CHAPTER 113—RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

SUBCHAPTER I—DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET

        

SUBCHAPTER II—EXECUTIVE AGENCIES

        

SUBCHAPTER III—OTHER RESPONSIBILITIES

        

Editorial Notes

Amendments

2014—Pub. L. 113–291, div. A, title VIII, §831(b), Dec. 19, 2014, 128 Stat. 3440, added item 11319.

2002—Pub. L. 107–296, title X, §§1002(b), 1005(a)(2), Nov. 25, 2002, 116 Stat. 2269, 2272, and Pub. L. 107–347, title III, §§302(b), 305(a), Dec. 17, 2002, 116 Stat. 2957, 2960, amended table of sections identically, substituting "Responsibilities for Federal information systems standards" for "Responsibilities regarding efficiency, security, and privacy of federal computer systems" in item 11331 and striking out item 11332 "Federal computer system security training and plan".

SUBCHAPTER I—DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET

§11301. Responsibility of Director

In fulfilling the responsibility to administer the functions assigned under chapter 35 of title 44, the Director of the Office of Management and Budget shall comply with this chapter with respect to the specific matters covered by this chapter.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1237.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11301	40:1411.	Pub. L. 104–106, div. E, title LI, §5111, Feb. 10, 1996, 110 Stat. 680.

Statutory Notes and Related Subsidiaries

Advancing American Artificial Intelligence

Pub. L. 117–263, div. G, title LXXII, subtitle B, Dec. 23, 2022, 136 Stat. 3668, provided that:

"SEC. 7221. SHORT TITLE.

"This subtitle may be cited as the 'Advancing American AI Act'.

"SEC. 7222. PURPOSES.

"The purposes of this subtitle are to—

"(1) encourage agency artificial intelligence-related programs and initiatives that enhance the competitiveness of the United States and foster an approach to artificial intelligence that builds on the strengths of the United States in innovation and entrepreneurialism;

"(2) enhance the ability of the Federal Government to translate research advances into artificial intelligence applications to modernize systems and assist agency leaders in fulfilling their missions;

"(3) promote adoption of modernized business practices and advanced technologies across the Federal Government that align with the values of the United States, including the protection of privacy, civil rights, and civil liberties; and

"(4) test and harness applied artificial intelligence to enhance mission effectiveness, agency program integrity, and business practice efficiency.

"SEC. 7223. DEFINITIONS.

"In this subtitle:

"(1) Agency.—The term 'agency' has the meaning given the term in section 3502 of title 44, United States Code.

"(2) Appropriate congressional committees.—The term 'appropriate congressional committees' means—

"(A) the Committee on Homeland Security and Governmental Affairs of the Senate;

"(B) the Committee on Oversight and Reform [now Committee on Oversight and Accountability] of the House of Representatives; and

"(C) the Committee on Homeland Security of the House of Representatives.

"(3) Artificial intelligence.—The term 'artificial intelligence' has the meaning given the term in section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (10 U.S.C. 2358 note).

"(4) Artificial intelligence system.—The term 'artificial intelligence system'—

"(A) means any data system, software, application, tool, or utility that operates in whole or in part using dynamic or static machine learning algorithms or other forms of artificial intelligence, whether—

"(i) the data system, software, application, tool, or utility is established primarily for the purpose of researching, developing, or implementing artificial intelligence technology; or

"(ii) artificial intelligence capability is integrated into another system or agency business process, operational activity, or technology system; and

"(B) does not include any common commercial product within which artificial intelligence is embedded, such as a word processor or map navigation system.

"(5) Department.—The term 'Department' means the Department of Homeland Security.

"(6) Director.—The term 'Director' means the Director of the Office of Management and Budget.

"SEC. 7224. PRINCIPLES AND POLICIES FOR USE OF ARTIFICIAL INTELLIGENCE IN GOVERNMENT.

"(a) Guidance.—The Director shall, when developing the guidance required under section 104(a) of the AI in Government Act of 2020 (title I of division U of Public Law 116–260) [see note below], consider—

"(1) the considerations and recommended practices identified by the National Security Commission on Artificial Intelligence in the report entitled 'Key Considerations for the Responsible Development and Fielding of AI', as updated in April 2021;

"(2) the principles articulated in Executive Order 13960 (85 Fed. Reg. 78939 [40 U.S.C. 11301 note]; relating to promoting the use of trustworthy artificial intelligence in Government); and

"(3) the input of—

"(A) the Administrator of General Services;

"(B) relevant interagency councils, such as the Federal Privacy Council, the Chief Financial Officers Council, the Chief Information Officers Council, and the Chief Data Officers Council;

"(C) other governmental and nongovernmental privacy, civil rights, and civil liberties experts;

"(D) academia;

"(E) industry technology and data science experts; and

"(F) any other individual or entity the Director determines to be appropriate.

"(b) Department Policies and Processes for Procurement and Use of Artificial Intelligence-enabled Systems.—Not later than 180 days after the date of enactment of this Act [Dec. 23, 2022]—

"(1) the Secretary of Homeland Security, with the participation of the Chief Procurement Officer, the Chief Information Officer, the Chief Privacy Officer, and the Officer for Civil Rights and Civil Liberties of the Department and any other person determined to be relevant by the Secretary of Homeland Security, shall issue policies and procedures for the Department related to—

"(A) the acquisition and use of artificial intelligence; and

"(B) considerations for the risks and impacts related to artificial intelligence-enabled systems, including associated data of machine learning systems, to ensure that full consideration is given to—

"(i) the privacy, civil rights, and civil liberties impacts of artificial intelligence-enabled systems; and

"(ii) security against misuse, degradation, or rending inoperable of artificial intelligence-enabled systems; and

"(2) the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department shall report to Congress on any additional staffing or funding resources that may be required to carry out the requirements of this subsection.

"(c) Inspector General.—Not later than 180 days after the date of enactment of this Act, the Inspector General of the Department shall identify any training and investments needed to enable employees of the Office of the Inspector General to continually advance their understanding of—

"(1) artificial intelligence systems;

"(2) best practices for governance, oversight, and audits of the use of artificial intelligence systems; and

"(3) how the Office of the Inspector General is using artificial intelligence to enhance audit and investigative capabilities, including actions to—

"(A) ensure the integrity of audit and investigative results; and

"(B) guard against bias in the selection and conduct of audits and investigations.

"(d) Artificial Intelligence Hygiene and Protection of Government Information, Privacy, Civil Rights, and Civil Liberties.—

"(1) Establishment.—Not later than 1 year after the date of enactment of this Act, the Director, in consultation with a working group consisting of members selected by the Director from appropriate interagency councils, shall develop an initial means by which to—

"(A) ensure that contracts for the acquisition of an artificial intelligence system or service—

"(i) align with the guidance issued to the head of each agency under section 104(a) of the AI in Government Act of 2020 (title I of division U of Public Law 116–260);

"(ii) address protection of privacy, civil rights, and civil liberties;

"(iii) address the ownership and security of data and other information created, used, processed, stored, maintained, disseminated, disclosed, or disposed of by a contractor or subcontractor on behalf of the Federal Government; and

"(iv) include considerations for securing the training data, algorithms, and other components of any artificial intelligence system against misuse, unauthorized alteration, degradation, or rendering inoperable; and

"(B) address any other issue or concern determined to be relevant by the Director to ensure appropriate use and protection of privacy and Government data and other information.

"(2) Consultation.—In developing the considerations under paragraph (1)(A)(iv), the Director shall consult with the Secretary of Homeland Security, the Secretary of Energy, the Director of the National Institute of Standards and Technology, and the Director of National Intelligence.

"(3) Review.—The Director—

"(A) should continuously update the means developed under paragraph (1); and

"(B) not later than 2 years after the date of enactment of this Act and not less frequently than every 2 years thereafter, shall update the means developed under paragraph (1).

"(4) Briefing.—The Director shall brief the appropriate congressional committees—

"(A) not later than 90 days after the date of enactment of this Act and thereafter on a quarterly basis until the Director first implements the means developed under paragraph (1); and

"(B) annually thereafter on the implementation of this subsection.

"(5) Sunset.—This subsection shall cease to be effective on the date that is 5 years after the date of enactment of this Act.

"SEC. 7225. AGENCY INVENTORIES AND ARTIFICIAL INTELLIGENCE USE CASES.

"(a) Inventory.—Not later than 60 days after the date of enactment of this Act [Dec. 23, 2022], and continuously thereafter for a period of 5 years, the Director, in consultation with the Chief Information Officers Council, the Chief Data Officers Council, and other interagency bodies as determined to be appropriate by the Director, shall require the head of each agency to—

"(1) prepare and maintain an inventory of the artificial intelligence use cases of the agency, including current and planned uses;

"(2) share agency inventories with other agencies, to the extent practicable and consistent with applicable law and policy, including those concerning protection of privacy and of sensitive law enforcement, national security, and other protected information; and

"(3) make agency inventories available to the public, in a manner determined by the Director, and to the extent practicable and in accordance with applicable law and policy, including those concerning the protection of privacy and of sensitive law enforcement, national security, and other protected information.

"(b) Central Inventory.—The Director is encouraged to designate a host entity and ensure the creation and maintenance of an online public directory to—

"(1) make agency artificial intelligence use case information available to the public and those wishing to do business with the Federal Government; and

"(2) identify common use cases across agencies.

"(c) Sharing.—The sharing of agency inventories described in subsection (a)(2) may be coordinated through the Chief Information Officers Council, the Chief Data Officers Council, the Chief Financial Officers Council, the Chief Acquisition Officers Council, or other interagency bodies to improve interagency coordination and information sharing for common use cases.

"(d) Department of Defense.—Nothing in this section shall apply to the Department of Defense.

"SEC. 7226. RAPID PILOT, DEPLOYMENT AND SCALE OF APPLIED ARTIFICIAL INTELLIGENCE CAPABILITIES TO DEMONSTRATE MODERNIZATION ACTIVITIES RELATED TO USE CASES.

"(a) Identification of Use Cases.—Not later than 270 days after the date of enactment of this Act [Dec. 23, 2022], the Director, in consultation with the Chief Information Officers Council, the Chief Data Officers Council, the Chief Financial Officers Council, and other interagency bodies as determined to be appropriate by the Director, shall identify 4 new use cases for the application of artificial intelligence-enabled systems to support interagency or intra-agency modernization initiatives that require linking multiple siloed internal and external data sources, consistent with applicable laws and policies, including those relating to the protection of privacy and of sensitive law enforcement, national security, and other protected information.

"(b) Pilot Program.—

"(1) Purposes.—The purposes of the pilot program under this subsection include—

"(A) to enable agencies to operate across organizational boundaries, coordinating between existing established programs and silos to improve delivery of the agency mission;

"(B) to demonstrate the circumstances under which artificial intelligence can be used to modernize or assist in modernizing legacy agency systems; and

"(C) to leverage commercially available artificial intelligence technologies that—

"(i) operate in secure cloud environments that can deploy rapidly without the need to replace existing systems; and

"(ii) do not require extensive staff or training to build.

"(2) Deployment and pilot.—Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the heads of relevant agencies and Federal entities, including the Administrator of General Services, the Bureau of Fiscal Service of the Department of the Treasury, the Council of the Inspectors General on Integrity and Efficiency, and the Pandemic Response Accountability Committee, and other officials as the Director determines to be appropriate, shall ensure the initiation of the piloting of the 4 new artificial intelligence use case applications identified under subsection (a), leveraging commercially available technologies and systems to demonstrate scalable artificial intelligence-enabled capabilities to support the use cases identified under subsection (a).

"(3) Risk evaluation and mitigation plan.—In carrying out paragraph (2), the Director shall require the heads of agencies to—

"(A) evaluate risks in utilizing artificial intelligence systems; and

"(B) develop a risk mitigation plan to address those risks, including consideration of—

"(i) the artificial intelligence system not performing as expected or as designed;

"(ii) the quality and relevancy of the data resources used in the training of the algorithms used in an artificial intelligence system;

"(iii) the processes for training and testing, evaluating, validating, and modifying an artificial intelligence system; and

"(iv) the vulnerability of a utilized artificial intelligence system to unauthorized manipulation or misuse, including the use of data resources that substantially differ from the training data.

