AI Government Procurement Law: Federal Acquisition Rules and Legal Standards

Federal agencies acquiring artificial intelligence systems operate under a layered legal structure that combines the Federal Acquisition Regulation, agency-specific guidance, executive directives, and emerging statutory requirements. This page covers the rules governing how the U.S. federal government purchases AI tools and services, the legal standards vendors must satisfy, and the compliance boundaries that distinguish permissible from non-compliant procurements. Understanding this framework is foundational for agencies, contractors, and legal practitioners working at the intersection of AI and administrative law.

Definition and scope

AI government procurement law refers to the body of rules, regulations, and policy directives that control how federal departments and agencies acquire artificial intelligence capabilities — including software, algorithmic decision systems, data processing platforms, and AI-enabled services. The primary statutory foundation is the Federal Acquisition Regulation (FAR), codified at 48 C.F.R. Chapter 1, which governs all executive agency acquisitions above the micro-purchase threshold (set at $10,000 under 48 C.F.R. § 2.101).

AI procurement sits at the intersection of FAR requirements and sector-specific mandates. The National Defense Authorization Act (NDAA) for FY 2021 directed the Department of Defense to develop AI acquisition guidance and established the requirement that DoD AI systems align with the Department's Ethical Principles for AI. Civilian agencies follow supplemental regulations issued by their respective acquisition authorities — such as the Defense Federal Acquisition Regulation Supplement (DFARS) for defense contexts and the Health and Human Services Acquisition Regulation (HHSAR) for HHS programs.

The scope of covered acquisitions includes:

1. Commercial off-the-shelf (COTS) AI software licensed to federal agencies
2. Custom AI development contracts (fixed-price and cost-reimbursement)
3. AI-embedded services, including cloud-hosted machine learning platforms
4. Data annotation, model training, and AI validation services
5. AI systems integrated into critical infrastructure or law enforcement operations

Procurements below the simplified acquisition threshold of $250,000 (FAR § 2.101) follow streamlined procedures, but AI-specific risk assessments still apply under executive policy guidance.

How it works

Federal AI procurement follows a structured acquisition lifecycle governed by FAR Parts 7 through 17, with AI-specific overlays introduced through executive and agency-level directives.

Phase 1 — Requirements definition and risk classification. Agencies identify whether a proposed AI system is high-impact under Executive Order 13960 (2020), which required agencies to inventory AI use cases and apply transparency and accountability standards. High-impact systems — those affecting individual rights, benefits, or safety — require heightened documentation before solicitation.

Phase 2 — Market research and vendor qualification. Contracting officers conduct market research under FAR Part 10 to assess whether AI capabilities exist in the commercial marketplace. Vendors seeking federal AI contracts must hold applicable security clearances, comply with the Cybersecurity Maturity Model Certification (CMMC) framework for defense contracts (DoD CMMC), and satisfy data rights provisions under DFARS 252.227-7013 for technical data.

Phase 3 — Solicitation and evaluation. Requests for Proposals (RFPs) for AI systems must include data governance requirements, model explainability standards, and bias evaluation criteria consistent with NIST AI Risk Management Framework (AI RMF 1.0), published by the National Institute of Standards and Technology in January 2023. Evaluation criteria assess performance reliability, security controls, and auditability.

Phase 4 — Contract award and compliance monitoring. AI contracts include deliverables tied to model documentation, incident reporting, and algorithm change notifications. The Office of Management and Budget (OMB) Memorandum M-21-06 established requirements for advancing equity in AI use, applying across contract performance. Post-award audits may involve the Government Accountability Office (GAO) or agency Inspectors General.

Common scenarios

Three procurement scenarios illustrate how these rules operate in practice, and connect to broader questions examined in the AI regulatory framework for the U.S..

Predictive analytics for benefits adjudication. An agency seeking to automate disability claims processing must classify the system as high-impact under EO 13960, conduct a bias audit against protected class outcomes, and publish the system in the agency's AI use case inventory. Failure to meet these requirements can trigger GAO bid protest remedies under 31 U.S.C. § 3551.

Facial recognition acquisition by law enforcement. Federal law enforcement agencies procuring facial recognition technology face requirements under the Facial Recognition and Biometric Technology Moratorium Act discussions, as well as existing Privacy Act obligations (5 U.S.C. § 552a) governing system of records notices. Procurement also intersects with Fourth Amendment surveillance law and agency-level use policies.

Defense AI software via Other Transaction Authority (OTA). DoD frequently uses Other Transaction Agreements authorized under 10 U.S.C. § 4022 to acquire prototype AI systems outside standard FAR constraints. OTAs allow faster acquisition cycles but require a competitive process and include mandatory transition-to-production clauses if the prototype succeeds.

Decision boundaries

Two critical classification distinctions determine which legal regime applies to a given AI procurement.

FAR-covered vs. OTA-covered acquisitions. Standard FAR procurements carry the full weight of competition requirements, cost accounting standards, and audit rights under the Truth in Negotiations Act (10 U.S.C. § 3701). OTA acquisitions bypass most FAR requirements but remain subject to statutory limitations on award value and scope. Defense AI prototypes exceeding $100 million require senior acquisition official approval under DoD policy.

High-impact vs. routine AI systems. Under the EO 13960 framework and subsequent OMB guidance on AI governance, AI systems affecting consequential individual decisions — parole, benefits, immigration status — receive heightened scrutiny compared to internal efficiency tools. This boundary directly intersects with due process concerns analyzed under algorithmic due process law.

Vendors and agencies alike must distinguish between these categories at the requirements phase. A system misclassified as routine that later affects individual rights determinations creates retroactive compliance exposure, potential False Claims Act liability under 31 U.S.C. § 3729, and grounds for contract termination for default under FAR 49.4. Legal practitioners advising on these matters should cross-reference the executive order AI legal implications analysis for the full directive landscape.

References

• Federal Acquisition Regulation (FAR), 48 C.F.R. Chapter 1
• NIST AI Risk Management Framework (AI RMF 1.0)
• Executive Order 13960 — Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government
• OMB Memorandum M-21-06
• DoD Cybersecurity Maturity Model Certification (CMMC)
• William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283 (effective January 2, 2021)
• Government Accountability Office — Bid Protest Regulations, 4 C.F.R. Part 21
• U.S. House of Representatives — U.S. Code, Title 10 § 4022 (Other Transactions)
• False Claims Act, 31 U.S.C. § 3729