Flash Brief: HHS AI Classification Discrepancy

Event Type: Policy Change

Severity: MEDIUM

Date: 2025-01-XX

Classification: UNCLASSIFIED//PUBLIC

---

TL;DR

HHS has classified fewer than 1% of its nearly 450 AI use cases as "high-impact" requiring enhanced risk management oversight—a stark contrast to DHS (Department of Homeland Security) (23%), DOJ (36%), and VA (59%). This classification gap signals inconsistent AI governance implementation across federal agencies and creates immediate compliance uncertainty for contractors developing AI solutions. Contractors must prepare for potential reclassification waves, agency-specific AI risk frameworks, and heightened scrutiny on existing HHS AI deployments. The discrepancy represents both a compliance risk and a strategic opportunity for firms that can navigate multi-agency AI governance requirements.

---

Key Points

• What Happened: HHS reported nearly 450 AI use cases but designated fewer than 1% as "high-impact" under OMB AI guidance, significantly lower than peer agencies. This suggests either genuine low-risk AI adoption or systematic underclassification that may trigger future corrective action.
• Who Is Affected: Prime contractors and subcontractors delivering AI/ML solutions, healthcare IT systems, data analytics platforms, and digital transformation services to HHS, DHS, DOJ, and VA. Firms holding OASIS+, CIO-SP4, NITAAC CIO-CS, GSA (General Services Administration) MAS, and Alliant 3 vehicles face immediate compliance review requirements.
• Timeline: HHS's AI inventory is published and under interagency review now. Expect OMB or GAO scrutiny within 60-90 days, potential reclassification guidance within 120 days, and contract modification requests for existing AI deployments within 6 months.
• What Contractors Should Do NOW: Audit all active HHS AI deliverables against NIST AI RMF criteria, cross-reference classification standards used by DHS/DOJ/VA, prepare impact statements for potential reclassification, and engage HHS program offices to clarify risk assessment methodologies before formal guidance changes.

---

Who Is Affected

Primary Impact Segments:

• Artificial Intelligence/Machine Learning solution providers
• Healthcare IT system integrators
• IT Services firms with AI-enabled platforms
• Data Analytics and Software Development contractors
• Risk Management & Compliance consultancies
• Digital Transformation service providers

NAICS Codes:

• 541512 (Computer Systems Design Services)
• 541511 (Custom Computer Programming Services)
• 541513 (Computer Facilities Management Services)
• 541519 (Other Computer Related Services)
• 541715 (R&D in Physical, Engineering, and Life Sciences)
• 541990 (All Other Professional, Scientific, and Technical Services)
• 518210 (Data Processing, Hosting, and Related Services)
• 541330 (Engineering Services)

Affected Agencies:

• HHS (primary concern—potential reclassification wave)
• DHS, DOJ, VA (comparative benchmarks for risk classification)
• All CFO Act agencies implementing OMB AI guidance

Contract Vehicles at Risk:

• OASIS+ (AI/ML task orders under review)
• CIO-SP4 (healthcare IT AI implementations)
• NITAAC CIO-CS (data analytics AI tools)
• GSA MAS (AI-enabled SaaS and professional services)
• Alliant 3 (enterprise AI transformation projects)

Compliance Surfaces:

• OMB M-24-10 AI Guidance (risk classification methodology)
• NIST AI Risk Management Framework (impact assessment criteria)
• FedRAMP (Federal Risk and Authorization Management Program) (AI system authorization boundaries)
• FISMA (AI security control inheritance)
• Section 508 (AI interface accessibility)
• HIPAA (AI processing of protected health information)

---

Frequently Asked Questions

Q: Why does HHS's low "high-impact" classification rate matter for my contracts?

If HHS has systematically underclassified AI use cases, expect retroactive compliance requirements when OMB or oversight bodies force reclassification. Contracts currently operating under "not high-impact" assumptions may suddenly require enhanced risk management documentation, additional security controls, bias testing, explainability features, and human review processes. This triggers contract modifications, cost growth, and schedule delays. Proactive contractors should audit their AI deliverables now against the stricter standards applied by DHS, DOJ, and VA to avoid surprise compliance gaps.