"(4) Prioritization.—In carrying out paragraph (2), the Director shall prioritize modernization projects that—

"(A) would benefit from commercially available privacy-preserving techniques, such as use of differential privacy, federated learning, and secure multiparty computing; and

"(B) otherwise take into account considerations of civil rights and civil liberties.

"(5) Privacy protections.—In carrying out paragraph (2), the Director shall require the heads of agencies to use privacy-preserving techniques when feasible, such as differential privacy, federated learning, and secure multiparty computing, to mitigate any risks to individual privacy or national security created by a project or data linkage.

"(6) Use case modernization application areas.—Use case modernization application areas described in paragraph (2) shall include not less than 1 from each of the following categories:

"(A) Applied artificial intelligence to drive agency productivity efficiencies in predictive supply chain and logistics, such as—

"(i) predictive food demand and optimized supply;

"(ii) predictive medical supplies and equipment demand and optimized supply; or

"(iii) predictive logistics to accelerate disaster preparedness, response, and recovery.

"(B) Applied artificial intelligence to accelerate agency investment return and address mission-oriented challenges, such as—

"(i) applied artificial intelligence portfolio management for agencies;

"(ii) workforce development and upskilling;

"(iii) redundant and laborious analyses;

"(iv) determining compliance with Government requirements, such as with Federal financial management and grants management, including implementation of chapter 64 of subtitle V of title 31, United States Code;

"(v) addressing fraud, waste, and abuse in agency programs and mitigating improper payments; or

"(vi) outcomes measurement to measure economic and social benefits.

"(7) Requirements.—Not later than 3 years after the date of enactment of this Act, the Director, in coordination with the heads of relevant agencies and other officials as the Director determines to be appropriate, shall establish an artificial intelligence capability within each of the 4 use case pilots under this subsection that—

"(A) solves data access and usability issues with automated technology and eliminates or minimizes the need for manual data cleansing and harmonization efforts;

"(B) continuously and automatically ingests data and updates domain models in near real-time to help identify new patterns and predict trends, to the extent possible, to help agency personnel to make better decisions and take faster actions;

"(C) organizes data for meaningful data visualization and analysis so the Government has predictive transparency for situational awareness to improve use case outcomes;

"(D) is rapidly configurable to support multiple applications and automatically adapts to dynamic conditions and evolving use case requirements, to the extent possible;

"(E) enables knowledge transfer and collaboration across agencies; and

"(F) preserves intellectual property rights to the data and output for benefit of the Federal Government and agencies and protects sensitive personally identifiable information.

"(c) Briefing.—Not earlier than 270 days but not later than 1 year after the date of enactment of this Act, and annually thereafter for 4 years, the Director shall brief the appropriate congressional committees on the activities carried out under this section and results of those activities.

"(d) Sunset.—The section shall cease to be effective on the date that is 5 years after the date of enactment of this Act.

"SEC. 7227. ENABLING ENTREPRENEURS AND AGENCY MISSIONS.

"(a) Innovative Commercial Items.—[Amended section 880 of the National Defense Authorization Act for Fiscal Year 2017 (41 U.S.C. 3301 note).]

"(b) DHS Other Transaction Authority.—[Amended section 391 of Title 6, Domestic Security.]

"(c) Commercial Off the Shelf Supply Chain Risk Management Tools.—

"(1) In general.—The General Services Administration is encouraged to pilot commercial off the shelf supply chain risk management tools to improve the ability of the Federal Government to characterize, monitor, predict, and respond to specific supply chain threats and vulnerabilities that could inhibit future Federal acquisition operations.

"(2) Consultation.—In carrying out this subsection, the General Services Administration shall consult with the Federal Acquisition Security Council established under section 1322 of title 41, United States Code.

"SEC. 7228. INTELLIGENCE COMMUNITY EXCEPTION.

"Nothing in this subtitle shall apply to any element of the intelligence community, as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)."

AI in Government

Pub. L. 116–260, div. U, title I, Dec. 27, 2020, 134 Stat. 2286, provided that:

"SEC. 101. SHORT TITLE.

"This title may be cited as the 'AI in Government Act of 2020'.

"SEC. 102. DEFINITIONS.

"In this Act [probably means "this title"]—

"(1) the term 'Administrator' means the Administrator of General Services;

"(2) the term 'agency' has the meaning given the term in section 3502 of title 44, United States Code;

"(3) the term 'AI CoE' means the AI Center of Excellence described in section 103;

"(4) the term 'artificial intelligence' has the meaning given the term in section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (10 U.S.C. 2358 note);

"(5) the term 'Director' means the Director of the Office of Management and Budget;

"(6) the term 'institution of higher education' has the meaning given the term in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001); and

"(7) the term 'nonprofit organization' means an organization described in section 501(c)(3)of [sic] the Internal Revenue Code of 1986 [26 U.S.C. 501(c)(3)] and exempt from taxation under section 501(a) of that Code [26 U.S.C. 501(a)].

"SEC. 103. AI CENTER OF EXCELLENCE.

"(a) In General.—There is created within the General Services Administration a program to be known as the 'AI Center of Excellence', which shall—

"(1) facilitate the adoption of artificial intelligence technologies in the Federal Government;

"(2) improve cohesion and competency in the adoption and use of artificial intelligence within the Federal Government; and

"(3) carry out paragraphs (1) and (2) for the purposes of benefitting the public and enhancing the productivity and efficiency of Federal Government operations.

"(b) Duties.—The duties of the AI CoE shall include—

"(1) regularly convening individuals from agencies, industry, Federal laboratories, nonprofit organizations, institutions of higher education, and other entities to discuss recent developments in artificial intelligence, including the dissemination of information regarding programs, pilots, and other initiatives at agencies, as well as recent trends and relevant information on the understanding, adoption, and use of artificial intelligence;

"(2) collecting, aggregating, and publishing on a publicly available website information regarding programs, pilots, and other initiatives led by other agencies and any other information determined appropriate by the Administrator;

"(3) advising the Administrator, the Director, and agencies on the acquisition and use of artificial intelligence through technical insight and expertise, as needed;

"(4) assist agencies in applying Federal policies regarding the management and use of data in applications of artificial intelligence;

"(5) consulting with agencies, including the Department of Defense, the Department of Commerce, the Department of Energy, the Department of Homeland Security, the Office of Management and Budget, the Office of the Director of National Intelligence, and the National Science Foundation, that operate programs, create standards and guidelines, or otherwise fund internal projects or coordinate between the public and private sectors relating to artificial intelligence;

"(6) advising the Director on developing policy related to the use of artificial intelligence by agencies; and

"(7) advising the Director of the Office of Science and Technology Policy on developing policy related to research and national investment in artificial intelligence.

"(c) Staff.—

"(1) In general.—The Administrator shall provide necessary staff, resources, and administrative support for the AI CoE.

"(2) Shared staff.—To the maximum extent practicable, the Administrator shall meet the requirements described under paragraph (1) by using staff of the General Services Administration, including those from other agency centers of excellence, and detailees, on a reimbursable or nonreimbursable basis, from other agencies.

"(3) Fellows.—The Administrator may, to the maximum extent practicable, appoint fellows to participate in the AI CoE from nonprofit organizations, think tanks, institutions of higher education, and industry.

"(d) Sunset.—This section shall cease to be effective on the date that is 5 years after the date of enactment of this Act [Dec. 27, 2020].

"SEC. 104. GUIDANCE FOR AGENCY USE OF ARTIFICIAL INTELLIGENCE.

"(a) Guidance.—Not later than 270 days after the date of enactment of this Act [Dec. 27, 2020], the Director, in coordination with the Director of the Office of Science and Technology Policy in consultation with the Administrator and any other relevant agencies and key stakeholders as determined by the Director, shall issue a memorandum to the head of each agency that shall—

"(1) inform the development of policies regarding Federal acquisition and use by agencies regarding technologies that are empowered or enabled by artificial intelligence, including an identification of the responsibilities of agency officials managing the use of such technology;

"(2) recommend approaches to remove barriers for use by agencies of artificial intelligence technologies in order to promote the innovative application of those technologies while protecting civil liberties, civil rights, and economic and national security;

"(3) identify best practices for identifying, assessing, and mitigating any discriminatory impact or bias on the basis of any classification protected under Federal nondiscrimination laws, or any unintended consequence of the use of artificial intelligence, including policies to identify data used to train artificial intelligence algorithms as well as the data analyzed by artificial intelligence used by the agencies; and

"(4) provide a template of the required contents of the agency plans described in subsection (c).

"(b) Public Comment.—To help ensure public trust in the applications of artificial intelligence technologies, the Director shall issue a draft version of the memorandum required under subsection (a) for public comment not later than 180 days after [the] date of enactment of this Act.

"(c) Plans.—Not later than 180 days after the date on which the Director issues the memorandum required under subsection (a) or an update to the memorandum required under subsection (d), the head of each agency shall submit to the Director and post on a publicly available page on the website of the agency—

"(1) a plan to achieve consistency with the memorandum; or

"(2) a written determination that the agency does not use and does not anticipate using artificial intelligence.

"(d) Updates.—Not later than 2 years after the date on which the Director issues the memorandum required under subsection (a), and every 2 years thereafter for 10 years, the Director shall issue updates to the memorandum.

"SEC. 105. UPDATE OF OCCUPATIONAL SERIES FOR ARTIFICIAL INTELLIGENCE.

"(a) In General.—Not later than 18 months after the date of enactment of this Act [Dec. 27, 2020], and in accordance with chapter 51 of title 5, United States Code, the Director of the Office of Personnel Management shall—

"(1) identify key skills and competencies needed for positions related to artificial intelligence;

"(2) establish an occupational series, or update and improve an existing occupational job series, to include positions the primary duties of which relate to artificial intelligence;

"(3) to the extent appropriate, establish an estimate of the number of Federal employees in positions related to artificial intelligence, by each agency; and

"(4) using the estimate established in paragraph (3), prepare a 2-year and 5-year forecast of the number of Federal employees in positions related to artificial intelligence that each agency will need to employ.

"(b) Plan.—Not later than 120 days after the date of enactment of this Act, the Director of the Office of Personnel Management shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform [now Committee on Oversight and Accountability] of the House of Representatives a comprehensive plan with a timeline to complete requirements described in subsection (a)."

GSA Modernization Centers of Excellence Program

Pub. L. 116–194, §2, Dec. 3, 2020, 134 Stat. 981, provided that:

"(a) Definitions.—In this section:

"(1) Cloud computing.—The term 'cloud computing' has the meaning given the term in section 1076 of the National Defense Authorization Act for Fiscal Year 2018 [Pub. L. 115–91] (40 U.S.C. 11301 note) [set out below].

"(2) Executive agency.—The term 'executive agency' has the meaning given the term 'Executive agency' in section 105 of title 5, United States Code.

"(3) Program.—The term 'Program' means the Information Technology Modernization Centers of Excellence Program established under subsection (b).

"(b) Establishment.—The Administrator of General Services shall establish a program to be known as the Information Technology Modernization Centers of Excellence Program to facilitate the adoption of modern technology by executive agencies on a reimbursable basis.

"(c) Responsibilities.—The Program shall have the following responsibilities:

"(1) To encourage the modernization of information technology used by an executive agency and how a customer interacts with an executive agency.

"(2) To improve cooperation between commercial and executive agency information technology sectors.

"(3) To the extent practicable, encourage the adoption of commercial items in accordance with section 3307 of title 41, United States Code.

"(4) Upon request by the executive agency, to assist executive agencies with planning and adoption of technology in focus areas designated by the Administrator, which may include the following:

"(A) A commercial cloud computing system that includes—

"(i) end-to-end migration planning and an assessment of progress towards modernization; and

"(ii) a cybersecurity and governance framework that promotes industry and government risk management best practice approaches, prioritizing efforts based on risk, impact, and consequences.

"(B) Tools to help an individual receive support from and communicate with an executive agency.

"(C) Contact centers and other related customer supports.

"(D) Efficient use of data management, analysis, and reporting.

"(E) The optimization of infrastructure, including for data centers, and the reduction of operating costs.

"(F) Artificial intelligence.

"(5) To share best practices and expertise with executive agencies.

"(6) Other responsibilities the Administrator may identify.

"(d) Coordination.—The Administrator shall coordinate with the Secretary of Homeland Security in establishing the Program to ensure that the technology, tools, and frameworks facilitated for executive agencies by the Program provide sufficient cybersecurity and maintain the integrity, confidentiality, and availability of Federal information.

