Section 1513 of the FY2024 NDAA directs the Department of Defense to develop AI-specific guidance and contractor requirements. The implementing regulations have not yet been published as of writing — meaning there is no single statutory drop-dead date in the law itself. What is real and active now is the preparation work: defense contractors who treat Section 1513 as a future problem are likely to be unprepared when DoD’s implementing rules land, and the underlying inventory, governance, and oversight artifacts the statute will rely on are the same artifacts CMMC and the CMMC compliance flowdown under DFARS 252.204-7021 already require.
This post breaks down what Section 1513 actually mandates today, what readiness work contractors should be doing in parallel with CMMC compliance, what formal attestation and disclosure are likely to look like when implementing rules issue, and how the statute layers onto the rest of the defense regulatory stack. The specific milestone dates below are illustrative readiness targets Brine recommends — not statutory deadlines fixed by Section 1513 itself.
What NDAA Section 1513 Actually Requires of Defense Contractors
Section 1513 of the FY2024 NDAA directs the Department of Defense to establish requirements for contractors using AI systems in the performance of covered defense contracts. The NDAA AI requirements for defense contractors center on three core obligations: identifying AI systems used in contract performance, demonstrating that those systems meet applicable trustworthiness and safety standards, and maintaining documentation sufficient to support government review.
“AI system” under the statute is defined broadly. It captures machine learning models, automated decision-support tools, and AI-enabled software components — not just purpose-built defense AI. If your organization uses AI to process controlled unclassified information, support logistics, conduct quality inspection, or assist in contract deliverables, those systems are in scope.
The NDAA Section 1513 AI governance framework the statute calls for is not a one-time checkbox. It requires ongoing oversight mechanisms: policies governing AI system selection and deployment, accountability structures identifying who owns AI risk, and processes for detecting and responding to AI system failures or misuse. The DoD’s implementing guidance has made clear that contractors cannot simply point to a vendor’s AI trustworthiness certification — the obligation sits with the contractor using the system.
Critically, Section 1513 applies to prime contractors and flows down to subcontractors performing work where AI systems are used. That flowdown dimension is addressed in more detail in Section 4 below.
A Recommended Readiness Timeline (Illustrative, Not Statutory)
Important caveat: Section 1513 itself does not fix a specific date by which contractors must complete attestations. The timeline below is a Brine-recommended readiness cadence that contractors can use to be ready when DoD publishes implementing rules. Match it against your own contract calendar, your CMMC assessment timeline, and any prime-contractor flowdown letters you receive.
Q3 2025 — AI System Inventory Complete. Before you can attest to anything, you need a complete inventory of AI systems in scope. This means cataloging every AI tool used in contract performance, mapping it to the contracts and CUI it touches, and classifying each system by risk tier. Organizations that have not started this inventory are already behind.
Q4 2025 — Governance Policies and Accountability Structures Finalized. Section 1513 requires documented governance — not informal practices. By the end of 2025, contractors should have written AI use policies, defined roles (who approves AI system deployment, who monitors it, who escalates anomalies), and a documented risk assessment process. These documents will form the backbone of any attestation package.
Q1 2026 — Internal Audit and Gap Remediation. With policies in place, the first quarter of 2026 is the window for internal audit against the Section 1513 requirements and any DoD implementing guidance issued by that point. Gaps identified here need remediation time before attestation.
Q2 2026 — Attestation Package Ready. By this point, contractors should have a complete attestation package assembled and ready to deliver if DoD’s implementing rules issue or a prime contractor requests an AI flowdown attestation. The documentation needs to be complete, signed by an authorized official, and defensible under audit — even though the precise statutory submission mechanism may not be finalized yet.
Ongoing Post-June 2026 — Continuous Monitoring. Compliance is not a point-in-time event under Section 1513. Contractors will need to maintain their AI governance programs and update attestations when material changes occur — new AI systems deployed, existing systems modified, or new contracts awarded.
Attestation and Disclosure Obligations Under Section 1513
Once DoD’s Section 1513 implementing rules issue, the most likely attestation structure (based on parallel DFARS attestation regimes and the legislative text) is one where a responsible company official — typically at the VP, C-suite, or equivalent level — formally attests that the contractor’s AI systems used in contract performance meet the applicable standards. This will not be a technical certification from an IT team. It will be a legal attestation, and inaccurate attestations on federal contracts have historically carried False Claims Act exposure.
