On April 3, the White House Office of Management and Budget (“OMB”) released two memoranda with AI guidance and requirements for federal agencies, Memorandum M-25-21 on Accelerating Federal Use of AI through Innovation, Governance, and Public Trust (“OMB AI Use Memo”) and Memorandum M-25-22 on Driving Efficient Acquisition of Artificial Intelligence in Government (“OMB AI Procurement Memo”).  According to the White House’s fact sheet, the OMB AI Use and AI Procurement Memos (collectively, the “new OMB AI Memos”), which rescind and replace OMB memos on AI use and procurement issued under President Biden’s Executive Order 14110 (“Biden OMB AI Memos”), shift U.S. AI policy to a “forward-leaning, pro-innovation, and pro-competition mindset” that will make agencies “more agile, cost-effective, and efficient.”  The new OMB AI Memos implement President Trump’s January 23 Executive Order 14179 on “Removing Barriers to American Leadership in Artificial Intelligence” (the “AI EO”), which directs the OMB to revise the Biden OMB AI Memos to make them consistent with the AI EO’s policy of “sustain[ing] and enhance[ing] America’s global AI dominance.”

Overall, the new OMB AI Memos build on the frameworks established under President Trump’s 2020 Executive Order 13960 on “Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government” and the Biden OMB AI Memos.  This is consistent with the AI EO, which noted that the Administration would “revise” the Biden AI Memos “as necessary.”  At the same time, the new OMB AI Memos include some significant differences from the Biden OMB’s approach in the areas discussed below (as well as other areas).

  • Scope & Definitions.  The OMB AI Use Memo applies to “new and existing AI that is developed, used, or acquired by or on behalf of covered agencies,” with certain exclusions for the Intelligence Community and the Department of Defense.  The memo defines “AI” by reference to Section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019.  Like the Biden OMB AI Memos, the OMB AI Use Memo states that “no system should be considered too simple to qualify as covered AI due to a lack of technical complexity.”

    The OMB AI Procurement Memo applies to “AI systems or services that are acquired by or on behalf of covered agencies,” excluding the Intelligence Community, and includes “data systems, software, applications, tools, or utilities” that are “established primarily” for researching, developing, or implementing AI or where an “AI capability” is integrated into another process, operational activity, or technology system.  The memo excludes AI that is “embedded” in “common commercial products” that are widely available for commercial use and have “substantial non-AI purposes or functionalities,” along with AI “used incidentally by a contractor” during contract performance.  In other words, the policies are targeted at software that is primarily used for its AI capabilities, rather than at software that happens to incorporate AI.
  • Exemption for National Security Systems.  Like the Biden OMB AI Memos, the new OMB AI Memos exclude AI used, or acquired for use, “as a component of a National Security System,” as defined in 44 U.S.C. § 3552(b)(6).  However, the Biden Administration issued an AI National Security Memorandum (“AI NSM”) in 2024 to address the use of AI in national security systems, as required by the now-revoked Executive Order 14110 on the “Safe, Secure, and Trustworthy Development and Use of AI.”  By contrast, the new OMB AI Memos state that the use and acquisition of AI in national security systems will be governed by guidance issued by the Department of Defense.  While the Biden AI NSM itself has yet to be revoked, the Trump Administration is likely to revoke or significantly revise the AI NSM to align it with President Trump’s AI EO, as the AI NSM contains some of the same types of provisions that were altered in the OMB AI Memos.
  • Governance & Transparency Requirements.  The OMB AI Use Memo requires covered agencies, through their Chief AI Officers, to develop and publish “compliance plans” for achieving consistency with the memo; update internal IT, data, cybersecurity, and privacy policies; develop Generative AI policies with acceptable uses, safeguards, and oversight mechanisms; and update AI use case inventories on an annual basis.  The OMB AI Use Memo also establishes heightened “minimum risk management practices” for “high-impact AI use cases,” i.e., AI “with an output that serves as a principal basis for decisions or actions with legal, material, binding, or significant effect” on civil rights, civil liberties, privacy, access to critical life opportunities or government services, human health and safety, critical infrastructure or public safety, or strategic assets or resources.  Under the OMB AI Use Memo, covered agencies that deploy high-impact AI must (1) conduct pre-deployment testing and prepare risk mitigation plans, (2) complete pre-deployment AI impact assessments, (3) conduct ongoing monitoring, (4) ensure adequate training and oversight, (5) offer timely human review and opportunities to appeal for AI-enabled decisions, and (6) collect and incorporate feedback from end users and the public.