"(e) Program Reporting.—Not later than 1 year after the date of enactment of this Act [Dec. 3, 2020], and every year thereafter, the Administrator shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform [now Committee on Oversight and Accountability] of the House of Representatives a report on the Program, which shall include the following:

"(1) A description of the reimbursable agreements, statements of work, and associated project schedules and deliverables for the Program.

"(2) Details on the total amount of the reimbursable agreements.

"(3) Any additional information the Administrator determines necessary.

"(f) Sunset.—This Act shall cease to have effect on the date that is 7 years after the date of enactment of this Act.

"(g) Rule of Construction.—Nothing in this Act shall be construed to impair or otherwise affect the authority delegated by law to an executive agency or the head of an executive agency."

Modernizing Government Technology

Pub. L. 115–91, div. A, title X, subtitle G, Dec. 12, 2017, 131 Stat. 1586, provided that:

"SEC. 1076. DEFINITIONS.

"In this subtitle:

"(1) Administrator.—The term 'Administrator' means the Administrator of General Services.

"(2) Board.—The term 'Board' means the Technology Modernization Board established under section 1094(c)(1).

"(3) Cloud computing.—The term 'cloud computing' has the meaning given the term by the National Institute of Standards and Technology in NIST Special Publication 800–145 and any amendatory or superseding document thereto.

"(4) Director.—The term 'Director' means the Director of the Office of Management and Budget.

"(5) Fund.—The term 'Fund' means the Technology Modernization Fund established under section 1094(b)(1) [probably should be "1078(b)(1)"].

"(6) Information technology.—The term 'information technology' has the meaning given the term in section 3502 of title 44, United States Code.

"(7) IT working capital fund.—The term 'IT working capital fund' means an information technology system modernization and working capital fund established under section 1093(b)(1) [probably should be "1077(b)(1)"].

"(8) Legacy information technology system.—The term 'legacy information technology system' means an outdated or obsolete system of information technology.

"SEC. 1077. ESTABLISHMENT OF AGENCY INFORMATION TECHNOLOGY SYSTEMS MODERNIZATION AND WORKING CAPITAL FUNDS.

"(a) Definition.—In this section, the term 'covered agency' means each agency listed in section 901(b) of title 31, United States Code.

"(b) Information Technology System Modernization and Working Capital Funds.—

"(1) Establishment.—The head of a covered agency may establish within the covered agency an information technology system modernization and working capital fund for necessary expenses described in paragraph (3).

"(2) Source of funds.—The following amounts may be deposited into an IT working capital fund:

"(A) Reprogramming and transfer of funds made available in appropriations Acts enacted after the date of enactment of this Act [Dec. 12, 2017], including the transfer of any funds for the operation and maintenance of legacy information technology systems, in compliance with any applicable reprogramming law or guidelines of the Committees on Appropriations of the Senate and the House of Representatives or transfer authority specifically provided in appropriations law.

"(B) Amounts made available to the IT working capital fund through discretionary appropriations made available after the date of enactment of this Act.

"(3) Use of funds.—An IT working capital fund established under paragraph (1) may only be used—

"(A) to improve, retire, or replace existing information technology systems in the covered agency to enhance cybersecurity and to improve efficiency and effectiveness across the life of a given workload, procured using full and open competition among all commercial items to the greatest extent practicable;

"(B) to transition legacy information technology systems at the covered agency to commercial cloud computing and other innovative commercial platforms and technologies, including those serving more than 1 covered agency with common requirements;

"(C) to assist and support covered agency efforts to provide adequate, risk-based, and cost-effective information technology capabilities that address evolving threats to information security;

"(D) to reimburse funds transferred to the covered agency from the Fund with the approval of the Chief Information Officer, in consultation with the Chief Financial Officer, of the covered agency; and

"(E) for a program, project, or activity or to increase funds for any program, project, or activity that has not been denied or restricted by Congress.

"(4) Existing funds.—An IT working capital fund may not be used to supplant funds provided for the operation and maintenance of any system within an appropriation for the covered agency at the time of establishment of the IT working capital fund.

"(5) Prioritization of funds.—The head of each covered agency—

"(A) shall prioritize funds within the IT working capital fund of the covered agency to be used initially for cost savings activities approved by the Chief Information Officer of the covered agency; and

"(B) may reprogram and transfer any amounts saved as a direct result of the cost savings activities approved under clause (i) [probably should be "subparagraph (A)"] for deposit into the IT working capital fund of the covered agency, consistent with paragraph (2)(A).

"(6) Availability of funds.—

"(A) In general.—Any funds deposited into an IT working capital fund shall be available for obligation for the 3-year period beginning on the last day of the fiscal year in which the funds were deposited.

"(B) Transfer of unobligated amounts.—Any amounts in an IT working capital fund that are unobligated at the end of the 3-year period described in subparagraph (A) shall be transferred to the general fund of the Treasury.

"(7) Agency cio responsibilities.—In evaluating projects to be funded by the IT working capital fund of a covered agency, the Chief Information Officer of the covered agency shall consider, to the extent applicable, guidance issued under section 1094(b)(1) [probably should be "1078(b)(1)"] to evaluate applications for funding from the Fund that include factors including a strong business case, technical design, consideration of commercial off-the-shelf products and services, procurement strategy (including adequate use of rapid, iterative software development practices), and program management.

"(c) Reporting Requirement.—

"(1) In general.—Not later than 1 year after the date of enactment of this Act, and every 6 months thereafter, the head of each covered agency shall submit to the Director, with respect to the IT working capital fund of the covered agency—

"(A) a list of each information technology investment funded, including the estimated cost and completion date for each investment; and

"(B) a summary by fiscal year of obligations, expenditures, and unused balances.

"(2) Public availability.—The Director shall make the information submitted under paragraph (1) publicly available on a website.

"SEC. 1078. ESTABLISHMENT OF TECHNOLOGY MODERNIZATION FUND AND BOARD.

"(a) Definition.—In this section, the term 'agency' has the meaning given the term in section 551 of title 5, United States Code.

"(b) Technology Modernization Fund.—

"(1) Establishment.—There is established in the Treasury a Technology Modernization Fund for technology-related activities, to improve information technology, to enhance cybersecurity across the Federal Government, and to be administered in accordance with guidance issued by the Director.

"(2) Administration of fund.—The Administrator, in consultation with the Chief Information Officers Council and with the approval of the Director, shall administer the Fund in accordance with this subsection.

"(3) Use of funds.—The Administrator shall, in accordance with recommendations from the Board, use amounts in the Fund—

"(A) to transfer such amounts, to remain available until expended, to the head of an agency for the acquisition of products and services, or the development of such products and services when more efficient and cost effective, to improve, retire, or replace existing Federal information technology systems to enhance cybersecurity and privacy and improve long-term efficiency and effectiveness;

"(B) to transfer such amounts, to remain available until expended, to the head of an agency for the operation and procurement of information technology products and services, or the development of such products and services when more efficient and cost effective, and acquisition vehicles for use by agencies to improve Governmentwide efficiency and cybersecurity in accordance with the requirements of the agencies;

"(C) to provide services or work performed in support of—

"(i) the activities described in subparagraph (A) or (B); and

"(ii) the Board and the Director in carrying out the responsibilities described in subsection (c)(2); and

"(D) to fund only programs, projects, or activities or to fund increases for any programs, projects, or activities that have not been denied or restricted by Congress.

"(4) Authorization of appropriations; credits; availability of funds.—

"(A) Authorization of appropriations.—There is authorized to be appropriated to the Fund $250,000,000 for each of fiscal years 2018 and 2019.

"(B) Credits.—In addition to any funds otherwise appropriated, the Fund shall be credited with all reimbursements, advances, or refunds or recoveries relating to information technology or services provided for the purposes described in paragraph (3).

"(C) Availability of funds.—Amounts deposited, credited, or otherwise made available to the Fund shall be available until expended for the purposes described in paragraph (3).

"(5) Reimbursement.—

"(A) Reimbursement by agency.—

"(i) In general.—The head of an agency shall reimburse the Fund for any transfer made under subparagraph (A) or (B) of paragraph (3), including any services or work performed in support of the transfer under paragraph (3)(C), in accordance with the terms established in a written agreement described in paragraph (6).

"(ii) Reimbursement from subsequent appropriations.—Notwithstanding any other provision of law, an agency may make a reimbursement required under clause (i) from any appropriation made available after the date of enactment of this Act [Dec. 12, 2017] for information technology activities, consistent with any applicable reprogramming law or guidelines of the Committees on Appropriations of the Senate and the House of Representatives.

"(iii) Recording of obligation.—Notwithstanding section 1501 of title 31, United States Code, an obligation to make a payment under a written agreement described in paragraph (6) in a fiscal year after the date of enactment of this Act shall be recorded in the fiscal year in which the payment is due.

"(B) Prices fixed by administrator.—

"(i) In general.—The Administrator, in consultation with the Director, shall establish amounts to be paid by an agency under this paragraph and the terms of repayment for activities funded under paragraph (3), including any services or work performed in support of that development under paragraph (3)(C), at levels sufficient to ensure the solvency of the Fund, including operating expenses.

"(ii) Review and approval.—Before making any changes to the established amounts and terms of repayment, the Administrator shall conduct a review and obtain approval from the Director.

"(C) Failure to make timely reimbursement.—The Administrator may obtain reimbursement from an agency under this paragraph by the issuance of transfer and counterwarrants, or other lawful transfer documents, supported by itemized bills, if payment is not made by the agency during the 90-day period beginning after the expiration of a repayment period described in a written agreement described in paragraph (6).

"(6) Written agreement.—

"(A) In general.—Before the transfer of funds to an agency under subparagraphs (A) and (B) of paragraph (3), the Administrator, in consultation with the Director, and the head of the agency shall enter into a written agreement—

"(i) documenting the purpose for which the funds will be used and the terms of repayment, which may not exceed 5 years unless approved by the Director; and

"(ii) which shall be recorded as an obligation as provided in paragraph (5)(A).

"(B) Requirement for use of incremental funding, commercial products and services, and rapid, iterative development practices.—The Administrator shall ensure—

"(i) for any funds transferred to an agency under paragraph (3)(A), in the absence of compelling circumstances documented by the Administrator at the time of transfer, that such funds shall be transferred only on an incremental basis, tied to metric-based development milestones achieved by the agency through the use of rapid, iterative, development processes; and

"(ii) that the use of commercial products and services are incorporated to the greatest extent practicable in activities funded under subparagraphs (A) and (B) of paragraph (3), and that the written agreement required under paragraph (6) documents this preference.

"(7) Reporting requirements.—

"(A) List of projects.—

"(i) In general.—Not later than 6 months after the date of enactment of this Act, the Director shall maintain a list of each project funded by the Fund, to be updated not less than quarterly, that includes a description of the project, project status (including any schedule delay and cost overruns), financial expenditure data related to the project, and the extent to which the project is using commercial products and services, including if applicable, a justification of why commercial products and services were not used and the associated development and integration costs of custom development.

"(ii) Public availability.—The list required under clause (i) shall be published on a public website in a manner that is, to the greatest extent possible, consistent with applicable law on the protection of classified information, sources, and methods.

"(B) Comptroller general reports.—Not later than 2 years after the date of enactment of this Act, and every 2 years thereafter, the Comptroller General of the United States shall submit to Congress and make publically available a report assessing—

"(i) the costs associated with establishing the Fund and maintaining the oversight structure associated with the Fund compared with the cost savings associated with the projects funded both annually and over the life of the acquired products and services by the Fund;

"(ii) the reliability of the cost savings estimated by agencies associated with projects funded by the Fund;

"(iii) whether agencies receiving transfers of funds from the Fund used full and open competition to acquire the custom development of information technology products or services; and

"(iv) the number of IT procurement, development, and modernization programs, offices, and entities in the Federal Government, including 18F and the United States Digital Services, the roles, responsibilities, and goals of those programs and entities, and the extent to which they duplicate work.

"(c) Technology Modernization Board.—

"(1) Establishment.—There is established a Technology Modernization Board to evaluate proposals submitted by agencies for funding authorized under the Fund.

