Executive Summary
President Joe Biden’s recent signing of a sweeping executive order aimed at increasing governance of artificial intelligence in the federal government brings urgency to the creation and implementation of AI risk management standards and federal procurement guidelines.[1] The Office of Management and Budget (OMB) quickly followed with guidance to departments and agencies that includes minimum AI risk standards and directs their incorporation into federal contracts.[2] A looming challenge is how the government can best use federal procurement rules, requirements, and practices to ensure supplier compliance with AI development best practices.
The federal government often uses its significant purchasing power to incentivize and enforce policies among its industrial base, making compliance a condition of being awarded government contracts. The U.S. government’s position as a major customer of many top companies has effectively made its cybersecurity framework the “de facto standard,” adopted by governments and industries worldwide.[3] The effectiveness of procurement rules in driving the adoption of cybersecurity best practices has led members of Congress and industry leaders to cite them as an example to follow for enforcing AI risk management.
The current evolution of AI risk management frameworks, the corresponding legislation driving their development and use in the government, and the calls for their inclusion in federal procurement regulations resemble the conditions that drove the creation of cybersecurity frameworks and federal procurement rules. For this reason, the federal government’s adoption and implementation of procurement rules to enforce cybersecurity standards within its supplier base provides a blueprint for AI and can help forecast upcoming difficulties. The lessons and challenges that arose from implementing cybersecurity procurement rules include:
- Difficulty matching the level of risk management to the level of risk impact.
- Difficulty balancing trust and verification in assessment requirements.
- Difficulty in oversight and enforcement of workforce preparation and training.
- Concerns about third-party auditing and government oversight.
- Use of procurement rules to enforce incident reporting and sharing.
Using these lessons as a guide, this paper provides the following recommendations for policymakers looking to institute AI procurement practices and standards:
- Develop standards to assess the level of risk and potential impacts of AI systems. Establish categories to differentiate the levels of risk AI systems pose and develop the appropriate risk management practices required for each category.
- Base the level of requirements verification on the overall risk of the system. Compliance audits are costly, so the federal government should use risk categories to determine which systems require compliance auditing.
- Mandate and provide training on AI risk management standards for the federal acquisition workforce.
- Leverage third-party auditors to support assessments of supplier compliance with AI risk management standards. This would address labor limitations and skills gaps in the federal workforce, but final approval decisions must rest with the government. Establish an AI standards center of excellence to provide government oversight and support compliance assessments.
- Use contracting rules to incentivize and, when necessary, compel government suppliers to comply with AI incident reporting and cross-agency sharing.
The recommendations provide implementation guidance on how to avoid the missteps of the past while enabling timely adoption of best practices. Oversight and enforcement of supplier compliance with AI risk management standards will require a significant effort by the government, one that should be informed by the historical experience in cybersecurity and tailored to the specific demands of AI technologies. These recommendations can help guide the establishment of effective procurement rules, practices, and enforcement infrastructure to ensure AI risk management compliance and reduce the likelihood of AI harms.
Putting Teeth into AI Risk Management

[1] Exec. Order No. 14110, 88 FR 75191 (2023), https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/.
[2] Shalanda Young, “Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence,” memorandum M-24-10, Office of Management and Budget, March 28, 2024, https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24-10-Advancing-Governance-Innovation-and-Risk-Management-for-Agency-Use-of-Artificial-Intelligence.pdf.
[3] NIST, Initial Summary Analysis of Responses to the Request for Information (RFI) Evaluating and Improving Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management (Washington, DC: Department of Commerce, 2022), https://www.nist.gov/system/files/documents/2022/06/03/NIST-Cybersecurity-RFI-Summary-Analysis-Final.pdf.