Congress Moves Forward with AI Measures in Key Defense Legislation

Introduction

On December 7, 2025, House and Senate Armed Services Committee leaders unveiled legislative text (House Amendment to S. 1071) for the fiscal year (FY) 2026 must-pass defense authorization bill, which contains a number of artificial intelligence (AI) provisions that will likely become law by the end of the year, setting the stage for an initial vote in the House this week, followed by expected action in the Senate ahead of the holiday recess.

The conference report is the product of bicameral negotiations to reconcile differences between the House and Senate versions of the bill. The House passed its version (H.R. 3838) of the National Defense Authorization Act (NDAA) in September, while the Senate passed its version (S. 2296) in October (see prior alert here).

The compromise package notably excludes federal preemption of state AI laws, an approach that had drawn bipartisan criticism from both state and federal policymakers. Following the release of the package, however, President Trump indicated he intends to issue an executive order (EO) in the coming days regarding national AI standards.

The final NDAA also excludes the GAIN AI Act, which would have required U.S. chipmakers to prioritize American customers before selling advanced AI chips to China and other arms-embargoed countries.

Below, please find a summary of key AI provisions in the compromise version of the defense bill.

U.S. Department of Defense

Title II: Research, Development, Test and Evaluation (RDT&E)

• Authorization of Appropriations (Subtitle A)
  • National Security and Defense AI Institute (Sec. 224): The provision, which was in the House bill, authorizes DoD to establish at least one National Security and Defense AI Institute at a U.S. eligible host institution. The Institute would focus on addressing cross-cutting challenges and foundational AI research for national security and defense, building partnerships across public and private organizations, fostering innovation ecosystems, supporting interdisciplinary research and developing the U.S. AI workforce.
• Biotechnology Matters (Subtitle C)
  • Biological Data for AI (Sec. 245): The provision, which was in the House bill, requires DoD to, within one year, develop and implement standards ensuring that biological data generated by Department–funded research is collected and stored to enable use in advanced computational methods, including AI. The requirements must define “qualified biological data resources” based on data type, size, funding, sensitivity or other factors; establish metrics and metadata for data quality, usability and interoperability; mandate tiered cybersecurity safeguards and access controls; provide exceptions for national security and protect individual privacy.

Title III: Operation and Maintenance

• Logistics and Sustainment (Subtitle C)
  • Integration of Commercially Available AI Capabilities into Logistics Operations (Sec. 347): The provision directs the Department to integrate commercial AI tools for logistics into two DoD exercises in FY 2026, prioritizing agile systems and small or nontraditional vendors while ensuring full data security and cybersecurity compliance. By March 1, 2026, the Department must brief Congress on the selected exercises, tools, timelines and evaluation metrics. Within 30 days after each exercise, commanders must report on the impact of AI on readiness and operations and recommend future use.
  • Pilot Program for Data-Enabled Ground Vehicle Maintenance (Sec. 350): Within 90 days of enactment, the provision directs each Secretary for the Army, Navy and Air Force to launch a pilot program using commercial AI to improve ground vehicle maintenance, in coordination with the DoD Chief Digital and AI Officer (CDAO). The program will evaluate effectiveness, cost savings and risks (including cybersecurity), with a report to Congress due within one year, and the authority would sunset on January 1, 2029.

Title V: Military Personnel Policy

• Member Training (Subtitle E)
  • Pilot Program for GAI and Spatial Computing for Performance Training and Proficiency Assessment (Sec. 547): The provision, which was in the House bill, requires the Navy to, within 90 days, develop and implement a pilot program to optimize the use of GAI and spatial computing for immersive training and proficiency assessment. The program would terminate one year after its establishment.

Title VII: Acquisition Policy, Acquisition Management and Related Matters

• Prohibitions and Limitations on Procurement (Subtitle E)

• BIOSECURE Act (Sec. 851): The legislation prohibits federal agencies from purchasing, using or contracting for biotechnology equipment or services produced by “biotechnology companies of concern,” and bars the use of federal grant or loan funds for such purposes. The Office of Management and Budget (OMB), working with national security and science agencies, must publish and regularly update a list of prohibited companies, based on their ties to foreign adversaries, involvement in biotech production and risks posed to U.S. national security. Limited waivers are allowed under strict national-security justifications, and several exceptions apply (including for intelligence activities and overseas health care services). The provision requires new guidance, updates to the Federal Acquisition Regulation (FAR), reporting on risks related to foreign access to U.S. multiomic data and annual intelligence reporting on nefarious activities by biotech companies handling such data.

