This bill targets DoD procurement of cloud computing, data infrastructure, and foundation models by compelling competitive award processes and clarifying data ownership and security expectations. It defines key terms (AI, cloud computing, data infrastructure, multi-cloud, and foundation models) and sets thresholds for which providers must be considered in competition.
It also directs updates to protection regimes around government-furnished data and requires reporting on market dynamics and exemptions.
The goal is to bolster competition, reduce vendor lock-in, and ensure that government data remains under exclusive control while maintaining robust security. The bill signals a preference for modular open systems, clear data boundaries, and transparency in how exemptions are granted, with annual reporting to Congress to monitor progress and market concentration.
At a Glance
What It Does
Requires a competitive award process for DoD procurements of cloud, data infrastructure, and foundation models; ensures exclusive government access and use of government data; prioritizes multi-cloud and modular open systems when feasible; directs DFARS updates to protect government data in development and operation of AI products.
Who It Affects
Cloud providers, data infrastructure providers, and foundation model providers that have DoD contracts; DoD contracting and program offices; small businesses and nontraditional contractors seeking entry via open systems and competitive processes.
Why It Matters
Establishes a framework to preserve competition and prevent vendor lock-in in high-stakes AI and cloud deployments, while strengthening data rights and security for government operations. It also formalizes accountability through required reporting on market dynamics and exemptions.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill creates a formal set of rules for how the Department of Defense buys cloud services, data infrastructure, and foundation AI models. It starts by defining core terms so everyone is speaking the same language: what counts as artificial intelligence, cloud computing, data infrastructure, and a foundation model (the large, generally self-supervised AI systems).
It then requires that contracts for these technologies go through competitive award processes, with the government retaining exclusive rights to access and use its data.
A core idea is to balance security and openness. The procurement framework encourages modular open systems and clearly delineates responsibilities and boundaries between the government and contractors.
It aims to reduce barriers to entry for small businesses and nontraditional vendors, and it prioritizes multi-cloud approaches unless national security needs dictate otherwise. The bill also tightens how data furnished by the government is used, stored, and protected, and it provides for exemptions in national-security cases with appropriate notification.Finally, the bill sets up regular reporting to Congress to assess competition, innovation, and market concentration in the AI space, including a transparent list of exemptions granted and recommendations for future action.
Taken together, these provisions are designed to promote competition, protect government data, and encourage interoperable, secure AI and cloud ecosystems for defense needs.
The Five Things You Need to Know
A 'covered provider' is a cloud, data infrastructure, or foundation model provider with at least $50 million in DoD contracts in any of the last five fiscal years.
Procurement provisions require a competitive award process for cloud, data infrastructure, or foundation model procurements.
Government data access remains exclusive to the government; data used to train or improve commercial products requires express authorization.
DFARS updates are directed to protect government data on vendor systems, with penalties for violations and a formal exemption mechanism for national security needs.
A reporting regime begins no later than Jan 15, 2027, with annual updates for four years to Congress on competition, innovation, and market power in AI.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
The act may be cited as the Protecting AI and Cloud Competition in Defense Act of 2025. This naming clause establishes the scope and reference point for all subsequent provisions.
Definitions
This section defines key terms: AI, cloud computing, cloud provider, data infrastructure, data infrastructure provider, foundation model, foundation model provider, multi-cloud technology, and the threshold for what constitutes a 'covered provider'. The definitions align procurement concepts with national security and economic competition considerations, ensuring consistent interpretation across DoD contracting.
Procurement requirements
The Secretary of Defense must embed a competitive award process in contracts with cloud, data infrastructure, and foundation model providers. The government must retain exclusive rights to access and use its data, and the procurement process should emphasize appropriate roles for government IP, data rights, security, interoperability, and auditability. The approach favors modular open systems and balanced work allocation while attempting to lower barriers for small and nontraditional vendors. Multi-cloud approaches are prioritized unless security or other national interests dictate otherwise.
Data training and use protection
The Chief Digital and AI Office is directed to update DFARS provisions so government-furnished data used for AI development remains under government control, cannot be disclosed or used by covered providers without authorization, and cannot be used to train or improve commercial products without permission. It also requires protection of government data stored on vendor systems, aligned with DoD data decrees and DAGIR principles, and imposes penalties for violations, including fines or contract termination. Exemptions can be issued for national security reasons with appropriate notification.
Reporting
The bill requires the Chairman of the Joint Chiefs of Staff, with the Under Secretary of Defense for Acquisition and Sustainment, to report annually to the congressional defense committees on competition, innovation, barriers to entry, and market concentration for AI-related procurement for four consecutive years, plus a public version of the report. The reporting framework increases transparency and informs future legislative or administrative action.
This bill is one of many.
Codify tracks hundreds of bills on Defense across all five countries.
Explore Defense in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Small businesses and nontraditional contractors gain access to competition-friendly procurement processes and open-system approaches that lower entry barriers.
- Data infrastructure and foundation model providers able to participate in multi-cloud and modular open-system environments may win new DoD contracts.
- DoD program offices benefit from clearer data rights, interoperable standards, and improved oversight of AI and cloud acquisitions.
- Congressional defense committees receive regular, structured information on market dynamics and exemptions to guide policy decisions.
- End users within the DoD gain more secure, auditable, and interoperable AI and cloud solutions.
Who Bears the Cost
- Covered providers (cloud, data infrastructure, and foundation model vendors) face higher compliance overhead due to competitive processes and data-right protections.
- Contracting teams and program offices must implement DFARS updates, oversee exemptions, and manage compliance across complex multi-cloud environments.
- Entities seeking exemptions for national-security reasons incur additional administrative burdens to document justifications and notify the CADAI Office.
- Some incumbent vendors may experience pressure from heightened competition and potential shifts in data handling requirements.
- Public reporting requirements entail processes to summarize and publish sensitive information in a redacted or public form.
Key Issues
The Core Tension
The central dilemma is balancing robust data security and national security concerns with the goal of broad competition and innovation in AI and cloud services. Strong, centralized control over data and strict open-system preferences can safeguard interests but may slow interoperability, raise costs, and deter novel entrants if not implemented with reasonable flexibility.
The bill stakes a strong claim for competition and security by embedding a competitive process, tight data protections, and a preference for multi-cloud and modular open systems. In practice, this creates clear benefits for overlooked or smaller players who can compete on a level playing field and for DoD data governance.
However, the requirements also raise questions about potential friction with existing vendor ecosystems, integration timelines, and the cost of compliance across a broad set of cloud and data partners. The exemptions mechanism introduces a controlled lever for national-security exceptions, but it also risks eroding uniform protections if used too frequently or without rigorous justification.
Data rights protections, while strengthening government control over sensitive information, could complicate collaborative AI development if not carefully bounded.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.