OMB M-25-21 & M-25-22: What Federal Agencies Need to Know About AI Acquisition

In April 2025, the Office of Management and Budget issued two memoranda — M-25-21 and M-25-22 — that together replace the prior administration's M-24-10 and restructure how federal agencies use, govern, and acquire artificial intelligence. For agency CIOs, contracting officers, and program managers, the new guidance changes the playbook on AI investment decisions. This brief summarizes what changed, what's required, and what to do about it.

Background: from M-24-10 to the new framework

OMB Memorandum M-24-10, issued under the prior administration, established the first comprehensive federal AI governance regime. It required agencies to designate Chief AI Officers, inventory AI use cases, identify "rights-impacting" and "safety-impacting" AI, and apply specific minimum practices to high-risk systems. The memo was widely cited but also widely criticized as procedurally burdensome.

The 2025 framework retains the core risk-management posture but reorganizes it into two complementary memoranda: M-25-21 governs the use of AI inside federal agencies, and M-25-22 governs the acquisition of AI products and services. The split is deliberate — the new approach distinguishes between agency self-development and procurement, applying different controls to each.

What M-25-21 covers

M-25-21 — "Accelerating Federal Use of AI through Innovation, Governance, and Public Trust" — is the use-side memorandum. Its central tension is in the title: agencies are expected to accelerate AI adoption while strengthening the governance scaffolding around it.

Key provisions include the requirement that agencies maintain a current inventory of AI use cases with risk categorization; appoint or sustain a Chief AI Officer with budgetary and operational authority; designate AI use cases as "high-impact" when they materially affect rights, safety, access to government services, or significant agency operations; and apply minimum risk-management practices — testing, monitoring, transparency, human oversight — to high-impact AI before deployment and on an ongoing basis.

Compared to M-24-10, the practical effect for agency program managers is a clearer decision tree: low-risk AI (productivity tools, internal copilots, document summarization) faces lighter governance overhead; high-impact AI (benefits adjudication, public-facing decisions, safety-critical systems) requires documented risk management, independent evaluation, and continuous monitoring.

What M-25-22 covers

M-25-22 — "Driving Efficient Acquisition of Artificial Intelligence in Government" — restructures how federal agencies buy AI. It targets a real problem: agencies have been purchasing AI products without consistent contracting practices, leaving the government exposed on data ownership, model retraining rights, evaluation criteria, and exit strategies.

The memorandum directs agencies to incorporate specific clauses into AI acquisitions covering vendor transparency on training data and model architecture; government rights to outputs, embeddings, and fine-tuning artifacts; clear exit-strategy provisions to prevent vendor lock-in; performance evaluation tied to mission outcomes rather than vendor-reported metrics; and security requirements aligned with NIST guidance for the relevant impact level.

The memo also encourages the use of competitive vehicles — GSA MAS, government-wide acquisition contracts, and category-management approaches — for AI services, while preserving set-aside authorities for small business socioeconomic programs.

What changed practically

For agency staff who lived through M-24-10 compliance, three things are most different under the new framework.

First, the inventory and risk-categorization process is preserved but lightly streamlined. Agencies with mature M-24-10 inventories can largely carry them forward, updating categorization where impact levels have changed.

Second, acquisition is now an explicit lever of governance. Under M-24-10, AI governance was largely a use-side concern; M-25-22 treats vendor selection and contract structure as primary controls. Contracting officers play a larger role in the AI lifecycle than before.

Third, the policy bias has shifted toward acceleration. Where M-24-10 read as a cautionary risk-management framework, M-25-21/22 read as an enabling framework that wants more federal AI deployed faster, with risk management as the price of admission rather than the obstacle to entry.

What agencies need to do now

Five action items follow directly from the memoranda.

Update the AI use case inventory. Re-validate every entry against the new impact criteria. New high-impact designations should trigger the documented risk-management workflow before continued operation.

Refresh AI acquisition templates. Standard clauses, evaluation criteria, and statement-of-work templates should be updated to reflect M-25-22 requirements on transparency, data rights, and exit provisions.

Train contracting officers. COs are now on the front line of AI governance. They need to know what to ask vendors, what to write into solicitations, and what to monitor during performance.

Confirm CAIO authority and resourcing. A Chief AI Officer without budget, staff, or veto power is a paper position. The memoranda assume real authority; agencies should validate that their CAIO actually has it.

Strengthen vendor diligence. M-25-22 raises the bar on what vendors must demonstrate. Agencies should expect to ask harder questions and to walk away from vendors who can't answer them.

What it means for AI vendors selling to government

For vendors, the new framework rewards transparency and discipline. Vendors that can demonstrate NIST AI RMF alignment, articulate clear data-handling and exit-strategy positions, support government performance evaluation rather than relying on vendor-reported claims, and bring small-business credentials where applicable will find shorter paths to award. Vendors who rely on opacity, perpetual vendor lock-in, or vague claims of "AI capability" will find the path harder.

The bottom line

M-25-21 and M-25-22 don't repeal federal AI governance — they restructure it. Agencies that have already built M-24-10 compliance muscle can carry most of it forward; the lift is concentrated in acquisition practices and in clarifying the boundary between low-risk and high-impact systems. The deeper signal is one of acceleration: the federal government wants more AI in production, and the contracting officers, program managers, and vendors who internalize the new framework will move faster than those waiting for further guidance.

Need help applying this in your agency?

Legion Implementation Group is a veteran-owned AI implementation partner for federal, state, and local agencies (SBA VetCert SDVOSB certification in progress). A 30-minute call is usually enough to know whether we can help.

Request a Capabilities Briefing →