    By contrast, the Biden OMB AI Use Memo established minimum risk management practices for “rights-impacting” and “safety-impacting” AI and imposed additional minimum risk management practices for rights-impacting AI that are absent from the OMB AI Use Memo, including identifying and assessing “AI’s impact on equity and fairness,” mitigating algorithmic discrimination, providing notice to negatively affected individuals, and providing mechanisms for opting out of AI-enabled decisions.
  • “American-Made AI” Provisions.  Acknowledging that the AI EO “recognizes the importance of American AI development to promote human flourishing, economic competitiveness, and national security,” the OMB AI Procurement Memo states that “it is the policy of the United States to buy American and to maximize the use of AI products and services that are developed and produced in the United States.”  Similarly, the OMB AI Use Memo encourages covered agencies to “invest in the American AI marketplace” when pursuing AI acquisitions.  These concepts were not emphasized as strongly in the Biden OMB AI Memos, although domestic preferencing in federal procurement has received bipartisan support.
  • IP Rights & Use of Government Data.  Like the Biden OMB AI Memos, the new OMB AI Memos place a strong emphasis on protections for IP rights and government data when procuring AI systems or services, including through required contractual terms.  However, the OMB AI Procurement Memo specifically requires covered agencies to review and update “agency processes” for the treatment of data ownership and IP rights in AI procurements, which should include (1) appropriately scoped licensing and IP rights, based on the intended use of AI, to avoid vendor lock-in (discussed below), (2) terms ensuring that “components necessary to operate and monitor the AI system or service” are available for the acquiring agency as long as necessary, (3) guidance to ensure that vendors collect and retain government data only when reasonably necessary under the contract, and (4) terms that permanently prohibit the use of non-public agency data in AI inputs, and resulting outputs, for training publicly or commercially available AI algorithms without agency consent.  The memo also calls on covered agencies to prioritize obtaining documentation from vendors that “facilitates transparency and explainability, and that ensures an adequate means of tracking performance and effectiveness for procured AI.”
  • Vendor Lock-In Provisions.  Like their predecessors, the new OMB AI Memos also require covered agencies to promote competition and prevent vendor lock-in when procuring AI.  The OMB AI Use Memo advises covered agencies to “adopt procurement practices that encourage competition to sustain a robust Federal AI marketplace,” including by “preferencing interoperable AI products and services.”  The OMB AI Procurement Memo requires covered agencies to consider vendor lock-in at various points across the “AI acquisition lifecycle.”  Specifically, covered agencies are encouraged to (1) consider vendor lock-in when assessing long-term cost-effectiveness during initial product demonstrations, (2) include provisions that reduce vendor lock-in risks, such as knowledge transfer, data and model portability, and licensing and pricing transparency requirements, in solicitations, (3) include terms to prevent vendor lock-in, such as the requirements above and terms that provide agencies with “rights to code and models produced in performance of a contract,” when selecting and awarding proposals, and (4) implement terms relating to ongoing rights and access to data at the closeout of a contract to ensure that data can still be used by subsequent vendors.
  • Performance-Based Contracting, Market Research, and Commerciality.  The OMB AI Procurement Memo strongly encourages covered agencies to use performance-based techniques to identify requirements and contract terms.  The memo notes that using performance-based techniques will allow agencies to “understand and assess vendor claims about their proposed use of AI systems or services prior to the contract award, acquire AI capabilities that address their needs, and perform post-award monitoring.”  These performance-based techniques include encouraging: (1) statements of objectives and performance work statements, (2) quality assurance surveillance plans, and (3) contract incentives.  The memo purports that these techniques will help agencies ensure their needs are being met by defining metrics, with the goal of providing agencies with more flexibility to acquire AI systems or services, helping agencies overcome challenges in defining relevant performance metrics, and improving the performance and interoperability of AI systems and services.  Consistent with these principles, the OMB AI Procurement Memo also emphasizes the need for market research.  These provisions, coupled with the memo’s emphasis on “innovative” and “efficient” acquisition and enhancing the competitive U.S. AI marketplace, suggest that the memo contemplates the use of commercial item contracting processes for the acquisition of AI systems and services to the maximum extent consistent with applicable laws and regulations.

