Federal Artificial Intelligence Risk Management Act of 2026

[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [H.R. 8819 Introduced in House (IH)]

<DOC>

119th CONGRESS 2d Session H. R. 8819

To require Federal agencies to use the Artificial Intelligence Risk Management Framework developed by the National Institute of Standards and Technology with respect to the use of artificial intelligence.

_______________________________________________________________________

IN THE HOUSE OF REPRESENTATIVES

May 14, 2026

Mr. Lieu (for himself, Mr. Nunn of Iowa, and Mr. Beyer) introduced the following bill; which was referred to the Committee on Science, Space, and Technology

_______________________________________________________________________

A BILL

To require Federal agencies to use the Artificial Intelligence Risk Management Framework developed by the National Institute of Standards and Technology with respect to the use of artificial intelligence.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Federal Artificial Intelligence Risk Management Act of 2026''.

SEC. 2. STANDARDS FOR ARTIFICIAL INTELLIGENCE SYSTEMS.

(a) In General.--Title LIII of division E of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283) is amended by adding at the end the following new section:

``SEC. 5304. STANDARDS FOR ARTIFICIAL INTELLIGENCE SYSTEMS.

``(a) In General.--The Director of the National Institute of Standards and Technology, in consultation with the Director of the Office of Management and Budget and the heads of other Federal agencies, as appropriate, shall-- ``(1) develop Federal standards and guidelines, including minimum requirements, for artificial intelligence systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in section 3552(b)(6) of title 44, United States Code); ``(2) develop standards and guidelines, including minimum requirements, for managing risks associated with the trustworthiness of artificial intelligence systems for all agency operations and assets, but such standards and guidelines shall not apply to national security systems; ``(3) develop standards and guidelines, including minimum requirements, for authenticating, tracking provenance of, and labeling synthetic content generated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems; and ``(4) conduct research and analysis pursuant to section 5301 of this Act to inform the development of standards and guidelines for activities described in this section. ``(b) Standards and Guidelines.--In developing the standards and guidelines required by subsections (a), the Director shall-- ``(1) provide standards, guidelines, and best practices consistent with the framework established under section 22A(c) of the National Institute of Standards and Technology Act (15 U.S.C. 278h-1(c)), as appropriate, and tools that Federal agencies can use to leverage the framework to reduce risks caused by agency implementation in the development, procurement, and use of artificial intelligence systems; ``(2) to the extent practicable, provide standards and guidelines that-- ``(A) are consistent with the framework, successor document, or Federal standard that is functionally equivalent to the framework; ``(B) are consistent with Circular A-119 of the Office of Management and Budget; and ``(C) enable conformity assessment; ``(3) recommend training on standards and guidelines for each agency responsible for procuring artificial intelligence systems; ``(4) identify or develop, and as appropriate periodically revise, performance indicators and measures that support the implementation of standards and guidelines for agency artificial intelligence systems; ``(5) provide guidelines for developing profiles for agency use of artificial intelligence systems consistent with the framework; ``(6) evaluate policies and practices developed for artificial intelligence systems that are national security systems to assess potential application by agencies to strengthen risk management of artificial intelligence systems; and ``(7) periodically assess the effectiveness of standards and guidelines developed under this section and undertake revisions as appropriate. ``(c) Readiness.--For standards and guidelines developed pursuant to subsection (a) that are deemed by the Director to be at a readiness level sufficient for widespread adoption by Federal agencies, the Director-- ``(1) shall submit said Federal standards and guidelines to the Secretary of Commerce for promulgation under section 11331 of title 40, United States Code; ``(2) where practicable and appropriate, shall provide technical review and assistance to Federal agencies, including assisting Federal agencies in assessing the effectiveness and sufficiency of implementation of standards and guidelines developed under this section; and ``(3) shall evaluate the effectiveness and sufficiency of, and challenges to, Federal agencies implementation of Federal standards and guidelines developed under this section and Federal standards and guidelines promulgated under section 11331 of title 40, United States Code. ``(d) Testing and Evaluation of Artificial Intelligence Acquisitions.-- ``(1) Study.--Subject to the availability of appropriations, the Director shall conduct a gap analysis to review the existing and forthcoming voluntary technical standards for the testing, evaluation, verification, and validation related to acquisitions of an artificial intelligence system or service. ``(2) Standards for testing and evaluation.--After the date of the completion of the study required by paragraph (1), the Director shall-- ``(A) convene relevant stakeholders to facilitate the development of standards for the testing, evaluation, verification, and validation related to acquisitions of an artificial intelligence system or service; ``(B) develop and periodically update standards and guidelines for testing, evaluation, verification, and validation related to acquisitions of an artificial intelligence system or service pursuant to subsection (a); and ``(C) when determined by the Director to be at a readiness level sufficient for widespread adoption by Federal agencies, submit standards and guidelines to the Secretary of Commerce for promulgation under section 11331 of title 40, United States Code. ``(3) Report.--Not later than 90 days after the date on which the Director conducts the analysis described in paragraph (1), the Director shall submit a report to the Committee on Science, Space, and Technology of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate that includes-- ``(A) the gap analysis described in paragraph (1); and ``(B) a plan for activities described in paragraph (2). ``(e) Definitions.--In this section: ``(1) Agency.--The term `agency' means any department, independent establishment, Government corporation, or other agency of the executive branch of the Federal Government. ``(2) Artificial intelligence system.--The term `artificial intelligence system' means-- ``(A) any system that meets the definition given the term `artificial intelligence' in section 5002 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (15 U.S.C. 9401); or ``(B) any data system, software, hardware, application, tool, or utility that operates, in whole or in part, using a system described by subparagraph (A). ``(4) Director.--The term `Director' means the Director of the National Institute of Standards and Technology. ``(5) Framework.--The term `framework' means document number NIST AI 100-1 of the National Institute of Standards and Technology entitled `Artificial Intelligence Risk Management Framework', or any successor document. ``(6) Profile.--The term `profile' means an implementation of the artificial intelligence risk management functions, categories, and subcategories for a specific setting or application based on the requirements, risk tolerance, and resources of the framework user. ``(7) Synthetic content.--The term `synthetic content' means information, such as images, videos, audio clips, and text, that has been significantly modified or generated by algorithms, including by artificial intelligence systems.''. (b) Clerical Amendment.--The table of contents in section 2 and title LIII of division E of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283) are each amended by inserting after the item relating to section 5303 the following new item:

``Sec. 5304. Standards for artificial intelligence systems.''. <all>