[House Report 118-905]
[From the U.S. Government Publishing Office]
118th Congress } { Report
HOUSE OF REPRESENTATIVES
2d Session } { 118-905
======================================================================
FEDERAL A.I. GOVERNANCE AND TRANSPARENCY ACT OF
2024
_______
December 18, 2024.--Committed to the Committee of the Whole House on
the State of the Union and ordered to be printed
_______
Mr. Comer, from the Committee on Oversight and Accountability,
submitted the following
R E P O R T
[To accompany H.R. 7532]
[Including cost estimate of the Congressional Budget Office]
The Committee on Oversight and Accountability, to whom was
referred the bill (H.R. 7532) to amend chapter 35 of title 44,
United States Code, to establish Federal AI system governance
requirements, and for other purpose, having considered the
same, reports favorably thereon with an amendment and
recommends that the bill as amended do pass.
CONTENTS
Page
Summary and Purpose of Legislation............................... 8
Background and Need for Legislation.............................. 9
Section-by-Section Analysis...................................... 14
Legislative History.............................................. 17
Committee Consideration.......................................... 18
Roll Call Votes.................................................. 18
Explanation of Amendments........................................ 20
List of Related Committee Hearings............................... 20
Statement of Oversight Findings and Recommendations of the
Committee...................................................... 21
Statement of General Performance Goals and Objectives............ 21
Application of Law to the Legislative Branch..................... 21
Duplication of Federal Programs.................................. 21
Federal Advisory Committee Act Statement......................... 21
Unfunded Mandates Reform Act Statement........................... 22
Earmark Identification........................................... 22
Committee Cost Estimate.......................................... 22
New Budget Authority and Congressional Budget Office Cost
Estimate....................................................... 22
Changes In Existing Law Made by the Bill, as Reported............ 23
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal A.I. Governance and
Transparency Act of 2024''.
SEC. 2. ESTABLISHMENT OF FEDERAL AGENCY ARTIFICIAL INTELLIGENCE SYSTEM
GOVERNANCE REQUIREMENTS.
(a) Federal AI System Governance.--
(1) Amendment.--Chapter 35 of title 44, United States Code,
is amended by adding at the end the following:
``SUBCHAPTER IV--ARTIFICIAL INTELLIGENCE SYSTEM GOVERNANCE
``Sec. 3591. Purposes
``The purposes of this subchapter, with respect to the design,
development, acquisition, use, management, and oversight of artificial
intelligence in the Federal Government, are to ensure the following:
``(1) Actions that are consistent with the Constitution and
any other applicable law and policy, including those addressing
freedom of speech, privacy, civil rights, civil liberties, and
an open and transparent Government.
``(2) Any such action is purposeful and performance-driven,
including ensuring the following:
``(A) Such action promotes the consistent and
systemic treatment of all individuals in a fair, just,
and impartial manner.
``(B) The public benefits of such action
significantly outweigh the risks.
``(C) The risks and operations of such action do not
unfairly and disproportionately benefit or harm an
individual or subgroup of the public.
``(D) The risk of such action is assessed and
responsibly managed, including before the use of
artificial intelligence.
``(3) Any application of artificial intelligence is
consistent with the use cases for which the artificial
intelligence was trained, and the deployers of such application
promote verifiably accurate, ethical, reliable, and effective
use.
``(4) The safety, security, and resiliency of artificial
intelligence applications, including resilience when confronted
with any systematic vulnerability, adversarial manipulation,
and other malicious exploitation.
``(5) The purpose, operations, risks, and outcomes of
artificial intelligence applications are sufficiently
explainable and understandable, to the extent practicable, by
subject matter experts, users, impacted parties, and others, as
appropriate.
``(6) Such action is responsible and accountable, including
by ensuring the following:
``(A) Human roles and responsibilities are clearly
defined, understood, and appropriately assigned.
``(B) Artificial intelligence is used in a manner
consistent with the purposes described in this section
and the purposes for which each use of artificial
intelligence is intended.
``(C) Such action, as well as relevant inputs and
outputs of artificial intelligence applications, are
well documented and accountable.
``(7) Responsible management and oversight by ensuring the
following:
``(A) Artificial intelligence applications are
regularly tested against the purposes described in this
section.
``(B) Mechanisms are maintained to supersede,
disengage, or deactivate applications of artificial
intelligence that demonstrate performance or outcomes
that are inconsistent with the intended use or this
subchapter.
``(C) Engagement with impacted communities.
``(8) Transparency in publicly disclosing relevant
information regarding the use of artificial intelligence to
appropriate stakeholders, to the extent practicable and in
accordance with any applicable law and policy, including with
respect to the protection of privacy, civil liberties, and of
sensitive law enforcement, national security, trade secrets or
proprietary information, and other protected information.
``(9) Accountability for the following:
``(A) Implementing and enforcing appropriate
safeguards necessary to comply with the purposes
described in this section and the requirements of this
subchapter, for the proper use and functioning of the
applications of artificial intelligence.
``(B) Monitoring, auditing, and documenting
compliance with those safeguards, as appropriate.
``(C) Providing appropriate training to all agency
personnel responsible for the design, development,
acquisition, use, management, and oversight of
artificial intelligence.
``Sec. 3592. Definitions
``In this subchapter:
``(1) In general.--Except as provided in paragraph (2), the
definitions under sections 3502 shall apply to this subchapter.
``(2) Additional definitions.--In this subchapter:
``(A) Administrator.--The term `Administrator' means
the Administrator of General Services.
``(B) Appropriate congressional committees.--The term
`appropriate congressional committees' means the
Committee on Oversight and Accountability of the House
of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate.
``(C) Artificial intelligence.--The term `artificial
intelligence' has the meaning given the term in section
238(g) of the John S. McCain National Defense
Authorization Act for Fiscal Year 2019 (Public Law 115-
232; 10 U.S.C. note prec. 4061).
``(D) Artificial intelligence system.--The term
`artificial intelligence system' means any data system,
software, application, tool, or utility that operates
in whole or in part using dynamic or static machine
learning algorithms or other forms of artificial
intelligence, whether--
``(i) the data system, software, application,
tool, or utility is established primarily for
the purpose of researching, developing, or
implementing artificial intelligence
technology; or
``(ii) artificial intelligence capability is
integrated into another system or business
process, operational activity, or technology
system.
``(E) Federal artificial intelligence system.--The
term `Federal artificial intelligence system' means an
artificial intelligence system used in connection with
a Federal information system.
``(F) Federal information system.--The term `Federal
information system' has the meaning given the term in
section 11331(g) of title 40.
``(G) National security system.--The term `national
security system' has the meaning given that term in
section 3552(b) of title 44.
``Sec. 3593. Authority and functions of the Director
``The Director shall oversee the design, development, acquisition,
use, management, and oversight of Federal artificial intelligence
systems by agencies to implement the purposes described in section
3591. In performing such oversight, the Director shall do the
following:
``(1) Develop, coordinate, and oversee the implementation of
policies, purposes, standards, and guidelines to ensure
appropriate use of Federal artificial intelligence systems and
the protection of civil rights, civil liberties, and privacy,
including in conformity with section 552a of title 5 and other
applicable laws, as well as the integrity of Federal
information systems and information technology in accordance
with the other requirements of this chapter.
``(2) Oversee agency compliance with the requirements of this
subchapter, including through any authorized enforcement action
under section 11303(b)(5) of title 40 to ensure agency
accountability and compliance.
``(3) Issue and update, as necessary, guidance to agencies to
take steps to advance the governance of Federal artificial
intelligence systems, manage risk, and remove relevant barriers
to innovation, consistent with the requirements of this
subchapter and, as appropriate the standards promulgated under
section 22A of the National Institute of Standards and
Technology Act (15 U.S.C. 278h-1) pursuant to section 5302 of
the William M. (Mac) Thornberry National Defense Authorization
Act for Fiscal Year 2021 (15 U.S.C. 9441) that addresses the
following:
``(A) The development of policies regarding Federal
acquisition, procurement, and use by agencies regarding
artificial intelligence, including an identification of
the responsibilities of agency officials managing the
use of such technology.
``(B) The ownership and protection of data and other
information created, used, processed, stored,
maintained, disseminated, disclosed, or disposed of by
a contractor or subcontractor (at any tier) on behalf
of the Federal Government.
``(C) The protection of training data, algorithms,
and other components of any Federal artificial
intelligence system against misuse, unauthorized
alteration, degradation, or being rendered inoperable.
``(D) The removal of barriers to responsible agency
use of artificial intelligence, such as information
technology, data, workforce, and budgetary barriers, in
order to promote the innovative application of those
technologies while protecting privacy, civil liberties,
civil rights, and economic and national security.
``(E) The establishment of best practices for
identifying, assessing, and mitigating any
discrimination in violation of title VI of the Civil
Rights Act of 1964 (42. U.S.C. 2000d et seq.), or any
unintended consequence of the use of artificial
intelligence, including policies to--
``(i) identify data used to train artificial
intelligence;
``(ii) identify data analyzed or ingested by
Federal artificial intelligence systems used by
the agencies; and
``(iii) require periodic evaluation of
Federal artificial intelligence systems, as
appropriate.
``(4) Issue guidance for agencies to establish a plain
language notification process, as necessary and appropriate and
in conformity with applicable law, including section 552a of
title 5, for individuals or entities impacted by an agency
determination that has been based solely on an output from, or
substantively and meaningfully informed, augmented, or assisted
by a Federal artificial intelligence system, including the
contents of any notice, including examples of what the notice
may look like in practice.
``(5) Issue guidance for agencies to review their appeals
process and to make modifications, as necessary and
appropriate, to account for determinations made solely by or
substantively and meaningfully informed, augmented, or assisted
by a Federal artificial intelligence system, including guidance
on how an agency provides the impacted individual or entity the
opportunity for an alternative review independent of the
Federal artificial intelligence system, as appropriate.
``(6) Provide guidance and a template for the required
contents of the agency plans described in section 3594(6) that
uses a uniform resource locator that is in a consistent format
across agencies such as the format `agencyname.gov/AI'.
``(7) Issue guidance, including a uniform required submission
format and criteria for updating entries after significant
changes, for the establishment of agency AI governance charters
under section 3595, including defining high-risk Federal
artificial intelligence systems, and publication under section
3596.
``Sec. 3594. Federal agency responsibilities
``The head of each agency shall do the following:
``(1) Comply with the requirements of this subchapter and
related policies, purposes, standards, and guidelines,
including those under section 552a of title 5 and in guidance
issued by the Director under section 3593.
``(2) Ensure that Federal artificial intelligence system
management processes are integrated with agency strategic,
operational, data, workforce planning, and budgetary planning
processes, and other requirements under this chapter.
``(3) Ensure that senior agency officials, including the
Chief Information Officer, the Chief Data Officer, and the
senior agency official for privacy, implement policies and
procedures regarding Federal artificial intelligence systems
under the control of such officers, assess and reduce any risks
to such systems to an acceptable level, and periodically assess
and validate management procedures and controls to ensure
effective implementation of this subchapter.
``(4) Delegate to the agency Chief Information Officer
established under section 3506 (or comparable official in an
agency not covered by such section) the primary authority and
accountability to ensure compliance with the agency
requirements under this subchapter in coordination with any
other appropriate senior agency official designated by the head
of the agency.
``(5) Ensure that contracts for the acquisition and
procurement of a Federal artificial intelligence system are
consistent with the requirements of this subchapter and any
guidance issued by the Director under section 3593(3).
``(6) Maintain a plan, posted on a publicly available and
centralized webpage of the agency and prepared in accordance
with the template provided by the Director under section
3593(6), to--
``(A) achieve consistency with the requirements of
this subchapter and guidance issued by the Director;
and
``(B) provide the public information about agency
policies and procedures for governing Federal
artificial intelligence systems, including the
inventory of artificial intelligence use cases required
by section 7225(a) of the Advancing American AI Act
(subtitle B of title LXXII of Public Law 117-263; 40
U.S.C. 11301 note).
``(7) Establish procedures for notifying an individual or
entity impacted by an agency determination made solely by an
output from, or substantively and meaningfully informed,
augmented, or assisted by a Federal artificial intelligence
system in accordance with guidance issued by the Director under
section 3593(4).
``(8) Modify the agency appeals process, as necessary and
appropriate, to account for determinations made solely by or
substantively and meaningfully informed, augmented, or assisted
by a Federal artificial intelligence system, and to provide the
impacted individual or entity the opportunity for an
alternative review independent of the Federal artificial
intelligence system, as appropriate, as established by the
Director under section 3593(5).
``(9) In accordance with guidance issued by the Director
under section 3593(7), oversee the establishment of AI
governance charters for Federal artificial intelligence
systems, including by--
``(A) establishing a process, led by each official
identified in section 3594(4) to ensure that each
Federal artificial intelligence system has an
established AI governance charter that is regularly
updated in accordance with the requirements under
section 3595 and made publicly available on the webpage
under paragraph (6);
``(B) submitting each AI governance charter to the
Federal Register not later than 30-days after the
initial establishment or termination of the charter, in
conformity with guidance from the Director; and
``(C) submitting each AI governance charter to the
Administrator for publication in a format established
in the Directors guidance in accordance with section
3596.
``(10) In consultation with the Director, the Director of the
Office of Personnel Management, and the Administrator of
General Services, conduct regular training programs to educate
relevant agency program and management officials, including
employees supporting the functions of the Chief Information
Officer, the Chief Data Officer, the Evaluation Officer, the
senior privacy official, and the statistical official, as
appropriate, about the management of Federal artificial
intelligence systems and compliance with the requirements of
this subchapter, which may be integrated with the training
requirements and covered topics established by the Artificial
Intelligence Training for the Acquisition Workforce Act (Public
Law 117-207; 41 U.S.C. 1703 note).
``Sec. 3595. Agency AI Governance Charters
``(a) In General.--In accordance with the guidance established under
section 3593(7), the head of each agency shall ensure that an accurate
and complete AI governance charter is established for each Federal
artificial intelligence system in use by the agency that is designated
as a high-risk Federal artificial intelligence system or was trained
on, uses, or produces a record maintained on an individual (as defined
under section 552a(a) of title 5).
``(b) Contents of Charters.--An AI governance charter for a Federal
artificial intelligence system shall, at a minimum, include the
following:
``(1) The name and an identifying summary of the Federal
artificial intelligence system, including the following:
``(A) A descriptive summary of each purpose and
relevant use case of the system, as may be documented
on the inventory established under section 7225 of the
Advancing American AI Act (subtitle B of title LXXII of
Public Law 117-263; 40 U.S.C. 11301 note).
``(B) The bureau, department, or office using or
operating the system, and to the extent practicable,
each program designated on the website required under
section 1122(a)(2) of title 31 associated with use of
the system.
``(C) The name and direct contact information for a
designated agency official responsible for the overall
outputs of the system.
``(D) The name and direct contact information for a
designated agency official responsible for the ongoing
maintenance of the system which may be the same
official designated under subparagraph (C).
``(2) Information about how the Federal artificial
intelligence system was developed and funded, including the
following:
``(A) Other individuals or entities that have
developed, maintained, managed, and operated the
system.
``(B) Information about any relevant Federal award
including any associated contract, grant, cooperative
agreement, or other transaction agreement.
