Federal AI/ADS procurement governance

Latest finding: GSA’s Alliant 2 program page explicitly frames Alliant 2’s scope as including “artificial intelligence” (among other emerging technologies), making it a plausible high-volume pathway for AI/ADS-related obligations that should be separable in downstream spend analysis. ([gsa.gov](https://www.gsa.gov/node/93921)) GSA eLibrary “Contractor Information” pages show that vehicle attribution can be done by combining (a) the eLibrary Source Title/source-code labeling and (b) contract-number patterns: in an Alliant 2 example, the same contractor page lists an Alliant 2 contract number (47QTCK18D0060) under source code “ALIAN2” and separately lists a MAS contract number (47QTCA21D001Y), indicating that contract-number prefixes like 47QTCK18D… (Alliant 2) vs 47QTCA… (MAS) matter to avoid misclassifying obligations by vehicle. ([gsaelibrary.gsa.gov](https://www.gsaelibrary.gsa.gov/ElibMain/home.do/contractorInfo.do?contractNumber=47QTCK18D0060&contractorName=SALIENT+CRGT%2C+INC.&executeQuery=YES)) In an OASIS+ example, the page lists an OASIS+ SB contract number (47QRCA25DSE13) under “OASIS+ SB” (source code “OASIS+SB”) and also lists a MAS contract number (47QTCA25D001Q), supporting the inference that 47QRCA… is a usable OASIS+ PIID prefix for building an OASIS+ IDV PIID set for later obligations rollups. ([gsaelibrary.gsa.gov](https://www.gsaelibrary.gsa.gov/ElibMain/home.do/contractorInfo.do?contractNumber=47QRCA25DSE13&contractorName=QSA-LLC&executeQuery=YES))

Latest finding: DOJ’s PIA for EOUSA’s “USA Advanced Analytics Platform (USA-P-AAP)” (approved May 29, 2025) identifies the privacy-approval chain on the cover page (Issued by Kevin Krebs, “Senior Component Official for Privacy”; approved by Christina Baptista, Senior Counsel, Office of Privacy and Civil Liberties) and describes the system as EOUSA’s instance of “Splunk Enterprise” used as a SIEM/audit-log analytics platform. ([justice.gov](https://www.justice.gov/opcl/media/1427661/dl)) The same PIA states the system is covered by SORN DOJ-002 and provides a citation to the DOJ-002 Federal Register publication, and it also cites SORN JUSTICE/JMD-026. ([justice.gov](https://www.justice.gov/opcl/media/1427661/dl)) In the republished DOJ-002 SORN (86 FR 37188; July 14, 2021), the ‘SYSTEM MANAGER(S)’ is listed as the DOJ Chief Information Security Officer (with address/phone at 145 N Street NE, Washington, DC 20530), and the notice further states responsibilities are delegated to component-level CIOs/CISOs subject to oversight of DOJ CIO and/or DOJ CISO. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2021-07-14/pdf/2021-14986.pdf)) The JUSTICE/JMD-026 notice likewise lists the ‘SYSTEM MANAGER(S)’ as the DOJ Chief Information Security Officer and, in the ‘FOR FURTHER INFORMATION CONTACT’ line, names Nickolous Ward as DOJ Chief Information Security Officer at the same address/phone. ([public-inspection.federalregister.gov](https://public-inspection.federalregister.gov/2021-15883.pdf)) Separately, corporate-control records show that as of March 18, 2024 Splunk became a wholly owned subsidiary of Cisco: Cisco’s Form 8-K states Cisco completed the Splunk transaction and that Splunk survived the merger as a wholly owned subsidiary of Cisco. ([sec.gov](https://www.sec.gov/Archives/edgar/data/858877/000119312524070175/d783088d8k.htm)) Taken together, these governance records identify a DOJ CISO-led system-manager oversight locus (DOJ-002 / JMD-026), but the PIA itself does not name a specific contracting office or a specific procurement award/contract identifier for the Splunk/related tooling referenced, limiting a direct FPDS/USAspending crosswalk from the PIA/SORN to a contracting-office record based on these artifacts alone. ([justice.gov](https://www.justice.gov/opcl/media/1427661/dl))

Latest finding: FPDS’s ezSearch PDF export for PIID 47QTCK18D0004 identifies the record as a GWAC and lists Booz Allen Hamilton Inc. (CAGE 17038) as the legal business name on the PIID’s modification history, establishing Booz Allen as a named Alliant 2 contract-holder in the FPDS record for that PIID. HigherGov’s compiled contract view for delivery order 47QTCK18D0004-47QFCA20F0032 (described as JAIC/JWNMI AI-enabled work under Alliant II) lists multiple disclosed subcontracts under that prime award, including (at least) L3Harris Technologies ($17,727,115.60; most recent action June 21, 2024), Aviture ($4,899,824.00; most recent action Oct. 1, 2024), and Edge Case Research ($49,952.96; most recent action Nov. 15, 2024).

