Summary of AI Provisions from the National Defense Authorization Act 2023
On December 15, 2022, the U.S. Senate passed the James M. Inhofe National Defense Authorization Act (NDAA) for Fiscal Year 2023, following the House’s approval of the legislation the week prior. The legislation now goes to President Biden for his signature. The NDAA is an annual bill that Congress passes specifying the budget, expenditures, and policies of the U.S. Department of Defense (DOD). The 2023 version contains many provisions directly relevant to artificial intelligence (AI) for both the DOD and for non-DOD federal agencies. We identified and summarized the provisions related to AI and AI-related technologies that could impact the U.S. strategy and advancement of AI in this 4408-page bill.
On the non-DOD front, the NDAA directs agencies like the Office of Management and Budget and the Department of Homeland Security to develop policies to implement AI and assess risks to privacy and civil rights, take inventory of existing AI uses cases, and identify new ones in support of interagency or intra-agency modernization initiatives. On the DOD front, the NDAA requires the defense and intelligence communities to better integrate AI systems and capabilities into intelligence collection and analysis, cyber offense, cyber defense, and Coast Guard operations. The bill also contains requirements to limit the procurement of semiconductors covered by U.S. export controls and to assess foreign adversaries’ semiconductor production capacity and AI development progress.
Non-DOD-Related AI Provisions
Principles and Policies for Use of Artificial Intelligence in Government (Title LXXII, Sec. 7224)
The Director of the Office of Management and Budget (OMB) shall, when developing recommendations for federal AI use as part of the AI in Government Act of 2020, consider the National Security Commission on Artificial Intelligence’s April 2021 report recommendations. They shall also consider the principles articulated in Executive Order 13960 (Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government) and the input of the Administrator of General Services, interagency councils such as the Federal Privacy Council and the Chief Data Officers Council, governmental and nongovernmental experts, academia, industry technology and data science experts, and any other individuals the OMB Director deems appropriate.
No later than 180 days after the NDAA’s enactment, the Secretary of Homeland Security shall issue policies and procedures for AI acquisition and use and the consideration of risks and impacts associated with AI use—including full consideration of privacy, civil rights, and civil liberties impacts and misuse, degradation, and non-operability risks. The Department of Homeland Security’s Chief Privacy Officer and its Officer for Civil Rights and Civil Liberties shall report to Congress on any additional staffing or funding resources required.
No later than 180 days after the NDAA’s enactment, the Department’s Inspector General will identify training and investments needed to enable Office of the Inspector General employees to advance their understanding of AI systems; the best practices around AI system governance, oversight, and auditing; and how the Office of the Inspector General is using AI to enhance audit and investigative capabilities.
Within one year of the NDAA’s enactment, the OMB Director shall ensure federal contracts for AI acquisition align with proper guidance, include considerations for securing algorithms and their training data, and address relevant privacy and other issues, among other things. The OMB Director shall continuously update these means and shall brief, no later than 90 days after the NDAA’s enactment and on a quarterly basis for the next five years, appropriate Congressional committees on these contract considerations.
Agency Inventories and Artificial Intelligence Use Cases (Title LXXII, Sec. 7225)
No later than 60 days after the NDAA’s enactment, and continuously after that for five years, the OMB Director shall require each federal agency head to maintain an inventory of AI use cases, share them with other agencies as consistent with applicable law and policy, and make them publicly available as consistent with applicable law and policy. The OMB Director is encouraged to designate a host entity that will host and maintain an online public directory of federal agency AI use cases. None of this applies to the DOD.
Rapid Pilot, Deployment, and Scale of Applied Artificial Intelligence Capabilities to Demonstrate Modernization Activities Related to Use Cases (Title LXXII, Sec. 7226)
No later than 270 days after the NDAA’s enactment, the OMB Director will lead a pilot program that identifies four new use cases for AI in support of interagency or intra-agency modernization initiatives—and that require linking multiple siloed data sources. Then, no later than one year after the NDAA’s enactment, the OMB Director shall coordinate with other federal entities to initiate the piloting of the four AI use cases.