"(2) Responsibilities.—The responsibilities of the Board are—

"(A) to provide input to the Director for the development of processes for agencies to submit modernization proposals to the Board and to establish the criteria by which those proposals are evaluated, which shall include—

"(i) addressing the greatest security, privacy, and operational risks;

"(ii) having the greatest Governmentwide impact; and

"(iii) having a high probability of success based on factors including a strong business case, technical design, consideration of commercial off-the-shelf products and services, procurement strategy (including adequate use of rapid, agile iterative software development practices), and program management;

"(B) to make recommendations to the Administrator to assist agencies in the further development and refinement of select submitted modernization proposals, based on an initial evaluation performed with the assistance of the Administrator;

"(C) to review and prioritize, with the assistance of the Administrator and the Director, modernization proposals based on criteria established pursuant to subparagraph (A);

"(D) to identify, with the assistance of the Administrator, opportunities to improve or replace multiple information technology systems with a smaller number of information technology services common to multiple agencies;

"(E) to recommend the funding of modernization projects, in accordance with the uses described in subsection (b)(3), to the Administrator;

"(F) to monitor, in consultation with the Administrator, progress and performance in executing approved projects and, if necessary, recommend the suspension or termination of funding for projects based on factors including the failure to meet the terms of a written agreement described in subsection (b)(6); and

"(G) to monitor the operating costs of the Fund.

"(3) Membership.—The Board shall consist of 7 voting members.

"(4) Chair.—The Chair of the Board shall be the Administrator of the Office of Electronic Government.

"(5) Permanent members.—The permanent members of the Board shall be—

"(A) the Administrator of the Office of Electronic Government; and

"(B) a senior official from the General Services Administration having technical expertise in information technology development, appointed by the Administrator, with the approval of the Director.

"(6) Additional members of the board.—

"(A) Appointment.—The other members of the Board shall be—

"(i) 1 employee of the National Protection and Programs Directorate [now Cybersecurity and Infrastructure Security Agency] of the Department of Homeland Security, appointed by the Secretary of Homeland Security; and

"(ii) 4 employees of the Federal Government primarily having technical expertise in information technology development, financial management, cybersecurity and privacy, and acquisition, appointed by the Director.

"(B) Term.—Each member of the Board described in paragraph (A) shall serve a term of 1 year, which shall be renewable not more than 4 times at the discretion of the appointing Secretary or Director, as applicable.

"(7) Prohibition on compensation.—Members of the Board may not receive additional pay, allowances, or benefits by reason of their service on the Board.

"(8) Staff.—Upon request of the Chair of the Board, the Director and the Administrator may detail, on a reimbursable or nonreimbursable basis, any employee of the Federal Government to the Board to assist the Board in carrying out the functions of the Board.

"(d) Responsibilities of Administrator.—

"(1) In general.—In addition to the responsibilities described in subsection (b), the Administrator shall support the activities of the Board and provide technical support to, and, with the concurrence of the Director, oversight of, agencies that receive transfers from the Fund.

"(2) Responsibilities.—The responsibilities of the Administrator are—

"(A) to provide direct technical support in the form of personnel services or otherwise to agencies transferred amounts under subsection (b)(3)(A) and for products, services, and acquisition vehicles funded under subsection (b)(3)(B);

"(B) to assist the Board with the evaluation, prioritization, and development of agency modernization proposals.

"(C) to perform regular project oversight and monitoring of approved agency modernization projects, in consultation with the Board and the Director, to increase the likelihood of successful implementation and reduce waste; and

"(D) to provide the Director with information necessary to meet the requirements of subsection (b)(7).

"(e) Effective Date.—This section shall take effect on the date that is 90 days after the date of enactment of this Act.

"(f) Sunset.—

"(1) In general.—On and after the date that is 2 years after the date on which the Comptroller General of the United States issues the third report required under subsection (b)(7)(B), the Administrator may not award or transfer funds from the Fund for any project that is not already in progress as of such date.

"(2) Transfer of unobligated amounts.—Not later than 90 days after the date on which all projects that received an award from the Fund are completed, any amounts in the Fund shall be transferred to the general fund of the Treasury and shall be used for deficit reduction.

"(3) Termination of technology modernization board.—Not later than 90 days after the date on which all projects that received an award from the Fund are completed, the Technology Modernization Board and all the authorities of subsection (c) shall terminate."

Executive Documents

Ex. Ord. No. 13960. Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government

Ex. Ord. No. 13960, Dec. 3, 2020, 85 F.R. 78939, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Purpose. Artificial intelligence (AI) promises to drive the growth of the United States economy and improve the quality of life of all Americans. In alignment with Executive Order 13859 of February 11, 2019 (Maintaining American Leadership in Artificial Intelligence) [42 U.S.C. 6601 note], executive departments and agencies (agencies) have recognized the power of AI to improve their operations, processes, and procedures; meet strategic goals; reduce costs; enhance oversight of the use of taxpayer funds; increase efficiency and mission effectiveness; improve quality of services; improve safety; train workforces; and support decision making by the Federal workforce, among other positive developments. Given the broad applicability of AI, nearly every agency and those served by those agencies can benefit from the appropriate use of AI.

Agencies are already leading the way in the use of AI by applying it to accelerate regulatory reform; review Federal solicitations for regulatory compliance; combat fraud, waste, and abuse committed against taxpayers; identify information security threats and assess trends in related illicit activities; enhance the security and interoperability of Federal Government information systems; facilitate review of large datasets; streamline processes for grant applications; model weather patterns; facilitate predictive maintenance; and much more.

Agencies are encouraged to continue to use AI, when appropriate, to benefit the American people. The ongoing adoption and acceptance of AI will depend significantly on public trust. Agencies must therefore design, develop, acquire, and use AI in a manner that fosters public trust and confidence while protecting privacy, civil rights, civil liberties, and American values, consistent with applicable law and the goals of Executive Order 13859.

Certain agencies have already adopted guidelines and principles for the use of AI for national security or defense purposes, such as the Department of Defense's Ethical Principles for Artificial Intelligence (February 24, 2020), and the Office of the Director of National Intelligence's Principles of Artificial Intelligence Ethics for the Intelligence Community (July 23, 2020) and its Artificial Intelligence Ethics Framework for the Intelligence Community (July 23, 2020). Such guidelines and principles ensure that the use of AI in those contexts will benefit the American people and be worthy of their trust.

Section 3 of this order establishes additional principles (Principles) for the use of AI in the Federal Government for purposes other than national security and defense, to similarly ensure that such uses are consistent with our Nation's values and are beneficial to the public. This order further establishes a process for implementing these Principles through common policy guidance across agencies.

Sec. 2. Policy. (a) It is the policy of the United States to promote the innovation and use of AI, where appropriate, to improve Government operations and services in a manner that fosters public trust, builds confidence in AI, protects our Nation's values, and remains consistent with all applicable laws, including those related to privacy, civil rights, and civil liberties.

(b) It is the policy of the United States that responsible agencies, as defined in section 8 of this order, shall, when considering the design, development, acquisition, and use of AI in Government, be guided by the common set of Principles set forth in section 3 of this order, which are designed to foster public trust and confidence in the use of AI, protect our Nation's values, and ensure that the use of AI remains consistent with all applicable laws, including those related to privacy, civil rights, and civil liberties.

(c) It is the policy of the United States that the Principles for the use of AI in Government shall be governed by common policy guidance issued by the Office of Management and Budget (OMB) as outlined in section 4 of this order, consistent with applicable law.

Sec. 3. Principles for Use of AI in Government. When designing, developing, acquiring, and using AI in the Federal Government, agencies shall adhere to the following Principles:

(a) Lawful and respectful of our Nation's values. Agencies shall design, develop, acquire, and use AI in a manner that exhibits due respect for our Nation's values and is consistent with the Constitution and all other applicable laws and policies, including those addressing privacy, civil rights, and civil liberties.

(b) Purposeful and performance-driven. Agencies shall seek opportunities for designing, developing, acquiring, and using AI, where the benefits of doing so significantly outweigh the risks, and the risks can be assessed and managed.

(c) Accurate, reliable, and effective. Agencies shall ensure that their application of AI is consistent with the use cases for which that AI was trained, and such use is accurate, reliable, and effective.

(d) Safe, secure, and resilient. Agencies shall ensure the safety, security, and resiliency of their AI applications, including resilience when confronted with systematic vulnerabilities, adversarial manipulation, and other malicious exploitation.

(e) Understandable. Agencies shall ensure that the operations and outcomes of their AI applications are sufficiently understandable by subject matter experts, users, and others, as appropriate.

(f) Responsible and traceable. Agencies shall ensure that human roles and responsibilities are clearly defined, understood, and appropriately assigned for the design, development, acquisition, and use of AI. Agencies shall ensure that AI is used in a manner consistent with these Principles and the purposes for which each use of AI is intended. The design, development, acquisition, and use of AI, as well as relevant inputs and outputs of particular AI applications, should be well documented and traceable, as appropriate and to the extent practicable.

(g) Regularly monitored. Agencies shall ensure that their AI applications are regularly tested against these Principles. Mechanisms should be maintained to supersede, disengage, or deactivate existing applications of AI that demonstrate performance or outcomes that are inconsistent with their intended use or this order.

(h) Transparent. Agencies shall be transparent in disclosing relevant information regarding their use of AI to appropriate stakeholders, including the Congress and the public, to the extent practicable and in accordance with applicable laws and policies, including with respect to the protection of privacy and of sensitive law enforcement, national security, and other protected information.

(i) Accountable. Agencies shall be accountable for implementing and enforcing appropriate safeguards for the proper use and functioning of their applications of AI, and shall monitor, audit, and document compliance with those safeguards. Agencies shall provide appropriate training to all agency personnel responsible for the design, development, acquisition, and use of AI.

Sec. 4. Implementation of Principles. (a) Existing OMB policies currently address many aspects of information and information technology design, development, acquisition, and use that apply, but are not unique, to AI. To the extent they are consistent with the Principles set forth in this order and applicable law, these existing policies shall continue to apply to relevant aspects of AI use in Government.

(b) Within 180 days of the date of this order [Dec. 3, 2020], the Director of OMB (Director), in coordination with key stakeholders identified by the Director, shall publicly post a roadmap for the policy guidance that OMB intends to create or revise to better support the use of AI, consistent with this order. This roadmap shall include, where appropriate, a schedule for engaging with the public and timelines for finalizing relevant policy guidance. In addressing novel aspects of the use of AI in Government, OMB shall consider updates to the breadth of its policy guidance, including OMB Circulars and Management Memoranda.

(c) Agencies shall continue to use voluntary consensus standards developed with industry participation, where available, when such use would not be inconsistent with applicable law or otherwise impracticable. Such standards shall also be taken into consideration by OMB when revising or developing AI guidance.

Sec. 5. Agency Inventory of AI Use Cases. (a) Within 60 days of the date of this order, the Federal Chief Information Officers Council (CIO Council), in coordination with other interagency bodies as it deems appropriate, shall identify, provide guidance on, and make publicly available the criteria, format, and mechanisms for agency inventories of non-classified and non-sensitive use cases of AI by agencies.

(b) Within 180 days of the CIO Council's completion of the directive in section 5(a) of this order, and annually thereafter, each agency shall prepare an inventory of its non-classified and non-sensitive use cases of AI, within the scope defined by section 9 of this order, including current and planned uses, consistent with the agency's mission.

(c) As part of their respective inventories of AI use cases, agencies shall identify, review, and assess existing AI deployed and operating in support of agency missions for any inconsistencies with this order.

(i) Within 120 days of completing their respective inventories, agencies shall develop plans either to achieve consistency with this order for each AI application or to retire AI applications found to be developed or used in a manner that is not consistent with this order. These plans must be approved by the agency-designated responsible official(s), as described in section 8 of this order, within this same 120-day time period.

(ii) In coordination with the Agency Data Governance Body and relevant officials from agencies not represented within that body, agencies shall strive to implement the approved plans within 180 days of plan approval, subject to existing resource levels.

(d) Within 60 days of the completion of their respective inventories of use cases of AI, agencies shall share their inventories with other agencies, to the extent practicable and consistent with applicable law and policy, including those concerning protection of privacy and of sensitive law enforcement, national security, and other protected information. This sharing shall be coordinated through the CIO and Chief Data Officer Councils, as well as other interagency bodies, as appropriate, to improve interagency coordination and information sharing for common use cases.

(e) Within 120 days of the completion of their inventories, agencies shall make their inventories available to the public, to the extent practicable and in accordance with applicable law and policy, including those concerning the protection of privacy and of sensitive law enforcement, national security, and other protected information.