What the attestation must cover:
- Scope statement: Which AI systems are in use, on which contracts, and in what capacity
- Standards conformance: How each system meets applicable trustworthiness criteria (the DoD AI Ethical Principles and the NIST AI Risk Management Framework are the primary reference standards)
- Governance confirmation: That documented policies, accountability structures, and monitoring processes are in place and operational
- Incident history: Disclosure of any known AI system failures, anomalies, or misuse events during the contract period
The NDAA AI disclosure requirements for defense contractors extend beyond the attestation itself. Section 1513 contemplates that contractors will proactively disclose material changes to their AI systems — including replacing a system with a different model, integrating a new AI vendor, or discovering that a previously attested system no longer meets the applicable standards. Disclosure obligations are ongoing, not limited to the initial submission.
Contracting officers at the agency level have authority to request supporting documentation behind any attestation. Contractors should treat their attestation package as audit-ready from day one, not as a summary document that points to documentation that doesn’t yet exist.
How Section 1513 Intersects with CMMC, DFARS, and Flowdown Pressure
Defense contractors navigating Section 1513 are not doing so in isolation. The NDAA AI requirements for defense contractors sit on top of a regulatory stack that is already demanding significant compliance investment.
DFARS 252.204-7021 establishes the CMMC compliance requirement and its associated attestation mechanisms. The AI attestation obligations under Section 1513 are structurally similar — both require a responsible official to attest to compliance, both carry False Claims Act exposure, and both require supporting documentation. For contractors already building CMMC attestation infrastructure, the Section 1513 attestation can be integrated into the same governance and documentation program rather than built separately.
CMMC Phase 2 brings its own November 2026 deadline, meaning contractors face two major compliance milestones within a five-month window. The sequencing matters: CMMC assessment preparation and Section 1513 attestation preparation share significant documentation overlap — AI system inventories, access controls, incident response procedures, and governance policies. Running these as parallel workstreams with shared documentation is more efficient than treating them as separate programs.
Flowdown pressure is the dimension most subcontractors are underestimating. Prime contractors receiving Section 1513 obligations from the government are already beginning to push those requirements down through their supply chains via contract clauses and prime contractor AI flowdown letters. If you are a subcontractor, you may receive a flowdown letter requiring Section 1513 compliance as a condition of continued contract performance — on a timeline set by your prime, not by the government. Those timelines are often shorter than June 2026.
The NDAA Section 1513 AI governance requirements also align with the broader CMMC AI compliance framework that the Defense Industrial Base is being asked to build. Contractors who approach these requirements as a unified program — rather than responding to each regulation separately — will spend less and be better positioned for the audit scrutiny that follows.
Before the Implementing Rules Land
Building a defensible attestation package now (so you're ready when DoD’s implementing rules issue) requires a structured program, not a sprint in Q2 2026. Here is what that program needs to include.
1. Complete an AI System Inventory. Map every AI system used in contract performance. For each system, document: the vendor, the model or version, the data it processes, the contracts it touches, and the risk classification. This inventory is the foundation of everything else — attestation, governance policy scope, and audit response.
2. Adopt a Recognized AI Risk Framework. The NIST AI Risk Management Framework (AI RMF) is the most directly applicable reference standard for Section 1513 compliance. Map your AI systems against the AI RMF’s GOVERN, MAP, MEASURE, and MANAGE functions. Gaps in each function become your remediation roadmap.
3. Establish Documented Governance Policies. Write and approve policies covering: AI system procurement and approval, acceptable use, monitoring and anomaly detection, incident response, and third-party AI vendor oversight. These policies need to be operational — not aspirational documents that describe a future state.
4. Assign Accountability. Section 1513 requires that someone owns AI risk. Designate a responsible official for AI governance (often the CISO, CTO, or a dedicated AI Risk Officer), define their authority, and document the accountability structure. The attestation will be signed by a senior official — that person needs to be confident the underlying program is real.
5. Build Your Attestation Package. Compile the documentation that supports each attestation claim: the inventory, the policy set, the risk assessments, the governance accountability structure, and any incident history. Treat this as an audit package from the start.
6. Plan for Continuous Monitoring. Section 1513 compliance does not end at attestation. Build processes for monitoring AI system performance, detecting anomalies, and triggering re-assessment when systems change. The NDAA AI compliance timeline 2026 is a starting line, not a finish line.
Even without a fixed statutory deadline, the question is no longer whether to start — it is whether your current program will produce a defensible attestation or a liability. The contractors who treat Section 1513 as a documentation exercise will struggle under audit. The ones who build a real governance program now will be positioned to attest with confidence and absorb whatever additional requirements follow.