETED>
                <DELETED>    (A) to acquire through contract actions 
                awarded pursuant to the Federal Acquisition Regulation, 
                including through interagency agreements, multi-agency 
                use, and purchase card transactions;</DELETED>
                <DELETED>    (B) to acquire through contracts and 
                agreements awarded through other special procurement 
                authorities, including through other transactions and 
                commercial solutions opening authorities; or</DELETED>
                <DELETED>    (C) to obtain through other means, 
                including through open source platforms or 
                freeware.</DELETED>
        <DELETED>    (13) Relevant congressional committees.--The term 
        ``relevant congressional committees'' means the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Oversight and Accountability of the House of 
        Representatives.</DELETED>
        <DELETED>    (14) Risk.--The term ``risk'' means the 
        combination of the probability of an occurrence of harm and the 
        potential severity of that harm.</DELETED>
        <DELETED>    (15) Use case.--The term ``use case'' means the 
        ways and context in which artificial intelligence is operated 
        to perform a specific function.</DELETED>

<DELETED>SEC. 3. IMPLEMENTATION OF REQUIREMENTS.</DELETED>

<DELETED>    (a) Agency Implementation.--Not later than 1 year after 
the date of enactment of this Act, the Director shall ensure that 
agencies have implemented the requirements of this Act.</DELETED>
<DELETED>    (b) Annual Briefing.--Not later than 180 days after the 
date of enactment of this Act, and annually thereafter, the Director 
shall brief the appropriate Congressional committees on implementation 
of this Act and related considerations.</DELETED>