Sec. 6. Interagency Coordination. Agencies are expected to participate in interagency bodies for the purpose of advancing the implementation of the Principles and the use of AI consistent with this order. Within 45 days of this order, the CIO Council shall publish a list of recommended interagency bodies and forums in which agencies may elect to participate, as appropriate and consistent with their respective authorities and missions.

Sec. 7. AI Implementation Expertise. (a) Within 90 days of the date of this order, the Presidential Innovation Fellows (PIF) program, administered by the General Services Administration (GSA) in collaboration with other agencies, shall identify priority areas of expertise and establish an AI track to attract experts from industry and academia to undertake a period of work at an agency. These PIF experts will work within agencies to further the design, development, acquisition, and use of AI in Government, consistent with this order.

(b) Within 45 days of the date of this order, the Office of Personnel Management (OPM), in coordination with GSA and relevant agencies, shall create an inventory of Federal Government rotational programs and determine how these programs can be used to expand the number of employees with AI expertise at the agencies.

(c) Within 180 days of the creation of the inventory of Government rotational programs described in section 7(b) of this order, OPM shall issue a report with recommendations for how the programs in the inventory can be best used to expand the number of employees with AI expertise at the agencies. This report shall be shared with the interagency coordination bodies identified pursuant to section 6 of this order, enabling agencies to better use these programs for the use of AI, consistent with this order.

Sec. 8. Responsible Agencies and Officials. (a) For purposes of this order, the term "agency" refers to all agencies described in section 3502, subsection (1), of title 44, United States Code, except for the agencies described in section 3502, subsection (5), of title 44.

(b) This order applies to agencies that have use cases for AI that fall within the scope defined in section 9 of this order, and excludes the Department of Defense and those agencies and agency components with functions that lie wholly within the Intelligence Community. The term "Intelligence Community" has the meaning given the term in section 3003 of title 50, United States Code.

(c) Within 30 days of the date of this order, each agency shall specify the responsible official(s) at that agency who will coordinate implementation of the Principles set forth in section 3 of this order with the Agency Data Governance Body and other relevant officials and will collaborate with the interagency coordination bodies identified pursuant to section 6 of this order.

Sec. 9. Scope of Application. (a) This order uses the definition of AI set forth in section 238(g) of the [John S. McCain] National Defense Authorization Act for Fiscal Year 2019 [Pub. L. 115–232, 10 U.S.C. 2358 note] as a reference point. As Federal Government use of AI matures and evolves, OMB guidance developed or revised pursuant to section 4 of this order shall include such definitions as are necessary to ensure the application of the Principles in this order to appropriate use cases.

(b) Except for the exclusions set forth in section 9(d) of this order, or provided for by applicable law, the Principles and implementation guidance in this order shall apply to AI designed, developed, acquired, or used specifically to advance the execution of agencies' missions, enhance decision making, or provide the public with a specified benefit.

(c) This order applies to both existing and new uses of AI; both stand-alone AI and AI embedded within other systems or applications; AI developed both by the agency or by third parties on behalf of agencies for the fulfilment of specific agency missions, including relevant data inputs used to train AI and outputs used in support of decision making; and agencies' procurement of AI applications.

(d) This order does not apply to:

(i) AI used in defense or national security systems (as defined in 44 U.S.C. 3552(b)(6) or as determined by the agency), in whole or in part, although agencies shall adhere to other applicable guidelines and principles for defense and national security purposes, such as those adopted by the Department of Defense and the Office of the Director of National Intelligence;

(ii) AI embedded within common commercial products, such as word processors or map navigation systems, while noting that Government use of such products must nevertheless comply with applicable law and policy to assure the protection of safety, security, privacy, civil rights, civil liberties, and American values; and

(iii) AI research and development (R&D) activities, although the Principles and OMB implementation guidance should inform any R&D directed at potential future applications of AI in the Federal Government.

Sec. 10. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director relating to budgetary, administrative, or legislative proposals.

(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Donald J. Trump.      

§11302. Capital planning and investment control

(a) Federal Information Technology.—The Director of the Office of Management and Budget shall perform the responsibilities set forth in this section in fulfilling the responsibilities under section 3504(h) of title 44.

(b) Use of Information Technology in Federal Programs.—The Director shall promote and improve the acquisition, use, security, and disposal of information technology by the Federal Government to improve the productivity, efficiency, and effectiveness of federal programs, including through dissemination of public information and the reduction of information collection burdens on the public.

(c) Use of Budget Process.—

(1) Definitions.—In this subsection:

(A) The term "covered agency" means an agency listed in section 901(b)(1) or 901(b)(2) of title 31.

(B) The term "major information technology investment" means an investment within a covered agency information technology investment portfolio that is designated by the covered agency as major, in accordance with capital planning guidance issued by the Director.

(C) The term "national security system" has the meaning provided in section 3542 of title 44.¹

(2) Analyzing, tracking, and evaluating capital investments.—As part of the budget process, the Director shall develop a process for analyzing, tracking, and evaluating the risks, including information security risks, and results of all major capital investments made by an executive agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security risks, associated with the investments.

(3) Public availability.—

(A) In general.—The Director shall make available to the public a list of each major information technology investment, without regard to whether the investments are for new information technology acquisitions or for operations and maintenance of existing information technology, including data on cost, schedule, and performance.

(B) Agency information.—

(i) The Director shall issue guidance to each covered agency for reporting of data required by subparagraph (A) that provides a standardized data template that can be incorporated into existing, required data reporting formats and processes. Such guidance shall integrate the reporting process into current budget reporting that each covered agency provides to the Office of Management and Budget, to minimize additional workload. Such guidance shall also clearly specify that the investment evaluation required under subparagraph (C) adequately reflect the investment's cost and schedule performance and employ incremental development approaches in appropriate cases.

(ii) The Chief Information Officer of each covered agency shall provide the Director with the information described in subparagraph (A) on at least a semi-annual basis for each major information technology investment, using existing data systems and processes.

(C) Investment evaluation.—For each major information technology investment listed under subparagraph (A), the Chief Information Officer of the covered agency, in consultation with other appropriate agency officials, shall categorize the investment according to risk, in accordance with guidance issued by the Director.

(D) Continuous improvement.—If either the Director or the Chief Information Officer of a covered agency determines that the information made available from the agency's existing data systems and processes as required by subparagraph (B) is not timely and reliable, the Chief Information Officer, in consultation with the Director and the head of the agency, shall establish a program for the improvement of such data systems and processes.

(E) Waiver or limitation authority.—The applicability of subparagraph (A) may be waived or the extent of the information may be limited by the Director, if the Director determines that such a waiver or limitation is in the national security interests of the United States.

(F) Additional limitation.—The requirements of subparagraph (A) shall not apply to national security systems or to telecommunications or information technology that is fully funded by amounts made available—

(i) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6));

(ii) under the Military Intelligence Program or any successor program or programs; or

(iii) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs).

(4) Risk management.—For each major information technology investment listed under paragraph (3)(A) that receives a high risk rating, as described in paragraph (3)(C), for 4 consecutive quarters—

(A) the Chief Information Officer of the covered agency and the program manager of the investment within the covered agency, in consultation with the Administrator of the Office of Electronic Government, shall conduct a review of the investment that shall identify—

(i) the root causes of the high level of risk of the investment;

(ii) the extent to which these causes can be addressed; and

(iii) the probability of future success;

(B) the Administrator of the Office of Electronic Government shall communicate the results of the review under subparagraph (A) to—

(i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate;

(ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and

(iii) the committees of the Senate and the House of Representatives with primary jurisdiction over the agency;

(C) in the case of a major information technology investment of the Department of Defense, the assessment required by subparagraph (A) may be accomplished in accordance with section 2445c ¹ of title 10, provided that the results of the review are provided to the Administrator of the Office of Electronic Government upon request and to the committees identified in subsection (B); and

(D) for a covered agency other than the Department of Defense, if on the date that is one year after the date of completion of the review required under subsection (A), the investment is rated as high risk under paragraph (3)(C), the Director shall deny any request for additional development, modernization, or enhancement funding for the investment until the date on which the Chief Information Officer of the covered agency determines that the root causes of the high level of risk of the investment have been addressed, and there is sufficient capability to deliver the remaining planned increments within the planned cost and schedule.

(5) Report to congress.—At the same time that the President submits the budget for a fiscal year to Congress under section 1105(a) of title 31, the Director shall submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by executive agencies for information systems and how the benefits relate to the accomplishment of the goals of the executive agencies.

(d) Information Technology Standards.—The Director shall oversee the development and implementation of standards and guidelines pertaining to federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 11331 of this title ¹ and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).

(e) Designation of Executive Agents for Acquisitions.—The Director shall designate the head of one or more executive agencies, as the Director considers appropriate, as executive agent for Government-wide acquisitions of information technology.

(f) Use of Best Practices in Acquisitions.—The Director shall encourage the heads of the executive agencies to develop and use the best practices in the acquisition of information technology.

(g) Assessment of Other Models for Managing Information Technology.—On a continuing basis, the Director shall assess the experiences of executive agencies, state and local governments, international organizations, and the private sector in managing information technology.

(h) Comparison of Agency Uses of Information Technology.—The Director shall compare the performances of the executive agencies in using information technology and shall disseminate the comparisons to the heads of the executive agencies.

(i) Monitoring Training.—The Director shall monitor the development and implementation of training in information resources management for executive agency personnel.

(j) Informing Congress.—The Director shall keep Congress fully informed on the extent to which the executive agencies are improving the performance of agency programs and the accomplishment of the agency missions through the use of the best practices in information resources management.

(k) Coordination of Policy Development and Review.—The Director shall coordinate with the Office of Federal Procurement Policy the development and review by the Administrator of the Office of Information and Regulatory Affairs of policy associated with federal acquisition of information technology.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1237; Pub. L. 108–458, title VIII, §8401(1), (2), Dec. 17, 2004, 118 Stat. 3869; Pub. L. 113–291, div. A, title VIII, §832, Dec. 19, 2014, 128 Stat. 3440; Pub. L. 115–88, §2, Nov. 21, 2017, 131 Stat. 1278; Pub. L. 115–91, div. A, title VIII, §819(a), Dec. 12, 2017, 131 Stat. 1464.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11302	40:1412.	Pub. L. 104–106, div. E, title LI, §5112, Feb. 10, 1996, 110 Stat. 680.

Editorial Notes

References in Text

Section 3542 of title 44, referred to in subsec. (c)(1)(C), was repealed by Pub. L. 113–283, §2(a), Dec. 18, 2014, 128 Stat. 3073. See section 3552 of Title 44, Public Printing and Documents.

Section 2445c of title 10, referred to in subsec. (c)(4)(C), was repealed by Pub. L. 114–328, div. A, title VIII, §846(1), Dec. 23, 2016, 130 Stat. 2292.

The text of section 11331 of this title, referred to in subsec. (d), was generally amended by Pub. L. 117–167, div. B, title II, §10246(f), Aug. 9, 2022, 136 Stat. 1492, so as to provide for the prescription by the Secretary of Commerce of standards and guidelines pertaining to Federal information systems.

Amendments

2017—Subsec. (c)(5). Pub. L. 115–88 and Pub. L. 115–91 amended subsec. (c) identically, striking out par. (5) relating to sunset of certain provisions. Text read as follows: "Paragraphs (1), (3), and (4) shall not be in effect on and after the date that is 5 years after the date of the enactment of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015."

2014—Subsec. (c). Pub. L. 113–291 added pars. (1), (3), (4), and par. (5) relating to sunset of certain provisions and redesignated former pars. (1) and (2) as par. (2) and par. (5) relating to report to Congress, respectively.

2004—Subsec. (b). Pub. L. 108–458, §8401(1), inserted "security," after "use,".

Subsec. (c)(1). Pub. L. 108–458, §8401(2), inserted ", including information security risks," after "evaluating the risks" and "costs, benefits, and risks".

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

Management of Software Licenses

Pub. L. 114–210, July 29, 2016, 130 Stat. 824, provided that:

"SECTION 1. SHORT TITLE.

"This Act may be cited as the 'Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016' or the 'MEGABYTE Act of 2016'.

"SEC. 2. OMB DIRECTIVE ON MANAGEMENT OF SOFTWARE LICENSES.

"(a) Definition.—In this section—

"(1) the term 'Director' means the Director of the Office of Management and Budget; and

"(2) the term 'executive agency' has the meaning given that term in section 105 of title 5, United States Code.

