GenAI PROCUREMENT - 4986.9

(New: 02/2025)

 

Scope:

This Chapter of the GenAI Policy applies to all State Entities except as specifically exempted by statute or policy.

A.  Policy: GenAI Procurement

  1. A State Entity shall consider procurement and enterprise use opportunities in which GenAI can improve efficiency, effectiveness, accessibility, and equity of government operations pursuant to CDT’s procurement policy.
  2. A State Entity must comply with the State Contracting Manual (SCM), Volume 2, Chapter 23, GenAI Procurement Policy and Procedure, when procuring GenAI, as applicable, including but not limited to the mandatory GenAI procurement training.
  3. A State Entity must include the following GenAI disclosure notification language in all solicitations and contracts for IT and telecommunication goods and services.

    “Contractor must notify the State in writing if it: (1) intends to provide GenAI as a deliverable to the State; or (2), intends to utilize GenAI, including GenAI from third parties, to complete all or a portion of any deliverable that materially impacts: (i) functionality of a State system, (ii) risk to the State, or (iii) Contract performance. For avoidance of doubt, the term “materially impacts” as used in this section shall have the same meaning set forth in the State Administrative Manual (SAM) § 4986.2 Definitions for GenAI.”

  4. A State Entity must complete a Certification of Compliance with IT Policies, SIMM 71B.
  5. For all IT, non-IT, and Telecommunication procurements, a State Entity must, prior to award, complete a SIMM 5305-F Generative Artificial Intelligence Risk Assessment to determine if the GenAI risk is low, moderate, or high. The State Entity shall submit the completed 5305-F to CDT for all risk levels.
    1. If a State Entity’s SIMM 5305-F assessment indicates a moderate or high-risk GenAI, the State Entity shall seek consultation with CDT prior to the award.
    2. If a State Entity’s SIMM 5305-F assessment indicates a low-risk GenAI, the State Entity may continue with procurement. Even for low-risk GenAI, CDT may require the State Entity to seek consultation.
    3. The following low-risk GenAI uses are exempt from the 5305-F risk assessment requirement:
      1. Mandatory California Prison Industry Authority (CALPIA) purchases of goods and services (See SCM Vol. 2, Chapter 5, Section 502).
      2. Mandatory services provided by Office of State Publishing (OSP).
      3. Mandatory services provided by CDT.
      4. Purchases from DGS Surplus Property.
      5. Real Property Transactions (e.g. leases, easements, rental agreements, licenses, amendments, etc.).
      6. Interagency agreements between CA state departments that do not include third party contracts.
      7. Commodity types that do not include a technology or service component. Examples include:
        1. Office, medical, and cleaning supplies (staplers, pens, masks, mops, etc.)
        2. Office furniture (chairs, desks, etc.)
        3. Non-IT hardware (hammer, nails, buckets, etc.)
      8. Cloud computing software licenses or subscriptions to access online content including news, training, digital publications, etc.
      9. Any other GenAI use determined by CDT to be low risk.
  6. For all GenAI procurements, a State Entity must complete a SIMM 5310-C Privacy Threshold Assessment and Privacy Impact Assessment and provide it to CDT for review upon request.
  7. A State Entity must have a multidisciplinary governance team to continuously oversee and monitor for new, ongoing, and changing security, privacy, and operational risks throughout the lifecycle of the GenAI use.

B. Contract Security Provisions

For moderate- and high-risk GenAI use, a State Entity must evaluate vendors and suppliers who provide GenAI for compliance with SAM 5300, SIMM 5300, the National Institute of Standards and Technology (NIST) Artificial Intelligence (AI) Risk Management Framework (RMF), and NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, for system controls and principles, including security, transparency, and ethical use of data. This evaluation includes, but is not limited to:

  1. Verifying adherence to state policies, privacy laws, and bias mitigation practices.
  2. Mandating incident reporting, logs, and cooperation in case of system failures or breaches.
  3. Ensuring that vendors and suppliers have robust measures to protect confidential, proprietary, and sensitive data, including encryption, access controls, and compliance with data privacy regulations associated with the state entity’s industry.
  4. Ensuring that vendors and suppliers provide documentation on the development, training, and operation of their GenAI systems, including details on the origin of datasets, algorithms, and any pre-trained models used.

References:

GC 11549.65(c)
Purchasing Authority Standards 100.3
SCM Chapter 23
SIMM 19H
SIMM 71A
SIMM 71B
SIMM 5305-F
SIMM 5310-C


 

Revisions

No Revisions for this item.