OMB M-25-21 reads like a buying spec for fixed-scope AI.
The two federal AI acquisition memos that came out of OMB in April 2025 didn’t get the press they deserved. Most of the coverage at the time framed them as a Trump-administration rewrite of Biden-era AI policy — which is technically true and substantively misses the story. Read together, M-25-21 and M-25-22 are the most specific federal AI buying spec the U.S. government has ever published. They tell you, in roughly 60 pages of combined text, exactly what kind of AI vendor a federal agency is supposed to buy from in 2026 and beyond.
If you have read the memos as a federal AI vendor and you still pitch reserved-cluster, vendor-specific, single-region AI deployments wrapped in a level-of-effort contract, you are mispricing your own risk. The buying spec is right there in the text, and most of the established federal AI integrators are not positioned to deliver against it.
Here is what the memos actually require, why the requirements line up with what we have already been pricing on the commercial side, and what the practical SDVOSB / small-business wedge looks like for the next two years.
What the memos actually say
M-25-21, “Accelerating Federal Use of AI through Innovation, Governance, and Public Trust,” establishes the governance framework. Every covered agency designates a Chief AI Officer, publishes a public AI strategy, maintains a public AI use-case inventory, and adopts minimum risk management practices for any AI system designated “high-impact.” Agencies have until April 15, 2026 to bring every high-impact system into compliance or shut it down. This is not a draft. It is the operating policy of the executive branch.
M-25-22, “Driving Efficient Acquisition of Artificial Intelligence in Government,” is the procurement counterpart. It applies to solicitations issued on or after October 1, 2025 and to contract renewals after that date. The memo’s three core policies are: (1) ensure a competitive American AI marketplace, (2) safeguard taxpayer dollars by tracking AI performance and managing risks across the lifecycle, and (3) promote effective acquisition through cross-functional engagement.
Strip the policy language out and translate it into what a contracting officer is going to ask you for. The memo directs agencies to consider vendor lock-in at every stage of the AI acquisition lifecycle — initial demonstrations, solicitation provisions, contract awards, ongoing data access. It directs them to include contract terms for knowledge transfer, data and model portability, and licensing and pricing transparency. It requires ongoing testing and monitoring rights, with the agency able to evaluate performance, risks, and effectiveness throughout the contract period of performance. It bars vendors from training publicly or commercially available models on non-public agency data without explicit consent. It instructs agencies to ensure that contracts clearly delineate IP rights, with a strong default that the government retains rights to code and models produced under the contract.
The “Buy American” framing got most of the press attention. The portability and lifecycle-monitoring requirements are the part that actually changes who can win this work.
Translating the memos into a buying spec
If you read M-25-22 as a procurement officer trying to write a SOW that will not embarrass the agency in 18 months, the picture comes into focus quickly. You want a vendor that:
Can demonstrate working AI before award (the memo emphasizes testing-before-purchase rights), then deliver a system the agency can continue to test and monitor throughout the period of performance.
You want a vendor whose architecture doesn’t lock you into a single cloud, a single model provider, or a single inference vendor — because lock-in is now an enumerated procurement risk you have to mitigate.
You want a vendor that delivers fixed-scope, deliverable-based engagements rather than reserved-capacity contracts that bill regardless of usage, because the memo’s emphasis on tracking AI performance and managing costs aligns naturally with outcome-based pricing.
You want a vendor whose IP terms are clean — the government gets the code, the models, and the data rights it needs to keep operating the system without the vendor, if necessary.
That is a buying spec. It is not vague. It tells you, fairly precisely, what architectural and contractual posture a vendor needs to have to win against it.
Now hold that up against the typical federal AI engagement circa 2023. Long-term reserved capacity in a single vendor’s cloud. Proprietary model fine-tunes that don’t port. Custom serving infrastructure that requires the vendor to operate it indefinitely. Level-of-effort billing that grows whether the system is working or not. Tool integrations that are bespoke to the vendor’s framework rather than built against an open protocol.
The 2023 engagement model is exactly what M-25-22 is written to prevent. The integrators that built their federal AI practices on the 2023 model are going to adapt — they always do — but the adaptation cycle is 18 to 24 months, and the small vendors that show up next quarter with the right architecture are going to capture the wedge.
Why this matches the commercial pricing model already
The reason this matters is that the architecture and pricing model required by the federal memos are the same architecture and pricing model that survive the math on the commercial side.
I wrote about this last month in the context of the Cast AI 2026 State of Kubernetes Optimization Report — at 5% average GPU utilization across 23,000 production clusters, the reserved-capacity model is structurally underwater for most workloads, and pay-per-inference + edge-stateful-runtime + standardized tool surfaces is the architecture that actually pencils. The commercial market is converging on that architecture because the unit economics demand it.