Q: How do I know if my HHS AI solution should be "high-impact" under the stricter interpretation?

Apply the NIST AI RMF impact criteria used by higher-classifying agencies: Does your AI system (1) make or materially influence decisions about individuals' rights, benefits, or access to services? (2) Process sensitive PII or health data at scale? (3) Operate with limited human oversight in critical workflows? (4) Affect safety, civil rights, or civil liberties? If yes to any, prepare for "high-impact" reclassification. Cross-reference your system against DHS's 23% classification rate—if comparable DHS AI tools are high-impact, yours likely should be too. Document your risk assessment methodology now to demonstrate due diligence.

Q: What's the strategic opportunity in this classification discrepancy?

Contractors who master multi-agency AI governance requirements gain competitive advantage. Firms that can deliver AI solutions meeting the strictest standards (VA's 59% high-impact threshold) can compete across all agencies without solution redesign. Build proposal win themes around "governance-ready AI" that exceeds HHS's current requirements but aligns with government-wide best practices. Position your firm as the partner that prevents reclassification crises. Develop reusable compliance artifacts (bias testing protocols, explainability frameworks, human oversight architectures) that work across HHS, DHS, DOJ, and VA—then leverage those investments across your entire federal AI portfolio.

---

Definitions

• High-Impact AI Use Case: Under OMB M-24-10, AI systems that have the potential to meaningfully impact civil rights, civil liberties, or safety; or are used in sensitive domains like law enforcement, benefits determination, or critical infrastructure. High-impact designations trigger mandatory minimum practices including impact assessments, ongoing monitoring, human review processes, and opt-out mechanisms.
• NIST AI Risk Management Framework (AI RMF): Voluntary framework providing a structured approach to identifying, assessing, and managing AI risks across the system lifecycle. Federal agencies use AI RMF criteria to classify impact levels and determine appropriate risk management practices. The framework addresses trustworthiness characteristics including validity, reliability, safety, security, resilience, accountability, transparency, explainability, interpretability, privacy enhancement, and fairness.
• OMB M-24-10: Office of Management and Budget memorandum "Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence" issued March 2024. Establishes government-wide requirements for AI governance, including mandatory minimum practices for high-impact AI, agency Chief AI Officer designation, AI use case inventory publication, and annual compliance reporting.
• AI Use Case Inventory: Public catalog of AI systems used by federal agencies, required under OMB M-24-10. Inventories must include use case descriptions, impact classifications, deployment status, and compliance with minimum practices. Discrepancies in classification methodologies across agencies reveal inconsistent AI governance maturity and risk assessment rigor.
• Reclassification Risk: The compliance and operational exposure created when an AI system initially designated as low or moderate impact is subsequently determined to meet high-impact criteria. Reclassification triggers retroactive compliance requirements, contract modifications, and potential operational suspension until enhanced risk management practices are implemented.

---

Intelligence Response

Cabrillo Signals War Room detected this classification discrepancy by continuously monitoring agency AI inventories, OMB guidance implementation, and cross-agency compliance patterns. The platform automatically flagged HHS's statistical outlier status (sub-1% vs. 23-59% peer rates) and correlated it with active contract vehicles, affected NAICS codes, and compliance surface changes. This briefing was generated and routed within 4 hours of public reporting.

Immediate Platform Actions:

Cabrillo Signals Match Engine should be configured to rescore all HHS AI/ML opportunities in your pipeline. The classification discrepancy increases probability of mid-contract compliance changes, affecting win probability, cost estimation, and risk ratings. Set automated rescoring triggers for any HHS solicitation mentioning "artificial intelligence," "machine learning," "automated decision," or "algorithmic system." Cross-reference against DHS, DOJ, and VA AI solicitations to identify agencies applying stricter governance standards—these represent lower compliance risk.