``(3) Information about the training, validation, and testing
of the Federal artificial intelligence system, including the
following:
``(A) A description of the type of data or data
assets used in the training, validation, and testing of
the Federal artificial intelligence system or, if such
information is not available, a statement describing
why such information is not available.
``(B) A designation of whether any of the data or
data assets used in training, validating, or testing
the Federal artificial intelligence system are
classified as an open Government data asset or a public
data asset or a designated system of record described
under paragraph (7).
``(C) Information on how to access any open
Government data asset or public data asset identified
under subparagraph (B).
``(D) A listing of audits, testing, or other risk
assessments of the Federal artificial intelligence
system, including contact information of the individual
or entity that conducted such assessments.
``(4) Information about ongoing oversight and maintenance of
the Federal artificial intelligence system, including a
description of the ongoing testing, monitoring, or auditing of
the Federal artificial intelligence system, including
information about the cadence of testing, as appropriate, and
the entity responsible for such testing.
``(5) Information about how the system is used by the agency,
including--
``(A) the date the agency began using the system and
the intended life span of use, if appropriate; and
``(B) whether any agency determinations have been or
are intended to be based solely on an output from, or
informed, augmented, or assisted by the Federal
artificial intelligence system, and--
``(i) a summary of how the Federal artificial
intelligence system or the data or data assets
produced by the Federal artificial intelligence
system is used to inform, augment, or assist in
making these determinations;
``(ii) information about other agencies or
federally funded entities that use or rely on
these determinations; and
``(iii) a description of any associated
notice or modified appeal process as required
under section 3593(4) and 3593(5).
``(6) Information about data or data assets produced by the
Federal artificial intelligence system, including a description
of the data or data assets produced, altered, or augmented by
the system, including--
``(A) a designation of whether any of the data or
data assets are classified as an open Government data
asset or a public data asset or are included in a
designated system of record described under paragraph
(7);
``(B) information on how to access any such open
Government data asset or public data asset identified
under subparagraph (A); and
``(C) information about any other agency or federally
funded entity known to use or otherwise rely upon the
data or data assets identified under this paragraph.
``(7) Information on whether the system was trained on, uses,
or produces a record maintained on an individual (as defined
under section 552a(a) of title 5), including--
``(A) a listing of any designated system of record
including a reference to any associated notice in the
Federal Register for the establishment or revision of
such system of record, as required under section
552a(d) of title 5; or
``(B) a description of any system of record that has
been exempted under subsection (j) or (k) of section
552a of title 5, including the statement required under
section 553(c) of title 5 that documents the reasons
why the system of records is exempted.
``(c) Regular Updates Required.--The head of each agency shall
establish procedures to ensure that each AI governance charter for the
agency is updated to capture any significant change to the Federal
artificial intelligence system, consistent with guidance established in
section 3593(7) and not less than 30 days after such change has been
implemented.
``(d) Requirement for Publication.--An AI governance charter required
under subsection (a) shall be made public on the agency webpage noticed
in the Federal Register, and published on the Federal AI System
Inventory established under section 3596, in accordance with procedures
established by the agency under section 3594(9) in conformity with
guidance issued by the Director under section 3593(7) before a Federal
artificial intelligence system is used by an agency, except that--
``(1) the head of an agency may, with advance approval of the
Director and notification to the appropriate congressional
committees, including the relevant authorizing committee in the
House of Representatives and the Senate, and the relevant
agency Inspector General, waive the publication requirement
under this subsection; or
``(2) in order to protect properly classified national
security information, a charter may be submitted to the
Director, appropriate congressional committees, including the
relevant authorizing committee in the House of Representatives
and the Senate, and the relevant agency Inspector General in
lieu of the publication requirement of this subsection.
``(e) Exemptions.--A Federal artificial intelligence system is exempt
from the requirements of this section if the system is used--
``(1) solely for the purpose of research or development,
except that the purposes described and guidance promulgated
under this subchapter should inform any such research,
development, testing, or evaluation directed at future
applications of Federal artificial intelligence systems; or
``(2) in a national security system, in whole or in part, if
the agency maintains a complete and regularly updated nonpublic
version of each AI governance charter in accordance with
subsections (a) and (b) and the guidance required by section
3593(7).
``Sec. 3596. AI Governance Charter Inventory
``The Administrator of General Services shall maintain a single,
public online interface for centrally cataloging agency AI governance
charters which shall be known as the `Federal AI System Inventory'. The
Administrator and the Director shall--
``(1) ensure that each agency, as appropriate, submits AI
governance charters for publication on the interface, in a
publicly accessible machine-readable and open format to
facilitate searchability and bulk download of the inventory;
and
``(2) provide a clear process and mechanism for each agency
to make timely revisions and updates.
``Sec. 3597. Independent evaluation
``(a) In General.--Not later than 2 years after the date of the
enactment of this subchapter, and every 2 years thereafter, the
Inspector General appointed under chapter 4 of title 5 for each agency
shall perform an independent evaluation of the Federal artificial
intelligence governance policies and practices of the agency and submit
to the head of the agency, the Director, and the appropriate
congressional committees, a report which may include a classified
annex. The report shall include at a minimum--
``(1) an assessment of the comprehensive compliance of the
agency with the requirement under section 3595 for each Federal
artificial intelligence system in use or maintained by an
agency to have an established, and appropriately noticed, AI
governance charter, including timely revisions to reflect
significant changes and appropriate use of the exemptions
described under section 3595(e); and
``(2) an assessment of compliance by the agency with
artificial intelligence governance policies and practices with
the requirements of this subchapter.
``(b) Comptroller General.--The Comptroller General shall
periodically evaluate and submit to Congress a report on the--
``(1) effectiveness of agency Federal artificial intelligence
system governance policies and practices;
``(2) implementation of the requirements of this subchapter
by the Director, Administrator, and agencies; and
``(3) extent to which the requirements of this subchapter and
related implementing guidance and policies reflect technology
advancements and provide any legislative recommendations as
appropriate.''.
(2) Table of sections.--The table of sections for chapter 35
of title 44, United States Code, is amended by adding at the
end the following:
``subchapter iv--artificial intelligence system governance
``3591. Purposes.
``3592. Definitions.
``3593. Authority and functions of the Director.
``3594. Federal agency responsibilities.
``3595. Agency AI Governance Charters.
``3596. AI Governance Charter Inventory.
``3597. Independent evaluation.''.
(b) OMB Guidance.--Not later than 1 year after the date of the
enactment of this Act, the Director of the Office of Management and
Budget, in consultation with the Director of the National Institute of
Standards and Technology, the Administrator of General Services, the
Director of the Office of Science and Technology Policy, and the head
of any other relevant agency as determined by the Director of the
Office of Management and Budget, shall issue a memorandum to the head
of each agency establishing guidance that implements the requirements
of subchapter IV of title 35 of title 44, as added by this section,
that--
(1) does not conflict with the requirements of and uses the
working group established under section 7224(d) of the
Advancing American AI Act (Public Law 117-263; 40 U.S.C. 11301
note); and
(2) shall be reviewed and updated, as necessary, every 2
years for the next 10 years after the first such issuance and
periodically thereafter.
(c) Requirement to List AI Governance Charters in Agency System of
Records Notice Under the Privacy Act.--Section 552a(e) of title 5,
United States Code, is amended--
(1) in paragraph (4)--
(A) in subparagraph (H), by striking ``and'' at the
end;
(B) in subparagraph (I), by striking the semicolon
and inserting ``; and''; and
(C) by adding at the end the following new
subparagraph:
``(J) a reference to any agency AI governance charter
required under section 3595 of title 44 that is
associated with a Federal artificial intelligence
system which was trained on, uses, or produces records
contained within the system of record;'';
(2) by redesignating paragraphs (11) and (12) as paragraphs
(12) and (13), respectively; and
(3) by inserting after paragraph (10) the following new
paragraph:
``(11) establish appropriate policies and procedures, in
accordance with the requirements of subchapter IV of chapter 35
of title 44 to ensure the security, confidentiality, and
integrity of records that a Federal artificial intelligence
system uses, produces, or modifies;''.
(d) Technical and Conforming Repeals.--The following are repealed:
(1) Subsections (a) and (d) of section 7224 of the Advancing
American AI Act (subtitle B of title LXXII of Public Law 117-
263; 40 U.S.C. 11301 note).
(2) Section 104 of the AI in Government Act of 2020 (Public
Law 116-260; 40 U.S.C. 11301 note).
(e) Contracting Regulations.--Not later than 6 months after the date
on which the first guidance is established pursuant to subsection (b),
the Federal Acquisition Regulation shall be revised to--
(1) implement the amendments made by this section; and
(2) require that any contractor or subcontractor (at any
tier) with the Federal Government that builds, provides,
operates, or maintains (pursuant to a contract entered into on
or after such date of enactment) Federal artificial
intelligence systems is required to provide the information
that the agency is required to report in accordance with the
guidance issued pursuant to section 3593(5) of title 44, United
States Code, as added by subsection (a), and any agency
requirement under section 3595(a) of such title.
(f) Rules of Construction.--
(1) Agency actions.--Nothing in this Act, or an amendment
made by this Act, shall be construed to authorize the head of
an agency to take an action that is not authorized by this Act,
an amendment made by this Act, or other law.
(2) Protection of rights.--Nothing in this Act, or an
amendment made by this Act, shall be construed to permit the
violation of the rights of any individual protected by the
Constitution of the United States, including through censorship
of speech protected by the Constitution of the United States or
unauthorized surveillance.
(3) Protection of privacy.--Nothing in this Act, or any
amendment made by this Act, shall be construed to impinge on
the privacy rights of individuals or allow unauthorized access,
sharing, or use of personal data.
(4) Protection of information.--Nothing in this Act, or any
amendment made by this Act, shall be construed to require, or
otherwise compel, the public disclosure of information that
could be withheld under section 552(b) of title 5, United
States Code.
(g) Definitions.--In this section:
(1) Agency.--The term ``agency'' has the meaning given that
term in section 3502 of title 44, United States Code.
(2) Director.--The term ``Director'' means the Director of
the Office of Management and Budget, unless otherwise
indicated.
Summary and Purpose of Legislation
H.R. 7532 centrally codifies federal agency governance
policies for the responsible use of artificial intelligence
(AI) while consolidating and streamlining relevant existing
laws. In doing so, the bill focuses government resources on
increasing transparency, oversight, and responsible use of
Federal AI systems while protecting the public's privacy and
civil liberties. The bill establishes a new ``Subchapter IV--
Artificial Intelligence System Governance'' in title 44,
chapter 35 which places the Office of Management and Budget in
charge of issuing government-wide policy guidance in harmony
with existing federal IT and data policy requirements. The bill
also requires public notice of AI systems used by federal
agencies through AI Governance Charters, including
identification of testing and validation processes, responsible
agency officials, maintenance plans, public data assets used or
modified, impacted personal information records, and downstream
impacts on agency programs or determinations related to
financial assistance or regulatory enforcement. The bill
establishes a Federal AI System Inventory and requires that the
General Services Administration maintain a single, public
interface that centrally catalogs the Charters. H.R. 7532 also
streamlines and consolidates existing law regarding the
government's use of AI, including requirements for agencies to
provide protections or safeguards commensurate with the risks
of Federal AI systems, and repeals repetitive provisions in the
AI in Government Act of 2020 and the Advancing American AI Act
of 2022.
Background and Need for Legislation
When used responsibly, AI systems have the potential to
improve federal government operations, enhance national and
homeland security, and streamline service delivery.
Federal agencies have already begun to leverage AI for a
variety of use cases. For instance, a February 2020 Stanford
University report submitted to the Administrative Conference of
the United States (ACUS) found that ``nearly half of the
federal agencies studied have experimented with AI and related
machine learning tools.''\1\ The report emphasized that the
``use of AI-based tools to support government decision-making,
implementation, and interaction--what could be called
`algorithmic governance'--already spans the work of the modern
administrative state.''\2\
---------------------------------------------------------------------------
\1\David Freeman Engstrom, Daniel E. Ho, Catherine M. Sharkey, and
Mariano-Florentino Cuellar, Government by Algorithm: Artificial
Intelligence in Federal Administrative Agencies, (Feb, 2020), https://
law.stanford.edu/wp-content/uploads/2020/02/ACUS-AI-Report.pdf.
\2\Id.
---------------------------------------------------------------------------
In a more recent December 2023 report, the U.S. Government
Accountability Office (GAO) surveyed twenty-three federal
agencies to better understand their current and planned use of
AI.\3\ GAO found that twenty of the surveyed agencies were
using AI and that, collectively, these agencies reported
approximately 200 instances of AI use and approximately 1,000
instances of planned AI use.\4\ AI.gov also publicizes AI use
cases across the federal government and includes a portal for
professionals and students to join the national AI talent
surge.\5\
---------------------------------------------------------------------------
\3\U.S. Gov't accountability off., GAO-24-105980, Artificial
Intelligence: Agencies Have Begun Implementation but Need to Complete
Key Requirements, (Dec 12, 2023), https://www.gao.gov/products/gao-24-
105980.
\4\Id.
\5\AI.gov, http://ai.gov.
---------------------------------------------------------------------------
In a number of cases, federal agencies have successfully
used AI to better achieve their missions. For instance, the
Department of Homeland Security (DHS) Immigration and Customs
Enforcement uses AI to ``streamline the process of correcting
data entry errors.''\6\ The General Services Administration
(GSA) uses a Solicitation Review Tool to intake and review all
SAM.gov data to ensure that solicitations contain compliance
language, flagging those that don't as ``non-compliant''.\7\
Further, the State Department, Department of Justice, and
Centers for Disease Control and Prevention have all reportedly
used machine-learning models to search for information in
government record repositories.\8\
---------------------------------------------------------------------------
\6\Artificial Intelligence Use Case Inventory, Dept. of Homeland
Security.
\7\AI Inventory, Tech at GSA, General Services Administration.
\8\Lewis Kamb, Some U.S. government agencies are testing out AI to
help fulfill public records requests, NBC News (Aug. 1, 2023).
---------------------------------------------------------------------------
These use cases vary in both application and maturity but
nonetheless indicate that the federal government has found
relevant uses for AI systems to empower existing agency
missions and streamline programs. The potential benefits of
responsible government use of AI are enormous; however
irresponsible or improper use fosters risks to individual
privacy and the fair and equal treatment of all citizens by
their government.
As agencies use AI today and identify use cases for the
future, Congress must put in place the necessary safeguards in
H.R. 7532 to protect the public's privacy, civil rights, and
civil liberties. The public needs to know that their government
agency missions and programs have mature policies in place to
capitalize on the benefits of AI while safeguarding against
`algorithmic based' decision-making that relies solely on AI
systems without the appropriate governance and transparency
policies to ensure proper and effective use. Policymakers
should instead pursue `algorithmic informed' decision-making in
support of missions and programs through proper governance of
AI systems and policy design which accounts for the inherent
limitations of AI systems within certain use cases.