Title X: General Provisions

• Financial Matters (Subtitle A)
  • Use of Technology Using AI to Facilitate DoD Financial Audits (Sec. 1007): The provision, which was in the House bill, directs DoD and the service secretaries to encourage, to the greatest extent practicable, the use of AI and ML technologies to support audits of the Department’s financial statements.
• Naval Vessels and Shipyards (Subtitle C)
• Strategy for Navy Investment in and Support for the Maritime Industrial Base (Sec. 1019): Within 180 days of enactment, directs the Secretary of the Navy to implement a strategy to invest in and support the maritime industrial base to address cost and schedule problems in surface and submarine shipbuilding. The strategy must ensure reliable supplies of critical components, establish performance metrics, centralize industrial base data and use AI to monitor and predict supply chain risks and disruptions.

• Other Matters (Subtitle G)

• Framework for Reforming Technology Transfer and Foreign Disclosure Policies (Sec. 1086): Within 180 days of enactment, directs the Secretary of Defense to create and submit to Congress a framework to update DoD technology transfer and foreign disclosure policies, balancing protection of sensitive technology with sharing to allies. The framework must address emerging technologies such as AI and hypersonics, streamline approvals, improve transparency, update governance, establish performance metrics and require audits of denied transfer requests. The military departments must implement these changes within one year, with ongoing industry consultation and annual reporting to Congress.

Title XII: Matters Relating to Foreign Nations

• Matters Relating to Israel (Subtitle D

• Research, Development, Test and Evaluation of Emerging Technologies to Further the Warfighting Capabilities of the United States and Certain Partner Countries (Sec. 1234): The provision authorizes the Secretary of Defense, at the request of a covered partner country and in coordination with other federal agencies, to jointly conduct research, development, testing and evaluation of emerging technologies such as AI, cybersecurity, robotics and quantum systems, subject to export control laws and strong information security protections. No such activities may begin until a formal cost-sharing and security agreement is reported to Congress, including safeguards against access by adversaries like China. The Department must submit semiannual reports to Congress and designate a lead DoD office after the first approval. The term ‘‘covered partner country’’ means a country that, as of June 1, 2025, has signed a bilateral agreement with the United States that is managed by the Irregular Warfare Technology Support Directorate of the Department of Defense.