"(b) OMB Directive.—The Director shall issue a directive to require the Chief Information Officer of each executive agency to develop a comprehensive software licensing policy, which shall—

"(1) identify clear roles, responsibilities, and central oversight authority within the executive agency for managing enterprise software license agreements and commercial software licenses; and

"(2) require the Chief Information Officer of each executive agency to—

"(A) establish a comprehensive inventory, including 80 percent of software license spending and enterprise licenses in the executive agency, by identifying and collecting information about software license agreements using automated discovery and inventory tools;

"(B) regularly track and maintain software licenses to assist the executive agency in implementing decisions throughout the software license management life cycle;

"(C) analyze software usage and other data to make cost-effective decisions;

"(D) provide training relevant to software license management;

"(E) establish goals and objectives of the software license management program of the executive agency; and

"(F) consider the software license management life cycle phases, including the requisition, reception, deployment and maintenance, retirement, and disposal phases, to implement effective decisionmaking and incorporate existing standards, processes, and metrics.

"(c) Report on Software License Management.—

"(1) In general.—Beginning in the first fiscal year beginning after the date of enactment of this Act [July 29, 2016], and in each of the following 5 fiscal years, the Chief Information Officer of each executive agency shall submit to the Director a report on the financial savings or avoidance of spending that resulted from improved software license management.

"(2) Availability.—The Director shall make each report submitted under paragraph (1) publically available."

Appropriate Use of Requirements Regarding Experience and Education of Contractor Personnel in the Procurement of Information Technology Services

Pub. L. 106–398, §1 [[div. A], title VIII, §813], Oct. 30, 2000, 114 Stat. 1654, 1654A-214, provided that:

"(a) Amendment of the Federal Acquisition Regulation.—Not later than 180 days after the date of the enactment of this Act [Oct. 30, 2000], the Federal Acquisition Regulation issued in accordance with sections 6 and 25 of the Office of Federal Procurement Policy Act ([former] 41 U.S.C. 405 and 421) [see 41 U.S.C. 1121, 1303] shall be amended to address the use, in the procurement of information technology services, of requirements regarding the experience and education of contractor personnel.

"(b) Content of Amendment.—The amendment issued pursuant to subsection (a) shall, at a minimum, provide that solicitations for the procurement of information technology services shall not set forth any minimum experience or educational requirement for proposed contractor personnel in order for a bidder to be eligible for award of a contract unless—

"(1) the contracting officer first determines that the needs of the executive agency cannot be met without any such requirement; or

"(2) the needs of the executive agency require the use of a type of contract other than a performance-based contract.

"(c) GAO Report.—Not later than one year after the date on which the regulations required by subsection (a) are published in the Federal Register, the Comptroller General shall submit to Congress an evaluation of—

"(1) executive agency compliance with the regulations; and

"(2) conformance of the regulations with existing law, together with any recommendations that the Comptroller General considers appropriate.

"(d) Definitions.—In this section:

"(1) The term 'executive agency' has the meaning given that term in section 4(1) of the Office of Federal Procurement Policy Act (former 41 U.S.C. 403(1)) [now 41 U.S.C. 133].

"(2) The term 'information technology' has the meaning given that term in section 5002(3) of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401(3)) [now 40 U.S.C. 11101(6)].

"(3) The term 'performance-based', with respect to a contract, means that the contract includes the use of performance work statements that set forth contract requirements in clear, specific, and objective terms with measurable outcomes."

¹ See References in Text note below.

§11303. Performance-based and results-based management

(a) In General.—The Director of the Office of Management and Budget shall encourage the use of performance-based and results-based management in fulfilling the responsibilities assigned under section 3504(h) of title 44.

(b) Evaluation of Agency Programs and Investments.—

(1) Requirement.—The Director shall evaluate the information resources management practices of the executive agencies with respect to the performance and results of the investments made by the executive agencies in information technology.

(2) Direction for executive agency action.—The Director shall issue to the head of each executive agency clear and concise direction that the head of each agency shall—

(A) establish effective and efficient capital planning processes for selecting, managing, and evaluating the results of all of its major investments in information systems;

(B) determine, before making an investment in a new information system—

(i) whether the function to be supported by the system should be performed by the private sector and, if so, whether any component of the executive agency performing that function should be converted from a governmental organization to a private sector organization; or

(ii) whether the function should be performed by the executive agency and, if so, whether the function should be performed by a private sector source under contract or by executive agency personnel;

(C) analyze the missions of the executive agency and, based on the analysis, revise the executive agency's mission-related processes and administrative processes, as appropriate, before making significant investments in information technology to be used in support of those missions; and

(D) ensure that the information security policies, procedures, and practices are adequate.

(3) Guidance for multiagency investments.—The direction issued under paragraph (2) shall include guidance for undertaking efficiently and effectively interagency and Federal Government-wide investments in information technology to improve the accomplishment of missions that are common to the executive agencies.

(4) Periodic reviews.—The Director shall implement through the budget process periodic reviews of selected information resources management activities of the executive agencies to ascertain the efficiency and effectiveness of information technology in improving the performance of the executive agency and the accomplishment of the missions of the executive agency.

(5) Enforcement of accountability.—

(A) In general.—The Director may take any action that the Director considers appropriate, including an action involving the budgetary process or appropriations management process, to enforce accountability of the head of an executive agency for information resources management and for the investments made by the executive agency in information technology.

(B) Specific actions.—Actions taken by the Director may include—

(i) recommending a reduction or an increase in the amount for information resources that the head of the executive agency proposes for the budget submitted to Congress under section 1105(a) of title 31;

(ii) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources;

(iii) using other administrative controls over appropriations to restrict the availability of amounts for information resources; and

(iv) designating for the executive agency an executive agent to contract with private sector sources for the performance of information resources management or the acquisition of information technology.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1238.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11303	40:1413.	Pub. L. 104–106, div. E, title LI, §5113, Feb. 10, 1996, 110 Stat. 681.

SUBCHAPTER II—EXECUTIVE AGENCIES

§11311. Responsibilities

In fulfilling the responsibilities assigned under chapter 35 of title 44, the head of each executive agency shall comply with this subchapter with respect to the specific matters covered by this subchapter.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1239.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11311	40:1421.	Pub. L. 104–106, div. E, title LI, §5121, Feb. 10, 1996, 110 Stat. 683.

Statutory Notes and Related Subsidiaries

Procurement of Automatic Data Processing Equipment for Tax Systems Modernization Program; Delegation of Authority

Pub. L. 104–52, title V, §526, Nov. 19, 1995, 109 Stat. 495, provided that: "Notwithstanding any other provision of law, the Administrator of General Services shall delegate the authority to procure automatic data processing equipment for the Tax Systems Modernization Program to the Secretary of the Treasury: Provided, That the Director of the Office of Management and Budget shall have the authority to revoke such delegation upon the written recommendation of the Administrator that the Secretary's actions under such delegation are inconsistent with the goals of economic and efficient procurement and utilization of automatic data processing equipment: Provided further, That for all other purposes, a procurement conducted under such delegation shall be treated as if made under a delegation by the Administrator pursuant to [former] 40 U.S.C. 759."

§11312. Capital planning and investment control

(a) Design of Process.—In fulfilling the responsibilities assigned under section 3506(h) of title 44, the head of each executive agency shall design and implement in the executive agency a process for maximizing the value, and assessing and managing the risks, of the information technology acquisitions of the executive agency.

(b) Content of Process.—The process of an executive agency shall—

(1) provide for the selection of investments in information technology (including information security needs) to be made by the executive agency, the management of those investments, and the evaluation of the results of those investments;

(2) be integrated with the processes for making budget, financial, and program management decisions in the executive agency;

(3) include minimum criteria to be applied in considering whether to undertake a particular investment in information systems, including criteria related to the quantitatively expressed projected net, risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects;

(4) identify information systems investments that would result in shared benefits or costs for other federal agencies or state or local governments;

(5) identify quantifiable measurements for determining the net benefits and risks of a proposed investment; and

(6) provide the means for senior management personnel of the executive agency to obtain timely information regarding the progress of an investment in an information system, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1239; Pub. L. 108–458, title VIII, §8401(3), Dec. 17, 2004, 118 Stat. 3869.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11312	40:1422.	Pub. L. 104–106, div. E, title LI, §5122, Feb. 10, 1996, 110 Stat. 683.

Editorial Notes

Amendments

2004—Subsec. (b)(1). Pub. L. 108–458 substituted "investments in information technology (including information security needs)" for "information technology investments".

§11313. Performance and results-based management

In fulfilling the responsibilities under section 3506(h) of title 44, the head of an executive agency shall—

(1) establish goals for improving the efficiency and effectiveness of agency operations and, as appropriate, the delivery of services to the public through the effective use of information technology;

(2) prepare an annual report, to be included in the executive agency's budget submission to Congress, on the progress in achieving the goals;

(3) ensure that performance measurements—

(A) are prescribed for information technology used by, or to be acquired for, the executive agency; and

(B) measure how well the information technology supports programs of the executive agency;

(4) where comparable processes and organizations in the public or private sectors exist, quantitatively benchmark agency process performance against those processes in terms of cost, speed, productivity, and quality of outputs and outcomes;

(5) analyze the missions of the executive agency and, based on the analysis, revise the executive agency's mission-related processes and administrative processes as appropriate before making significant investments in information technology to be used in support of the performance of those missions; and

(6) ensure that the information security policies, procedures, and practices of the executive agency are adequate.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1240.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11313	40:1423.	Pub. L. 104–106, div. E, title LI, §5123, Feb. 10, 1996, 110 Stat. 683.

§11314. Authority to acquire and manage information technology

(a) In General.—The authority of the head of an executive agency to acquire information technology includes—

(1) acquiring information technology as authorized by law;

(2) making a contract that provides for multiagency acquisitions of information technology in accordance with guidance issued by the Director of the Office of Management and Budget; and

(3) if the Director finds that it would be advantageous for the Federal Government to do so, making a multiagency contract for procurement of commercial products of information technology that requires each executive agency covered by the contract, when procuring those products, to procure the products under that contract or to justify an alternative procurement of the products.

(b) FTS 2000 Program.—The Administrator of General Services shall continue to manage the FTS 2000 program, and to coordinate the follow-on to that program, for and with the advice of the heads of executive agencies.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1241; Pub. L. 115–232, div. A, title VIII, §836(g)(7)(B), Aug. 13, 2018, 132 Stat. 1874.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11314	40:1424.	Pub. L. 104–106, div. E, title LI, §5124, Feb. 10, 1996, 110 Stat. 684.

In subsection (b), the words "Notwithstanding any other provision of this or any other law" are omitted as unnecessary.

Editorial Notes

Amendments

2018—Subsec. (a)(3). Pub. L. 115–232 substituted "products" for "items" wherever appearing.

Statutory Notes and Related Subsidiaries

Effective Date of 2018 Amendment

Amendment by Pub. L. 115–232 effective Jan. 1, 2020, subject to a savings provision, see section 836(h) of Pub. L. 115–232, set out as an Effective Date of 2018 Amendment; Savings Provision note under section 453b of Title 6, Domestic Security.

§11315. Agency Chief Information Officer

(a) Definition.—In this section, the term "information technology architecture", with respect to an executive agency, means an integrated framework for evolving or maintaining existing information technology and acquiring new information technology to achieve the agency's strategic goals and information resources management goals.

(b) General Responsibilities.—The Chief Information Officer of an executive agency is responsible for—

(1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the executive agency to ensure that information technology is acquired and information resources are managed for the executive agency in a manner that implements the policies and procedures of this subtitle, consistent with chapter 35 of title 44 and the priorities established by the head of the executive agency;

(2) developing, maintaining, and facilitating the implementation of a sound, secure, and integrated information technology architecture for the executive agency; and

(3) promoting the effective and efficient design and operation of all major information resources management processes for the executive agency, including improvements to work processes of the executive agency.