The Director shall prioritize modernization projects that would benefit from commercially available, privacy-preserving techniques (such as differential privacy, federated learning, and secure multiparty computing) and otherwise would account for civil rights and civil liberties considerations. There must be at least one AI use case focused on applied AI to drive agency productivity efficiencies in supply chain and logistics—such as predictive food demand and supply, predictive medical supply demand and supply, and predictive disaster response logistics—and there must be at least one AI use case focused on applied AI to accelerate agency investment return and address mission-oriented challenges—such as workforce development and upskilling.
Within four years of the NDAA’s enactment, the Director shall establish capabilities for each of these AI use case pilots. Between 270 days and one year after the NDAA’s enactment, and then annually for the subsequent four years, the OMB Director shall brief the appropriate Congressional committees on these activities.
DOD-Related AI Provisions
Clarification of Role of Senior Official with Principal Responsibility for Artificial Intelligence and Machine Learning (Title II, Sec. 212)
The bill amends the NDAA language to describe a DOD official with the principal responsibility for AI and machine learning, rather than the director of the DOD Joint Artificial Intelligence Center. (This is to reflect the fact that, in June, the Pentagon eliminated the Joint AI Center and subsumed it into the new Chief Digital and Artificial Intelligence Office.) The Secretary of Defense will designate this official, and the Secretary will assign to other DOD officials the roles and responsibilities for research, development, prototyping, testing, procurement of, requirements for, and using AI technologies. This list will include the Under Secretary for Research and Engineering, the Under Secretary for Acquisition and Sustainment, and at least one official in each military department (e.g., Army, Navy).
Additionally, the Secretary of Defense shall establish data repositories with DOD datasets relevant to AI software and technology development—and will allow “appropriate” public- and private-sector organizations to access the data to develop AI and ML capabilities for DOD procurement. On or before July 1, 2023, the Secretary will brief Congressional defense committees on the data repositories and their progress.
Establishing Projects for Data Management, Artificial Intelligence, and Digital Solutions (Title XV, Sec. 1513)
The Secretary of Defense will establish priority enterprise projects for data management and AI to increase efficiency and enhance warfighting capabilities. The Deputy Secretary will hold the heads of DOD components accountable, including for developing, implementing, and reporting about data management and AI capabilities, and developing and implementing cybersecurity and AI security solutions.
No later than 180 days after the NDAA’s passage, and every year after until the end of 2025, the Deputy Secretary shall brief the Congressional defense committees on the status of these actions.
Roadmap and Implementation Plan for Cyber Adoption of Artificial Intelligence (Title XV, Sec. 1554)
No later than 270 days after the NDAA’s enactment, the Commander of Cyber Command and the DOD Chief Information Officer will develop a five-year roadmap and implementation plan for adopting AI systems and data management processes for DOD’s cyber operations forces. The roadmap shall include identifying and prioritizing AI systems within DOD and to ameliorate threats from AI—including advancing DOD cybersecurity with AI, using AI for cyber effects operations, and defending against adversary AI-based cyber attacks—as well as plans to acquire relevant AI systems and the relevant roles and responsibilities for different DOD entities.
The roadmap will also include identifying long-term DOD technology gaps, to be addressed by AI-related research, and assessing in partnership with the Defense Intelligence Agency the threats foreign adversaries pose to DOD through AI use. No later than 30 days after the Cyber Command Commander and DOD CIO complete the roadmap, they must provide a classified briefing on the roadmap to Congressional defense committees.
Prohibition on Certain Semiconductor Products and Services (Title LIX, Sec. 5949)
Beginning five years after the NDAA’s enactment, executive branch agency heads cannot procure, obtain, extend, or renew a contract for electronics containing semiconductor products or services covered by U.S. export controls and restrictions. If a waiver is in the interest of national security, the Secretary of Defense, the Director of National Intelligence (DNI), and the Secretaries of Commerce, Homeland Security, and Energy may provide one—and must notify Congress within 30 days.