The federal government already has numerous, established
policies in place governing federal information systems, data,
cybersecurity, and procurement that should be leveraged for
future AI policy development. AI policy that does not engage
with existing information system level requirements across
these policy domains will exist outside of the current
management structure for federal information systems, leading
to confusion, inefficiency, undue administrative or industry
burden, and ultimately overlapping or competing legal or policy
requirements. For instance, legislation governing federal
agency use of AI should build upon existing areas of law
governing federal information policy and security (Chapter 35,
Title 44, U.S. Code) or the acquisition of information
technology (Chapter 113, Title 40, U.S. Code)--and where
necessary, repetitive or conflicting requirements and
definitions should be repealed or harmonized.
Transparency is an important first step to inform future
policymaking.\9\ A primary challenge in effective governance of
AI systems is forming a holistic understanding of the system's
design and provenance, the context of its use for specific
applications, and the ongoing monitoring and maintenance of its
outputs. Transparency requirements around federal agency use of
AI, such as those included in H.R. 7532, can provide important
information about government AI systems to the public, internal
government management, Congress, and stakeholders impacted by
AI informed outputs.\10\
---------------------------------------------------------------------------
\9\Alex Engler, The AI Regulatory Toolbox: How Governments Can
Discover Algorithmic Harms, Brookings (2023), https://
www.brookings.edu/articles/the-ai-regulatory-toolbox-how-governments-
can-discover-algorithmic-harms/.
\10\Id.
---------------------------------------------------------------------------
There are certain challenges, however, in establishing
transparency requirements for AI systems trained on or using
public information. Faculty from the University of Copenhagen,
in a recent research article titled, ``The Right to
Transparency in Public Governance: Freedom of Information and
the Use of Artificial Intelligence by Public Agencies,'' found
that:
[F]or AI algorithms used in public governance, there
is the additional problem that the data and knowledge
used for creating the algorithm as well as the test
data often contain personal information that cannot be
made public. Transparency then has to rely on
documentation for how the data used for the design and
test has been produced instead of access to the
underlying test data.\11\
---------------------------------------------------------------------------
\11\Henrik Palmer Olsen, Thomas Troels Hildebrandt, Cornelius
Wiesener, Matthias Smed Larsen, and Asbjrn William
Ammitzbll Flugge. 2024. The Right to Transparency in Public
Governance: Freedom of Information and the Use of Artificial
Intelligence by Public Agencies. Digit. Gov.: Res. Pract. 5, 1, Article
8 (March 2024), 15 pages. https://doi.org/10.1145/3632753.
---------------------------------------------------------------------------
The challenges in gaining total transparency into AI models
points to the need to look at AI system transparency and
governance in the context of the operational environment in
which these systems reside. In other words, maintaining sound
policies over federal IT and data supporting AI systems will
enable better governance over the AI ultimately used by
agencies. Additionally, transparency policies should be
designed to enable proper governance internal to governmental
functions (e.g., enabling oversight functions internal to the
intelligence community or Congress's oversight role over
executive branch agencies) while also pursuing public
transparency requirements in order to enable the appropriate
levels of operational management, governance, and oversight
over an AI system's entire lifecycle. Such policies should be
applied in context of the complexity and corresponding risk
profile of the AI systems (i.e., simple process automation and
workflow tools should not require the same level of system
governance controls as large language models deployed with
access to sensitive public sector data sets) so as to not
unnecessarily impede agency adoption.
In recent years, Congress has passed an assortment of AI-
related legislation, and the Trump and Biden administrations
have issued a variety of executive orders and policies
regarding agency use of AI. These initiatives, which are
outlined below, have produced positive, but at times disjointed
or contradictory directives for the management of federal
agency AI systems as such policies and laws have spanned
multiple Administrations and Congresses while AI technology has
rapidly evolved.
In February 2019, President Trump issued Executive Order
13859 on Maintaining American Leadership in Artificial
Intelligence, which established the American AI Initiative
coordinated through the National Science and Technology
Council.\12\ This initiative directed implementing agencies to
consider AI as an agency research and development (R&D)
priority, to increase the non-Federal research community's
access to data and computing resources for AI R&D, and to
invest in AI-related educational and workforce development.\13\
EO 13859 also directed the OMB Director to issue guidance to
inform agency approaches to AI applications and
regulations.\14\
---------------------------------------------------------------------------
\12\Exec. Order No. 13859, 84 FR 3967 (Feb. 14, 2019).
\13\Id.
\14\Id.
---------------------------------------------------------------------------
In December 2020, President Trump issued Executive Order
13960 on Promoting the Use of Trustworthy Artificial
Intelligence in the Federal Government, which directs agencies
to adhere to a common set of nine principles to guide agency
design, development, acquisition and use of AI.\15\ EO 13960
also directs agencies to prepare, and in most cases publish,
inventories of current and planned uses of AI to foster
transparency into the federal government's use of AI.\16\
---------------------------------------------------------------------------
\15\Exec. Order No. 13960, 85 FR 78939 (Dec. 8, 2020).
\16\Id.
---------------------------------------------------------------------------
Also in December 2020, Congress enacted the AI in
Government Act of 2020 (P.L. 116-260 Division U, Title I; 40
U.S.C. 11301 note), which requires OMB to issue government-wide
guidance on agency use of AI and agency AI governance
plans.\17\ This legislation also established an AI occupational
series for the federal workforce.\18\
---------------------------------------------------------------------------
\17\Consolidated Appropriations Act, 2021, Pub. L. No. 116-260,
Div. U, Title I, AI in Govt. Act (2020).
\18\Id.
---------------------------------------------------------------------------
In January 2021, Congress enacted the National AI
Initiative Act of 2020, (P.L. 116-283), which established the
National Artificial Intelligence Initiative and required the
White House Office of Science and Technology Policy (OSTP) to
establish or designate the National Artificial Intelligence
Initiative Office to coordinate ongoing AI research,
development, and demonstration activities across the federal
government and carry out additional responsibilities with
respect to this initiative.\19\ This legislation also requires
the National Institute of Standards and Technology (NIST) to
develop voluntary standards for artificial intelligence
systems.\20\
---------------------------------------------------------------------------
\19\William M. (Mac) Thornberry National Defense Authorization Act
for Fiscal Year 2021, Pub. L. No. 116-283, Title XLVII, Div. E,
National Artificial Intelligence Initiative Act of 2020 (2021).
\20\Id.
---------------------------------------------------------------------------
In October 2022, Congress enacted the AI Training for the
Acquisition Workforce Act, (P.L. 117-40; 41 U.S.C. 1703 note),
which requires OMB and GSA to provide a training program on AI
for the program management and acquisition workforce to ensure
they have knowledge of the capabilities and risks associated
with AI.\21\
---------------------------------------------------------------------------
\21\Artificial Intelligence Training for the Acquisition Workforce
Act, Pub. L. No. 117-207 (2022).
---------------------------------------------------------------------------
In October 2022, President Biden's OSTP issued a Blueprint
for an AI Bill of Rights, which is a white paper providing non-
binding, directional guidance regarding the development and use
of AI systems that ``have the potential to meaningfully impact
the American public's rights, opportunities, or access to
critical resources or services.''\22\ The Blueprint does not
constitute U.S. government policy.\23\
---------------------------------------------------------------------------
\22\Blueprint for an AI Bill of Rights: Making Automated Systems
Work for the American People, WhiteHouse.Gov, (October 2022).
\23\Id.
---------------------------------------------------------------------------
In December 2022, Congress enacted the Advancing American
AI Act, (P.L. 117-263, Title LXXII, Subtitle B; 40 U.S.C. 11301
note), which expands the AI in Government Act of 2020 by
directing OMB to also consider Executive Order 13960, cross-
government input, and the recommendations form the National
Security Commission on Artificial Intelligence while developing
the guidance required by that legislation.\24\ This legislation
also encourages OMB to designate a centralized, public
inventory of AI use cases and requires OMB to identify four new
use cases where AI can support interagency modernization
initiatives to improve operations across organizational
boundaries, including to ``drive agency productivity
efficiencies'' or ``accelerate agency investment return''.\25\
---------------------------------------------------------------------------
\24\James M. Inhofe National Defense Authorization Act for Fiscal
Year 2023, Pub. L. No. 117-263, Title LXXII, Subtitle B, Advancing
American AI Act (2022).
\25\Id.
---------------------------------------------------------------------------
In January 2023, NIST issued an AI Risk Management
Framework (AI RMF 1.0), which is a voluntary framework
developed by NIST to inform responsible development and use of
AI systems.\26\
---------------------------------------------------------------------------
\26\National Institute of Standards and Technology, NIST AI 100-1,
Artificial Intelligence Risk Management Framework (AI RMF 1.0) (January
2023).
---------------------------------------------------------------------------
In October 2023, President Biden issued Executive Order
14110 on the Safe, Secure, and Trustworthy Development and Use
of Artificial Intelligence, which establishes eight guiding
principles and includes dozens of new reforms, guidelines,
rules, and programs across eight key workstreams. EO 14110
tasks over 50 federal entities with approximately 150 distinct
requirements.\27\ EO 14110 also includes several requirements
and guidelines for federal agency use of AI, including a
requirement that the Technology Modernization Board consider
prioritizing AI projects when awarding funds from the
Technology Modernization Fund; a requirement that agencies
implement or increase the availability of AI training programs
from employees, managers, and leadership in technology and
relevant policy fields; a requirement that GSA facilitate
access to federal government-wide acquisition solutions for AI
services and products, including generative AI and computing
infrastructure; and a requirement that the White House Deputy
Chief of Staff for Policy convene an AI and Technology Talent
Task Force to accelerate and monitor the hiring and training of
AI talent in the federal government.
---------------------------------------------------------------------------
\27\Rishi Bommasani et al., Decoding the White House AI Executive
Order's Achievements, Stanford University Human-Centered Artificial
Intelligence (Nov. 2, 2023), available at: https://hai.stanford.edu/
news/decoding-white-house-ai-executive-orders-achievements.
---------------------------------------------------------------------------
In March 2024, OMB issued M-24-10, a memorandum for the
heads of executive departments and agencies on Advancing
Governance, Innovation, and Risk Management for Agency Use of
Artificial Intelligence, which directs agencies to advance AI
governance and innovation while managing risks from the use of
AI in the Federal Government.\28\
---------------------------------------------------------------------------
\28\Office of Management and Budget, M-24-10, Advancing Governance,
Innovation, and Risk Management for Agency Use of Artificial
Intelligence, (March 2024).
---------------------------------------------------------------------------
In September 2024, OMB issued M-24-18, a memorandum for the
heads of executive departments and agencies on Advancing the
Responsible Acquisition of Artificial Intelligence in
Government, which directs agencies to improve their capacity
for the responsible acquisition of AI.\29\
---------------------------------------------------------------------------
\29\Office of Management and Budget, M-24-18, Advancing the
Responsible Acquisition of Artificial Intelligence in Government,
(September 2024).
---------------------------------------------------------------------------
While these initiatives have produced positive directives
for federal agencies, important steps remain to achieve a more
useful and comprehensive governance framework for federal
agency AI use. For example, the Center for Democracy and
Technology stated in a recent review of federal agency AI
inventories that ``[t]he information provided by each agency is
inconsistent and unclear, making it difficult for the public to
understand exactly how the use of AI impacts them.''\30\
---------------------------------------------------------------------------
\30\Bowman Cooper, Like Looking for a Needle in an AI Stack, Center
for Democracy and Technology (2023). https://cdt.org/insights/like-
looking-for-a-needle-in-an-ai-stack/.
---------------------------------------------------------------------------
H.R. 7532 builds on the core themes of these past efforts
by centrally codifying federal agency governance and
responsible use policies while consolidating and streamlining
other existing federal agency AI laws in order to reduce
duplicative or contradictory directives to federal agencies,
simplify compliance, and provide a strong foundation for future
legislative efforts. In doing so, the bill focuses government
resources on increasing transparency, oversight, and
responsible use of Federal AI systems while protecting the
public's privacy and civil liberties.
Specifically, H.R. 7532 establishes a new ``Subchapter IV--
Artificial Intelligence System Governance'' in title 44,
chapter 35 which places the Office of Management and Budget in
charge of issuing government-wide policy guidance in harmony
with existing federal IT and data policy requirements and
codifies statutory standards for the development, acquisition,
use, management, and oversight of AI used by federal agencies.
H.R. 7532 also requires public notice of AI systems used by
federal agencies through AI Governance Charters, including
identifying testing and validation processes, responsible
agency officials, maintenance plans, descriptions of public
data assets used or modified, impacted personal information
records, and downstream impacts on agency programs or
determinations related to financial assistance or regulatory
enforcement. The bill establishes a Federal AI System Inventory
by requiring the General Services Administration to maintain a
single, public interface that centrally catalogs the Governance
Charters, and requires agencies to ensure existing appeals
processes provide an opportunity for alternative review
independent of AI.
Further, H.R. 7532 streamlines and consolidates existing
law regarding the government's use of AI, including
requirements for agencies to provide protections or safeguards
for Federal AI systems that are commensurate with risk, and
repeals repetitive provisions in the AI in Government Act of
2020 and the 2022 Advancing American AI Act. This bill was
favorably reported out of the Oversight Committee on March 7th,
2024.
Section-by-Section Analysis
Section 1. Short title
Section 2. Establishment of Federal agency artificial intelligence
system governance requirements
Subsection (a) adds a new Subchapter IV in Chapter 35,
Title 44 of the U.S. Code to establish federal agency AI system
governance requirements, including the following new sections:
``Sec. 3591. Purposes. Codifies nine
directives for agency heads to adhere to when
designing, developing, acquiring, using, managing, or
conducting oversight over AI in the Federal Government.
``Sec. 3592. Definitions. Applies existing
definitions under 44 U.S.C. 3502 and defines additional
terms including: ``artificial intelligence,''
``artificial intelligence system,'' ``federal
artificial intelligence system,'' ``federal information
system,'' and ``national security system.''
``Sec. 3593. Authority and functions of the
Director. Places the Director of the Office of
Management and Budget (OMB) in charge of overseeing
government-wide use of federal AI systems, including
implementation of the purposes outlined in section
3591, as well as:
Developing, coordinating, and
overseeing the implementation of policies,
principles, standards, and guidelines to ensure
appropriate use of federal AI systems for the
protection of civil rights and civil liberties,
and conformity with existing Privacy Act (5
U.S.C. 552a) and federal information system
protections.
D Note: Recodifies existing
provisions of section 7224(d)(1)(B) of
the Advancing American AI Act (P.L.
117-263, Division G, Title LXXII,
Subtitle B; 40 U.S.C. 11301 note).
Requiring agencies to identify
and provide protections and safeguards for the
use of federal AI systems commensurate with the
risk in a consistent manner with the standards
promulgated under the National Institute of
Standards and Technology Act (15 U.S.C. 278h-
1).
Recommending approaches to
removing barriers to agency use of AI
technologies while protecting privacy, civil
liberties, civil rights, and economic and
national security, as well as, identifying,
assessing, and mitigating any discriminatory
impact or bias.
D Note: Recodifies existing
provisions of section 104(a)(1)-(3) of
the AI in Government Act (P.L. 116-260,
Division U, Title I; 40 U.S.C. 11301
note) and section 7224(d)(1) of the
Advancing American AI Act (P.L. 117-
263, Division G, Title LXXII, Subtitle
B; 40 U.S.C. 11301 note).