(c) Duties and Qualifications.—The Chief Information Officer of an agency listed in section 901(b) of title 31—

(1) has information resources management duties as that official's primary duty;

(2) monitors the performance of information technology programs of the agency, evaluates the performance of those programs on the basis of the applicable performance measurements, and advises the head of the agency regarding whether to continue, modify, or terminate a program or project; and

(3) annually, as part of the strategic planning and performance evaluation process required (subject to section 1117 of title 31) under section 306 of title 5 and sections 1105(a)(28), 1115–1117, and 9703 (as added by section 5(a) of the Government Performance and Results Act of 1993 (Public Law 103–62, 107 Stat. 289)) of title 31—

(A) assesses the requirements established for agency personnel regarding knowledge and skill in information resources management and the adequacy of those requirements for facilitating the achievement of the performance goals established for information resources management;

(B) assesses the extent to which the positions and personnel at the executive level of the agency and the positions and personnel at management level of the agency below the executive level meet those requirements;

(C) develops strategies and specific plans for hiring, training, and professional development to rectify any deficiency in meeting those requirements; and

(D) reports to the head of the agency on the progress made in improving information resources management capability.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1241; Pub. L. 108–458, title VIII, §8401(4), Dec. 17, 2004, 118 Stat. 3869.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11315	40:1425(b)–(d).	Pub. L. 104–106, div. E, title LI, §5125(b)–(d), Feb. 10, 1996, 110 Stat. 685.

In subsection (c)(3), before subclause (A), the reference to 31:1105(a)(29) is changed to 1105(a)(28) because of the redesignation of 1105(a)(29) as 1105(a)(28) by section 4(1) of the Act of October 11, 1996, (Public Law 104–287, 110 Stat. 3388). The words "as added by section 5(a) of the Government Performance and Results Act of 1993 (Public Law 103–62, 107 Stat. 289)" are added for clarity because there is another 31:9703.

Editorial Notes

Amendments

2004—Subsec. (b)(2). Pub. L. 108–458 inserted ", secure," after "sound".

Executive Documents

Ex Ord. No. 13833. Enhancing the Effectiveness of Agency Chief Information Officers

Ex. Ord. No. 13833, May 15, 2018, 83 F.R. 23345, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Purpose. The Federal Government spends more than $90 billion annually on information technology (IT). The vast majority of this sum is consumed in maintaining legacy IT infrastructure that is often ineffective and more costly than modern technologies. Modern IT systems would enable agencies to reduce costs, mitigate cybersecurity risks, and deliver improved services to the American people. While the recently enacted Modernizing Government Technology Act [probably means subtitle G of title X of div. A of Pub. L. 115–91, set out as a note under section 11301 of this title] will provide needed financial resources to help transition agencies to more effective, efficient, and secure technologies, more can be done to improve management of IT resources. Department and agency (agency) Chief Information Officers (CIOs) generally do not have adequate visibility into, or control over, their agencies' IT resources, resulting in duplication, waste, and poor service delivery. Enhancing the effectiveness of agency CIOs will better position agencies to modernize their IT systems, execute IT programs more efficiently, reduce cybersecurity risks, and serve the American people well.

Sec. 2. Policy. It is the policy of the executive branch to:

(a) empower agency CIOs to ensure that agency IT systems are secure, efficient, accessible, and effective, and that such systems enable agencies to accomplish their missions;

(b) modernize IT infrastructure within the executive branch and meaningfully improve the delivery of digital services; and

(c) improve the management, acquisition, and oversight of Federal IT.

Sec. 3. Definitions. For purposes of this order:

(a) the term "covered agency" means an agency listed in 31 U.S.C. 901(b), other than the Department of Defense or any agency considered to be an "independent regulatory agency" as defined in 44 U.S.C. 3502(5);

(b) the term "information technology" has the meaning given that term in 40 U.S.C. 11101(6);

(c) the term "Chief Information Officer" or "CIO" means the individual within a covered agency as described in 40 U.S.C. 11315;

(d) the term "component Chief Information Officer" or "component CIO" means an individual in a covered agency, other than the CIO referred to in subsection (c) of this section, who has the title Chief Information Officer, or who functions in the capacity of a CIO, and has IT management authorities over a component of the agency similar to those the CIO has over the entire agency;

(e) the term "IT position" means a position within the job family standard for the Information Technology Management Series, GS–2210, as defined by the Office of Personnel Management (OPM) in the Handbook of Occupational Groups and Families and related guidance.

Sec. 4. Emphasizing Chief Information Officer Duties and Responsibilities. The head of each covered agency shall take all necessary and appropriate action to ensure that:

(a) consistent with 44 U.S.C. 3506(a)(2), the CIO of the covered agency reports directly to the agency head, such that the CIO has direct access to the agency head regarding all programs that include IT;

(b) consistent with 40 U.S.C. 11315(b), and to promote the effective, efficient, and secure use of IT to accomplish the agency's mission, the CIO serves as the primary strategic advisor to the agency head concerning the use of IT;

(c) consistent with 40 U.S.C. 11319(b)(1)(A), the CIO has a significant role, including, as appropriate, as lead advisor, in all annual and multi-year planning, programming, budgeting, and execution decisions, as well as in all management, governance, and oversight processes related to IT; and

(d) consistent with 40 U.S.C. 11319(b)(2) and other applicable law, the CIO of the covered agency approves the appointment of any component CIO in that agency.

Sec. 5. Agency-wide IT Consolidation. Consistent with the purposes of Executive Order 13781 of March 13, 2017 (Comprehensive Plan for Reorganizing the Executive Branch) [82 F.R. 13959], the head of each covered agency shall take all necessary and appropriate action to:

(a) eliminate unnecessary IT management functions;

(b) merge or reorganize agency IT functions to promote agency-wide consolidation of the agency's IT infrastructure, taking into account any recommendations of the relevant agency CIO; and

(c) increase use of industry best practices, such as the shared use of IT solutions within agencies and across the executive branch.

Sec. 6. Strengthening Cybersecurity. Consistent with the purposes of Executive Order 13800 of May 11, 2017 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure) [6 U.S.C. note prec. 1500], the head of each covered agency shall take all necessary and appropriate action to ensure that:

(a) the CIO, as the principal advisor to the agency head for the management of IT resources, works closely with an integrated team of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources to implement appropriate risk management measures; and

(b) the agency prioritizes procurement of shared IT services, including modern email and other cloud-based services, where possible and to the extent permitted by law.

Sec. 7. Knowledge and Skill Standards for IT Personnel. The head of each covered agency shall take all necessary and appropriate action to ensure that:

(a) consistent with 40 U.S.C. 11315(c)(3), the CIO assesses and advises the agency head regarding knowledge and skill standards established for agency IT personnel;

(b) the established knowledge and skill standards are included in the performance standards and reflected in the performance evaluations of all component CIOs, and that the CIO is responsible for that portion of the evaluation; and

(c) all component CIOs apply those standards within their own components.

Sec. 8. Chief Information Officer Role on IT Governance Boards. Wherever appropriate and consistent with applicable law, the head of each covered agency shall ensure that the CIO shall be a member of any investment or related board of the agency with purview over IT, or any board responsible for setting agency-wide IT standards. The head of each covered agency shall also, as appropriate and consistent with applicable law, direct the CIO to chair any such board. To the extent any such board operates through member votes, the head of each covered agency shall also, as appropriate and consistent with applicable law, direct the CIO to fulfill the role of voting member.

Sec. 9. Chief Information Officer Hiring Authorities. The Director of OPM (Director) shall publish a proposed rule delegating to the head of each covered agency authority to determine whether there is a severe shortage of candidates (or, with respect to the Department of Veterans Affairs, that there exists a severe shortage of highly qualified candidates), or that a critical hiring need exists, for IT positions at the covered agency pursuant to 5 U.S.C. 3304(a)(3), under criteria established by OPM.

(a) Such proposed rule shall provide that, upon an affirmative determination by the head of a covered agency that there is a severe shortage of candidates (or, with respect to the Department of Veterans Affairs, that there exists a severe shortage of highly qualified candidates), or that a critical hiring need exists for IT positions, under the criteria established by OPM, the Director shall, within 30 days, grant that agency direct hiring authority for IT positions.

(b) Such proposed rule shall further provide that employees hired using this authority may not be transferred to positions that are not IT positions; that the employees shall initially be given term appointments not to exceed 4 years; and that the terms of such employees may be extended up to 4 additional years at the discretion of the hiring agency.

(c) The Director shall submit the proposed rule for publication within 30 days of the date of this order [May 15, 2018].

Sec. 10. Guidance. The Director of the Office of Management and Budget shall amend or replace relevant guidance, as appropriate, to agencies to reflect the requirements of this order.

Sec. 11. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Donald J. Trump.      

§11316. Accountability

The head of each executive agency, in consultation with the Chief Information Officer and the Chief Financial Officer of that executive agency (or, in the case of an executive agency without a chief financial officer, any comparable official), shall establish policies and procedures to ensure that—

(1) the accounting, financial, asset management, and other information systems of the executive agency are designed, developed, maintained, and used effectively to provide financial or program performance data for financial statements of the executive agency;

(2) financial and related program performance data are provided on a reliable, consistent, and timely basis to executive agency financial management systems; and

(3) financial statements support—

(A) assessments and revisions of mission-related processes and administrative processes of the executive agency; and

(B) measurement of the performance of investments made by the agency in information systems.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1242.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11316	40:1426.	Pub. L. 104–106, div. E, title LI, §5126, Feb. 10, 1996, 110 Stat. 686.

§11317. Significant deviations

The head of each executive agency shall identify in the strategic information resources management plan required under section 3506(b)(2) of title 44 any major information technology acquisition program, or any phase or increment of that program, that has significantly deviated from the cost, performance, or schedule goals established for the program.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1242.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11317	40:1427.	Pub. L. 104–106, div. E, title LI, §5127, Feb. 10, 1996, 110 Stat. 687.

§11318. Interagency support

The head of an executive agency may use amounts available to the agency for oversight, acquisition, and procurement of information technology to support jointly with other executive agencies the activities of interagency groups that are established to advise the Director of the Office of Management and Budget in carrying out the Director's responsibilities under this chapter. The use of those amounts for that purpose is subject to requirements and limitations on uses and amounts that the Director may prescribe. The Director shall prescribe the requirements and limitations during the Director's review of the executive agency's proposed budget submitted to the Director by the head of the executive agency for purposes of section 1105 of title 31.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1242.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11318	40:1428.	Pub. L. 104–106, div. E, title LI, §5128, Feb. 10, 1996, 110 Stat. 687.

§11319. Resources, planning, and portfolio management

(a) Definitions.—In this section:

(1) The term "covered agency" means each agency listed in section 901(b)(1) or 901(b)(2) of title 31.

(2) The term "information technology" has the meaning given that term under capital planning guidance issued by the Office of Management and Budget.

(b) Additional Authorities for Chief Information Officers.—

(1) Planning, programming, budgeting, and execution authorities for cios.—

(A) In general.—The head of each covered agency other than the Department of Defense shall ensure that the Chief Information Officer of the agency has a significant role in—

(i) the decision processes for all annual and multi-year planning, programming, budgeting, and execution decisions, related reporting requirements, and reports related to information technology; and

(ii) the management, governance, and oversight processes related to information technology.

(B) Budget formulation.—The Director of the Office of Management and Budget shall require in the annual information technology capital planning guidance of the Office of Management and Budget the following:

(i) That the Chief Information Officer of each covered agency other than the Department of Defense approve the information technology budget request of the covered agency, and that the Chief Information Officer of the Department of Defense review and provide recommendations to the Secretary of Defense on the information technology budget request of the Department.

(ii) That the Chief Information Officer of each covered agency certify that information technology investments are adequately implementing incremental development, as defined in capital planning guidance issued by the Office of Management and Budget.

(C) Review.—

(i) In general.—A covered agency other than the Department of Defense—

(I) may not enter into a contract or other agreement for information technology or information technology services, unless the contract or other agreement has been reviewed and approved by the Chief Information Officer of the agency;

(II) may not request the reprogramming of any funds made available for information technology programs, unless the request has been reviewed and approved by the Chief Information Officer of the agency; and

(III) may use the governance processes of the agency to approve such a contract or other agreement if the Chief Information Officer of the agency is included as a full participant in the governance processes.

(ii) Delegation.—

(I) In general.—Except as provided in subclause (II), the duties of a Chief Information Officer under clause (i) are not delegable.

(II) Non-major information technology investments.—For a contract or agreement for a non-major information technology investment, as defined in the annual information technology capital planning guidance of the Office of Management and Budget, the Chief Information Officer of a covered agency other than the Department of Defense may delegate the approval of the contract or agreement under clause (i) to an individual who reports directly to the Chief Information Officer.