<DELETED>SEC. 4. PROCUREMENT OF ARTIFICIAL INTELLIGENCE.</DELETED>

<DELETED>    (a) Government-Wide Requirements.--</DELETED>
        <DELETED>    (1) In general.--Not later than 1 year after the 
        date of enactment of this Act, the Federal Acquisition 
        Regulatory Council shall review Federal Acquisition Regulation 
        acquisition planning, source selection, and other requirements 
        and update the Federal Acquisition Regulation as needed to 
        ensure that agency procurement of artificial intelligence 
        includes--</DELETED>
                <DELETED>    (A) a requirement to address the outcomes 
                of the risk evaluation and impact assessments required 
                under section 8(a);</DELETED>
                <DELETED>    (B) a requirement for consultation with an 
                interdisciplinary team of agency experts prior to, and 
                throughout, as necessary, procuring or obtaining 
                artificial intelligence; and</DELETED>
                <DELETED>    (C) any other considerations determined 
                relevant by the Federal Acquisition Regulatory 
                Council.</DELETED>
        <DELETED>    (2) Interdisciplinary team of experts.--The 
        interdisciplinary team of experts described in paragraph (1)(B) 
        may--</DELETED>
                <DELETED>    (A) vary depending on the use case and the 
                risks determined to be associated with the use case; 
                and</DELETED>
                <DELETED>    (B) include technologists, information 
                security personnel, domain experts, privacy officers, 
                data officers, civil rights and civil liberties 
                officers, contracting officials, legal counsel, 
                customer experience professionals, and 
                others.</DELETED>
        <DELETED>    (3) Acquisition planning.--The acquisition 
        planning updates described in paragraph (1) shall include 
        considerations for, at minimum, as appropriate depending on the 
        use case--</DELETED>
                <DELETED>    (A) data ownership and privacy;</DELETED>
                <DELETED>    (B) data information security;</DELETED>
                <DELETED>    (C) interoperability 
                requirements;</DELETED>
                <DELETED>    (D) data and model assessment 
                processes;</DELETED>
                <DELETED>    (E) scope of use;</DELETED>
                <DELETED>    (F) ongoing monitoring 
                techniques;</DELETED>
                <DELETED>    (G) type and scope of artificial 
                intelligence audits;</DELETED>
                <DELETED>    (H) environmental impact; and</DELETED>
                <DELETED>    (I) safety and security risk mitigation 
                techniques, including a plan for how adverse event 
                reporting can be incorporated, pursuant to section 
                5(g).</DELETED>
<DELETED>    (b) Requirements for High Risk Use Cases.--</DELETED>
        <DELETED>    (1) In general.--</DELETED>
                <DELETED>    (A) Establishment.--Beginning on the date 
                that is 1 year after the date of enactment of this Act, 
                the head of an agency may not procure or obtain 
                artificial intelligence for a high risk use case, as 
                defined in section 7(a)(2)(D), prior to establishing 
                and incorporating certain terms into relevant 
                contracts, agreements, and employee guidelines for 
                artificial intelligence, including--</DELETED>
                        <DELETED>    (i) a requirement that the use of 
                        the artificial intelligence be limited to its 
                        operational design domain;</DELETED>
                        <DELETED>    (ii) requirements for safety, 
                        security, and trustworthiness, including--
                        </DELETED>
                                <DELETED>    (I) a reporting mechanism 
                                through which agency personnel are 
                                notified by the deployer of any adverse 
                                incident;</DELETED>
                                <DELETED>    (II) a requirement, in 
                                accordance with section 5(g), that 
                                agency personnel receive from the 
                                deployer a notification of any adverse 
                                incident, an explanation of the cause 
                                of the adverse incident, and any data 
                                directly connected to the adverse 
                                incident in order to address and 
                                mitigate the harm; and</DELETED>
                                <DELETED>    (III) that the agency has 
                                the right to temporarily or permanently 
                                suspend use of the artificial 
                                intelligence if--</DELETED>
                                        <DELETED>    (aa) the risks of 
                                        the artificial intelligence to 
                                        rights or safety become 
                                        unacceptable, as determined 
                                        under the agency risk 
                                        classification system pursuant 
                                        to section 7; or</DELETED>
                                        <DELETED>    (bb) on or after 
                                        the date that is 180 days after 
                                        the publication of the most 
                                        recently updated version of the 
                                        framework developed and updated 
                                        pursuant to section 22(A)(c) of 
                                        the National Institute of 
                                        Standards and Technology Act 
                                        (15 U.S.C. 278h-1(c)), the 
                                        deployer is found not to comply 
                                        with such most recent 
                                        update;</DELETED>
                        <DELETED>    (iii) requirements for quality, 
                        relevance, sourcing and ownership of data, as 
                        appropriate by use case, and applicable unless 
                        the head of the agency waives such requirements 
                        in writing, including--</DELETED>
                                <DELETED>    (I) retention of rights to 
                                Government data and any modification to 
                                the data including to protect the data 
                                from unauthorized disclosure and use to 
                                subsequently train or improve the 
                                functionality of commercial products 
                                offered by the deployer, any relevant 
                                developers, or others; and</DELETED>
                                <DELETED>    (II) a requirement that 
                                the deployer and any relevant 
                                developers or other parties isolate 
                                Government data from all other data, 
                                through physical separation, electronic 
                                separation via secure copies with 
                                strict access controls, or other 
                                computational isolation 
                                mechanisms;</DELETED>
                        <DELETED>    (iv) requirements for evaluation 
                        and testing of artificial intelligence based on 
                        use case, to be performed on an ongoing basis; 
                        and</DELETED>
                        <DELETED>    (v) requirements that the deployer 
                        and any relevant developers provide 
                        documentation, as determined necessary and 
                        requested by the agency, in accordance with 
                        section 8(b).</DELETED>
                <DELETED>    (B) Review.--The Senior Procurement 
                Executive, in coordination with the Chief Artificial 
                Intelligence Officer, shall consult with technologists, 
                information security personnel, domain experts, privacy 
                officers, data officers, civil rights and civil 
                liberties officers, contracting officials, legal 
                counsel, customer experience professionals, and other 
                relevant agency officials to review the requirements 
                described in clauses (i) through (v) of subparagraph 
                (A) and determine whether it may be necessary to 
                incorporate additional requirements into relevant 
                contracts or agreements.</DELETED>
                <DELETED>    (C) Regulation.--The Federal Acquisition 
                Regulatory Council shall revise the Federal Acquisition 
                Regulation as necessary to implement the requirements 
                of this subsection.</DELETED>
        <DELETED>    (2) Rules of construction.--This Act shall 
        supersede any requirements that conflict with this Act under 
        the guidance required to be produced by the Director pursuant 
        to section 7224(d) of the Advancing American AI Act (40 U.S.C. 
        11301 note).</DELETED>

<DELETED>SEC. 5. INTERAGENCY GOVERNANCE OF ARTIFICIAL 
              INTELLIGENCE.</DELETED>

<DELETED>    (a) Chief Artificial Intelligence Officers Council.--Not 
later than 60 days after the date of enactment of this Act, the 
Director shall establish a Chief Artificial Intelligence Officers 
Council.</DELETED>
<DELETED>    (b) Duties.--The duties of the Council shall include--
</DELETED>