Latest finding: GAO’s 2026 AI acquisitions review (GAO-26-107859) documents a cross-agency governance gap: officials at DOD, DHS, GSA, and VA told GAO they were not systematically collecting lessons learned from AI acquisitions, and GAO reports this left them unprepared to share knowledge through the GSA repository described in OMB AI acquisition guidance—creating risk that future AI procurements will repeat avoidable mistakes. In the same report, GAO attributes recurring procurement challenge themes to multiple agencies and groups them into six challenge areas (strategic: access to subject matter experts; protections for government data and intellectual property rights; traditional acquisition time frames and contract approaches; programmatic: requirements definition and contract terms; early testing and continuous evaluation; AI pricing and overall cost). GAO-26-107859 also anchors these themes to specific exemplars by naming 13 AI acquisitions (e.g., DHS TSA PreCheck Touchless Identity Solution; DOD Maven and Project Linchpin; GSA USAi; VA Automated Decision Support) and notes (as an example of government-wide AI acquisition strategy) that GSA reported entering agreements with OpenAI, Anthropic, and Google for government-wide use in August 2025. Earlier GAO work shows the same governance pattern evolving but persisting: GAO-23-105850 reports DOD lacked department-wide AI acquisition guidance (with Tradewind cited as an acquisition ecosystem and IP/data-rights considerations emphasized), while GAO-24-105980 reports the absence of government-wide AI acquisition-and-use guidance and identifies completeness/accuracy issues in agency AI inventories—setting up the 2026 finding that, even after OMB issued acquisition guidance (M-25-22), agencies still lacked systematic internal mechanisms (lessons-learned capture/knowledge sharing) needed to prevent repeat problems.

Latest finding: The solicitation document for W52P1J-21-R-0029 (Amendment 0001 dated February 26, 2021) states DoD’s intent to establish multiple BPAs for AI Test & Evaluation services that are “open for ordering” across the U.S. Government and structured for decentralized ordering over a five-year ordering period. ([imlive.s3.amazonaws.com](https://imlive.s3.amazonaws.com/Federal%20Government/ID151922140063916450446479915674517979637/W52P1J21R0029-0001%2026Feb21.pdf)) Defense News reports JAIC confirmed awards to 79 vendors under this AI T&E BPA on February 10, 2022 (describing the BPA as a mechanism to standardize AI T&E criteria/metrics/standards and noting each award worth up to $15M). ([defensenews.com](https://www.defensenews.com/artificial-intelligence/2022/02/10/pentagons-ai-center-awards-contracts-to-79-companies-in-new-test-and-evaluation-agreement/)) A DoD-hosted one-pager later describes the (CDAO) T&E BPA as an interagency, streamlined procurement path for independent AI T&E services once the BPA is in place. ([media.defense.gov](https://media.defense.gov/2024/Oct/24/2003570985/-1/-1/0/2023-12-TRADEWINDS-TEST-EVALUATION-ONE-PAGER.PDF))

Latest finding: In a GovTribe-hosted copy of a ‘Federal Contract Opportunity’ solicitation package for U.S. Embassy Athens (solicitation 19GR1026Q0020), the included DOSAR 652.239-803 ‘Artificial Intelligence Clause (Deviation) (Sep 2025)’ requires that, for ‘high-impact use cases,’ contractors comply with ‘minimum AI risk management practices … as required by OMB M-25-21,’ and the clause enumerates those practices to include ‘Applying the NIST AI Risk Management Framework,’ along with agency-led impact assessments and transparency of system design/data lineage/decision logic. ([govtribe.com](https://govtribe.com/file/government-file/19gr1026q0020-solicitation-document-dot-pdf)) A second Embassy Athens solicitation package (19GR1026Q0005) repeats the same DOSAR deviation clause set (including 652.239-802 and 652.239-803), suggesting this is a reusable, standardized solicitation/contract language pattern within that acquisition context. ([govtribe.com](https://govtribe.com/file/government-file/19gr1026q0005-19gr1026q0005-dot-pdf))

Latest finding: U.S. Senate LDA LD-2 filings for Technology Network AKA TechNet show disclosed lobbying that explicitly names AI governance topics and procurement-adjacent governance mechanisms. In a filing showing reporting year 2020 (digitally signed January 20, 2021; expenses $100,000), TechNet lists under specific lobbying issues: "Issues regarding artificial intelligence" and also explicitly lists "FedRAMP reform," along with multiple AI-related bills including "S. 3890/HR 7096, National AI Research Resource Task Force Act of 2020." ([lda.senate.gov](https://lda.senate.gov/filings/public/filing/fc77cf59-b199-43e6-a57f-7d8fb5130b9e/print/)) In a filing showing reporting year 2025 (digitally signed July 20, 2025; expenses $510,000), TechNet lists "Artificial Intelligence" among its technology issue-area topics and separately lists science-budget related items including "National AI Research Resource (NAIRR)" and "The U.S. AI Safety Institute," with listed government entities contacted including OSTP and, for a budget issue area, OMB. ([lda.senate.gov](https://lda.senate.gov/filings/public/filing/3091b3a6-f293-4f76-9ca8-317dc8405edc/print/))