[Congressional Record Volume 170, Number 120 (Wednesday, July 24, 2024)]
[Senate]
[Page S5466]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 3139. Mr. SCHUMER (for himself, Mr. Rounds, and Mr. Heinrich) 
submitted an amendment intended to be proposed by him to the bill S. 
4638, to authorize appropriations for fiscal year 2025 for military 
activities of the Department of Defense, for military construction, and 
for defense activities of the Department of Energy, to prescribe 
military personnel strengths for such fiscal year, and for other 
purposes; which was ordered to lie on the table; as follows:

       At the appropriate place in title X, insert the following:

     SEC. ___. PHYSICAL AND CYBERSECURITY REQUIREMENTS FOR HIGHLY 
                   CAPABLE ARTIFICIAL INTELLIGENCE SYSTEMS.

       (a) Definitions.--In this section:
       (1) Artificial intelligence.--The term ``artificial 
     intelligence'' has the meaning given such term in section 
     5002 of the National Artificial Intelligence Initiative Act 
     of 2020 (15 U.S.C. 9401).
       (2) Covered artificial intelligence technology.--The term 
     ``covered artificial intelligence technology'' means a 
     technology specified in the guidance developed under 
     subsection (c)(3), including all components of that 
     technology, such as source code and numerical parameters of a 
     trained artificial intelligence system.
       (3) Covered entity.--The term ``covered entity'' means a 
     person (as defined in section 1742 of the Export Control 
     Reform Act of 2018 (50 U.S.C. 4801)) who engages in the 
     development, deployment, storage, or transportation of a 
     covered artificial intelligence technology.
       (b) Findings.--Congress makes the following findings:
       (1) Source code, numerical parameters, and related 
     technology associated with highly capable artificial 
     intelligence systems in the possession of private artificial 
     intelligence companies are an invaluable national resource 
     that would pose a grave threat to United States national 
     security if stolen by a foreign adversary through a cyber 
     operation or insider threat.
       (2) Numerous foreign adversaries have the capacity to 
     engage in cyber operations to extract important data from 
     private companies, absent the most stringent cybersecurity 
     protections.
       (c) Security Framework.--
       (1) In general.--The Secretary of Commerce and the 
     Secretary of Homeland Security shall jointly, in coordination 
     with the Director of National Intelligence, develop a 
     consensus-based framework describing best practices for 
     artificial intelligence cybersecurity, physical security, and 
     insider threat mitigation to address or mitigate risks 
     relating to national security, foreign policy, economic 
     stability, or public safety implications, including to 
     protect vital national resources from theft that would do 
     grave damage to the United States.
       (2) Risk-based framework.--The framework developed under 
     paragraph (1) shall be risk-based, with stronger security 
     corresponding proportionally to the national security, 
     foreign policy, economic stability, or public safety risks 
     posed by the artificial intelligence technology being stolen 
     or made publicly available.
       (3) Covered artificial intelligence technologies.--
       (A) Guidance.--The framework developed under paragraph (1) 
     shall provide clear guidance about which artificial 
     intelligence technologies are covered under the framework. 
     Such technologies shall be those that, if obtained by a 
     foreign adversary, would pose a grave threat to the national 
     security of the United States.
       (B) Objective evaluation procedures.--Where feasible, the 
     guidance provided under subparagraph (A) shall be specified 
     in terms of objective evaluation procedures that measure or 
     estimate the national security implications of the artificial 
     intelligence technology, either before, during, or after it 
     has been developed.
       (4) Minimum stringency.--The framework developed under 
     paragraph (1) shall be no less stringent than ISO/IEC 27001, 
     as in effect on the day before the date of the enactment of 
     this Act.
       (5) Form.--At the discretion of the Secretary, the 
     framework developed under paragraph (1) may be implemented in 
     the form of technical standards.
       (d) Security Requirements.--
       (1) In general.--The Secretary of Commerce and the 
     Secretary of Homeland Security may issue rules to require 
     covered entities to implement the best practices described in 
     the framework developed under subsection (c).
       (2) Risk-based rules.--Requirements implemented in rules 
     developed under paragraph (1) shall be as narrowly tailored 
     as practicable to the specific covered artificial 
     intelligence technologies developed, deployed, stored, or 
     transported by a covered entity, and shall be calibrated 
     accordingly to the different tasks involved in development, 
     deployment, storage, or transportation of components of those 
     covered artificial intelligence technologies.
                                 ______