Providing agencies with guidance
to establish a plain language notification and
appeals process that conforms with existing
statutory requirements regarding the protection
of agency records for individuals or entities
impacted by an agency determination based on a
federal AI system output.
Providing guidance and a
template for the agency AI plans described in
section 3594 and issuing guidance to help
agencies establish the AI governance charters,
including defining high-risk Federal artificial
intelligence systems, described in section
3595.
``Sec. 3594. Federal agency
responsibilities. Requires the head of each agency to
ensure that federal AI system management processes are
integrated with agency planning and that senior agency
officials implement necessary policies and procedures,
with the agency Chief Information Officer (CIO), in
coordination with other appropriate senior agency AI
officials, being the responsible agency official for
compliance with this subchapter.
Requires a public plan providing
information about the agency's federal AI
system governance policies and procedures,
including the inventory of AI use cases as
required by section 7225(a) of the Advancing
American AI Act (P.L. 117-263; 40 U.S.C. 11301
note).
Requires the modification of an
agency's appeals process for individuals or
entities impacted by federal agency
determinations that were substantively and
meaningfully augmented by a federal AI system.
Requires, in accordance with OMB
guidance and section 3595, the implementation
of regularly updated AI governance charters
that are submitted to the Federal Register and
the General Services Administration (GSA) for
publication under section 3596.
Requires regular training
programs for relevant agency employees on
federal AI system management requirements,
which may be integrated into training
requirements established by the A.I. Training
for the Acquisition Workforce Act (P.L. 117-
207).
``Sec. 3595. Agency AI Governance Charters.
Requires agency heads to ensure that an accurate and
complete AI governance charter is established for each
federal AI system in use by an agency that has been
designated as high-risk (as defined by OMB guidance) or
interacts with a record maintained on an individual (as
defined under the Privacy Act; 5 U.S.C. 552a)--with a
required annual review and requirement that a new
charter be issued within 30 days of any major system
changes--and specifies the required AI governance
charter contents, including:
The bureau, department, or
office using or operating the federal AI
system, and the contact information for the
designated agency official responsible for
maintenance of the system.
Information about how the
federal AI system was developed and funded,
including the training, validation, and testing
of the system.
Information about ongoing
oversight and maintenance of the system,
including the cadence of system testing,
validation, monitoring, and auditing, and
performance metrics considered by the agency.
Information about how the system
is used, the data or data assets produced by
the system, and whether the system was trained
on, uses, or produces a federal record
maintained on an individual.
Subsection (d) requires the AI
governance charter of each agency to be made
public on the agency webpage and noticed in the
Federal Register but allows an agency head to
waive the publication requirement with approval
by the OMB Director and notification to
Congress and the agency Inspector General, or
to protect properly classified national
security information.
Subsection (e) exempts federal
AI systems used solely for research and
development or systems used in national
security systems from the requirements of this
section.
Sec. 3596. AI Governance Charter Inventory.
This section requires the GSA Administrator to maintain
a single, public, online interface for centrally
cataloging agency AI governance charters in a machine-
readable and open format for bulk download, which shall
be known as the ``Federal AI System Inventory.''
``Sec. 3597. Independent evaluation.
Requires IGs to evaluate the federal AI governance
policies and practices of the agency every two years
and submit to the agency head, the OMB Director, and
Congress, a report which may include a classified annex
and directs the Comptroller General to periodically
evaluate and submit to Congress a report on the
effectiveness of agency federal AI system governance
policies and practices.
Subsection (b) requires the OMB Director--in consultation
with NIST, GSA, and the Office of Science and Technology Policy
(OSTP)--to issue a memo to agencies one year after enactment
(to be updated as necessary every two years and then
periodically after 10 years) establishing guidelines for
implementing the requirements of this Act's newly established
Subchapter IV.
Subsection (c) updates the Privacy Act (5 U.S.C. 552a) to
include listing of any related AI governance charters in an
agency system of records notice and to ensure the security,
confidentiality, and integrity of federal AI system records.
Subsection (d) repeals provisions of the AI in Government
Act and the Advancing American AI Act which have been
recodified into the new Subchapter IV established by subsection
(a) of this Act.
Subsection (e) requires that within six months after the
issuance of OMB guidance under subsection (b) the Federal
Acquisition Regulation (FAR) will be updated to reflect the
amendments made in this section and require contractors and
subcontractors that work on federal AI systems to provide
agencies with the information necessary for compliance with
this Act.
Subsection (f) restricts the ability of agencies to take
actions not authorized by this Act, specifies protections of
individuals' constitutional and privacy rights, and clarifies
that nothing in the Act should be construed as requiring the
public disclosure of information that could otherwise be
withheld under the Freedom of Information Act (5 U.S.C.
522(b)).
Subsection (g) clarifies that the definition of ``agency''
and ``Director''.
Legislative History
H.R. 7532, the Federal AI Governance and Transparency Act,
was introduced on March 5, 2024, by Representative James Comer.
The following Representatives are cosponsors of the bill: Jamie
Raskin (D-MD), Nancy Mace (R-SC), Alexandria Ocasio-Cortez (D-
NY), Clay Higgins (R-LA), Gerald E. Connolly (D-VA), Nicholas
A. Langworthy (R-NY), and Ro Khanna (D-CA). The bill was
referred to the Committee on Oversight and Accountability. The
Committee on Oversight and Accountability held a hearing
related to and used for development and consideration of the
bill on September 14, 2023. The Committee considered H.R. 7532
at a business meeting on March 7, 2024, and ordered the bill as
amended favorably reported by a recorded vote.
Committee Consideration
On March 7, 2024, the Committee met in open session and
ordered the bill, H.R. 7532, favorably reported with an
amendment in the nature of a substitute, by a roll call vote of
36-3, a quorum being present.
Roll Call Votes
In compliance with clause 3(b) of rule XIII of the Rules of
the House of Representatives, the following roll call vote
occurred during the Committee's consideration of H.R. 7532:
The first and only roll call vote was on final passage of
H.R. 7532. The bill was agreed to in a recorded vote of 36-3.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Explanation of Amendments
During Committee consideration of the bill, Representative
James Comer (R-KY), Chairman of the Committee, offered an
amendment in the nature of a substitute that would make certain
technical changes to the bill. The amendment in the nature of a
substitute passed by voice vote.
List of Related Committee Hearings
In accordance with clause 3(c)(6) of rule XIII of the Rules
of the House of Representatives, (1) The following hearing was
used to develop or consider H.R. 7532:
On September 14, 2023, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled ``How are Federal Agencies Harnessing Artificial
Intelligence?'' with Dr. Arati Prabhakar, Director, White House
Office of Science and Technology Policy; Dr. Craig Martell,
Chief Digital and AI Officer, Department of Defense; and Mr.
Eric Hysen, Chief Information Officer, Department of Homeland
Security.
(2) The following related hearings were held:
On March 8, 2023, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled ``Advances in AI: Are We Ready for a Tech
Revolution?'' with Dr. Eric Schmidt, Chair, Special Competitive
Studies Project; Dr. Aleksander Madry, Director, MIT Center for
Deployable Machine Learning, and Cadence Design Systems
Professor of Computing, Massachusetts Institute of Technology;
Dr. Scott Crowder, Vice President, IBM Quantum, and CTO, IBM
Systems, Technical Strategy and Transformation IBM; and Ms.
Merve Hickok, Senior Research Director, Center for AI and
Digital Policy.
On June 22, 2023, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled ``Using Cutting-Edge Technologies to Keep
America Safe'' with Mr. Ryan Rawding, Vice President of
Business Development, Pangiam; Mr. Wahid Nawabi, Chairman,
President, and Chief Executive Officer, AeroVironment; Mr.
Gavin Kenneally, Chief Executive Officer, Ghost Robotics; and
Dr. Benjamin Boudreaux, Policy Researcher and Professor of
Policy Analysis, Pardee RAND Graduate School, RAND Corporation.
On December 6, 2023, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled ``White House Policy on AI'' with Mr. Ross
Nodurft, Executive Director, Alliance for Digital Innovation;
Mr. Samuel Hammond, Senior Economist, Foundation for American
Innovation; Ms. Kate Goodloe, Managing Director BSA | The
Software Alliance; Dr. Daniel Ho, William Benjamin Scott and
Luna M. Scott Professor of Law, Senior Fellow, Stanford
Institute for Human-Centered AI, Stanford Law School; and Dr.
Rumman Chowdhury, Responsible AI Fellow, Berkman Klein Center
for Internet & Society, Harvard University.
On January 17, 2024, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled ``Toward an AI Ready Workforce'' with Dr.
William Scherlis, Professor of Computer Science, Carnegie
Mellon University; Ms. Timi Hadra, Client Partner and Senior
Executive for West Virginia, IBM; Dr. Richard Levin, Former
President, Yale University and Senior Advisor, Coursera; and
Dr. Costis Toregas, Director, Cyber Security and Privacy
Research Institute, The George Washington University.
On March 21, 2024, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled ``White House Overreach on AI'' with Ms.
Jennifer Huddleston, Technology Policy Research Fellow, Cato
Institute; Mr. Adam Thierer, Resident Senior Fellow, Technology
& Innovation, R Street Institute; Mr. Neil Chilson, Head of AI
Policy The Abundance Institute; and Dr. Nicol Turner Lee,
Senior Fellow, Governance Studies and Director, Center for
Technology Innovation, Brookings Institution.
Statement of Oversight Findings and Recommendations of
the Committee
In compliance with clause 3(c)(1) of rule XIII and clause
(2)(b)(1) of rule X of the Rules of the House of
Representatives, the Committee's oversight findings and
recommendations are reflected in the Background and Need for
Legislation section above.
Statement of General Performance Goals and Objectives
In accordance with clause 3(c)(4) of rule XIII of the Rules
of the House of Representatives, the Committee's performance
goals or objectives of this bill are to amend chapter 35 of
title 44, United States Code, to establish Federal AI system
governance requirements, and for other purposes.
Application of Law to the Legislative Branch
Section 102(b)(3) of Public Law 104-1 requires a
description of the application of this bill to the legislative
branch where the bill relates to the terms and conditions of
employment or access to public services and accommodations.
This bill does not relate to employment or access to public
services and accommodations in the legislative branch.
Duplication of Federal Programs
In accordance with clause 3(c)(5) of rule XIII of the Rules
of the House of Representatives, no provision of this bill
establishes or reauthorizes a program of the Federal Government
known to be duplicative of another Federal program, a program
that was included in any report from the Government
Accountability Office to Congress pursuant to section 21 of
Public Law 111-139, or a program related to a program
identified in the most recent Catalog of Federal Domestic
Assistance.
Federal Advisory Committee Act Statement
The Committee finds that this legislation does not direct
the establishment of advisory committees within the definition
of Section 5(b) of the appendix to title 5, U.S.C.
Unfunded Mandates Reform Act Statement
Pursuant to section 423 of the Congressional Budget Act of
1974 the Committee has included a letter received from the
Congressional Budget Office below.
Earmark Identification
This bill does not include any congressional earmarks,
limited tax benefits, or limited tariff benefits as defined in
clause 9 of rule XXI of the Rules of the House of
Representatives.
Committee Cost Estimate
Pursuant to clause 3(d) of rule XIII of the Rules of the
House of Representatives, the Committee includes below a cost
estimate of the bill prepared by the Director of the
Congressional Budget Office under section 402 of the
Congressional Budget Act of 1974.
New Budget Authority and Congressional Budget Office
Cost Estimate
Pursuant to clause 3(c)(2) of rule XIII of the Rules of the
House of Representatives and section 308(a) of the
Congressional Budget Act of 1974, and pursuant to clause
3(c)(3) of rule XIII of the Rules of the House of
Representatives, the cost estimate prepared by the
Congressional Budget Office and submitted pursuant to section
402 of the Congressional Budget Act of 1974 is as follows:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
H.R. 7532 would require federal agencies to develop and
publish charters governing the operations, maintenance, and
transparency of their artificial intelligence (AI) programs.
The bill would codify the responsibilities of the Office of
Management and Budget (OMB) in producing government-wide
policies for the safe and secure adoption of AI technology. The
bill also would require agency inspectors general and the
Government Accountability Office to report to the Congress
every two years after enactment on the effectiveness of those
efforts.
The Administration has issued executive orders and
memoranda concerning the creation of federal AI programs. CBO
expects those actions will satisfy most of the requirements of
the bill. Using information on the costs of similar plans and
reports, CBO estimates that satisfying the governance charter
and reporting requirements would cost $6 million over the 2024-
2029 period. Such spending would be subject to the availability
of appropriated funds.
Enacting H.R. 7532 could affect direct spending by some
agencies that are allowed to use fees, receipts from the sale
of goods, and other collections to cover operating costs. CBO
estimates that any net changes in direct spending by those
agencies would be negligible because most of them can adjust
amounts collected to reflect changes in operating costs.
The costs of the legislation, detailed in Table 1, fall
within budget function 800 (general government).
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER H.R. 7532
----------------------------------------------------------------------------------------------------------------
By fiscal year, millions of dollars--
----------------------------------------------------------------
2024 2025 2026 2027 2028 2029 2024-2029
----------------------------------------------------------------------------------------------------------------
Estimated Authorization........................ * 4 * 1 * 1 6
Estimated Outlays.............................. * 4 * 1 * 1 6
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Christina Hawley Anthony, Deputy
Director of Budget Analysis.
Phillip L. Swagel,
Director, Congressional Budget Office.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italics, and existing law in which no
change is proposed is shown in roman):
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italics, and existing law in which no
change is proposed is shown in roman):
TITLE 44, UNITED STATES CODE
PART A--GENERAL
* * * * * * *
CHAPTER 35--COORDINATION OF FEDERAL
INFORMATION POLICY
SUBCHAPTER I--FEDERAL INFORMATION POLICY
Sec.
* * * * * * *
Subchapter IV--Artificial Intelligence System Governance
3591. Purposes.
3592. Definitions.
3593. Authority and functions of the Director.
3594. Federal agency responsibilities.
3595. Agency AI Governance Charters.
3596. AI Governance Charter Inventory.
3597. Independent evaluation.
* * * * * * *
SUBCHAPTER IV--ARTIFICIAL INTELLIGENCE SYSTEM
GOVERNANCE
Sec. 3591. Purposes
The purposes of this subchapter, with respect to the design,
development, acquisition, use, management, and oversight of
artificial intelligence in the Federal Government, are to
ensure the following:
(1) Actions that are consistent with the Constitution
and any other applicable law and policy, including
those addressing freedom of speech, privacy, civil
rights, civil liberties, and an open and transparent
Government.
(2) Any such action is purposeful and performance-
driven, including ensuring the following:
(A) Such action promotes the consistent and
systemic treatment of all individuals in a
fair, just, and impartial manner.
(B) The public benefits of such action
significantly outweigh the risks.
(C) The risks and operations of such action
do not unfairly and disproportionately benefit
or harm an individual or subgroup of the
public.
(D) The risk of such action is assessed and
responsibly managed, including before the use
of artificial intelligence.
(3) Any application of artificial intelligence is
consistent with the use cases for which the artificial
intelligence was trained, and the deployers of such
application promote verifiably accurate, ethical,
reliable, and effective use.