The federal market is converging on the same architecture because the acquisition policy demands it. Pay-per-inference is portable by construction — you are not reserving capacity in a specific vendor’s hardware, you are buying tokens against a standard contract. Stateless inference at the edge is auditable by construction — every request is a discrete billable event that produces a log line, which is exactly the artifact the memo’s ongoing-monitoring requirements need. Standardized tool surfaces (MCP) are portable by construction — the contract between the agent and the tool is defined by an open protocol, so an agency can swap one vendor’s agent for another’s without rewriting the integration layer.
Three years ago, the commercial and federal AI buying patterns were diverging — federal needed audit trails and security controls that commercial didn’t, commercial needed scale that federal didn’t. In 2026 they are converging on the same architectural answer, for different reasons, with the same vendors winning on both sides if they’re positioned correctly.
The SDVOSB and small-business wedge
This is where it gets interesting for veteran-owned and small-business AI vendors.
The traditional federal AI vendor profile — large integrator, multi-year staffing contract, reserved cloud capacity, level-of-effort billing — is structurally mismatched to the new acquisition spec. Not because the integrators can’t deliver good work. They can. The mismatch is in the contracting posture they are built around. A 500-person federal AI practice does not want to bid fixed-scope, deliverable-based engagements with portability requirements, because that compresses the margin model the practice was sized for.
Small vendors with the right architecture have the opposite problem. They cannot bid 50-person staff augmentation contracts because they don’t have 50 people. They can bid fixed-scope architectural engagements that deliver a working, portable, monitored AI system in 90 days with clean IP transfer and a maintenance plan. Which is exactly what M-25-22 is written to favor.
The set-aside lanes — SDVOSB, VOSB, WOSB, 8(a), HUBZone — are about to be the most interesting place in federal AI procurement, for two reasons. First, the acquisition spec rewards architectural posture more than headcount, and small businesses can deliver the right architecture without the contractual gravity of the integrators. Second, agencies are under explicit pressure to meet small-business contracting goals, and a small-business vendor that shows up with a memo-compliant proposal is the path of least resistance for a contracting officer who needs to thread three different requirements at once.
The NAICS codes that matter for AI-specific federal work — 541511 (Custom Computer Programming), 541512 (Computer Systems Design), 541690 (Other Scientific and Technical Consulting) — all have small-business size standards that most legitimate AI specialty shops fall comfortably under. 541511 and 541512 use a $34M revenue standard. 541690 uses $19M. The set-aside addressable market for AI work in those NAICS codes is, conservatively, hundreds of millions of dollars in FY26 alone, growing fast.
What a memo-compliant proposal actually looks like
Practical translation, if you are writing a federal AI proposal in 2026 and want to map directly to the memos:
Lead with the architecture, not the headcount. The proposal section that explains how the AI will be built, hosted, monitored, and handed off matters more than the org chart.
Demonstrate vendor portability explicitly — name the open protocols you build against (MCP for tool surfaces, OpenAI-compatible APIs for inference, standard logging/observability stacks), and explain what the agency can do without you if it ever needs to.
Commit to fixed deliverables tied to working, testable AI behavior, not to staffing levels or hours billed.
Include a model and data portability plan as a deliverable — what gets handed over, in what format, on what schedule.
Specify the audit trail you will provide for high-impact use cases, mapped to the M-25-21 minimum risk management practices (pre-deployment testing, AI impact assessments, ongoing monitoring, human review, end-user feedback).
Specify the IP rights the agency receives, defaulting to maximum rights for the agency.
Specify what happens to non-public agency data — explicitly bar training on it without consent, and provide a contractual mechanism for the agency to verify this.
Every one of those items is in M-25-22 by name. None of them are optional for new solicitations. A proposal that addresses all of them by name is a proposal that is demonstrably memo-compliant, which is what a contracting officer needs to defend the award.
This is the proposal posture I am taking at Truvisory® for federal AI modernization engagements. Not because the architecture is novel — the architecture is what the commercial math already requires. Because the language of the proposal has to map directly onto the acquisition memo, line by line, so the contracting officer can do their job without rewriting the procurement file.
The buying spec is hiding in plain sight
The OMB memos are public documents. They have been live since April 2025. The October 1, 2025 effective date for new solicitations has already passed. The April 15, 2026 compliance deadline for high-impact systems is six weeks out as I write this. The federal AI procurement landscape has already shifted under the spec the memos define, and most of the existing federal AI vendor ecosystem is still pitching the 2023 engagement model.
This is the consulting wedge. Not “we’ll help you do AI.” Specifically: federal AI modernization that is vendor-portable by construction, pay-per-inference for cost transparency, MCP-first for tool portability, and structured to satisfy M-25-21 and M-25-22 from day one. That’s a buying spec the federal market is going to be looking for, with small-business set-asides attached, and the small vendors with the right architecture are going to capture the wedge before the integrators finish their adaptation cycle.
The memos are not a constraint. They are a buyer’s list. Read them as one.