Within three years of the NDAA’s enactment, the Federal Acquisition Regulatory Council must prescribe regulations that incorporate these semiconductor prohibitions into federal contractors’ contracting language.
No later than 180 days after the NDAA’s enactment, the Secretary of Commerce along with the Secretaries of Defense, Homeland Security, and Energy and the DNI must analyze whether semiconductor design and production capacity in the United States and allied or partner countries meets U.S. needs. Within 270 days of the NDAA’s enactment, the head of the Office of Management and Budget (OMB) must submit a report to Congress on the progress of the semiconductor prohibitions and the effectiveness and utility of the waiver authority.
No later than two years after the NDAA’s enactment, the Secretaries of Commerce, Defense, and Homeland Security, the DNI, the Director of OMB, and the Director of the Office of Science and Technology Policy will establish a microelectronics traceability and diversification initiative, in consultation with industry, to analyze and respond to supply chain vulnerabilities.
Assessment of Production of Semiconductors by the People’s Republic of China (Title LXV, Sec. 6505)
No later than 60 days after the NDAA’s enactment, and then annually for three years after, the DNI shall submit a report to Congress on China’s global semiconductor competitiveness. This list of recipient committees will include the Congressional intelligence committees and the House and Senate committees on Armed Services, Foreign Affairs/Foreign Relations (respectively), Homeland Security/Homeland Security and Governmental Affairs (respectively), and
Appropriations, among others. The report shall focus on progress in Chinese semiconductor self-sufficiency, progress in developing indigenous or acquiring foreign intellectual property related to semiconductors, any observed Chinese stockpiling efforts, Chinese recruitment activity targeting semiconductor manufacturing engineers and managers, and more. The DNI shall also submit each of these reports to the Secretary of Commerce to inform implementation activities related to the CHIPS Act.
Policy on Required User Adoption Metrics in Certain Contracts for Artificial Intelligence and Emerging Technology Software Products (Title LXVII Sec. 6717)
No later than 180 days after the NDAA’s enactment, the DNI shall establish a policy for including adoption metrics in contracts and other agreements to procure AI and emerging technology software products—to gather and assess metrics on the product’s success. No later than 60 days after that policy is in place, the DNI shall submit the policy to the Congressional intelligence committees, the Senate Appropriation Committee’s Subcommittee on Defense, and the House Appropriation Committee’s Subcommittee on Defense.
Reports on Integration of Artificial Intelligence Within the Intelligence Community (Title LXVII, Sec. 6721)
No later than 180 days after the NDAA’s enactment, designated intelligence officials per 6702(b) shall each submit a report to the Congressional intelligence committees, the Senate Appropriation Committee’s Subcommittee on Defense, and the House Appropriation Committee’s Subcommittee on Defense on efforts to develop, acquire, adopt, and maintain AI to improve intelligence collection and analysis and optimize internal workflows. The report will include descriptions of authorities related to the use of AI, lists of resources or authorities necessary to accelerate the adoption of AI in the corresponding intelligence agency, and a description of the agency’s existing roles, responsibilities, and authorities to accelerate AI adoption.
No later than two years after the NDAA’s enactment, each of the inspector generals with oversight of an intelligence community agency will conduct an audit on the agency’s AI adoption, the agency’s efforts to adopt AI, and the administrative or technical barriers to adoption. They will brief the findings of these audits to the same, aforementioned group of Congressional committees. The audit of the Office of the Director of National Intelligence shall also assess the DNI’s coordination of AI-related best practice-sharing, information-sharing, efficient resource use, and contracting vehicle-sharing for products and services that meet common intelligence requirements.
