Skip to main content

OMB's New Guidance on AI Procurement Prioritizes Security and Competition

Litigation Alert

The Office of Management and Budget (OMB) released a new memorandum at the beginning of October, "Advancing the Responsible Acquisition of Artificial Intelligence in Government" (M-24-18) (the Memo), intended to help "agencies harness the power of AI." The new guidance builds on the foundation laid by the March 2024 OMB memorandum (M-24-10), "Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence," by directing agencies to adopt acquisition-related practices to manage the risks of AI, particularly those associated with rights- and safety-impacting AI, enhance competition, and make clear the priorities for agencies acquiring AI. While the Memo is directed at agencies and does not impose new requirements on contractors directly, those providing AI products and services could soon see it influence contract requirements, source selection evaluation criteria, and contract terms. 

Having spent over $100 billion on information technology (IT) products and services in 2023, the federal government sees itself as a market driver able to steer industry policy through government-wide procurement strategies. The most recent guidance is one more step towards using that purchasing power to direct industry practice towards increased security, responsibility, and interoperability. 

Who Is Impacted?

All contractors who provide AI-related products and services to government agencies (except Intelligence Community (IC) agencies, which were exempt) will see the effects of the new guidance eventually, but those whose AI offerings are used to perform "safety-impacting" or "rights-impacting" tasks could see changes very quickly. The Memo requires agencies to identify high-risk AI procurements by November 1, 2024, and to comply with the corresponding provisions of M-24-18 and M-24-10 by December 1, 2024. 

The guidance applies to all applications of AI, whether part of stand-alone systems or integrated into broader IT products or services, but it specifically excludes "any common commercial product within which [AI] is embedded, such as a word processor or map navigation system," as long as the system is not customized for the agency. There is also a carve out for "AI used incidentally by a contractor during performance of the contract," where such use is not necessary to fulfill the requirements of the contract.

The Memo is organized around three strategic goals: managing AI risk and performance, promoting a competitive AI market with innovative acquisition, and ensuring collaboration across the federal government. We discuss the first two goals below.

Managing AI Risks and Performance

Agencies are instructed to prioritize "privacy, security, data ownership, and interoperability," with particular focus on AI's inherent risks when dealing with safety-impacting or rights-impacting uses. Again, while the directives are imposed on agencies, contractors should be prepared for the directives to flow down to them in the following ways:

  • Report any proposed use of AI in proposals and notify the agency before integrating new AI components into products or services provided under existing contracts.
  • Explain how personally identifiable information (PII) is protected and privacy risks are minimized. 
  • Identify potential biases within AI systems that could result in unlawful discrimination and propose mitigation strategies.
  • Obtain agency consent before using agency data to train AI models or to train publicly or commercially available AI products.
  • Provide access and documentation necessary for the agency to understand how a model was trained and assess its integrity.
  • Provide agencies with the time and access needed to conduct ongoing tests to monitor the continued functionality of AI systems or services and/or regularly conduct such tests themselves and provide the results.
  • Agree to meet performance standards and retrain AI systems as needed to fix unwanted behaviors.
  • For rights- and safety-impacting uses, report serious incidents of AI malfunction to the contracting agency either within 72 hours or "in a timely manner" based on the severity of the incident. The clock starts when a contractor "reasonably believes an incident has occurred." The terms "serious" and "malfunction" have yet to be defined.
  • For generative AI, identify outputs that are created or modified through the use of AI, such as by including watermarks or metadata; mitigate inappropriate uses and prevent harmful or illegal outputs; and mitigate the environmental impact by using efficient data centers and prioritizing renewable energy.

Contractors should also expect agencies to:

  • Use performance-based requirements to better evaluate vendor claims about their AI systems or services before issuing awards and to monitor performance post-award.
  • Consider data rights during acquisition planning and source selection evaluation to ensure sufficient rights to meet agency mission requirements, safety and monitoring requirements, and prevent vendor-lock.
  • Prioritize as a key contract consideration the handling of data, including procedures for data management, accountability, and access.
  • Include cost estimates for post-award oversight, risk management, maintenance, and corrective action in budgeting for procurements.

Promoting a Competitive AI Market through Innovative Acquisition Practices

Agencies are encouraged to conduct procurements with an eye toward expanding the competitive marketplace, both by lowering barriers to entry and by prioritizing interoperability. 

Contractors in the AI space can expect to see:

  • Contractual language, including clauses or deliverables, requiring vendors to deliver the information and data rights an agency needs to prevent vendor-lock.
  • Requests to maximize data rights and model operability by agreeing to unrestrictive licensing terms.
  • Requests for transparent pricing across the AI lifecycle.
  • Disincentivizing bulk pricing arrangements or other methods of consolidation with one vendor or group.

Agencies are strongly encouraged to use "innovative acquisition practices," which include:

  • Implementing performance-based requirements to better evaluate contractors' claims about their AI offerings during the solicitation process and to improve post-award monitoring.
  • Asking vendors to use "show, don't tell" approaches such as oral presentations, pilots, or trials to demonstrate the technical capabilities of their AI products in action.
  • Promoting competition by limiting the duration of contracts to allow for periodic reassessment of contractors' performance and alignment with agency needs.
  • Prioritizing best value source selection methods, focused on contractors' technical capabilities, rather than low price technically acceptable determinations.
  • Lowering barriers to entry by using non-Federal Acquisition Regulation (FAR) procurement options such as pilot programs or other transaction authorities (OTAs).

It remains to be seen how fundamentally agencies will change their acquisition strategies in response to the Memo. To discuss how best to position your company to align with the priorities outlined in the new guidance, contact the Miller & Chevalier attorneys listed below.

Scott N. Flesch, sflesch@milchev.com, 202-626-1584

Ashley Powers, apowers@milchev.com, 202-626-5564

Elissa Harwood, eharwood@milchev.com, 202-626-5890



The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.