GSA Proposes Sweeping AI Data Safeguarding Rules for LLM Contractors
Highlights
- The U.S. General Services Administration (GSA) has published a proposed rule in the Federal Register introducing GSA Regulation 552.239-7001, "Basic Safeguarding of Data Within Large Language Model Artificial Intelligence Systems." The proposed rule is a significant revision to the GSA's March 2026 draft.
- The clause applies to contracts where government data will be processed by a large language model (LLM). Its requirements must flow down through the entire LLM supply chain, reaching developers, operators, integrators and service providers who may not be party to the prime contract.
- Key obligations include strict government data ownership and use restrictions, "eyes off" data handling requirements, U.S. jurisdictional controls on LLMs, robust incident reporting and a new "Unbiased AI Principles" framework with potential termination-for-cause liability.
- An in-person and virtual public listening session will be held on July 14, 2026, in Washington, D.C., and written comments are due by August 3, 2026. Contractors and supply chain participants should assess their current LLM arrangements now and consider submitting comments on provisions that impose significant operational or compliance burdens.
The rapid adoption of large language model (LLM) systems across the federal government has prompted the U.S. General Services Administration (GSA) to develop standardized contract protections governing how government data is handled within those systems. GSA first circulated a draft clause through its GSA Interact platform in January 2026, followed by an informal draft in March 2026, which was summarized by Holland & Knight. On June 17, 2026, GSA published a notice and request for comments in the Federal Register (FR Doc. 2026-12205, 91 Fed. Reg. 36559), opening an official notice-and-comment period.
The proposed rule would amend 48 C.F.R. Parts 539 and 552 of the General Services Acquisition Regulation (GSAR). When finalized, it will likely apply across GSA's governmentwide contracts, including the Federal Supply Schedules, Governmentwide Acquisition Contracts and OASIS+. The stakes are high: GSA contractors who fail to comply face potential suspension of AI system use, termination for cause and liability for decommissioning costs.
The proposed rule reflects significant revisions from earlier versions that both respond to industry concerns and, in several respects, introduce new and more complex obligations. This Holland & Knight alert summarizes the key changes and highlights the issues most relevant to contractors and their supply chains.
What Changed: The March 2026 Draft vs. the June 2026 Proposed Rule
Scope Narrowed to LLMs – with Important Exceptions
The March draft applied broadly to all "Artificial Intelligence Systems." The June proposed rule narrows the clause's scope to LLMs only, defined as generative artificial intelligence (AI) models trained on vast, diverse datasets that enable natural-language responses to user prompts.
Critically, the clause does not apply when:
- the LLM is embedded in a common commercial product, such as a word processor or map navigation system
- the LLM functionality is incidental to the primary purpose of the core requirement being procured
This is an important concession to industry feedback about the overbreadth of the March draft. However, the boundaries of these exceptions are not self-defining. Contractors whose commercial offerings incorporate LLM features as a secondary capability will need to carefully assess whether their use case falls within the "incidental" exception and should expect that line to be tested.
A New 4-Tier Flowdown Structure
Perhaps the most architecturally significant change is the introduction of four role-specific flowdown clauses that extend the clause's requirements throughout the LLM supply chain:
- GSAR 552.239-7001-1. LLM Developer Flowdown Requirements
- GSAR 552.239-7001-2. LLM System Operator Flowdown Requirements
- GSAR 552.239-7001-3. LLM System Integrator Flowdown Requirements
- GSAR 552.239-7001-4. LLM Service Provider Flowdown Requirements
These roles are defined by reference to the actor categories in Appendix A of the U.S. National Institute of Standards and Technology (NIST) AI Risk Management Framework 1.0. The prime contractor bears responsibility for flowing down applicable paragraphs of the base clause to any subcontractor or service provider functioning in a covered role. Where a single entity performs multiple roles, multiple flowdown clauses apply.
What This Means for the Supply Chain
LLM vendors, cloud infrastructure providers, fine-tuning services, retrieval-augmented generation (RAG) providers and other participants who are not party to the prime contract may now receive obligations that mirror those imposed on the prime. Entities throughout the supply chain should review whether their existing commercial terms are compatible with these requirements and anticipate that prime contractors will seek flowdown compliance as a condition of doing business on covered contracts.
Revamped "American AI" Requirements
The March draft imposed a blunt prohibition: Contractors must use only "American AI Systems," and the use of any AI components "manufactured, developed, or controlled by non-U.S. entities" was flatly prohibited.
The June proposed rule replaces this with a more nuanced, criteria-based framework under the Unbiased AI Principles section. LLMs used on covered contracts must maximize use of systems meeting all of the following criteria:
- Controlling Entity and Jurisdiction. The LLM is developed, managed and operated by an entity incorporated in the U.S. and subject to U.S. law and jurisdiction.