(4) The safety, security, and resiliency of
artificial intelligence applications, including
resilience when confronted with any systematic
vulnerability, adversarial manipulation, and other
malicious exploitation.
(5) The purpose, operations, risks, and outcomes of
artificial intelligence applications are sufficiently
explainable and understandable, to the extent
practicable, by subject matter experts, users, impacted
parties, and others, as appropriate.
(6) Such action is responsible and accountable,
including by ensuring the following:
(A) Human roles and responsibilities are
clearly defined, understood, and appropriately
assigned.
(B) Artificial intelligence is used in a
manner consistent with the purposes described
in this section and the purposes for which each
use of artificial intelligence is intended.
(C) Such action, as well as relevant inputs
and outputs of artificial intelligence
applications, are well documented and
accountable.
(7) Responsible management and oversight by ensuring
the following:
(A) Artificial intelligence applications are
regularly tested against the purposes described
in this section.
(B) Mechanisms are maintained to supersede,
disengage, or deactivate applications of
artificial intelligence that demonstrate
performance or outcomes that are inconsistent
with the intended use or this subchapter.
(C) Engagement with impacted communities.
(8) Transparency in publicly disclosing relevant
information regarding the use of artificial
intelligence to appropriate stakeholders, to the extent
practicable and in accordance with any applicable law
and policy, including with respect to the protection of
privacy, civil liberties, and of sensitive law
enforcement, national security, trade secrets or
proprietary information, and other protected
information.
(9) Accountability for the following:
(A) Implementing and enforcing appropriate
safeguards necessary to comply with the
purposes described in this section and the
requirements of this subchapter, for the proper
use and functioning of the applications of
artificial intelligence.
(B) Monitoring, auditing, and documenting
compliance with those safeguards, as
appropriate.
(C) Providing appropriate training to all
agency personnel responsible for the design,
development, acquisition, use, management, and
oversight of artificial intelligence.
Sec. 3592. Definitions
In this subchapter:
(1) In general.--Except as provided in paragraph (2),
the definitions under sections 3502 shall apply to this
subchapter.
(2) Additional definitions.--In this subchapter:
(A) Administrator.--The term
``Administrator'' means the Administrator of
General Services.
(B) Appropriate congressional committees.--
The term ``appropriate congressional
committees'' means the Committee on Oversight
and Accountability of the House of
Representatives and the Committee on Homeland
Security and Governmental Affairs of the
Senate.
(C) Artificial intelligence.--The term
``artificial intelligence'' has the meaning
given the term in section 238(g) of the John S.
McCain National Defense Authorization Act for
Fiscal Year 2019 (Public Law 115-232; 10 U.S.C.
note prec. 4061).
(D) Artificial intelligence system.--The term
``artificial intelligence system'' means any
data system, software, application, tool, or
utility that operates in whole or in part using
dynamic or static machine learning algorithms
or other forms of artificial intelligence,
whether--
(i) the data system, software,
application, tool, or utility is
established primarily for the purpose
of researching, developing, or
implementing artificial intelligence
technology; or
(ii) artificial intelligence
capability is integrated into another
system or business process, operational
activity, or technology system.
(E) Federal artificial intelligence system.--
The term ``Federal artificial intelligence
system'' means an artificial intelligence
system used in connection with a Federal
information system.
(F) Federal information system.--The term
``Federal information system'' has the meaning
given the term in section 11331(g) of title 40.
(G) National security system.--The term
``national security system'' has the meaning
given that term in section 3552(b) of title 44.
Sec. 3593. Authority and functions of the Director
The Director shall oversee the design, development,
acquisition, use, management, and oversight of Federal
artificial intelligence systems by agencies to implement the
purposes described in section 3591. In performing such
oversight, the Director shall do the following:
(1) Develop, coordinate, and oversee the
implementation of policies, purposes, standards, and
guidelines to ensure appropriate use of Federal
artificial intelligence systems and the protection of
civil rights, civil liberties, and privacy, including
in conformity with section 552a of title 5 and other
applicable laws, as well as the integrity of Federal
information systems and information technology in
accordance with the other requirements of this chapter.
(2) Oversee agency compliance with the requirements
of this subchapter, including through any authorized
enforcement action under section 11303(b)(5) of title
40 to ensure agency accountability and compliance.
(3) Issue and update, as necessary, guidance to
agencies to take steps to advance the governance of
Federal artificial intelligence systems, manage risk,
and remove relevant barriers to innovation, consistent
with the requirements of this subchapter and, as
appropriate the standards promulgated under section 22A
of the National Institute of Standards and Technology
Act (15 U.S.C. 278h-1) pursuant to section 5302 of the
William M. (Mac) Thornberry National Defense
Authorization Act for Fiscal Year 2021 (15 U.S.C. 9441)
that addresses the following:
(A) The development of policies regarding
Federal acquisition, procurement, and use by
agencies regarding artificial intelligence,
including an identification of the
responsibilities of agency officials managing
the use of such technology.
(B) The ownership and protection of data and
other information created, used, processed,
stored, maintained, disseminated, disclosed, or
disposed of by a contractor or subcontractor
(at any tier) on behalf of the Federal
Government.
(C) The protection of training data,
algorithms, and other components of any Federal
artificial intelligence system against misuse,
unauthorized alteration, degradation, or being
rendered inoperable.
(D) The removal of barriers to responsible
agency use of artificial intelligence, such as
information technology, data, workforce, and
budgetary barriers, in order to promote the
innovative application of those technologies
while protecting privacy, civil liberties,
civil rights, and economic and national
security.
(E) The establishment of best practices for
identifying, assessing, and mitigating any
discrimination in violation of title VI of the
Civil Rights Act of 1964 (42. U.S.C. 2000d et
seq.), or any unintended consequence of the use
of artificial intelligence, including policies
to--
(i) identify data used to train
artificial intelligence;
(ii) identify data analyzed or
ingested by Federal artificial
intelligence systems used by the
agencies; and
(iii) require periodic evaluation of
Federal artificial intelligence
systems, as appropriate.
(4) Issue guidance for agencies to establish a plain
language notification process, as necessary and
appropriate and in conformity with applicable law,
including section 552a of title 5, for individuals or
entities impacted by an agency determination that has
been based solely on an output from, or substantively
and meaningfully informed, augmented, or assisted by a
Federal artificial intelligence system, including the
contents of any notice, including examples of what the
notice may look like in practice.
(5) Issue guidance for agencies to review their
appeals process and to make modifications, as necessary
and appropriate, to account for determinations made
solely by or substantively and meaningfully informed,
augmented, or assisted by a Federal artificial
intelligence system, including guidance on how an
agency provides the impacted individual or entity the
opportunity for an alternative review independent of
the Federal artificial intelligence system, as
appropriate.
(6) Provide guidance and a template for the required
contents of the agency plans described in section
3594(6) that uses a uniform resource locator that is in
a consistent format across agencies such as the format
``agencyname.gov/AI''.
(7) Issue guidance, including a uniform required
submission format and criteria for updating entries
after significant changes, for the establishment of
agency AI governance charters under section 3595,
including defining high-risk Federal artificial
intelligence systems, and publication under section
3596.
Sec. 3594. Federal agency responsibilities
The head of each agency shall do the following:
(1) Comply with the requirements of this subchapter
and related policies, purposes, standards, and
guidelines, including those under section 552a of title
5 and in guidance issued by the Director under section
3593.
(2) Ensure that Federal artificial intelligence
system management processes are integrated with agency
strategic, operational, data, workforce planning, and
budgetary planning processes, and other requirements
under this chapter.
(3) Ensure that senior agency officials, including
the Chief Information Officer, the Chief Data Officer,
and the senior agency official for privacy, implement
policies and procedures regarding Federal artificial
intelligence systems under the control of such
officers, assess and reduce any risks to such systems
to an acceptable level, and periodically assess and
validate management procedures and controls to ensure
effective implementation of this subchapter.
(4) Delegate to the agency Chief Information Officer
established under section 3506 (or comparable official
in an agency not covered by such section) the primary
authority and accountability to ensure compliance with
the agency requirements under this subchapter in
coordination with any other appropriate senior agency
official designated by the head of the agency.
(5) Ensure that contracts for the acquisition and
procurement of a Federal artificial intelligence system
are consistent with the requirements of this subchapter
and any guidance issued by the Director under section
3593(3).
(6) Maintain a plan, posted on a publicly available
and centralized webpage of the agency and prepared in
accordance with the template provided by the Director
under section 3593(6), to--
(A) achieve consistency with the requirements
of this subchapter and guidance issued by the
Director; and
(B) provide the public information about
agency policies and procedures for governing
Federal artificial intelligence systems,
including the inventory of artificial
intelligence use cases required by section
7225(a) of the Advancing American AI Act
(subtitle B of title LXXII of Public Law 117-
263; 40 U.S.C. 11301 note).
(7) Establish procedures for notifying an individual
or entity impacted by an agency determination made
solely by an output from, or substantively and
meaningfully informed, augmented, or assisted by a
Federal artificial intelligence system in accordance
with guidance issued by the Director under section
3593(4).
(8) Modify the agency appeals process, as necessary
and appropriate, to account for determinations made
solely by or substantively and meaningfully informed,
augmented, or assisted by a Federal artificial
intelligence system, and to provide the impacted
individual or entity the opportunity for an alternative
review independent of the Federal artificial
intelligence system, as appropriate, as established by
the Director under section 3593(5).
(9) In accordance with guidance issued by the
Director under section 3593(7), oversee the
establishment of AI governance charters for Federal
artificial intelligence systems, including by--
(A) establishing a process, led by each
official identified in section 3594(4) to
ensure that each Federal artificial
intelligence system has an established AI
governance charter that is regularly updated in
accordance with the requirements under section
3595 and made publicly available on the webpage
under paragraph (6);
(B) submitting each AI governance charter to
the Federal Register not later than 30-days
after the initial establishment or termination
of the charter, in conformity with guidance
from the Director; and
(C) submitting each AI governance charter to
the Administrator for publication in a format
established in the Directors guidance in
accordance with section 3596.
(10) In consultation with the Director, the Director
of the Office of Personnel Management, and the
Administrator of General Services, conduct regular
training programs to educate relevant agency program
and management officials, including employees
supporting the functions of the Chief Information
Officer, the Chief Data Officer, the Evaluation
Officer, the senior privacy official, and the
statistical official, as appropriate, about the
management of Federal artificial intelligence systems
and compliance with the requirements of this
subchapter, which may be integrated with the training
requirements and covered topics established by the
Artificial Intelligence Training for the Acquisition
Workforce Act (Public Law 117-207; 41 U.S.C. 1703
note).
Sec. 3595. Agency AI Governance Charters
(a) In General.--In accordance with the guidance established
under section 3593(7), the head of each agency shall ensure
that an accurate and complete AI governance charter is
established for each Federal artificial intelligence system in
use by the agency that is designated as a high-risk Federal
artificial intelligence system or was trained on, uses, or
produces a record maintained on an individual (as defined under
section 552a(a) of title 5).
(b) Contents of Charters.--An AI governance charter for a
Federal artificial intelligence system shall, at a minimum,
include the following:
(1) The name and an identifying summary of the
Federal artificial intelligence system, including the
following:
(A) A descriptive summary of each purpose and
relevant use case of the system, as may be
documented on the inventory established under
section 7225 of the Advancing American AI Act
(subtitle B of title LXXII of Public Law 117-
263; 40 U.S.C. 11301 note).
(B) The bureau, department, or office using
or operating the system, and to the extent
practicable, each program designated on the
website required under section 1122(a)(2) of
title 31 associated with use of the system.
(C) The name and direct contact information
for a designated agency official responsible
for the overall outputs of the system.
(D) The name and direct contact information
for a designated agency official responsible
for the ongoing maintenance of the system which
may be the same official designated under
subparagraph (C).
(2) Information about how the Federal artificial
intelligence system was developed and funded, including
the following:
(A) Other individuals or entities that have
developed, maintained, managed, and operated
the system.
(B) Information about any relevant Federal
award including any associated contract, grant,
cooperative agreement, or other transaction
agreement.
(3) Information about the training, validation, and
testing of the Federal artificial intelligence system,
including the following:
(A) A description of the type of data or data
assets used in the training, validation, and
testing of the Federal artificial intelligence
system or, if such information is not
available, a statement describing why such
information is not available.
(B) A designation of whether any of the data
or data assets used in training, validating, or
testing the Federal artificial intelligence
system are classified as an open Government
data asset or a public data asset or a
designated system of record described under
paragraph (7).
(C) Information on how to access any open
Government data asset or public data asset
identified under subparagraph (B).
(D) A listing of audits, testing, or other
risk assessments of the Federal artificial
intelligence system, including contact
information of the individual or entity that
conducted such assessments.
(4) Information about ongoing oversight and
maintenance of the Federal artificial intelligence
system, including a description of the ongoing testing,
monitoring, or auditing of the Federal artificial
intelligence system, including information about the
cadence of testing, as appropriate, and the entity
responsible for such testing.
(5) Information about how the system is used by the
agency, including--
(A) the date the agency began using the
system and the intended life span of use, if
appropriate; and
(B) whether any agency determinations have
been or are intended to be based solely on an
output from, or informed, augmented, or
assisted by the Federal artificial intelligence
system, and--
(i) a summary of how the Federal
artificial intelligence system or the
data or data assets produced by the
Federal artificial intelligence system
is used to inform, augment, or assist
in making these determinations;
(ii) information about other agencies
or federally funded entities that use
or rely on these determinations; and
(iii) a description of any associated
notice or modified appeal process as
required under section 3593(4) and
3593(5).
(6) Information about data or data assets produced by
the Federal artificial intelligence system, including a
description of the data or data assets produced,
altered, or augmented by the system, including--
(A) a designation of whether any of the data
or data assets are classified as an open
Government data asset or a public data asset or
are included in a designated system of record
described under paragraph (7);
(B) information on how to access any such
open Government data asset or public data asset
identified under subparagraph (A); and
(C) information about any other agency or
federally funded entity known to use or
otherwise rely upon the data or data assets
identified under this paragraph.
(7) Information on whether the system was trained on,
uses, or produces a record maintained on an individual
(as defined under section 552a(a) of title 5),
including--
(A) a listing of any designated system of
record including a reference to any associated
notice in the Federal Register for the
establishment or revision of such system of
record, as required under section 552a(d) of
title 5; or
(B) a description of any system of record
that has been exempted under subsection (j) or
(k) of section 552a of title 5, including the
statement required under section 553(c) of
title 5 that documents the reasons why the
system of records is exempted.
(c) Regular Updates Required.--The head of each agency shall
establish procedures to ensure that each AI governance charter
for the agency is updated to capture any significant change to
the Federal artificial intelligence system, consistent with
guidance established in section 3593(7) and not less than 30
days after such change has been implemented.
