FY2026 NDAA, Section 5303 ("Reports on technology transformation projects at the department")

SEC. 5303. REPORTS ON TECHNOLOGY TRANSFORMATION PROJECTS AT THE DEPARTMENT. (a) Definitions.--In this section: (1) Appropriate congressional committees.--The term ``appropriate congressional committees'' means-- (A) the Committee on Foreign Affairs and the Committee on Appropriations of the House of Representatives; and (B) the Committee on Foreign Relations and the Committee on Appropriations of the Senate. (2) Technology.--The term ``technology'' includes-- (A) artificial intelligence and machine learning systems; (B) cybersecurity modernization tools or platforms; (C) cloud computing services and infrastructure; (D) enterprise data platforms and analytics tools; (E) customer experience platforms for public-facing services; and (F) internal workflow automation or modernization systems. (3) Technology transformation project.-- (A) In general.--The term ``technology transformation project'' means any new or significantly modified technology deployed by the Department with the purpose of improving diplomatic, consular, administrative, or security operations. (B) Exclusions.--The term ``technology transformation project'' does not include a routine software update or version upgrade, a security patch or maintenance of an existing system, a minor configuration change, a business-as-usual information technology operation, a support activity, or a project that costs less than $1,000,000.

(b) Annual Report.-- (1) In general.--Not later than 180 days after the date of the enactment of this Act, and annually thereafter for five years, the Secretary shall submit to the appropriate congressional committees a report on all technology transformation projects completed during the preceding two fiscal years. (2) Elements.--Each report required by paragraph (1) shall include the following elements: (A) For each project, the following: (i) A summary of the objective, scope, and operational context of the project. (ii) An identification of the primary technologies and vendors used, including artificial intelligence models, cloud providers, cybersecurity platforms, and major software components.

(iii) A report on baseline and post-implementation performance and adoption metrics for the project, including (if applicable) with respect to-- (I) operational efficiency, such as reductions in processing time, staff hours, or error rates; (II) user impact, such as improvements in end-user satisfaction scores and reliability; (III) security posture, such as enhancements in threat detection, incident response time; (IV) cost performance, including budgeted costs versus actual costs and projected cost savings or cost avoidance; (V) interoperability and integration, including level of integration achieved with existing systems of the Department; (VI) artificial intelligence, if applicable; and (VII) adoption, including, if applicable-- (aa) an estimate of the percentage of eligible end-users actively using the system within the first three, six, and 12 months of deployment; (bb) the proportion of staff trained to use the system; (cc) the frequency and duration of use, disaggregated by bureau or geographic region if relevant; (dd) summarized user feedback, including pain points and satisfaction ratings; and (ee) a description of the status of deprecation or reduction in use of legacy systems, if applicable.

(iv) A description of key challenges encountered during implementation and any mitigation strategies employed. (v) A summary of contracting or acquisition strategies used, including information on how the vendor or development team supported change management and adoption, including user testing, stakeholder engagement, and phased rollout. (B) For any project where adoption metrics fell below 50 percent of estimated usage within six months of launch, the following: (i) A remediation plan with specific steps to improve adoption, including retraining, user experience improvements, or outreach. (ii) An assessment of whether rollout should be paused or modified. (iii) Any plans for iterative development based on feedback from employees.

(3) Public summary.--Not later than 60 days after submitting a report required by paragraph (1) to the appropriate congressional committees, the Secretary shall publish an unclassified summary of the report on the publicly accessible website of the Department, consistent with national security interests. (c) Government Accountability Office Evaluation.--Not later than 18 months after the date of the enactment of this Act, and biennially thereafter, the Comptroller General of the United States shall submit to the appropriate congressional committees a report-- (1) evaluating-- (A) the extent to which the Department has implemented and reported on technology transformation projects in accordance with the requirements under this section; (B) the effectiveness and reliability of the Department's performance and adoption metrics for such projects; (C) whether such projects have met intended goals related to operational efficiency, security, cost-effectiveness, user adoption, and modernization of legacy systems; and (D) the adequacy of oversight mechanisms in place to ensure the responsible deployment of artificial intelligence and other emerging technologies; and (2) including any recommendations to improve the Department's management, implementation, or evaluation of technology transformation efforts.