- Protection Against Foreign Compulsion. No foreign government can compel disclosure of government data or operational details that could compromise the LLM's integrity or security. Core model, data storage and output generation components cannot be developed or operated by entities subject to the direction, influence or control of adversary foreign governments (see 15 C.F.R. 791.4).
- Component Flexibility and Risk Mitigation. Incidental foreign-developed components – such as open-source components, published research, ancillary third-party services, or globally operated infrastructure – are permissible, provided they do not introduce security risks or foreign control that would violate the above criteria and the systems storing government data satisfy applicable federal security requirements.
This shift from bright-line prohibition to criteria-based analysis gives contractors more flexibility but also more analytical burden. Contractors with LLMs that incorporate any non-U.S. components will need to conduct and document a risk-based assessment. The reference to 15 C.F.R. 791.4, the adversary foreign government definition used in export control contexts, signals that this analysis could be technically and legally complex.
Strict Government Data Ownership and Prohibited Uses
Both drafts establish that the government retains full ownership of all government data (defined broadly to include all data inputs and data outputs) and custom developments. The June 2026 proposed rule tightens and expands the prohibited uses of government data. Prohibited uses now expressly include:
- training, fine-tuning or otherwise improving an LLM, including those operated by third parties, or developing or improving LLMs for any other customers
- using government data to inform the contractor's advertising, marketing, sales, monetization, strategy or operations or to provide to other government or nongovernment entities
- retaining, accessing or using beyond the scope and duration permitted in the contract
- processing or storing government data with, or transferring it to, any party not authorized under the contract or without appropriate extension (flowdown) of applicable requirements (new in the June draft)
- selling or licensing government data to any party (new in the June draft)
The addition of the last two prohibitions closes potential gaps and reflects concerns about unauthorized data sharing within complex LLM supply chains.
Importantly, the June proposed rule also adds new contractor-side intellectual property (IP) protections that industry had sought. It introduces a defined term, "Background Data," covering the contractor's preexisting proprietary content, reference materials, knowledge bases and other IP that may be incorporated into the LLM's processing or outputs through mechanisms such as retrieval, vector stores or embeddings. It also confirms that the contractor retains ownership of the underlying LLM, base models and Background Data in their original form and adds an express trade-secrets carve-out providing that the contractor need not disclose proprietary source code, model weights or trade secrets. The June proposed rule's license grant to the government was also narrowed (see "What Stays the Same" below).
"Eyes Off" Data Handling – Now with Specific Technical Controls
The March 2026 draft required general "eyes off" data handling procedures restricting human review of government data. The June proposed rule replaces this with a detailed set of automated technical controls that must be implemented at the contract level and customized at the individual task/delivery order level. Required automated processing systems and operational controls include:
- automated data ingestion, processing and response generation without human content review
- technical access controls that prevent personnel from viewing government data
- encrypted data transmission and processing that renders government data unreadable to human personnel
- administrative and technical safeguards that allow system operation, monitoring and maintenance without exposing government data content
- audit logging systems that track data processing activities without capturing or displaying actual government data
These requirements are operationally significant. Prompt and completion logging, debugging traces and human review queues that are common in LLM deployments would need to be redesigned to record processing metadata rather than government data content. Contractors and LLM vendors should assess whether their current architectures meet these standards and budget for any necessary technical changes.
Contractor Due Diligence for the LLM Supply Chain
A new provision requires the prime contractor to exercise due diligence in selecting and overseeing LLM developers, system operators, system integrators and service providers. Specifically, the contractor must:
- notify the contracting officer within 72 hours of any known non-adherence to the clause by any supply chain participant
- demonstrate compliance, either by flowing down applicable requirements or obtaining attestations from supply chain participants with appropriate authority confirming that requirements have been implemented
The attestation pathway offers a practical alternative to full contractual flowdown in some circumstances, but it places significant reliance on the accuracy and completeness of third-party representations. Contractors should carefully document their due diligence efforts.
Change Notification – Renamed, Expanded and More Prescriptive
The March draft's "Change Management" section has been renamed "Change Notification" and substantially expanded. Key notification obligations now include:
- 30 days' advance written notice to the contracting officer before any planned material change affecting services, including: adding, replacing or materially changing any LLM or supply chain participant; changes to data protection controls; changes in Federal Risk and Authorization Management Program (FedRAMP) authorization status; or any modification made to comply with any non-U.S. government statute, regulation or policy
- seven days' notice upon identifying any change that materially increases output bias, decreases safety guardrails or behavioral constraints, or degrades performance or truthfulness of outputs
- immediate notice for emergency or unplanned changes, followed by a description of remediation or rollback actions available
- 30 days' advance notice before discontinuing or replacing any LLM, with concurrent access to successor models for a minimum evaluation period
All notifications must include the description of the change, affected roles, services, systems and Government Data; any limitations, tradeoffs or negative impacts; evaluation approach; any remediation or rollback actions; and confirmation that applicable flowdown requirements have been met.