(2) Personnel-related authority.—Notwithstanding any other provision of law, for each covered agency other than the Department of Defense, the Chief Information Officer of the covered agency shall approve the appointment of any other employee with the title of Chief Information Officer, or who functions in the capacity of a Chief Information Officer, for any component organization within the covered agency.

(c) Limitation.—None of the authorities provided in this section shall apply to telecommunications or information technology that is fully funded by amounts made available—

(1) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6));

(2) under the Military Intelligence Program or any successor program or programs; or

(3) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs).

(d) Information Technology Portfolio, Program, and Resource Reviews.—

(1) Process.—The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall implement a process to assist covered agencies in reviewing their portfolio of information technology investments—

(A) to identify or develop ways to increase the efficiency and effectiveness of the information technology investments of the covered agency;

(B) to identify or develop opportunities to consolidate the acquisition and management of information technology services, and increase the use of shared-service delivery models;

(C) to identify potential duplication and waste;

(D) to identify potential cost savings;

(E) to develop plans for actions to optimize the information technology portfolio, programs, and resources of the covered agency;

(F) to develop ways to better align the information technology portfolio, programs, and financial resources of the covered agency to any multi-year funding requirements or strategic plans required by law;

(G) to develop a multi-year strategy to identify and reduce duplication and waste within the information technology portfolio of the covered agency, including component-level investments and to identify projected cost savings resulting from such strategy; and

(H) to carry out any other goals that the Director may establish.

(2) Metrics and performance indicators.—The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall develop standardized cost savings and cost avoidance metrics and performance indicators for use by agencies for the process implemented under paragraph (1).

(3) Annual review.—The Chief Information Officer of each covered agency, in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) of the covered agency and the Administrator of the Office of Electronic Government, shall conduct an annual review of the information technology portfolio of the covered agency.

(4) Applicability to the department of defense.—In the case of the Department of Defense, processes established pursuant to this subsection shall apply only to the business systems information technology portfolio of the Department of Defense and not to national security systems as defined by section 11103(a) of this title. The annual review required by paragraph (3) shall be carried out by the Chief Information Officer of the Department of Defense, in consultation with the Under Secretary of Defense for Acquisition and Sustainment and other appropriate Department of Defense officials. The Secretary of Defense may designate an existing investment or management review process to fulfill the requirement for the annual review required by paragraph (3), in consultation with the Administrator of the Office of Electronic Government.

(5) Quarterly reports.—

(A) In general.—The Administrator of the Office of Electronic Government shall submit a quarterly report on the cost savings and reductions in duplicative information technology investments identified through the review required by paragraph (3) to—

(i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate;

(ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and

(iii) upon a request by any committee of Congress, to that committee.

(B) Inclusion in other reports.—The reports required under subparagraph (A) may be included as part of another report submitted to the committees of Congress described in clauses (i), (ii), and (iii) of subparagraph (A).

(Added and amended Pub. L. 113–291, div. A, title VIII, §§831(a), 833, title IX, §901(n)(1), Dec. 19, 2014, 128 Stat. 3438, 3442, 3469; Pub. L. 115–88, §3, Nov. 21, 2017, 131 Stat. 1278; Pub. L. 115–91, div. A, title VIII, §819(b), title X, §1081(b)(1)(D), Dec. 12, 2017, 131 Stat. 1464, 1597; Pub. L. 115–232, div. A, title X, §1081(f)(1)(A)(iii), Aug. 13, 2018, 132 Stat. 1986; Pub. L. 116–92, div. A, title IX, §902(87), Dec. 20, 2019, 133 Stat. 1554; Pub. L. 118–31, div. A, title IX, §901(f), Dec. 22, 2023, 137 Stat. 355.)

Editorial Notes

Amendments

2023—Subsec. (d)(4). Pub. L. 118–31 substituted "the Chief Information Officer of the Department of Defense, in consultation with the Under Secretary of Defense for Acquisition and Sustainment and" for "the Chief Management Officer of the Department of Defense (or any successor to such Officer), in consultation with the Chief Information Officer, the Under Secretary of Defense for Acquisition and Sustainment, and".

2019—Subsec. (d)(4). Pub. L. 116–92 substituted "Under Secretary of Defense for Acquisition and Sustainment" for "Under Secretary of Defense for Acquisition, Technology, and Logistics".

2018—Subsec. (d)(4). Pub. L. 115–232 substituted "Chief Management Officer" for "Deputy Chief Management Officer".

2017—Subsecs. (c), (d). Pub. L. 115–88, §3(1), and Pub. L. 115–91, §819(b)(1), amended section identically, redesignating subsec. (c) relating to information technology portfolio, program, and resource reviews as (d).

Subsec. (d)(6). Pub. L. 115–88, §3(2), and Pub. L. 115–91, §819(b)(2), amended subsec. (d) identically, striking out par. (6). Text read as follows: "This subsection shall not be in effect on and after the date that is 5 years after the date of the enactment of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015."

2014—Subsec. (c). Pub. L. 113–291, §833, added subsec. (c) relating to information technology portfolio, program, and resource reviews.

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

SUBCHAPTER III—OTHER RESPONSIBILITIES

§11331. Responsibilities for Federal information systems standards

(a) Standards and Guidelines.—

(1) Authority to prescribe.—Except as provided under paragraph (2), the Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), prescribe standards and guidelines pertaining to Federal information systems.

(2) National security systems.—Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.

(b) Mandatory Requirements.—

(1) Authority to make mandatory.—Except as provided under paragraph (2), the Secretary of Commerce shall make standards prescribed under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of Federal information systems.

(2) Required mandatory standards.—

(A) In general.—Standards prescribed under subsection (a)(1) shall include information security standards that—

(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(b)); and

(ii) are otherwise necessary to improve the security of Federal information and information systems.

(B) Requirement.—Information security standards described in subparagraph (A) shall be compulsory and binding.

(c) Authority to Disapprove or Modify.—The President may disapprove or modify the standards and guidelines referred to in subsection (a)(1) if the President determines such action to be in the public interest. The President's authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.

(d) Exercise of Authority.—To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.

(e) Application of More Stringent Standards.—The head of an executive agency may employ standards for the cost-effective information security for Federal information systems within or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards—

(1) contain at least the applicable standards made compulsory and binding by the Secretary of Commerce; and

(2) are otherwise consistent with policies and guidelines issued under section 3553 of title 44.

(f) Decisions on Promulgation of Standards.—The decision by the Secretary of Commerce regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).

(g) Definitions.—In this section:

(1) Federal information system.—The term "Federal information system" means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

(2) Information security.—The term "information security" has the meaning given that term in section 3552(b)(3) of title 44.

(3) National security system.—The term "national security system" has the meaning given that term in section 3552(b)(6) of title 44.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1243; Pub. L. 107–296, title X, §1002(a), Nov. 25, 2002, 116 Stat. 2268; Pub. L. 107–347, title III, §302(a), Dec. 17, 2002, 116 Stat. 2956; Pub. L. 117–167, div. B, title II, §10246(f), Aug. 9, 2022, 136 Stat. 1492.)

Historical and Revision Notes

Revised Section	Source (U.S. Code)	Source (Statutes at Large)
11331	40:1441.	Pub. L. 104–106, div. E, title LI, §5131(a)–(d), Feb. 10, 1996, 110 Stat. 687.

Editorial Notes

Amendments

2022—Pub. L. 117–167 amended text generally. Prior to amendment, text related to the definition of "information security", in subsec. (a); the requirement that the Director of the Office of Management and Budget promulgate information security standards, in subsec. (b); the application of more stringent standards by heads of agencies, in subsec. (c); and requirements regarding decisions by the Director, in subsec. (d).

2002—Pub. L. 107–296 amended text generally. Prior to amendment, text, as amended generally by Pub. L. 107–347, read as follows:

"(a) Standards and Guidelines.—

"(1) Authority to prescribe.—Except as provided under paragraph (2), the Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), prescribe standards and guidelines pertaining to Federal information systems.

"(2) National security systems.—Standards and guidelines for national security systems (as defined under this section) shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.

"(b) Mandatory Requirements.—

"(1) Authority to make mandatory.—Except as provided under paragraph (2), the Secretary shall make standards prescribed under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of Federal information systems.

"(2) Required mandatory standards.—(A) Standards prescribed under subsection (a)(1) shall include information security standards that—

"(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(b)); and

"(ii) are otherwise necessary to improve the security of Federal information and information systems.

"(B) Information security standards described in subparagraph (A) shall be compulsory and binding.

"(c) Authority to Disapprove or Modify.—The President may disapprove or modify the standards and guidelines referred to in subsection (a)(1) if the President determines such action to be in the public interest. The President's authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.

"(d) Exercise of Authority.—To ensure fiscal and policy consistency, the Secretary shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.

"(e) Application of More Stringent Standards.—The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards—

"(1) contain at least the applicable standards made compulsory and binding by the Secretary; and

"(2) are otherwise consistent with policies and guidelines issued under section 3543 of title 44.

"(f) Decisions on Promulgation of Standards.—The decision by the Secretary regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).

"(g) Definitions.—In this section:

"(1) Federal information system.—The term 'Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

"(2) Information security.—The term 'information security' has the meaning given that term in section 3542(b)(1) of title 44.

"(3) National security system.—The term 'national security system' has the meaning given that term in section 3542(b)(2) of title 44."

Pub. L. 107–347 substituted "Responsibilities for Federal information systems standards" for "Responsibilities regarding efficiency, security, and privacy of federal computer systems" in section catchline and amended text generally. Prior to amendment, text read as follows:

"(a) Definitions.—In this section, the terms 'federal computer system' and 'operator of a federal computer system' have the meanings given those terms in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)).

"(b) Standards and Guidelines.—

"(1) Authority to prescribe and disapprove or modify.—

"(A) Authority to prescribe.—On the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the Act (15 U.S.C. 278g–3(a)(2), (3)), the Secretary of Commerce shall prescribe standards and guidelines pertaining to federal computer systems. The Secretary shall make those standards compulsory and binding to the extent the Secretary determines necessary to improve the efficiency of operation or security and privacy of federal computer systems.

"(B) Authority to disapprove or modify.—The President may disapprove or modify those standards and guidelines if the President determines that action to be in the public interest. The President's authority to disapprove or modify those standards and guidelines may not be delegated. Notice of disapproval or modification shall be published promptly in the Federal Register. On receiving notice of disapproval or modification, the Secretary shall immediately rescind or modify those standards or guidelines as directed by the President.

"(2) Exercise of authority.—To ensure fiscal and policy consistency, the Secretary shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.

"(c) Application of More Stringent Standards.—The head of a federal agency may employ standards for the cost-effective security and privacy of sensitive information in a federal computer system in or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards contain at least the applicable standards the Secretary makes compulsory and binding.

"(d) Waiver of Standards.—

"(1) Authority of the secretary.—The Secretary may waive in writing compulsory and binding standards under subsection (b) if the Secretary determines that compliance would—

"(A) adversely affect the accomplishment of the mission of an operator of a federal computer system; or

"(B) cause a major adverse financial impact on the operator that is not offset by Federal Government-wide savings.

"(2) Delegation of waiver authority.—The Secretary may delegate to the head of one or more federal agencies authority to waive those standards to the extent the Secretary determines that action to be necessary and desirable to allow for timely and effective implementation of federal computer system standards. The head of the agency may redelegate that authority only to a chief information officer designated pursuant to section 3506 of title 44.

"(3) Notice.—Notice of each waiver and delegation shall be transmitted promptly to Congress and published promptly in the Federal Register."

Statutory Notes and Related Subsidiaries

Effective Date of 2002 Amendments

Amendment by Pub. L. 107–347 effective Dec. 17, 2002, see section 402(b) of Pub. L. 107–347, set out as a note under section 3504 of Title 44, Public Printing and Documents.

Amendment by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.

[§11332. Repealed. Pub. L. 107–296, title X, §1005(a)(1), Nov. 25, 2002, 116 Stat. 2272; Pub. L. 107–347, title III, §305(a), Dec. 17, 2002, 116 Stat. 2960]

Section, Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1244, related to Federal computer system security training and plan.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Repeal effective Dec. 17, 2002, see section 402(b) of Pub. L. 107–347, set out as an Effective Date of 2002 Amendments note under section 3504 of Title 44, Public Printing and Documents.

Repeal by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.