# Why AI is suddenly a contracting issue
A few years ago, artificial intelligence — software that can write, summarize, predict, or make decisions on its own — was something most contractors only read about. Today it shows up in everyday work: people use AI to draft proposals, write code, sort resumes, answer help-desk questions, and review documents. At the same time, federal agencies are buying AI products and services of their own, from chatbots to fraud-detection systems.
That creates two separate questions for a contractor. First: what happens when I use AI to do my federal work? Second: what happens when I sell AI, or AI-powered services, to the government? The answers are different, and this page walks through both. The good news is that most of the rules are extensions of duties you may already have around protecting data and being honest about how you perform a contract.
## The new rules you should know
The federal approach to AI shifted in 2025. In January 2025, the White House issued Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence," aimed at speeding up government use of AI while keeping it responsible.
To carry that out, the Office of Management and Budget (OMB) released two key memos on April 3, 2025. M-25-21 tells agencies how to use AI responsibly inside their own walls. M-25-22, "Driving Efficient Acquisition of Artificial Intelligence in Government," tells agencies how to buy AI — and it is the one contractors should watch most closely. Its requirements apply to contracts from solicitations issued on or after September 30, 2025, and to options renewed or extended on or after October 1, 2025.
M-25-22 pushes agencies to favor AI built in the United States, to track how well an AI tool actually performs after purchase, and to write contracts that protect the government's data and rights. It also tells agencies to bar vendors from using non-public government data to train commercial AI models without the government's clear permission.
Two more developments matter. In April 2025, Executive Order 14275 directed a broad rewrite of the Federal Acquisition Regulation (FAR); as it is updated, new AI-related clauses are expected to appear over time. And the National Defense Authorization Act (NDAA) for FY2026 directs the Department of Defense to build a security framework for the AI and machine-learning tools it buys and to fold that framework into DFARS and CMMC — an idea some call "CMMC for AI." If you work on defense contracts, expect AI security to become part of the same certification process you already deal with.
## When you use AI in your own work
This is where most contractors will feel AI first — not by selling it, but by using it. And this is exactly where AI runs into the cybersecurity rules you already follow.
Federal contracts protect two main kinds of information. Federal Contract Information (FCI) is information the government gives you, or that you create for it, that is not meant to be public. Controlled Unclassified Information (CUI) is more sensitive information with special handling rules. If you handle either, you have a duty to keep it safe. (Our Cybersecurity 101 page explains both in more detail.)
Here is the trap. Many popular AI tools are public services running on someone else's computers. When you paste text into one, that text may be stored, reviewed by the company, or used to train the AI further. If the text is FCI or CUI, you may have just sent protected government information to an outside system that is not approved to hold it — breaking the same safeguarding rules that already apply to your email and file servers. Security experts call this risk "data leakage," and the government's own AI guidance lists it as a top concern.
The National Institute of Standards and Technology (NIST) published an AI Risk Management Framework to help organizations use AI safely. It is voluntary but is becoming the common language for AI governance, and it warns about risks that matter to contractors: AI tools can leak sensitive data, can "confabulate" (state false things with confidence), and can be tricked through prompt injection. The lesson is simple — before you put any government information into an AI tool, make sure the tool is approved to hold that kind of data, and check whether your contract requires you to disclose that you used AI at all.
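One practical way to enforce the lesson above is a pre-send check in whatever gateway or script routes text to an AI tool: classify the text by the CUI markings it carries (and by whether it came from government work at all), then compare against a list of tools your organization has approved for that category. The following is an added illustration written for this page, not code from any agency, NIST, or vendor; the tool names and the approval table are hypothetical placeholders, and the sample prompts are constructed. Only the marking patterns are real: "CUI", "CUI//category" and "CONTROLLED" banners come from the federal CUI marking rules, and "FOUO" is the legacy marking still found on older documents.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlist (an assumption for this example): which AI tools the
# organization has approved for which data categories. Tool names are
# placeholders, not real products. Anything not listed is implicitly denied.
APPROVED_TOOLS = {
    "public-chatbot": {"PUBLIC"},
    "approved-enclave-assistant": {"PUBLIC", "FCI", "CUI"},
}

# CUI banner / portion markings, e.g. "CUI", "CUI//SP-PRVCY", "CONTROLLED".
CUI_MARKING = re.compile(r"\b(?:CUI|CONTROLLED)(?://[A-Z0-9/-]+)?\b")
# Legacy marking that still appears on older material.
LEGACY_MARKING = re.compile(r"\bFOUO\b|\bFOR OFFICIAL USE ONLY\b", re.IGNORECASE)


@dataclass
class Decision:
    allowed: bool
    category: str
    reason: str


def classify(text: str, source_is_government: bool) -> str:
    """Return the highest-sensitivity category the text appears to carry."""
    if CUI_MARKING.search(text) or LEGACY_MARKING.search(text):
        return "CUI"
    if source_is_government:
        # Unmarked information received from or produced for the government is
        # treated as FCI by default: FCI usually carries no banner at all, so a
        # marking scan alone would miss it.
        return "FCI"
    return "PUBLIC"


def check_prompt(text: str, tool: str, source_is_government: bool = False) -> Decision:
    """Decide whether `text` may be sent to `tool` under the approval table."""
    category = classify(text, source_is_government)
    permitted = APPROVED_TOOLS.get(tool, set())  # unknown tool -> empty set -> deny
    if category in permitted:
        return Decision(True, category, f"{tool} is approved for {category}")
    return Decision(False, category,
                    f"{tool} is not approved for {category}; route to an approved tool")


if __name__ == "__main__":
    # Constructed sample prompts, not real government data.
    samples = [
        ("CUI//SP-PRVCY\nSummarize this list of employee records.", "public-chatbot", True),
        ("CUI//SP-PRVCY\nSummarize this list of employee records.", "approved-enclave-assistant", True),
        ("Rewrite this public press release in plain English.", "public-chatbot", False),
        ("Draft the weekly status report for the task order.", "public-chatbot", True),
    ]
    for text, tool, from_gov in samples:
        d = check_prompt(text, tool, from_gov)
        print(f"{'ALLOW' if d.allowed else 'BLOCK'} [{d.category}] -> {d.reason}")
```

The design choice worth noting is the default: a marking scan only catches information someone already labelled, and FCI is routinely unmarked, so the check treats anything that originated in government work as FCI unless the tool is approved for it. The scan is also deliberately conservative (the bare word "CUI" in a sentence of ordinary prose will trip it); a false block costs a moment, while a false allow is exactly the leakage the page describes.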
## When you sell or build AI for the government
If your company offers AI products, or services that rely on AI, the new acquisition rules shape the deal in ways that may surprise you. Three issues come up again and again.
### Data rights and training
Agencies are told to write contracts that clearly state who owns the data and who owns the results. Most importantly, M-25-22 directs agencies to stop vendors from using the government's non-public data to train commercial or public AI models without explicit consent. If your business model depends on learning from customer data, read these terms closely — the default answer is now "no."
### Performance and lock-in
The government wants to avoid getting stuck with a tool that does not work or that it cannot leave. Agencies are told to measure how an AI tool actually performs after purchase and to protect "data portability" — the ability to take their data and move to a different vendor. Be ready to show real results and to support a clean exit.
### Buy American and accountability
M-25-22 favors AI developed and produced in the United States and expects agencies to manage AI risk across the life of the contract. Auditors are watching too: the Government Accountability Office (GAO) has urged agencies to collect and apply lessons learned from past AI buys. Expect more questions about where your technology comes from and how you keep it safe.
## When AI makes or shapes decisions
Cybersecurity rules ask whether your data is protected. A second wave of rules asks whether your algorithms are accountable. When an AI system makes or heavily influences a decision about a person, three obligations are converging across federal policy and state privacy law: transparency (telling people an automated system is used), explanation (being able to say why a decision was reached), and a right to contest (a path to human review). A caution worth internalizing: human oversight is not a cure-all — nominal review often rubber-stamps automated outputs unless the human has real information, time, and authority to override. If a contract requires human oversight of an AI system, build it so the human can actually exercise judgment.
## What to do now
You do not need to be an AI expert to stay out of trouble. Treat any AI tool like a new subcontractor: know what it does, know where your data goes, and write down how you use it. Never paste FCI or CUI into a public AI tool unless it is approved for that information. Check each contract for clauses about AI use, disclosure, and data rights, and ask your contracting officer if anything is unclear. If you build or sell AI, get your data-rights and training terms reviewed before you sign. And if you work in defense, start watching how AI security folds into DFARS and CMMC, because it is coming.
## Authoritative references
- Executive Order 14179 — Removing Barriers to American Leadership in Artificial Intelligence (The White House)
- OMB Memorandum M-25-21 — Accelerating Federal Use of AI (OMB)
- OMB Memorandum M-25-22 — Driving Efficient Acquisition of AI in Government (OMB)
- AI Risk Management Framework (AI RMF 1.0) and Generative AI Profile (NIST)
- Artificial Intelligence Acquisitions: Agencies Should Collect and Apply Lessons Learned (GAO-26-107859) (GAO)
- Federal Acquisition Regulation (FAR) (Acquisition.gov)
## Where to go next
- Cybersecurity 101 — start here if FCI, CUI, NIST 800-171, and CMMC are unfamiliar; every AI rule on this page builds on those basics.
- Glossary — look up any acronym used here, in plain English.
- Find My Requirements — get the specific rules and frameworks that apply to your work.