Federal AI procurement has a new compliance framework. OMB Memorandum M-25-22, Driving Efficient Acquisition of Artificial Intelligence in Government, was issued April 3, 2025, as part of a two-memoranda package alongside M-25-21. M-25-22 is the operational document for AI vendors: it specifies what federal agencies must require from AI vendors, how they must evaluate AI systems before acquisition, and what accountability mechanisms must be built into AI contracts.
The applicability date is specific and consequential: M-25-22 requirements apply to contracts awarded from solicitations issued on or after October 1, 2025. That date has passed. If you are pursuing federal AI contracts today, M-25-22 documentation requirements are part of your competitive landscape.
What Federal Agencies Must Now Require from AI Vendors
Under M-25-22, contracting officers and program managers are directed to require vendors to provide documentation addressing specific accountability and transparency dimensions before award. These requirements represent a significant elevation of the due diligence standard for AI procurement compared to prior practice.
- Training data provenance: Vendors must describe the sources, composition, and quality controls applied to the data used to train their AI systems. This is particularly significant for vendors using large datasets scraped from public web sources.
- Model performance documentation: Vendors must provide quantified performance metrics, including accuracy, precision, recall, and relevant domain-specific measures. Performance must be reported across demographic subgroups where applicable.
- Known limitations: Vendors must document the known failure modes, operational constraints, and contexts in which their AI system performs below acceptable thresholds.
- Bias and fairness assessment: Vendors must describe how they assessed their AI system for bias and what mitigation steps were applied. This applies to both the training process and the output evaluation.
- Security practices: Vendors must describe their AI system's security architecture, including data handling, model access controls, and adversarial robustness testing.
- Monitoring capabilities: Vendors must explain how their system supports ongoing monitoring for performance degradation, output drift, and unexpected behavior in production.
The Responsible AI Documentation Package
The practical implication of M-25-22 for AI vendors is the need to maintain what practitioners are calling a Responsible AI documentation package: a set of standardized documents that address the requirements above and can be submitted as part of proposal responses or early in the acquisition process. This is analogous to what ISO certifications and SOC 2 reports became for information security: a baseline documentation standard that sophisticated buyers expect.
The documentation package should include a model card or AI system card describing the system's purpose, capabilities, and limitations; a data sheet describing training data sources and quality controls; a bias assessment report describing how fairness was evaluated and what mitigations were applied; and a security assessment describing the system's threat model and security controls. Vendors who have already developed these documents for non-federal purposes will find them readily adaptable to M-25-22 requirements.
How M-25-22 Changes the Competitive Landscape
Before M-25-22, federal AI procurement decisions were made largely on functional capability and price. Vendors with mature AI governance documentation practices had limited competitive advantage over vendors with none, because agencies lacked a framework for evaluating governance maturity. M-25-22 changes this by giving contracting officers specific criteria to evaluate and specific documentation to require.
Vendors who have invested in responsible AI practices and can produce high-quality governance documentation will be objectively better positioned in federal source selections than vendors who cannot. Conversely, vendors who make unsupported claims about their AI systems' fairness, accuracy, or security face increased scrutiny and potential disqualification if those claims cannot be substantiated.
Risk-Tiered Evaluation Under M-25-22
M-25-22 maintains the risk-tiered approach from prior federal AI guidance. AI systems that affect rights, safety, or civil liberties face more stringent evaluation requirements than lower-risk applications. Agencies must categorize AI systems before procurement using a risk classification framework and apply evaluation requirements proportional to that risk level.
For vendors, this means understanding where your AI system falls in the risk tier before the solicitation stage. If your system handles decisions that affect public benefits, employment, or law enforcement outcomes, you are almost certainly in a high-risk tier that requires comprehensive governance documentation. Knowing this in advance allows you to prepare rather than scramble when the solicitation drops.
Practical Steps for AI Vendors
- Develop your standard Responsible AI documentation package now. Do not wait for a specific solicitation to require it.
- Conduct a bias and fairness assessment on your AI system if you have not already. This is now a baseline expectation, not a differentiator.
- Map your AI system to the M-25-22 risk tier framework. Know your risk classification before pursuing a federal opportunity.
- Review your training data documentation. Agencies will ask. If your answer is incomplete, that is a competitive weakness.
- Build monitoring and performance reporting into your product. Agencies must be able to monitor AI systems in production. Vendors who make this easy will win.
M-25-22 is not a compliance burden for vendors who have already invested in responsible AI practices. It is a competitive advantage. The barrier it creates is specifically for vendors who have not.