Sec. 1627. Physical and cybersecurity procurement requirements for artificial intelligence systems
/bill/119/s/2296/es/section-1627·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The Secretary of Defense shall develop a framework for implementation of cybersecurity and physical security standards and best practices relating to covered artificial intelligence and machine learning technologies to mitigate risks to the Department of Defense from the use of such technologies.

The framework developed under paragraph (1) shall cover all relevant aspects of the security of artificial intelligence and machine learning systems, including the following:

- Workforce risks, such as insider threat risks.
- Training and workforce development requirements, including with respect to the following:
  - Artificial intelligence security awareness.
  - Artificial intelligence-specific threats and vulnerabilities.
  - Continuum of professional development and education of artificial intelligence security expertise.
- Supply chain risks, such as counterfeit parts or data poisoning risks.
- Risks relating to adversarial tampering with artificial intelligence systems.
- Risks relating to unintended exposure or theft of artificial intelligence systems or data.
- Security posture management practices, including governance of security measures, continuous monitoring, and incident reporting procedures.
- An evaluation of commercially available platforms for continuous monitoring and assessment.

The framework developed under paragraph (1) shall be risk-based, with higher security levels corresponding proportionally to the national security or foreign policy risks posed by the covered artificial intelligence technology being stolen or tampered with.

To the maximum extent feasible, the framework developed under paragraph (1) shall—

- draw on existing cybersecurity references, such as the NIST Special Publication 800 series; and
- be implemented as an extension or augmentation of existing cybersecurity frameworks developed by the Department of Defense, such as the Cybersecurity Maturity Model Certification framework.

The framework developed under paragraph (1) shall take into account that the most highly capable artificial intelligence systems may be of great interest to the most highly capable cyber threat actors, such as intelligence and defense agencies of peer and near-peer nations.

The Secretary shall ensure that cybersecurity frameworks provided for contractors contain security levels designed to mitigate risks posed by cyber threat actors described in subparagraph (A), with the highest levels being similar in scope to the level of protection offered by national security systems.

To the extent feasible, any additional security levels developed under subparagraph (B) shall be designed generally for all software systems, but may contain components designed specifically for highly capable artificial intelligence systems.

The Secretary may amend the Defense Federal Acquisition Regulation Supplement, or take other similar action, to require covered entities to implement the best practices described in the framework developed under subsection (a).

Requirements implemented in rules developed under paragraph (1) shall be as narrowly tailored as practicable to the specific covered artificial intelligence and machine learning technologies developed, deployed, stored, or hosted by a covered entity, and shall be calibrated accordingly to the different tasks involved in development, deployment, storage, or hosting of components of those covered artificial intelligence and machine learning technologies.

In implementing paragraph (1), the Secretary shall—

- consider the costs and benefits to the Department and to United States national security and technological leadership, of imposing security requirements on covered entities; and
- to the extent feasible, design requirements in a way that allows for transparent trade space analysis between competing requirements in order to minimize costs and maximize benefits.

In carrying out subparagraph (A), the Secretary shall, in particular, weigh the costs of slowing down artificial intelligence and machine learning development and deployment against the benefits of mitigating national security risks and potential security risks to the Department of Defense from using commercial software.

The framework required by subsection (a)(1) shall include a detailed implementation plan that—

- establishes timelines and milestones for achieving the objectives outlined in the framework;
- identifies resource requirements and funding mechanisms; and
- provides metrics for measuring progress and effectiveness.

Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the congressional defense committees an update on the status of implementation of the requirements of this section.

In this section:

- The term artificial intelligence has the meaning given such term in section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232; 10 U.S.C. note prec. 4061).
- The term covered artificial intelligence and machine learning technology means an artificial intelligence or machine learning system procured by the Department of Defense and all components of the development and deployment lifecycle of that artificial intelligence system, including source code, numerical parameters (such as model weights) of the trained artificial intelligence or machine learning system, details of any methods and algorithms used to develop that system, data used in the development of the system, and software used for evaluating the trustworthiness of the artificial intelligence or machine learning system during development or deployment.
- The term covered entity means an entity that enters into a Department of Defense contract that engages in the development, deployment, storage, or hosting of a covered artificial intelligence technology.