In Part 2 of this series, we look at OMB Memorandum M-25-22, which addresses the procurement of AI by federal agencies. As noted in Part 1, the memos implement Executive Order 14179, “Removing Barriers to American Leadership in Artificial Intelligence,” issued by President Trump on January 23, 2025, and rescind and replace prior OMB memos issued by President Biden’s administration addressing the same. Like M-25-21, M-25-22 marks a significant shift in how federal agencies acquire and integrate AI—highlighting what government contractors, especially those in IT, data science, and emerging technologies, must do now to prepare.

Potential Impacts

Please see Part 1 for a list of potential impacts.

Similar to M-25-21, M-25-22 also includes rather short time frames to implement several required actions, thus further signaling that the use and procurement of AI by federal agencies is a priority of the Trump administration.

M-25-22: Driving Efficient Acquisition of Artificial Intelligence in Government

M-25-22 provides guidance to federal agencies to improve their ability to acquire AI responsibly and is driven by three grounding themes:

  1. ensuring the government and the public benefit from a competitive American AI marketplace;
  2. safeguarding taxpayer dollars by tracking AI performance and managing risk; and
  3. promoting effective AI acquisition with cross-functional engagement.

M-25-22 applies to AI systems or services that are acquired by or on behalf of federal agencies. Importantly, similar to M-25-21, M-25-22 does not apply to AI acquired for use as a component of a National Security System and to elements of the Intelligence Community. The term “AI system” includes “data systems, software, applications, tools, or utilities established primarily for the purpose of researching, developing, or implementing artificial intelligence technology, as well as data systems, software, applications, tools, or utilities where an AI capability is integrated into another system or agency business process, operational activity, or technology system.” (internal quotations omitted)

Notably, the term “AI system” does not include “any common commercial product within which artificial intelligence is embedded, such as a word processor or map navigation system.” M-25-22 directs agencies, when determining whether a product that integrates AI functionality is excepted from the requirements of M-25-22, to assess: (a) whether the product is widely available to the public for commercial use, as opposed to products that are not readily available to the general public or are specialized or customized for agency use and (b) whether the AI is embedded in a product that has substantial non-AI purposes or functionalities, as opposed to products for which AI is a primary purpose or functionality.

Lastly, while M-25-21 took effect immediately upon its release on April 3, 2025, M-25-22 will only apply to (a) contracts awarded under solicitations issued 180 days after M-25-22’s release and (b) any option to renew or extend the period of performance exercised on existing contracts after that date. This means that starting in early October, contractors will begin to see AI-specific solicitation provisions and contract clauses implementing these requirements, including provisions in solicitations requiring contractors to disclose AI use as part of any given contract performance. Contractors should carefully review all solicitations and all renewals and extensions of existing contracts for AI-specific provisions and clauses.

Buy American

Similar to M-25-21, M-25-22 also emphasizes the need for federal agencies to maximize the use of AI products and services developed and produced in the United States, as recognized by Executive Order 14179. Likewise, M-25-22 also does not provide any guidance regarding what is considered American-made AI, and contractors should be prepared to demonstrate how their AI products and services were developed and produced in the United States.

Protections for Privacy, IP, and Government Data

M-25-22 discusses three broad goals related to protecting government data, privacy rights, and IP.

Starting with government data, M-25-22 calls for the appropriate use of data consistent with applicable laws and government policies, including OMB Circular No. A-130 and OMB Memorandum M-25-05. Agencies are required to have processes in place for procurements for AI systems or services that address the use of government data and include contractual terms that clearly lay out the respective ownership and IP rights of the parties. Further, M-25-22 directs agencies to review and update data ownership processes in procurements for AI systems and services, especially when government data is used to train AI. It also requires agencies to restrict vendors from using non-public agency data for further training of publicly or commercially available AI without explicit consent, necessitating data isolation mechanisms by contractors.

The privacy protections articulated in M-25-22 are targeted at the protection of federal personally identifiable information (PII), which goes hand in hand with the protection of government data and requires close oversight by Senior Agency Officials for Privacy. In any procurement of AI or contractor use of AI involving PII, the acquisition planning team must ensure that the solicitation contains safeguards consistent with current laws and policies related to privacy to manage privacy risks and ensure compliance. While M-25-22 focuses on federal PII, it should raise flags for contractors as well. Contractors should also ensure their own private and proprietary data is not accessible through the AI systems they are developing or procuring for the government.

Finally, M-25-22 recognizes the potentially high value in developing AI systems and discusses protections for IP rights. M-25-22 recommends that agencies consider the following:

  1. Scoping licensing and IP rights based on intended use to avoid vendor lock-in.
  2. Timeline of use for the system.
  3. Data handling, including clear guidelines on use, access, and retention of government data.
  4. Restrictions on the use of government data.
  5. Transparency regarding the AI system, which may involve protections for proprietary data.