    The memo notes that OMB will develop additional playbooks focused on the procurement of certain types of AI, including generative AI and AI-based biometrics.  Additionally, the memo directs the General Services Administration (“GSA”) to release AI procurement guides for the federal acquisition workforce that will address “acquisition authorities, approaches, and vehicles,” and to establish an online repository for agencies to share AI acquisition information and best practices, including language for standard AI contract clauses and negotiated costs.
  • The Role of NIST AI Standards.  In another sharp contrast to the Biden OMB AI Memos, the new OMB AI Memos lack any mention of the National Institute of Standards and Technology (“NIST”) or its recent and ongoing initiatives to develop AI performance and risk management standards.  For example, while both OMB AI Use Memos view the minimum risk management practices as an “initial baseline” for agencies, the Biden OMB AI Use Memo encouraged agencies to supplement the minimum requirements with best practices from NIST’s 2023 AI Risk Management Framework.  By contrast, the new OMB AI Use Memo encourages covered agencies to “continue developing their own agency-specific practices” that build upon the minimum practices.  Similarly, while the Biden OMB AI Procurement Memo called on agencies to adapt NIST’s AI Risk Management Framework and Secure Software Development Framework when procuring AI, the new OMB AI Procurement Memo only instructs covered agencies to ensure that contracts comply with minimum risk management practices established in the OMB AI Use Memo.

    The omission of NIST from the OMB AI Memos could suggest a less active role for NIST and the Department of Commerce in U.S. AI policy under the Trump Administration, or at least that agencies may have greater flexibility when considering whether to incorporate NIST standards.  At the same time, NIST has continued its work on AI standards in recent weeks, including the development of a Cyber AI Profile, while its U.S. AI Safety Institute has continued to garner support from industry stakeholders.

Nooree Lee

Nooree Lee represents government contractors in all aspects of the procurement process and focuses his practice on the regulatory aspects of M&A activity, procurements involving emerging technologies, and international contracting matters.

Nooree advises government contractors and financial investors regarding the regulatory aspects of corporate transactions and restructurings. His experience includes preparing businesses for sale, negotiating deal documents, coordinating large-scale diligence processes, and navigating pre- and post-closing regulatory approvals and integration. He has advised on 35+ M&A deals involving government contractors totaling over $30 billion in combined value. This includes Veritas Capital’s acquisition of Cubic Corp. for $2.8 billion; the acquisition of Perspecta Inc. by Veritas Capital portfolio company Peraton for $7.1 billion; and Cameco Corporation’s strategic partnership with Brookfield Renewable Partners to acquire Westinghouse Electric Company for $7.8+ billion.

Nooree also counsels clients focused on delivering emerging technologies to public sector customers. Over the past several years, his practice has expanded to include advising on the intersection of government procurement and artificial intelligence. Nooree counsels clients on the negotiation of AI-focused procurement and non-procurement agreements with the U.S. government and the rollout of federal and state-level regulations impacting the procurement and deployment of AI solutions on behalf of government agencies.