(d) Requirement for Publication.--An AI governance charter
required under subsection (a) shall be made public on the
agency webpage noticed in the Federal Register, and published
on the Federal AI System Inventory established under section
3596, in accordance with procedures established by the agency
under section 3594(9) in conformity with guidance issued by the
Director under section 3593(7) before a Federal artificial
intelligence system is used by an agency, except that--
(1) the head of an agency may, with advance approval
of the Director and notification to the appropriate
congressional committees, including the relevant
authorizing committee in the House of Representatives
and the Senate, and the relevant agency Inspector
General, waive the publication requirement under this
subsection; or
(2) in order to protect properly classified national
security information, a charter may be submitted to the
Director, appropriate congressional committees,
including the relevant authorizing committee in the
House of Representatives and the Senate, and the
relevant agency Inspector General in lieu of the
publication requirement of this subsection.
(e) Exemptions.--A Federal artificial intelligence system is
exempt from the requirements of this section if the system is
used--
(1) solely for the purpose of research or
development, except that the purposes described and
guidance promulgated under this subchapter should
inform any such research, development, testing, or
evaluation directed at future applications of Federal
artificial intelligence systems; or
(2) in a national security system, in whole or in
part, if the agency maintains a complete and regularly
updated nonpublic version of each AI governance charter
in accordance with subsections (a) and (b) and the
guidance required by section 3593(7).
Sec. 3596. AI Governance Charter Inventory
The Administrator of General Services shall maintain a
single, public online interface for centrally cataloging agency
AI governance charters which shall be known as the ``Federal AI
System Inventory''. The Administrator and the Director shall--
(1) ensure that each agency, as appropriate, submits
AI governance charters for publication on the
interface, in a publicly accessible machine-readable
and open format to facilitate searchability and bulk
download of the inventory; and
(2) provide a clear process and mechanism for each
agency to make timely revisions and updates.
Sec. 3597. Independent evaluation
(a) In General.--Not later than 2 years after the date of the
enactment of this subchapter, and every 2 years thereafter, the
Inspector General appointed under chapter 4 of title 5 for each
agency shall perform an independent evaluation of the Federal
artificial intelligence governance policies and practices of
the agency and submit to the head of the agency, the Director,
and the appropriate congressional committees, a report which
may include a classified annex. The report shall include at a
minimum--
(1) an assessment of the comprehensive compliance of
the agency with the requirement under section 3595 for
each Federal artificial intelligence system in use or
maintained by an agency to have an established, and
appropriately noticed, AI governance charter, including
timely revisions to reflect significant changes and
appropriate use of the exemptions described under
section 3595(e); and
(2) an assessment of compliance by the agency with
artificial intelligence governance policies and
practices with the requirements of this subchapter.
(b) Comptroller General.--The Comptroller General shall
periodically evaluate and submit to Congress a report on the--
(1) effectiveness of agency Federal artificial
intelligence system governance policies and practices;
(2) implementation of the requirements of this
subchapter by the Director, Administrator, and
agencies; and
(3) extent to which the requirements of this
subchapter and related implementing guidance and
policies reflect technology advancements and provide
any legislative recommendations as appropriate.
* * * * * * *
----------
TITLE 5, UNITED STATES CODE
PART I--THE AGENCIES GENERALLY
* * * * * * *
CHAPTER 5--ADMINISTRATIVE PROCEDURE
* * * * * * *
SUBCHAPTER II--ADMINISTRATIVE PROCEDURE
* * * * * * *
Sec. 552a. Records maintained on individuals
(a) Definitions.--For purposes of this section--
(1) the term ``agency'' means agency as defined in
section 552(e) of this title;
(2) the term ``individual'' means a citizen of the
United States or an alien lawfully admitted for
permanent residence;
(3) the term ``maintain'' includes maintain, collect,
use, or disseminate;
(4) the term ``record'' means any item, collection,
or grouping of information about an individual that is
maintained by an agency, including, but not limited to,
his education, financial transactions, medical history,
and criminal or employment history and that contains
his name, or the identifying number, symbol, or other
identifying particular assigned to the individual, such
as a finger or voice print or a photograph;
(5) the term ``system of records'' means a group of
any records under the control of any agency from which
information is retrieved by the name of the individual
or by some identifying number, symbol, or other
identifying particular assigned to the individual;
(6) the term ``statistical record'' means a record in
a system of records maintained for statistical research
or reporting purposes only and not used in whole or in
part in making any determination about an identifiable
individual, except as provided by section 8 of title
13;
(7) the term ``routine use'' means, with respect to
the disclosure of a record, the use of such record for
a purpose which is compatible with the purpose for
which it was collected;
(8) the term ``matching program''--
(A) means any computerized comparison of--
(i) two or more automated systems of
records or a system of records with
non-Federal records for the purpose
of--
(I) establishing or verifying
the eligibility of, or
continuing compliance with
statutory and regulatory
requirements by, applicants
for, recipients or
beneficiaries of, participants
in, or providers of services
with respect to, cash or in-
kind assistance or payments
under Federal benefit programs,
or
(II) recouping payments or
delinquent debts under such
Federal benefit programs, or
(ii) two or more automated Federal
personnel or payroll systems of records
or a system of Federal personnel or
payroll records with non-Federal
records,
(B) but does not include--
(i) matches performed to produce
aggregate statistical data without any
personal identifiers;
(ii) matches performed to support any
research or statistical project, the
specific data of which may not be used
to make decisions concerning the
rights, benefits, or privileges of
specific individuals;
(iii) matches performed, by an agency
(or component thereof) which performs
as its principal function any activity
pertaining to the enforcement of
criminal laws, subsequent to the
initiation of a specific criminal or
civil law enforcement investigation of
a named person or persons for the
purpose of gathering evidence against
such person or persons;
(iv) matches of tax information (I)
pursuant to section 6103(d) of the
Internal Revenue Code of 1986, (II) for
purposes of tax administration as
defined in section 6103(b)(4) of such
Code, (III) for the purpose of
intercepting a tax refund due an
individual under authority granted by
section 404(e), 464, or 1137 of the
Social Security Act; or (IV) for the
purpose of intercepting a tax refund
due an individual under any other tax
refund intercept program authorized by
statute which has been determined by
the Director of the Office of
Management and Budget to contain
verification, notice, and hearing
requirements that are substantially
similar to the procedures in section
1137 of the Social Security Act;
(v) matches--
(I) using records
predominantly relating to
Federal personnel, that are
performed for routine
administrative purposes
(subject to guidance provided
by the Director of the Office
of Management and Budget
pursuant to subsection (v)); or
(II) conducted by an agency
using only records from systems
of records maintained by that
agency;
if the purpose of the match is not to take any
adverse financial, personnel, disciplinary, or
other adverse action against Federal personnel;
(vi) matches performed for foreign
counterintelligence purposes or to
produce background checks for security
clearances of Federal personnel or
Federal contractor personnel;
(vii) matches performed incident to a
levy described in section 6103(k)(8) of
the Internal Revenue Code of 1986;
(viii) matches performed pursuant to
section 202(x)(3) or 1611(e)(1) of the
Social Security Act (42 U.S.C.
402(x)(3), 1382(e)(1));
(ix) matches performed by the
Secretary of Health and Human Services
or the Inspector General of the
Department of Health and Human Services
with respect to potential fraud, waste,
and abuse, including matches of a
system of records with non-Federal
records; or
(x) matches performed pursuant to
section 3(d)(4) of the Achieving a
Better Life Experience Act of 2014;
1
(9) the term ``recipient agency'' means any
agency, or contractor thereof, receiving records
contained in a system of records from a source agency
for use in a matching program;
(10) the term ``non-Federal agency'' means any State
or local government, or agency thereof, which receives
records contained in a system of records from a source
agency for use in a matching program;
(11) the term ``source agency'' means any agency
which discloses records contained in a system of
records to be used in a matching program, or any State
or local government, or agency thereof, which discloses
records to be used in a matching program;
(12) the term ``Federal benefit program'' means any
program administered or funded by the Federal
Government, or by any agent or State on behalf of the
Federal Government, providing cash or in-kind
assistance in the form of payments, grants, loans, or
loan guarantees to individuals; and
(13) the term ``Federal personnel'' means officers
and employees of the Government of the United States,
members of the uniformed services (including members of
the Reserve Components), individuals entitled to
receive immediate or deferred retirement benefits under
any retirement program of the Government of the United
States (including survivor benefits).
(b) Conditions of Disclosure.--No agency shall disclose any
record which is contained in a system of records by any means
of communication to any person, or to another agency, except
pursuant to a written request by, or with the prior written
consent of, the individual to whom the record pertains, unless
disclosure of the record would be--
(1) to those officers and employees of the agency
which maintains the record who have a need for the
record in the performance of their duties;
(2) required under section 552 of this title;
(3) for a routine use as defined in subsection (a)(7)
of this section and described under subsection
(e)(4)(D) of this section;
(4) to the Bureau of the Census for purposes of
planning or carrying out a census or survey or related
activity pursuant to the provisions of title 13;
(5) to a recipient who has provided the agency with
advance adequate written assurance that the record will
be used solely as a statistical research or reporting
record, and the record is to be transferred in a form
that is not individually identifiable;
(6) to the National Archives and Records
Administration as a record which has sufficient
historical or other value to warrant its continued
preservation by the United States Government, or for
evaluation by the Archivist of the United States or the
designee of the Archivist to determine whether the
record has such value;
(7) to another agency or to an instrumentality of any
governmental jurisdiction within or under the control
of the United States for a civil or criminal law
enforcement activity if the activity is authorized by
law, and if the head of the agency or instrumentality
has made a written request to the agency which
maintains the record specifying the particular portion
desired and the law enforcement activity for which the
record is sought;
(8) to a person pursuant to a showing of compelling
circumstances affecting the health or safety of an
individual if upon such disclosure notification is
transmitted to the last known address of such
individual;
(9) to either House of Congress, or, to the extent of
matter within its jurisdiction, any committee or
subcommittee thereof, any joint committee of Congress
or subcommittee of any such joint committee;
(10) to the Comptroller General, or any of his
authorized representatives, in the course of the
performance of the duties of the Government
Accountability Office;
(11) pursuant to the order of a court of competent
jurisdiction; or
(12) to a consumer reporting agency in accordance
with section 3711(e) of title 31.
(c) Accounting of Certain Disclosures.--Each agency, with
respect to each system of records under its control, shall--
(1) except for disclosures made under subsections
(b)(1) or (b)(2) of this section, keep an accurate
accounting of--
(A) the date, nature, and purpose of each
disclosure of a record to any person or to
another agency made under subsection (b) of
this section; and
(B) the name and address of the person or
agency to whom the disclosure is made;
(2) retain the accounting made under paragraph (1) of
this subsection for at least five years or the life of
the record, whichever is longer, after the disclosure
for which the accounting is made;
(3) except for disclosures made under subsection
(b)(7) of this section, make the accounting made under
paragraph (1) of this subsection available to the
individual named in the record at his request; and
(4) inform any person or other agency about any
correction or notation of dispute made by the agency in
accordance with subsection (d) of this section of any
record that has been disclosed to the person or agency
if an accounting of the disclosure was made.
(d) Access to Records.--Each agency that maintains a system
of records shall--
(1) upon request by any individual to gain access to
his record or to any information pertaining to him
which is contained in the system, permit him and upon
his request, a person of his own choosing to accompany
him, to review the record and have a copy made of all
or any portion thereof in a form comprehensible to him,
except that the agency may require the individual to
furnish a written statement authorizing discussion of
that individual's record in the accompanying person's
presence;
(2) permit the individual to request amendment of a
record pertaining to him and--
(A) not later than 10 days (excluding
Saturdays, Sundays, and legal public holidays)
after the date of receipt of such request,
acknowledge in writing such receipt; and
(B) promptly, either--
(i) make any correction of any
portion thereof which the individual
believes is not accurate, relevant,
timely, or complete; or
(ii) inform the individual of its
refusal to amend the record in
accordance with his request, the reason
for the refusal, the procedures
established by the agency for the
individual to request a review of that
refusal by the head of the agency or an
officer designated by the head of the
agency, and the name and business
address of that official;
(3) permit the individual who disagrees with the
refusal of the agency to amend his record to request a
review of such refusal, and not later than 30 days
(excluding Saturdays, Sundays, and legal public
holidays) from the date on which the individual
requests such review, complete such review and make a
final determination unless, for good cause shown, the
head of the agency extends such 30-day period; and if,
after his review, the reviewing official also refuses
to amend the record in accordance with the request,
permit the individual to file with the agency a concise
statement setting forth the reasons for his
disagreement with the refusal of the agency, and notify
the individual of the provisions for judicial review of
the reviewing official's determination under subsection
(g)(1)(A) of this section;
(4) in any disclosure, containing information about
which the individual has filed a statement of
disagreement, occurring after the filing of the
statement under paragraph (3) of this subsection,
clearly note any portion of the record which is
disputed and provide copies of the statement and, if
the agency deems it appropriate, copies of a concise
statement of the reasons of the agency for not making
the amendments requested, to persons or other agencies
to whom the disputed record has been disclosed; and
(5) nothing in this section shall allow an individual
access to any information compiled in reasonable
anticipation of a civil action or proceeding.
(e) Agency Requirements.--Each agency that maintains a system
of records shall--
(1) maintain in its records only such information
about an individual as is relevant and necessary to
accomplish a purpose of the agency required to be
accomplished by statute or by executive order of the
President;
(2) collect information to the greatest extent
practicable directly from the subject individual when
the information may result in adverse determinations
about an individual's rights, benefits, and privileges
under Federal programs;
(3) inform each individual whom it asks to supply
information, on the form which it uses to collect the
information or on a separate form that can be retained
by the individual--
(A) the authority (whether granted by
statute, or by executive order of the
President) which authorizes the solicitation of
the information and whether disclosure of such
information is mandatory or voluntary;
(B) the principal purpose or purposes for
which the information is intended to be used;
(C) the routine uses which may be made of the
information, as published pursuant to paragraph
(4)(D) of this subsection; and
(D) the effects on him, if any, of not
providing all or any part of the requested
information;
(4) subject to the provisions of paragraph (11) of
this subsection, publish in the Federal Register upon
establishment or revision a notice of the existence and
character of the system of records, which notice shall
include--
(A) the name and location of the system;
(B) the categories of individuals on whom
records are maintained in the system;
(C) the categories of records maintained in
the system;
(D) each routine use of the records contained
in the system, including the categories of
users and the purpose of such use;
(E) the policies and practices of the agency
regarding storage, retrievability, access
controls, retention, and disposal of the
records;
(F) the title and business address of the
agency official who is responsible for the
system of records;
(G) the agency procedures whereby an
individual can be notified at his request if
the system of records contains a record
pertaining to him;
(H) the agency procedures whereby an
individual can be notified at his request how
he can gain access to any record pertaining to
him contained in the system of records, and how
he can contest its content; [and]
(I) the categories of sources of records in
the system; and
(J) a reference to any agency AI governance
charter required under section 3595 of title 44
that is associated with a Federal artificial
intelligence system which was trained on, uses,
or produces records contained within the system
of record;
(5) maintain all records which are used by the agency
in making any determination about any individual with
such accuracy, relevance, timeliness, and completeness
as is reasonably necessary to assure fairness to the
individual in the determination;
(6) prior to disseminating any record about an
individual to any person other than an agency, unless
the dissemination is made pursuant to subsection (b)(2)
of this section, make reasonable efforts to assure that
such records are accurate, complete, timely, and
relevant for agency purposes;
(7) maintain no record describing how any individual
exercises rights guaranteed by the First Amendment
unless expressly authorized by statute or by the
individual about whom the record is maintained or
unless pertinent to and within the scope of an
authorized law enforcement activity;
(8) make reasonable efforts to serve notice on an
individual when any record on such individual is made
available to any person under compulsory legal process
when such process becomes a matter of public record;
(9) establish rules of conduct for persons involved
in the design, development, operation, or maintenance
of any system of records, or in maintaining any record,
and instruct each such person with respect to such
rules and the requirements of this section, including
any other rules and procedures adopted pursuant to this
section and the penalties for noncompliance;
(10) establish appropriate administrative, technical,
and physical safeguards to insure the security and
confidentiality of records and to protect against any
anticipated threats or hazards to their security or
integrity which could result in substantial harm,
embarrassment, inconvenience, or unfairness to any
individual on whom information is maintained;
(11) establish appropriate policies and procedures,
in accordance with the requirements of subchapter IV of
chapter 35 of title 44 to ensure the security,
confidentiality, and integrity of records that a
Federal artificial intelligence system uses, produces,
or modifies;
[(11)] (12) at least 30 days prior to publication of
information under paragraph (4)(D) of this subsection,
publish in the Federal Register notice of any new use
or intended use of the information in the system, and
provide an opportunity for interested persons to submit
written data, views, or arguments to the agency; and
[(12)] (13) if such agency is a recipient agency or a
source agency in a matching program with a non-Federal
agency, with respect to any establishment or revision
of a matching program, at least 30 days prior to
conducting such program, publish in the Federal
Register notice of such establishment or revision.