Title XV: Cyberspace-Related Matters

• Cybersecurity (Subtitle B)
  • AI and ML Security in DoD (Sec. 1512): Within 180 days of enactment, the provision directs DoD to establish a Department-wide cybersecurity and governance policy for AI and machine learning (ML), addressing lifecycle security, industry standards, workforce training and protections against AI-specific threats such as model tampering and data leakage. The Department must then conduct a comprehensive review of its AI/ML cybersecurity practices and report the findings to Congress by August 31, 2026.
  • Physical and Cybersecurity Procurement Requirements for AI Systems (Sec. 1513): The provision, which was in the Senate bill, requires DoD to develop a comprehensive, risk-based framework for implementing cybersecurity and physical security standards for covered AI and ML systems. The framework must address workforce risks, AI-specific threats and vulnerabilities, supply chain risks, adversarial tampering, data theft, and security posture management, while leveraging existing frameworks, including the National Institute of Standards and Technology (NIST) Special Publication 800 series and the Cybersecurity Maturity Model Certification (CMMC) framework. Higher security levels are required for AI systems of greatest national security concern, including protection against highly capable cyber threat actors, with additional components designed specifically for advanced AI systems. The Secretary may amend the Defense Federal Acquisition Regulation Supplement (DFARS) or take similar actions to mandate adoption of best practices by covered entities. The framework must include a detailed implementation plan with timelines, resource requirements and progress metrics. The Secretary must report to congressional defense committees on implementation within 180 days of enactment. Covered AI and ML technologies include all aspects of the system lifecycle, and covered entities are those contracted by DoD to develop, deploy, store or host such systems.
  • Incorporation of AI Considerations into Cybersecurity Training (Sec. 1515): The provision, which was in the House bill, requires the Chief Information Officer (CIO) to, within one year, revise the mandatory annual cybersecurity training for Armed Forces members and civilian employees to include content addressing the unique cyber challenges posed by AI.
• Artificial Intelligence (Subtitle D)
  • Modification of High-Performance Computing Roadmap (Sec. 1531): The provision, which was in the Senate bill, expands the scope of the DoD high-performance computing roadmap to include both DoD-owned and maintained computing assets, as well as commercially procured cloud services or other infrastructure-as-a-service contracts. For any new or expanded data centers on military installations, the roadmap must provide estimates of additional needs, including physical space, electricity and water usage, impacts on the installation and surrounding community, mitigation measures and strategies to prevent local utility disruptions while coordinating with local, state and federal agencies.
  • Guidance and Prohibition on Use of Certain AI (Sec. 1532): The provision, which was in the Senate bill, requires DoD to mandate that all Department offices and components exclude or remove “covered AI” from all DoD systems and devices within 30 days of enactment, and to consider issuing broader guidance to ban additional high-risk AI. Contractors are likewise barred from using such AI in DoD contracts unless a waiver is granted. Waivers may be issued only for limited national security–related purposes (such as research, testing or mission-critical functions) and must include risk-mitigation measures. “Covered AI” includes AI developed by specific foreign companies (DeepSeek, High Flyer) and related entities.
  • AI Model Assessment and Oversight (Sec. 1533): The provision, which was in the Senate bill, directs DoD to establish a cross-functional team, led by the Chief Digital and AI Officer, to create a standardized, Department-wide framework for assessing, governing and approving the development, testing and deployment of AI models. The team will set performance, security, documentation, ethical and testing standards, designate functional leads for AI applications and assess all major DoD AI systems using the framework. The team must be operational by June 1, 2026; complete system assessments by January 1, 2028; brief Congress on progress and transition its duties to a successor organization before sunset in 2030.
  • Digital Sandbox Environments for AI (Sec. 1534): The provision, which was in the Senate bill, requires DoD to, by April 1, 2026, establish a Task Force co-chaired by the CDAO and the Chief Information Officer (CIO) to develop and coordinate “AI sandbox” environments across the Department. The platforms would support AI experimentation, training and model development for users of all technical levels. The Task Force will identify shared requirements, inventory existing tools, streamline approval processes and issue guidance on responsible use. A briefing to Congress is due by August 1, 2026, and the Task Force would terminate on January 1, 2030.
  • AI Futures Steering Committee (Sec. 1535): The provision directs DoD to, by April 1, 2026, establish the AI Futures Steering Committee, co-chaired by the Deputy Secretary of Defense and the Vice Chairman of the Joint Chiefs, and composed of senior DoD leaders. The committee will analyze advanced and potentially general-purpose AI, assess adversary AI developments, evaluate operational and infrastructure impacts and develop a risk-informed strategy for AI adoption, safeguards and oversight. It must meet quarterly and submit a public report to Congress by January 31, 2027, with the committee set to terminate on December 31, 2027.

Title XVIII: Acquisition Reform

• Modifications to Strengthen the Industrial Base (Subtitle E)
  • Collaborative Forum to Address Challenges to and Limitations of the Defense Industrial Base (Sec. 1844): Within 120 days of enactment, the Secretary of Defense must designate one or more consortia to serve as a collaborative forum among government, industry, academia and nonprofits to address challenges facing the defense industrial base. The consortia will focus on removing acquisition barriers, reducing supply chain vulnerabilities, expanding domestic manufacturing through advanced technologies (including AI) and developing a skilled workforce. The Secretary must consider the consortia’s recommendations in DoD policy updates and provide annual briefings to Congress through 2029.

U.S. Department of Energy (DOE)

Title XXXI: Department of Energy National Security Programs

• Program Authorizations, Restrictions and Limitations (Subtitle B)
  • Appropriate Scoping of AI Research within the Administration (Sec. 3117): The provision, a version of which was in the Senate bill, limits use of funds for AI research, development, program execution or associated computing infrastructure within the Administration to activities that directly support its nuclear security missions. It also clarifies that this limitation does not prevent the establishment of enduring national security AI research and development (R&D) programs in other DOE components or federal agencies.