Within a year of the NDAA’s enactment, and for three successive years after, the DNI shall submit to the same, aforementioned Congressional committees a classified report on AI adoption within the intelligence community. This document will include a detailed description of each intelligence organization’s progress in adopting and maintaining AI; a description of new intelligence community policies around AI (and compliance with those policies); recommendations to accelerate intelligence community adoption of AI (including new industry advances to leverage); an overview of foreign adversaries’ advances in AI; and resource, authority, administrative, or technical barriers to intelligence community AI adoption. For each of these DNI reports, the intelligence community’s Chief Data Officer shall discuss the criteria (e.g., intelligence community progress in AI adoption, foreign adversaries’ AI advances, etc.) with respect to the intelligence community’s organization of data to accelerate the adoption of AI.
Code-Free Artificial Intelligence Enablement Tools Policy (Title LXVII, Sec. 6742)
No later than one year after the NDAA’s enactment, the DNI, in consultation with other specified intelligence community organization heads, shall draft a potential policy to promote the intelligence community’s use of code-free AI enablement tools. The policy shall include the objective for the use of these tools, a detailed set of incentives for using these tools, and a plan to ensure coordination throughout the intelligence community. No later than 180 days after the NDAA’s enactment, the DNI shall submit the draft policy—along with recommendations for implementation; a specified plan and timeline; and an assessment of needed budget, personnel, and resources—to the Congressional intelligence committees, the Senate Appropriation Committee’s Subcommittee on Defense, and the House Appropriation Committee’s Subcommittee on Defense.
Establishment of Unmanned System Program and Autonomous Control and Computer Vision Technology Project (Title CXII Sec. 11225)
No later than two years after the NDAA’s enactment, the DOD Secretary shall establish a program that the Coast Guard Commandant will control for the use of land-based, cutter-based, and aircraft-based unmanned systems. The Commandant will retrofit two or more existing Coast Guard small boats with commercially available autonomous control and computer vision technology—as well as sensors and communication methods to control and assist in conducting search and rescue, surveillance, and interdiction missions. The Commandant will collect and evaluate data from the retrofits.
No later than 180 days after the retrofitting is completed, the Commandant will brief the Senate Committee on Commerce, Science, and Transportation and the House Committee on Transportation and Infrastructure on the project. Within that same window, the Commandant will submit to the two committees a detailed description of the Coast Guard’s strategy to implement unmanned systems across its mission areas.
Within one year after the NDAA’s enactment, the Commandant will provide Congress with an estimate of costs associated with these provisions.
Artificial Intelligence Strategy (Title CXII, Sec. 11226)
The Commandant of the Coast Guard shall coordinate data and AI activities related to identifying, demonstrating, and transitioning to operational use of AI to enhance its mission capability or performance.
No later than one year after the NDAA’s enactment, the Commandant will designate a senior official with principal responsibility for this coordination of AI. That designated official will regularly convene other Coast Guard officials to functionally integrate the Coast Guard’s data and AI activities, ensure its data and AI capabilities are efficient, and continue to facilitate policy and process development. Said official will also develop a strategic AI plan covering a roadmap for coordinating the Coast Guard’s data and AI activities; continuously evaluating and adapting its AI capabilities; and consideration of how to identify, adopt, and procure AI technologies to support operations and missions.
No later than two years after the NDAA’s enactment, the designated official will submit this plan to the Commandant of the Coast Guard and to the Senate Committee on Commerce, Science, and Transportation, and the House Committee on Transportation and Infrastructure.
Review of Artificial Intelligence Applications and Establishment of Performance Metrics (Title CXII, Sec. 11227)
No later than two years after the NDAA’s enactment, the Commandant will review the Coast Guard’s potential applications of AI and digital technology; identify the resources necessary to improve their use; and establish performance objectives and metrics to incorporate them into Coast Guard platforms, processes, and operations. This will include an assessment of relevant Coast Guard skills gaps and investment in AI modernization. No later than 180 days after the completion of the review, the Commandant will submit it to the Senate Committee on Commerce, Science, and Transportation, and the House Committee on Transportation and Infrastructure.