Cabrillo Signals Intelligence Hub requires immediate saved search configuration for: (1) HHS AI governance policy updates, (2) OMB guidance revisions or clarifications on impact classification, (3) GAO or OIG reports on AI risk management implementation, (4) SAM.gov (System for Award Management) solicitations from HHS containing AI RMF or high-impact AI language, and (5) contract modifications on existing HHS AI vehicles (OASIS+, CIO-SP4) adding compliance requirements. Set alert frequency to daily for the next 90 days during the likely policy clarification window.

Proposal Studio (Proposal OS) compliance matrices must be updated to address dual-standard AI governance. For HHS proposals, build compliance narratives that meet current low-impact requirements while demonstrating readiness for high-impact reclassification. Populate the win theme library with "governance-ready AI" positioning, "multi-agency AI compliance experience" differentiators, and "reclassification-proof architecture" technical approaches. Configure the bid/no-bid decision engine to flag HHS AI opportunities with elevated compliance risk scores until classification methodology stabilizes.

Notification Chain:

• Capture Managers (immediate)—Need to assess active HHS AI pursuits for reclassification risk and adjust capture strategies, teaming decisions, and pricing assumptions. Must engage HHS program offices within 48 hours to clarify risk assessment expectations.
• Proposal Directors (within 4 hours)—Must update compliance matrices, win themes, and technical approach templates for all AI-related proposals across HHS, DHS, DOJ, and VA. Need to brief proposal teams on multi-agency governance positioning strategies.
• Program Managers with Active HHS AI Contracts (within 8 hours)—Must audit current deliverables against high-impact criteria, document risk assessment methodologies, and prepare impact statements for potential contract modifications. Should initiate proactive discussions with CORs and program offices.
• Business Development VPs (within 12 hours)—Need to understand strategic implications for HHS pipeline, assess competitive positioning against firms with stronger AI governance capabilities, and evaluate teaming opportunities with AI compliance specialists.
• Chief Technology Officer / Chief AI Officer (within 24 hours)—Must review enterprise AI architecture standards to ensure HHS solutions can scale to high-impact requirements without redesign. Should assess reusable compliance artifact investments (bias testing, explainability frameworks) that work across all agencies.
• Contracts and Compliance Directors (within 24 hours)—Need to prepare for potential contract modification negotiations, assess cost impact of reclassification scenarios, and develop compliance upgrade roadmaps for existing HHS AI deliverables.

First 48-Hour Playbook:

Hour 0-4: Capture managers identify all active HHS AI pursuits and contracts in pipeline. Pull current AI use case descriptions, impact classifications, and compliance narratives. Flag any deliverables that would be classified as high-impact under DHS/DOJ/VA standards. Brief executive leadership on exposure scope.

Hour 4-12: Proposal directors convene rapid response team to update compliance matrices and win themes. Pull NIST AI RMF documentation and OMB M-24-10 minimum practices. Cross-reference HHS solicitation language against DHS/DOJ/VA AI requirements to identify governance gaps. Update Proposal Studio libraries with dual-standard compliance approaches.

Hour 12-24: Program managers with active HHS AI contracts conduct technical audits of current deliverables. Document existing risk management practices, bias testing protocols, human oversight mechanisms, and explainability features. Prepare gap analysis comparing current state to high-impact requirements. Draft proactive compliance upgrade proposals for COR discussion.

Hour 24-48: Business development initiates outreach to HHS program offices on active pursuits. Ask clarifying questions about AI risk assessment methodology, impact classification criteria, and anticipated policy changes. Position firm as proactive governance partner. Simultaneously, assess competitive intelligence—which competitors have multi-agency AI governance experience? Evaluate teaming opportunities to fill capability gaps. Update capture plans with reclassification risk mitigation strategies.

Related Resources:

• Secure Operations Guide (/insights/secure-operations-guide) — Framework for managing compliance changes across active contracts
• CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide) — Risk-based compliance methodology applicable to AI governance
• CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide) — Data handling protocols for AI systems processing sensitive information

---