Intelligence Community

Title LXVI: AI and Other Emerging Technologies

• Artificial Intelligence (Subtitle A)
  • AI Security Guidance (Sec. 6601): The provision assigns the Director of the National Security Agency (NSA) responsibility for developing security guidance to protect AI technologies from theft, sabotage and cyber threats by nation-state adversaries. The guidance must identify key vulnerabilities, supply-chain and lifecycle risks and strategies to detect, protect against, respond to and recover from AI-related cyber threats. The NSA may collaborate with government, research and private sector partners and publish guidance at classified or unclassified levels as appropriate.
  • AI Development and Usage by Intelligence Community (Sec. 6602): The provision, which was in the Senate bill, requires the Intelligence Community (IC) to, within one year of enactment, identify commonly used AI systems and functions that have high potential for reuse across IC elements. Chiefs of AI for each IC element must implement policies to share custom-developed code, models and model weights while protecting intelligence sources and methods. The CIO of the IC will provide model contract terms to prevent vendor lock-in and encourage competition with interoperable AI products.
  • Sec. 6603. Application of AI Policies of the Intelligence Community to Publicly Available Models Hosted in Classified Environments: The provision, which was in the Senate bill, extends IC AI policies to publicly available AI models when used for intelligence purposes in classified environments. ODNI must ensure that existing IC AI policies apply to such models to the greatest extent possible. The Chief AI Officer (CAIO) of the IC, or a designated provider, must establish common testing standards and benchmarks for AI models across common use cases, with higher standards for high-impact use cases, including tasks with potential lethal application.

• Prohibition on Use of DeepSeek on Intelligence Community Systems (Sec. 6604): The provision directs the Director of National Intelligence to, within 60 days of enactment, issue standards requiring the removal of the DeepSeek application (and any successor) from all national security systems operated by the IC or its contractors. These standards must comply with federal information security law and may include limited national security or research exceptions with required risk-mitigation measures.

Title LXXXV: Comprehensive Outbound Investment National Security Act of 2025

• General Matters, Sanctions, Prohibition and Notification on Investments Relating to Covered National Security Transactions and Securities and Related Matters (Subtitles A-D)

• Comprehensive Outbound Investment National Security Act (Sec. 8501-8607): The legislation authorizes $150 million per year for two years at the U.S. Department of the Treasury, along with limited-term direct-hire authority, to implement a new outbound-investment and sanctions framework, with funds available for joint outreach and administration with the U.S. Department of Commerce. It expresses Congress’s view that restricting certain U.S. investments in strategic, dual-use technologies in a “country of concern” (the People’s Republic of China) is necessary to protect U.S. national security and foreign policy and urges the President to use these authorities accordingly. The legislation authorizes the President to use International Emergency Economic Powers Act (IEEPA) tools to prohibit U.S. persons from investing in, or purchasing significant equity or debt of “covered foreign persons” linked to China’s defense or surveillance technology sectors. The provision carries IEEPA civil and criminal penalties, requires annual certification to Congress on whether listed Chinese military-industrial companies meet the statutory criteria and preserves all existing presidential sanctions authorities. It also includes narrow exceptions for intelligence and law-enforcement activities and for official U.S. government business. The statute expressly excludes import restrictions from the scope of sanctions authorities.

U.S. Department of State

Title I: Organization and Operations

• Other Matters (Subtitle D)

• Strengthening Enterprise Governance (Sec. 5174): Directs the CIO and the CDAO to work together to strengthen DoD enterprise governance and report directly to the Deputy Secretary of Defense. Any unresolved budget or management disputes between them should be decided by the Deputy Secretary.

Title III: Information Security and Cyber Diplomacy

• Post Data Pilot Program (Sec. 5301): The provision authorizes the Secretary of State to establish a Post Data Program, overseen by the CDAO, to promote data and AI culture, integration with State Department headquarters and operational efficiency at U.S. diplomatic posts worldwide. Within 180 days of enactment, the Secretary must submit an implementation plan addressing goals, staffing of data and AI officers at posts and resource needs. Progress reports must be submitted to Congress annually for three years.

• Reports on Technology Transformation Projects at the Department (Sec. 5303): The provision requires the Department to submit detailed annual reports to Congress on all covered “technology transformation projects,” defined to include any new or significantly modified technology deployed by the Department with the purpose of improving diplomatic, consular, administrative or security operations (including AI, cloud, cybersecurity and data platforms), with performance, cost, security and adoption metrics. The Department must also publish an unclassified public summary of each report. The Government Accountability Office (GAO) must independently evaluate these efforts every two years and recommend improvements to oversight and implementation.

Conclusion

Akin’s lobbying & public policy practice continues to closely monitor congressional, White House and industry activity on AI, and will continue to keep clients apprised of noteworthy advancements.