Skip to Main Content

Keeping you informed

General Services Administration Proposes New AI Data Safeguarding Requirements for Government Contractors

    Client Alerts
  • July 09, 2026

The General Services Administration published a revised draft of a proposed clause on June 17, 2026, that would establish data safeguarding requirements for government contractors using large language model (LLM) artificial intelligence systems to process government data. The GSA has indicated that the draft clause may proceed through a General Services Acquisition Regulation (GSAR) deviation and/or formal rulemaking.

The June proposal is an updated version of a proposed contract clause that, as we analyzed in a client alert in May, could have sweeping ramifications for AI use by government contractors across the federal IT supply chain. The GSA’s revised contract clause addresses comments the administration received on the initial draft and other developments on the use of LLMs across government.

The comment period on the June proposal closes August 3, 2026.

What the Proposed Clause Would Cover

If adopted, the proposed clause, GSAR 552.239-7001, would apply to solicitations and contracts, including those for commercial products and services, when government data will be processed by an LLM. It may be used in GSA government-wide contracts, including Federal Supply Schedule, Governmentwide Acquisition Contracts (GWACs), and OASIS+. The clause would not apply where an LLM is embedded in a common commercial product (such as a word processor) or where LLM functionality is merely incidental to the primary work being performed.

The draft addresses several key areas, among others:

  • Government data ownership and use restrictions: The government would retain full ownership of all data it provides to an LLM system and all outputs that system generates. Contractors would be prohibited from using that data to train AI models, inform their own business decisions, or transfer it to unauthorized parties. Government data may be received and processed only by specified LLM supply-chain participants, including LLM developers, operators, integrators, and service providers, provided the applicable clause requirements are flowed down to those entities.
     
  • Unbiased AI principles: Contractors would be required to ensure that deployed LLMs are truthful, nonpartisan, and not configured to embed partisan or ideological bias through training, fine-tuning, system prompts, or other means. The government would reserve the right to conduct its own automated assessments of deployed systems and could suspend use of an LLM pending remediation of identified issues.
     
  • Foreign adversary safeguards: Contractors would be required to maximize the use of LLMs developed, managed, and operated by U.S.-incorporated entities that are subject to U.S. law and jurisdiction. LLMs must have protections against foreign compulsion, including ensuring that the LLM and core components must not be developed, managed, or operated by entities that are subject to direction, influence, or control of an adversary foreign government, as defined under the Information and Communications Technology and Services (ICTS) supply-chain regulations at 15 CFR 791.4. The clause does allow incidental foreign-developed components, ancillary third-party services, and globally operated infrastructure, provided they do not introduce prohibited foreign-control risks and government data systems meet applicable federal security requirements.
     
  • Change notification: Contractors would be required to provide at least 30 days' advance written notice before making material changes to an LLM used under a contract, including swapping providers, reducing data protection controls, or modifying the LLM to comply with a non-U.S. government requirement. Notice within seven days would be required when a change meaningfully increases bias, degrades safety features or degrades performance or truthfulness of outputs.

Beyond these highlights, the proposed clause also imposes significant operational obligations, including incident reporting within 72 hours (including completion of the Cybersecurity and Infrastructure Security Agency incident reporting form), data localization and logical-segregation requirements, human-oversight and traceability tools, personally identifiable information (PII) controls, data-portability and interoperability obligations, and secure deletion with written certification upon contract completion.

What This Means for Contractors

While this is only a proposed clause, contractors can nonetheless begin taking steps now to understand the changes proposed by GSA and prepare for GSA adoption of an expansive LLM clause.

Under the proposed changes, government data could not be used to improve the contractor's own products, inform its business strategy, or benefit other customers. These restrictions extend to every party in the LLM delivery chain, not just the prime. Contractors should begin assessing tools now to ensure that these safeguards are in place.

The unbiased AI principles provision presents a compliance challenge that is harder to manage than most contract requirements. The government would assess deployed LLMs against its own benchmarks, and the clause does not require disclosure of those benchmarks absent an adverse action.

Contractors can reduce their exposure by engaging LLM providers about their bias-testing methodologies, maintaining records of system configurations and any content guardrails in place at the time of performance, and building contractual rights to receive advance notice from their LLM providers of any model changes that could affect output behavior. That documentation will matter if the government identifies a problem and the contractor needs to demonstrate what it deployed and when.

The foreign-adversary provisions will drive tool selection. Companies using LLMs with significant overseas development or ownership connections should assess how those products would fare under this standard.

In order to meet the flow down obligations, companies that rely on commercial AI tools should assess now whether those vendors would accept government-mandated flow down terms, and factor that risk into subcontracting decisions.

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.