M-25-22 states “[c]areful consideration of respective IP licensing rights is even more important when an agency procures an AI system or service, including where agency information is used to train, fine-tune, and develop the AI system.”  This signals the government’s recognition of contractors’ IP rights in their AI systems, which is welcome news. 

Disclosure of AI Use as Part of Contract Performance

M-25-22 warns federal agencies that the use of AI by federal contractors is not going to slow down. Federal agencies should expect that vendors will “increasingly utilize AI as part of contract performance” even when the government does not expect it. M-25-22 instructs agencies to be “cognizant of the risks posed by the unsolicited use of AI systems by vendors” and, where merited, include a solicitation provision that expressly requires vendors to disclose the use of AI as part of contract performance. Contractors should carefully review all solicitations to determine whether they need to disclose to the cognizant agency that they will use AI as part of performing the contract. The last thing a contractor wants is to receive a letter of concern because the agency believes they are improperly using AI.

Determining the Use of High-Impact AI

Similar to M-25-21, M-25-22 also recognizes the risks associated with the use of high-impact AI and the need to investigate such as part of the agency’s market research. Specifically, M-25-22 mandates that agencies, when identifying requirements during their acquisition planning, “identify reasonably foreseeable use cases arising from the use of an AI system or services, and to the greatest extent practicable, make an initial determination of whether a system is likely to host high-impact AI use cases.” Additionally, M-25-22 requires agencies to “disclose in solicitations whether a planned use of an AI system meets the threshold of a high-impact use case or if there is a reasonable likelihood for such a high-impact use case is to occur during the life of the contract.” Contractors should review their solicitations to determine whether the procurement calls for the use of high-impact AI, which could introduce additional compliance requirements and costs to the contractor not originally anticipated.

Contract Terms

M-25-22 directs agencies to include terms in all contracts for AI systems and services that address: (i) intellectual property rights and the use of government data; (ii) privacy; (iii) vendor lock-in protections; (iv) compliance with minimum risk management practices for high-impact AI use cases; (v) ongoing testing and monitoring of performance, risks, and effectiveness of an AI system or service; (vi) vendor performance requirements; and (vii) notification by vendors of new AI enhancements, features, or components into systems and services delivered under the contract. Contractors should expect to see these terms addressed in contracts and contract extensions and renewals for AI systems and services starting in early October of this year.

Competition

As stated above, M-25-22 has a clear goal of promoting a competitive AI marketplace. The memo includes a footnote outlining several ways agencies can foster competition, including:

  1. establishing well-defined interfaces that promote interoperability;
  2. providing robust documentation on the AI’s model and development;
  3. using open source licenses; and
  4. seeking products without bulk pricing arrangements that encourage spending consolidation, including fixed contract lengths, discounts, incentives, and systems priced comparably to those available to the public.

Similar to M-25-21, M-25-22 also states a requirement to avoid vendor lock-in, which is consistent with these considerations. Importantly, part of this policy calls for requirements “regarding knowledge transfer, clear data and model portability practices, clear licensing terms, and pricing transparency.”

Contract Closeout

In the event a contract for an AI system or service is not extended or renewed, M-25-22 instructs agencies to work with the vendor to “implement any contractual terms related to ongoing rights and access to any data or derived products resulting from the services provided under the contract.” M-25-22 further instructs agencies to ensure that the parties have a “mutual understanding of format and usability of any data, and any circumstances that could result in expiration of access, as well as a plan for conducting any transfers of data or other derived assets necessary per the terms of the contract.”

Contractors should not wait until their contract is not extended or renewed to address how data will be transferred to the government. Oftentimes, disputes arise regarding the format of the data to be delivered and whether the data is in a format that is usable to the agency for its intended purposes. Contractors should not leave this up to chance and should work with the cognizant agency to negotiate a clear and unambiguous contract clause that specifically addresses the format and usability of any data to be delivered in the event the contract is not extended or renewed.

Required Actions

The Appendices, located on the last page of each memo linked above, contain tables of all of the required government actions necessitated by the memos. Some of the highlights from M-25-22 include:

  1. Achieve full compliance within 180 days.
  2. Develop a process for the treatment of data ownership and IP rights within 200 days.
  3. GSA must create publicly available tools to enable the procurement of AI systems within 100 days.

If you have questions regarding the memos or AI generally, please contact Cy Alba, Jackie Unger, Joseph Loman, Ryan Boonstra, or another member of PilieroMazza’s Government Contracts or Intellectual Property & Technology Rights practice groups.