The seven-day notice obligation for safety and performance degradation is particularly notable. In a rapidly evolving LLM market, model updates that subtly shift performance characteristics are common. Contractors and their LLM vendors will need monitoring and escalation protocols capable of identifying and reporting such changes within this compressed timeframe.
Noncompliance Consequences – with a New Cost Cap
Both the March draft and the June proposed rule preserve the government's right to suspend use of an LLM system for performance issues and terminate for cause if the contractor fails to comply with the Unbiased AI Principles. The June proposed rule adds two important modifications:
- Decommissioning cost liability is capped at a percentage of contract value to be inserted by the contracting officer at the time of award.
- The government must disclose its basis for the termination determination to enable the contractor to understand the government's reasoning and take remedial action.
The cap acknowledges industry concerns about open-ended decommissioning liability, but the percentage is left blank, a critical open issue on which industry should comment. The disclosure obligation, though modest, at least ensures contractors are not left without recourse. The clause also limits decommissioning liability to terminations for cause that follow the contractor's failure to remediate after specific written notice of noncompliance, which is effectively a notice-and-cure protection.
Unbiased AI Principles – More Technically Specific
Both the March draft and the June proposed rule require AI systems to be truthful, prioritize historical accuracy and scientific inquiry, and be neutral and nonpartisan. The June proposed rule makes the nonpartisan obligation more technically specific: Contractors must not intentionally "introduce or embed" partisan or ideological judgments "through methods such as training data selection, fine-tuning, RAG references, system prompts, or other configuration methods."
This language is significant because it reaches beyond the model itself to the full configuration of a deployed LLM system, including system prompts and RAG configurations that are often set by the prime contractor or integrator rather than the underlying model developer. Contractors configuring LLMs for government deployment should review their system prompts, knowledge bases and retrieval configurations with this obligation in mind.
What Stays the Same
Several significant provisions are largely unchanged from the March draft:
- the government's irrevocable, royalty-free, nonexclusive license to use the LLM for the duration of the contract remains – but note that the June proposed rule meaningfully narrowed its scope; the license is "strictly limited to the specific purposes and scope of work defined within the contract or task/delivery order" and the LLM's commercially available features, background data and functionality necessary to perform, a notable retreat from the earlier "any lawful Government purpose" formulation
- the prohibition on LLMs refusing to produce data outputs or conduct analyses based on the contractor's or service provider's discretionary policies (though this cannot require retraining or alteration of model weights)
- the requirement for secure deletion and written certification upon contract completion, termination or expiration
- the data localization requirements restricting government data to agreed-upon premises or authorized services
- the government's right to conduct automated benchmark assessments of bias, truthfulness, safety and unsolicited ideological content – without being required to disclose its benchmarks, test data or methodologies to contractors
- logical segregation of government data from nongovernment customer data
- data portability and interoperability requirements, including export in open, machine-readable formats
Comment Opportunities
GSA has specifically solicited comment on the following questions, among others:
- Does the change in clause prescription adequately address previous concerns about the breadth of the clause's scope?
- Are the requirements for government data ownership and protection and contractor accountability clearly defined?
- Are the roles of the contractor, LLM developer, LLM system operator, LLM system integrator and LLM service provider clearly defined and flowdown paragraphs accurately presented?
- Do you understand how to implement the flowdown clauses?
- Does the clause adequately address risks related to foreign ownership or control of LLMs?
Comments should be submitted by August 3, 2026, through the Federal eRulemaking portal. Industry participants can also attend, virtually or in person, a public listening session from 11 a.m. to 2 p.m. ET on July 14, 2026, at The George Washington University Law School in Washington, D.C. Participants must register by July 3, 2026.
Practical Considerations for Contractors
Prime contractors should immediately audit their current LLM arrangements – including commercial off-the-shelf AI tools used in contract performance – to assess exposure under this clause. Key questions include: Does the LLM process government data? Who are the developers, operators, integrators and service providers in the supply chain? Do existing commercial agreements permit the required flowdowns? Are current technical architectures capable of meeting the "eyes off" data handling requirements?
LLM vendors and technology providers who supply to government contractors should anticipate increased due diligence inquiries, requests for attestations and pressure to accept flowdown clauses. Commercial terms that conflict with the clause's requirements – particularly on data use, training and modification rights – will need to be addressed. Vendors should also assess whether their model update and release processes can accommodate the new change notification timelines.
System integrators who configure LLMs for government deployment bear particular exposure under the Unbiased AI Principles provision, given that system prompts, RAG configurations and other deployment-time choices are now explicitly within scope. Integrators should document their configuration decisions and establish review processes to ensure deployments remain compliant as underlying models evolve.
Subcontractors and service providers at all tiers should review the four flowdown clauses carefully. The flowdown structure means that requirements can reach entities far removed from the prime contract, including those who may not have historically considered themselves government contractors.