(f) Agency Rules.--In order to carry out the provisions of
this section, each agency that maintains a system of records
shall promulgate rules, in accordance with the requirements
(including general notice) of section 553 of this title, which
shall--
(1) establish procedures whereby an individual can be
notified in response to his request if any system of
records named by the individual contains a record
pertaining to him;
(2) define reasonable times, places, and requirements
for identifying an individual who requests his record
or information pertaining to him before the agency
shall make the record or information available to the
individual;
(3) establish procedures for the disclosure to an
individual upon his request of his record or
information pertaining to him, including special
procedure, if deemed necessary, for the disclosure to
an individual of medical records, including
psychological records, pertaining to him;
(4) establish procedures for reviewing a request from
an individual concerning the amendment of any record or
information pertaining to the individual, for making a
determination on the request, for an appeal within the
agency of an initial adverse agency determination, and
for whatever additional means may be necessary for each
individual to be able to exercise fully his rights
under this section; and
(5) establish fees to be charged, if any, to any
individual for making copies of his record, excluding
the cost of any search for and review of the record.
The Office of the Federal Register shall biennially compile and
publish the rules promulgated under this subsection and agency
notices published under subsection (e)(4) of this section in a
form available to the public at low cost.
(g)(1) Civil Remedies.--Whenever any agency
(A) makes a determination under subsection (d)(3) of
this section not to amend an individual's record in
accordance with his request, or fails to make such
review in conformity with that subsection;
(B) refuses to comply with an individual request
under subsection (d)(1) of this section;
(C) fails to maintain any record concerning any
individual with such accuracy, relevance, timeliness,
and completeness as is necessary to assure fairness in
any determination relating to the qualifications,
character, rights, or opportunities of, or benefits to
the individual that may be made on the basis of such
record, and consequently a determination is made which
is adverse to the individual; or
(D) fails to comply with any other provision of this
section, or any rule promulgated thereunder, in such a
way as to have an adverse effect on an individual,
the individual may bring a civil action against the agency, and
the district courts of the United States shall have
jurisdiction in the matters under the provisions of this
subsection.
(2)(A) In any suit brought under the provisions of subsection
(g)(1)(A) of this section, the court may order the agency to
amend the individual's record in accordance with his request or
in such other way as the court may direct. In such a case the
court shall determine the matter de novo.
(B) The court may assess against the United States reasonable
attorney fees and other litigation costs reasonably incurred in
any case under this paragraph in which the complainant has
substantially prevailed.
(3)(A) In any suit brought under the provisions of subsection
(g)(1)(B) of this section, the court may enjoin the agency from
withholding the records and order the production to the
complainant of any agency records improperly withheld from him.
In such a case the court shall determine the matter de novo,
and may examine the contents of any agency records in camera to
determine whether the records or any portion thereof may be
withheld under any of the exemptions set forth in subsection
(k) of this section, and the burden is on the agency to sustain
its action.
(B) The court may assess against the United States reasonable
attorney fees and other litigation costs reasonably incurred in
any case under this paragraph in which the complainant has
substantially prevailed.
(4) In any suit brought under the provisions of subsection
(g)(1)(C) or (D) of this section in which the court determines
that the agency acted in a manner which was intentional or
willful, the United States shall be liable to the individual in
an amount equal to the sum of--
(A) actual damages sustained by the individual as a
result of the refusal or failure, but in no case shall
a person entitled to recovery receive less than the sum
of $1,000; and
(B) the costs of the action together with reasonable
attorney fees as determined by the court.
(5) An action to enforce any liability created under this
section may be brought in the district court of the United
States in the district in which the complainant resides, or has
his principal place of business, or in which the agency records
are situated, or in the District of Columbia, without regard to
the amount in controversy, within two years from the date on
which the cause of action arises, except that where an agency
has materially and willfully misrepresented any information
required under this section to be disclosed to an individual
and the information so misrepresented is material to
establishment of the liability of the agency to the individual
under this section, the action may be brought at any time
within two years after discovery by the individual of the
misrepresentation. Nothing in this section shall be construed
to authorize any civil action by reason of any injury sustained
as the result of a disclosure of a record prior to September
27, 1975.
(h) Rights of Legal Guardians.--For the purposes of this
section, the parent of any minor, or the legal guardian of any
individual who has been declared to be incompetent due to
physical or mental incapacity or age by a court of competent
jurisdiction, may act on behalf of the individual.
(i)(1) Criminal Penalties.--Any officer or employee of an
agency, who by virtue of his employment or official position,
has possession of, or access to, agency records which contain
individually identifiable information the disclosure of which
is prohibited by this section or by rules or regulations
established thereunder, and who knowing that disclosure of the
specific material is so prohibited, willfully discloses the
material in any manner to any person or agency not entitled to
receive it, shall be guilty of a misdemeanor and fined not more
than $5,000.
(2) Any officer or employee of any agency who willfully
maintains a system of records without meeting the notice
requirements of subsection (e)(4) of this section shall be
guilty of a misdemeanor and fined not more than $5,000.
(3) Any person who knowingly and willfully requests or
obtains any record concerning an individual from an agency
under false pretenses shall be guilty of a misdemeanor and
fined not more than $5,000.
(j) General Exemptions.--The head of any agency may
promulgate rules, in accordance with the requirements
(including general notice) of sections 553(b)(1), (2), and (3),
(c), and (e) of this title, to exempt any system of records
within the agency from any part of this section except
subsections (b), (c)(1) and (2), (e)(4)(A) through (F), (e)(6),
(7), (9), (10), and (11), and (i) if the system of records is--
(1) maintained by the Central Intelligence Agency; or
(2) maintained by an agency or component thereof
which performs as its principal function any activity
pertaining to the enforcement of criminal laws,
including police efforts to prevent, control, or reduce
crime or to apprehend criminals, and the activities of
prosecutors, courts, correctional, probation, pardon,
or parole authorities, and which consists of (A)
information compiled for the purpose of identifying
individual criminal offenders and alleged offenders and
consisting only of identifying data and notations of
arrests, the nature and disposition of criminal
charges, sentencing, confinement, release, and parole
and probation status; (B) information compiled for the
purpose of a criminal investigation, including reports
of informants and investigators, and associated with an
identifiable individual; or (C) reports identifiable to
an individual compiled at any stage of the process of
enforcement of the criminal laws from arrest or
indictment through release from supervision.
At the time rules are adopted under this subsection, the agency
shall include in the statement required under section 553(c) of
this title, the reasons why the system of records is to be
exempted from a provision of this section.
(k) Specific Exemptions.--The head of any agency may
promulgate rules, in accordance with the requirements
(including general notice) of sections 553(b)(1), (2), and (3),
(c), and (e) of this title, to exempt any system of records
within the agency from subsections (c)(3), (d), (e)(1),
(e)(4)(G), (H), and (I) and (f) of this section if the system
of records is--
(1) subject to the provisions of section 552(b)(1) of
this title;
(2) investigatory material compiled for law
enforcement purposes, other than material within the
scope of subsection (j)(2) of this section: Provided,
however, That if any individual is denied any right,
privilege, or benefit that he would otherwise be
entitled by Federal law, or for which he would
otherwise be eligible, as a result of the maintenance
of such material, such material shall be provided to
such individual, except to the extent that the
disclosure of such material would reveal the identity
of a source who furnished information to the Government
under an express promise that the identity of the
source would be held in confidence, or, prior to the
effective date of this section, under an implied
promise that the identity of the source would be held
in confidence;
(3) maintained in connection with providing
protective services to the President of the United
States or other individuals pursuant to section 3056 of
title 18;
(4) required by statute to be maintained and used
solely as statistical records;
(5) investigatory material compiled solely for the
purpose of determining suitability, eligibility, or
qualifications for Federal civilian employment,
military service, Federal contracts, or access to
classified information, but only to the extent that the
disclosure of such material would reveal the identity
of a source who furnished information to the Government
under an express promise that the identity of the
source would be held in confidence, or, prior to the
effective date of this section, under an implied
promise that the identity of the source would be held
in confidence;
(6) testing or examination material used solely to
determine individual qualifications for appointment or
promotion in the Federal service the disclosure of
which would compromise the objectivity or fairness of
the testing or examination process; or
(7) evaluation material used to determine potential
for promotion in the armed services, but only to the
extent that the disclosure of such material would
reveal the identity of a source who furnished
information to the Government under an express promise
that the identity of the source would be held in
confidence, or, prior to the effective date of this
section, under an implied promise that the identity of
the source would be held in confidence.
At the time rules are adopted under this subsection, the agency
shall include in the statement required under section 553(c) of
this title, the reasons why the system of records is to be
exempted from a provision of this section.
(l)(1) Archival Records.--Each agency record which is
accepted by the Archivist of the United States for storage,
processing, and servicing in accordance with section 3103 of
title 44 shall, for the purposes of this section, be considered
to be maintained by the agency which deposited the record and
shall be subject to the provisions of this section. The
Archivist of the United States shall not disclose the record
except to the agency which maintains the record, or under rules
established by that agency which are not inconsistent with the
provisions of this section.
(2) Each agency record pertaining to an identifiable
individual which was transferred to the National Archives of
the United States as a record which has sufficient historical
or other value to warrant its continued preservation by the
United States Government, prior to the effective date of this
section, shall, for the purposes of this section, be considered
to be maintained by the National Archives and shall not be
subject to the provisions of this section, except that a
statement generally describing such records (modeled after the
requirements relating to records subject to subsections
(e)(4)(A) through (G) of this section) shall be published in
the Federal Register.
(3) Each agency record pertaining to an identifiable
individual which is transferred to the National Archives of the
United States as a record which has sufficient historical or
other value to warrant its continued preservation by the United
States Government, on or after the effective date of this
section, shall, for the purposes of this section, be considered
to be maintained by the National Archives and shall be exempt
from the requirements of this section except subsections
(e)(4)(A) through (G) and (e)(9) of this section.
(m)(1) Government Contractors.--When an agency provides by a
contract for the operation by or on behalf of the agency of a
system of records to accomplish an agency function, the agency
shall, consistent with its authority, cause the requirements of
this section to be applied to such system. For purposes of
subsection (i) of this section any such contractor and any
employee of such contractor, if such contract is agreed to on
or after the effective date of this section, shall be
considered to be an employee of an agency.
(2) A consumer reporting agency to which a record is
disclosed under section 3711(e) of title 31 shall not be
considered a contractor for the purposes of this section.
(n) Mailing Lists.--An individual's name and address may not
be sold or rented by an agency unless such action is
specifically authorized by law. This provision shall not be
construed to require the withholding of names and addresses
otherwise permitted to be made public.
(o) Matching Agreements.--(1) No record which is contained in
a system of records may be disclosed to a recipient agency or
non-Federal agency for use in a computer matching program
except pursuant to a written agreement between the source
agency and the recipient agency or non-Federal agency
specifying--
(A) the purpose and legal authority for conducting
the program;
(B) the justification for the program and the
anticipated results, including a specific estimate of
any savings;
(C) a description of the records that will be
matched, including each data element that will be used,
the approximate number of records that will be matched,
and the projected starting and completion dates of the
matching program;
(D) procedures for providing individualized notice at
the time of application, and notice periodically
thereafter as directed by the Data Integrity Board of
such agency (subject to guidance provided by the
Director of the Office of Management and Budget
pursuant to subsection (v)), to--
(i) applicants for and recipients of
financial assistance or payments under Federal
benefit programs, and
(ii) applicants for and holders of positions
as Federal personnel,
that any information provided by such applicants, recipients,
holders, and individuals may be subject to verification through
matching programs;
(E) procedures for verifying information produced in
such matching program as required by subsection (p);
(F) procedures for the retention and timely
destruction of identifiable records created by a
recipient agency or non-Federal agency in such matching
program;
(G) procedures for ensuring the administrative,
technical, and physical security of the records matched
and the results of such programs;
(H) prohibitions on duplication and redisclosure of
records provided by the source agency within or outside
the recipient agency or the non-Federal agency, except
where required by law or essential to the conduct of
the matching program;
(I) procedures governing the use by a recipient
agency or non-Federal agency of records provided in a
matching program by a source agency, including
procedures governing return of the records to the
source agency or destruction of records used in such
program;
(J) information on assessments that have been made on
the accuracy of the records that will be used in such
matching program; and
(K) that the Comptroller General may have access to
all records of a recipient agency or a non-Federal
agency that the Comptroller General deems necessary in
order to monitor or verify compliance with the
agreement.
(2)(A) A copy of each agreement entered into pursuant to
paragraph (1) shall--
(i) be transmitted to the Committee on Governmental
Affairs of the Senate and the Committee on Government
Operations of the House of Representatives; and
(ii) be available upon request to the public.
(B) No such agreement shall be effective until 30 days after
the date on which such a copy is transmitted pursuant to
subparagraph (A)(i).
(C) Such an agreement shall remain in effect only for such
period, not to exceed 18 months, as the Data Integrity Board of
the agency determines is appropriate in light of the purposes,
and length of time necessary for the conduct, of the matching
program.
(D) Within 3 months prior to the expiration of such an
agreement pursuant to subparagraph (C), the Data Integrity
Board of the agency may, without additional review, renew the
matching agreement for a current, ongoing matching program for
not more than one additional year if--
(i) such program will be conducted without any
change; and
(ii) each party to the agreement certifies to the
Board in writing that the program has been conducted in
compliance with the agreement.