Nooree also counsels clients navigating the Foreign Military Sales (FMS) program and Foreign Military Financing (FMF) arrangements. Nooree has advised both U.S. and ex-U.S. companies in connection with defense sales to numerous foreign defense ministries, including those of Australia, Israel, Singapore, South Korea, and Taiwan.

Nooree maintains an active pro bono practice focusing on appeals of denied industrial security clearance applications and public housing and housing discrimination matters. In addition to his work within the firm, Nooree is an active member of the American Bar Association’s Section of Public Contract Law and has served on the Section Council and the Section’s Diversity Committee. He also served as the firm’s Fellow for the Leadership Council on Legal Diversity program in 2023.

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Matthew Shapanka

Matthew Shapanka practices at the intersection of law, policy, and politics. He advises clients before Congress, state legislatures, and government agencies, helping businesses to navigate complex legislative, regulatory, and investigations matters, mitigate their legal, political, and reputational risks, and capture business opportunities.

Drawing on more than 15 years of experience on Capitol Hill and in private practice, state government, and political campaigns, Matt develops and executes complex, multifaceted public policy initiatives for clients seeking actions by Congress, state legislatures, and federal and state government agencies. He regularly counsels and represents businesses in legislative and regulatory matters involving intellectual property, national security, regulation of critical and emerging technologies like artificial intelligence, connected and autonomous vehicles, and other tech policy issues. He also represents clients facing congressional investigations or inquiries across a range of committees and subject matters.

Matt rejoined Covington after serving as Chief Counsel for the U.S. Senate Committee on Rules and Administration, where he advised Chairwoman Amy Klobuchar (D-MN) on all legal, policy, and oversight matters before the Committee, particularly federal election and campaign finance law, Federal Election Commission nominations, and oversight of the legislative branch. Most significantly, Matt led the Committee’s staff work on the Electoral Count Reform Act – a landmark bipartisan law that updates the procedures for certifying and counting votes in presidential elections – and the Committee’s bipartisan joint investigation (with the Homeland Security Committee) into the security planning and response to the January 6th attack.

Both in Congress and at Covington, Matt has prepared dozens of corporate and nonprofit executives, academics, government officials, and presidential nominees for testimony at congressional committee hearings and depositions. He is a skilled legislative drafter who has composed dozens of bills and amendments introduced in Congress and state legislatures, including several that have been enacted into law across multiple policy areas. Matt also leads the firm’s state policy practice, advising clients on complex multistate legislative and regulatory matters and managing state-level advocacy efforts.

In addition to his policy work, Matt advises and represents clients on the full range of political law compliance and enforcement matters involving federal election, campaign finance, lobbying, and government ethics laws, the Securities and Exchange Commission’s “Pay-to-Play” rule, and the election and political laws of states and municipalities across the country.

Before law school, Matt served in the administration of former Governor Deval Patrick (D-MA) as a research analyst in the Massachusetts Recovery & Reinvestment Office, where he worked on policy, communications, and compliance matters for federal economic recovery funding awarded to the state. He has also staffed federal, state, and local political candidates in Massachusetts and New Hampshire.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

August Gweon

August Gweon counsels national and multinational companies on data privacy, cybersecurity, antitrust, and technology policy issues, including issues related to artificial intelligence and other emerging technologies. August leverages his experiences in AI and technology policy to help clients understand complex technology developments, risks, and policy trends.

August regularly provides advice to clients on privacy and competition frameworks and AI regulations, with an increasing focus on U.S. state AI legislative developments and trends related to synthetic content, automated decision-making, and generative AI. He also assists clients in assessing federal and state privacy regulations like the California Privacy Rights Act, responding to government inquiries and investigations, and engaging in public policy discussions and rulemaking processes.

Bolatito Adetula

Tito Adetula is an associate in the firm’s Washington, DC office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Government Contracts Practice Group.

Tito also maintains an active pro bono practice focused on data privacy and cybersecurity matters.