(p) Verification and Opportunity to Contest Findings.--(1) In
order to protect any individual whose records are used in a
matching program, no recipient agency, non-Federal agency, or
source agency may suspend, terminate, reduce, or make a final
denial of any financial assistance or payment under a Federal
benefit program to such individual, or take other adverse
action against such individual, as a result of information
produced by such matching program, until--
(A)(i) the agency has independently verified the
information; or
(ii) the Data Integrity Board of the agency, or in
the case of a non-Federal agency the Data Integrity
Board of the source agency, determines in accordance
with guidance issued by the Director of the Office of
Management and Budget that--
(I) the information is limited to
identification and amount of benefits paid by
the source agency under a Federal benefit
program; and
(II) there is a high degree of confidence
that the information provided to the recipient
agency is accurate;
(B) the individual receives a notice from the agency
containing a statement of its findings and informing
the individual of the opportunity to contest such
findings; and
(C)(i) the expiration of any time period established
for the program by statute or regulation for the
individual to respond to that notice; or
(ii) in the case of a program for which no such
period is established, the end of the 30-day period
beginning on the date on which notice under
subparagraph (B) is mailed or otherwise provided to the
individual.
(2) Independent verification referred to in paragraph (1)
requires investigation and confirmation of specific information
relating to an individual that is used as a basis for an
adverse action against the individual, including where
applicable investigation and confirmation of--
(A) the amount of any asset or income involved;
(B) whether such individual actually has or had
access to such asset or income for such individual's
own use; and
(C) the period or periods when the individual
actually had such asset or income.
(3) Notwithstanding paragraph (1), an agency may take any
appropriate action otherwise prohibited by such paragraph if
the agency determines that the public health or public safety
may be adversely affected or significantly threatened during
any notice period required by such paragraph.
(q) Sanctions.--(1) Notwithstanding any other provision of
law, no source agency may disclose any record which is
contained in a system of records to a recipient agency or non-
Federal agency for a matching program if such source agency has
reason to believe that the requirements of subsection (p), or
any matching agreement entered into pursuant to subsection (o),
or both, are not being met by such recipient agency.
(2) No source agency may renew a matching agreement unless--
(A) the recipient agency or non-Federal agency has
certified that it has complied with the provisions of
that agreement; and
(B) the source agency has no reason to believe that
the certification is inaccurate.
(r) Report on New Systems and Matching Programs.--Each agency
that proposes to establish or make a significant change in a
system of records or a matching program shall provide adequate
advance notice of any such proposal (in duplicate) to the
Committee on Government Operations of the House of
Representatives, the Committee on Governmental Affairs of the
Senate, and the Office of Management and Budget in order to
permit an evaluation of the probable or potential effect of
such proposal on the privacy or other rights of individuals.
(s) Biennial Report.--The President shall biennially submit
to the Speaker of the House of Representatives and the
President pro tempore of the Senate a report--
(1) describing the actions of the Director of the
Office of Management and Budget pursuant to section 6
of the Privacy Act of 1974 during the preceding 2
years;
(2) describing the exercise of individual rights of
access and amendment under this section during such
years;
(3) identifying changes in or additions to systems of
records;
(4) containing such other information concerning
administration of this section as may be necessary or
useful to the Congress in reviewing the effectiveness
of this section in carrying out the purposes of the
Privacy Act of 1974.
(t)(1) Effect of Other Laws.--No agency shall rely on any
exemption contained in section 552 of this title to withhold
from an individual any record which is otherwise accessible to
such individual under the provisions of this section.
(2) No agency shall rely on any exemption in this section to
withhold from an individual any record which is otherwise
accessible to such individual under the provisions of section
552 of this title.
(u) Data Integrity Boards.--(1) Every agency conducting or
participating in a matching program shall establish a Data
Integrity Board to oversee and coordinate among the various
components of such agency the agency's implementation of this
section.
(2) Each Data Integrity Board shall consist of senior
officials designated by the head of the agency, and shall
include any senior official designated by the head of the
agency as responsible for implementation of this section, and
the inspector general of the agency, if any. The inspector
general shall not serve as chairman of the Data Integrity
Board.
(3) Each Data Integrity Board--
(A) shall review, approve, and maintain all written
agreements for receipt or disclosure of agency records
for matching programs to ensure compliance with
subsection (o), and all relevant statutes, regulations,
and guidelines;
(B) shall review all matching programs in which the
agency has participated during the year, either as a
source agency or recipient agency, determine compliance
with applicable laws, regulations, guidelines, and
agency agreements, and assess the costs and benefits of
such programs;
(C) shall review all recurring matching programs in
which the agency has participated during the year,
either as a source agency or recipient agency, for
continued justification for such disclosures;
(D) shall compile an annual report, which shall be
submitted to the head of the agency and the Office of
Management and Budget and made available to the public
on request, describing the matching activities of the
agency, including--
(i) matching programs in which the agency has
participated as a source agency or recipient
agency;
(ii) matching agreements proposed under
subsection (o) that were disapproved by the
Board;
(iii) any changes in membership or structure
of the Board in the preceding year;
(iv) the reasons for any waiver of the
requirement in paragraph (4) of this section
for completion and submission of a cost-benefit
analysis prior to the approval of a matching
program;
(v) any violations of matching agreements
that have been alleged or identified and any
corrective action taken; and
(vi) any other information required by the
Director of the Office of Management and Budget
to be included in such report;
(E) shall serve as a clearinghouse for receiving and
providing information on the accuracy, completeness,
and reliability of records used in matching programs;
(F) shall provide interpretation and guidance to
agency components and personnel on the requirements of
this section for matching programs;
(G) shall review agency recordkeeping and disposal
policies and practices for matching programs to assure
compliance with this section; and
(H) may review and report on any agency matching
activities that are not matching programs.
(4)(A) Except as provided in subparagraphs (B) and (C), a
Data Integrity Board shall not approve any written agreement
for a matching program unless the agency has completed and
submitted to such Board a cost-benefit analysis of the proposed
program and such analysis demonstrates that the program is
likely to be cost effective.
(B) The Board may waive the requirements of subparagraph (A)
of this paragraph if it determines in writing, in accordance
with guidelines prescribed by the Director of the Office of
Management and Budget, that a cost-benefit analysis is not
required.
(C) A cost-benefit analysis shall not be required under
subparagraph (A) prior to the initial approval of a written
agreement for a matching program that is specifically required
by statute. Any subsequent written agreement for such a program
shall not be approved by the Data Integrity Board unless the
agency has submitted a cost-benefit analysis of the program as
conducted under the preceding approval of such agreement.
(5)(A) If a matching agreement is disapproved by a Data
Integrity Board, any party to such agreement may appeal the
disapproval to the Director of the Office of Management and
Budget. Timely notice of the filing of such an appeal shall be
provided by the Director of the Office of Management and Budget
to the Committee on Governmental Affairs of the Senate and the
Committee on Government Operations of the House of
Representatives.
(B) The Director of the Office of Management and Budget may
approve a matching agreement notwithstanding the disapproval of
a Data Integrity Board if the Director determines that--
(i) the matching program will be consistent with all
applicable legal, regulatory, and policy requirements;
(ii) there is adequate evidence that the matching
agreement will be cost-effective; and
(iii) the matching program is in the public interest.
(C) The decision of the Director to approve a matching
agreement shall not take effect until 30 days after it is
reported to committees described in subparagraph (A).
(D) If the Data Integrity Board and the Director of the
Office of Management and Budget disapprove a matching program
proposed by the inspector general of an agency, the inspector
general may report the disapproval to the head of the agency
and to the Congress.
(6) In the reports required by paragraph (3)(D), agency
matching activities that are not matching programs may be
reported on an aggregate basis, if and to the extent necessary
to protect ongoing law enforcement or counterintelligence
investigations.
(v) Office of Management and Budget Responsibilities.--The
Director of the Office of Management and Budget shall--
(1) develop and, after notice and opportunity for
public comment, prescribe guidelines and regulations
for the use of agencies in implementing the provisions
of this section; and
(2) provide continuing assistance to and oversight of
the implementation of this section by agencies.
(w) Applicability to Bureau of Consumer Financial
Protection.--Except as provided in the Consumer Financial
Protection Act of 2010, this section shall apply with respect
to the Bureau of Consumer Financial Protection.
* * * * * * *
----------
ADVANCING AMERICAN AI ACT
* * * * * * *
DIVISION G--HOMELAND SECURITY
* * * * * * *
TITLE LXXII--GOVERNMENTAL AFFAIRS
* * * * * * *
Subtitle B--Advancing American AI Act
* * * * * * *
SEC. 7224. PRINCIPLES AND POLICIES FOR USE OF ARTIFICIAL INTELLIGENCE
IN GOVERNMENT.
[(a) Guidance.--The Director shall, when developing the
guidance required under section 104(a) of the AI in Government
Act of 2020 (title I of division U of Public Law 116-260),
consider--
[(1) the considerations and recommended practices
identified by the National Security Commission on
Artificial Intelligence in the report entitled ``Key
Considerations for the Responsible Development and
Fielding of AI'', as updated in April 2021;
[(2) the principles articulated in Executive Order
13960 (85 Fed. Reg. 78939; relating to promoting the
use of trustworthy artificial intelligence in
Government); and
[(3) the input of--
[(A) the Administrator of General Services;
[(B) relevant interagency councils, such as
the Federal Privacy Council, the Chief
Financial Officers Council, the Chief
Information Officers Council, and the Chief
Data Officers Council;
[(C) other governmental and nongovernmental
privacy, civil rights, and civil liberties
experts;
[(D) academia;
[(E) industry technology and data science
experts; and
[(F) any other individual or entity the
Director determines to be appropriate.]
(b) Department Policies and Processes for Procurement and Use
of Artificial Intelligence-enabled Systems..--Not later than
180 days after the date of enactment of this Act--
(1) the Secretary of Homeland Security, with the
participation of the Chief Procurement Officer, the
Chief Information Officer, the Chief Privacy Officer,
and the Officer for Civil Rights and Civil Liberties of
the Department and any other person determined to be
relevant by the Secretary of Homeland Security, shall
issue policies and procedures for the Department
related to--
(A) the acquisition and use of artificial
intelligence; and
(B) considerations for the risks and impacts
related to artificial intelligence-enabled
systems, including associated data of machine
learning systems, to ensure that full
consideration is given to--
(i) the privacy, civil rights, and
civil liberties impacts of artificial
intelligence-enabled systems; and
(ii) security against misuse,
degradation, or rending inoperable of
artificial intelligence-enabled
systems; and
(2) the Chief Privacy Officer and the Officer for
Civil Rights and Civil Liberties of the Department
shall report to Congress on any additional staffing or
funding resources that may be required to carry out the
requirements of this subsection.
(c) Inspector General.--Not later than 180 days after the
date of enactment of this Act, the Inspector General of the
Department shall identify any training and investments needed
to enable employees of the Office of the Inspector General to
continually advance their understanding of--
(1) artificial intelligence systems;
(2) best practices for governance, oversight, and
audits of the use of artificial intelligence systems;
and
(3) how the Office of the Inspector General is using
artificial intelligence to enhance audit and
investigative capabilities, including actions to--
(A) ensure the integrity of audit and
investigative results; and
(B) guard against bias in the selection and
conduct of audits and investigations.
[(d) Artificial Intelligence Hygiene and Protection of
Government Information, Privacy, Civil Rights, and Civil
Liberties.--
[(1) Establishment.--Not later than 1 year after the
date of enactment of this Act, the Director, in
consultation with a working group consisting of members
selected by the Director from appropriate interagency
councils, shall develop an initial means by which to--
[(A) ensure that contracts for the
acquisition of an artificial intelligence
system or service--
[(i) align with the guidance issued
to the head of each agency under
section 104(a) of the AI in Government
Act of 2020 (title I of division U of
Public Law 116-260);
[(ii) address protection of privacy,
civil rights, and civil liberties;
[(iii) address the ownership and
security of data and other information
created, used, processed, stored,
maintained, disseminated, disclosed, or
disposed of by a contractor or
subcontractor on behalf of the Federal
Government; and
[(iv) include considerations for
securing the training data, algorithms,
and other components of any artificial
intelligence system against misuse,
unauthorized alteration, degradation,
or rendering inoperable; and
[(B) address any other issue or concern
determined to be relevant by the Director to
ensure appropriate use and protection of
privacy and Government data and other
information.
[(2) Consultation.--In developing the considerations
under paragraph (1)(A)(iv), the Director shall consult
with the Secretary of Homeland Security, the Secretary
of Energy, the Director of the National Institute of
Standards and Technology, and the Director of National
Intelligence.
[(3) Review.--The Director--
[(A) should continuously update the means
developed under paragraph (1); and
[(B) not later than 2 years after the date of
enactment of this Act and not less frequently
than every 2 years thereafter, shall update the
means developed under paragraph (1).
[(4) Briefing.--The Director shall brief the
appropriate congressional committees--
[(A) not later than 90 days after the date of
enactment of this Act and thereafter on a
quarterly basis until the Director first
implements the means developed under paragraph
(1); and
[(B) annually thereafter on the
implementation of this subsection.
[(5) Sunset.--This subsection shall cease to be
effective on the date that is 5 years after the date of
enactment of this Act.]
* * * * * * *
----------
AI IN GOVERNMENT ACT OF 2020
* * * * * * *
DIVISION U--HOMELAND SECURITY
AND GOVERNMENTAL AFFAIRS PRO-
VISIONS
TITLE I--AI IN GOVERNMENT ACT OF
2020
* * * * * * *
[SEC. 104. GUIDANCE FOR AGENCY USE OF ARTIFICIAL INTEL-
LIGENCE.
[(a) Guidance.--Not later than 270 days after the date of
enactment of this Act, the Director, in coordination with the
Director of the Office of Science and Technology Policy in
consultation with the Administrator and any other relevant
agencies and key stakeholders as determined by the Director,
shall issue a memorandum to the head of each agency that
shall--
[(1) inform the development of policies regarding
Federal acquisition and use by agencies regarding
technologies that are empowered or enabled by
artificial intelligence, including an identification of
the responsibilities of agency officials managing the
use of such technology;
[(2) recommend approaches to remove barriers for use
by agencies of artificial intelligence technologies in
order to promote the innovative application of those
technologies while protecting civil liberties, civil
rights, and economic and national security;
[(3) identify best practices for identifying,
assessing, and mitigating any discriminatory impact or
bias on the basis of any classification protected under
Federal nondiscrimination laws, or any unintended
consequence of the use of artificial intelligence,
including policies to identify data used to train
artificial intelligence algorithms as well as the data
analyzed by artificial intelligence used by the
agencies; and
[(4) provide a template of the required contents of
the agency plans described in subsection (c).
[(b) Public Comment.--To help ensure public trust in the
applications of artificial intelligence technologies, the
Director shall issue a draft version of the memorandum required
under subsection (a) for public comment not later than 180 days
after date of enactment of this Act.
[(c) Plans.--Not later than 180 days after the date on which
the Director issues the memorandum required under subsection
(a) or an update to the memorandum required under subsection
(d), the head of each agency shall submit to the Director and
post on a publicly available page on the website of the
agency--
[(1) a plan to achieve consistency with the
memorandum; or
[(2) a written determination that the agency does not
use and does not anticipate using artificial
intelligence.
[(d) Updates.--Not later than 2 years after the date on which
the Director issues the memorandum required under subsection
(a), and every 2 years thereafter for 10 years, the Director
shall issue updates to the memorandum.]
* * * * * * *
[all]