June 17, 2026

GSA's New DEI Restrictions, Cybersecurity Requirements: What Federal Contractors Need to Know

Holland & Knight Government Contracts Blog
Gordon Griffin | Susannah L. Gilmore | Hillary J. Freund

The U.S. General Services Administration (GSA) in April 2026 released a revised version of its GSA Form 3517B (the General Clauses) applicable to GSA leases. Coming on the heels of earlier revisions in December 2025 and March 2026, the April 2026 revision introduces a new clause addressing diversity, equity and inclusion (DEI) discrimination and a major consolidation of cybersecurity provisions under a single regulatory framework.

Notably, this impacts more than just new federal leases. In accordance with Executive Order (EO) 14398 discussed below, lessors with existing leases have begun to receive Docusign requests for signatures on proposed lease amendments that incorporate the DEI discrimination provisions, often accompanied by daily reminders.

An analysis of these new compliance obligations, the associated enforcement risk and options for lessors follows.

New DEI Discrimination Requirements

The most notable addition to the General Clauses is Federal Acquisition Regulation (FAR) 52.222-90, Addressing DEI Discrimination by Federal Contractors. This provision was added pursuant to EO 14398, issued on March 26, 2026, and related agency guidance.

The clause contains six elements:

  1. No Racially Discriminatory DEI Activities. Contractors may not engage in any racially discriminatory DEI activities, which the EO defines as disparate treatment based on race or ethnicity in the recruitment, employment (e.g., hiring, promotions), contracting (e.g., vendor agreements), program participation, or allocation or deployment of an entity's resources.
  2. Access to Books and Records. The contractor must furnish all information and reports, including access to books, records and accounts, as required by the contracting agency for purposes of ascertaining compliance.
  3. Remedies for Noncompliance. In the event of noncompliance by the contractor or a subcontractor, the contract may be canceled, terminated or suspended in whole or in part, and the contractor may be declared ineligible for further government contracts. The FAR Council's implementation guidance makes a contractor's failure to comply a cause for possible debarment or suspension.
  4. Reporting of Subcontractor Conduct. The contractor must report any subcontractor's "known or reasonably knowable conduct" that may violate the clause and promptly take any appropriate remedial actions directed by the agency. Notably, the EO does not define the term "known or reasonably knowable conduct," leaving open significant questions about the scope of a contractor's monitoring and reporting obligations with respect to its subcontractors.
  5. Notification of Litigation. The contractor must inform the contracting agency if a subcontractor sues the contractor and the suit puts at issue, in any way, the validity of the clause.
  6. False Claims Act (FCA) Materiality. The contractor recognizes that compliance with the clause is "material" to the government's payment decisions for purposes of the FCA.

The EO directed agencies to include FAR 52.222-90 in all new solicitations and contracts beginning April 24, 2026, and modify existing government contracts to incorporate the clause by July 24, 2026. Many federal lessors have already received requests from the government to execute a bilateral lease amendment containing the new clause for their existing leases.

Although most government contracts contain a "termination for convenience" clause allowing the government to cancel the contract if the contractor refuses to sign a modification, standard GSA leases lack this clause. This means that a lessor may negotiate or refuse to sign a bilateral modification without risk that the government will terminate the lease in response.

Recommendations

  • This will be a case-by-case analysis. Many lessor entities do not have employees, which will lower the compliance obligations and enforcement risk associated with this clause. In contrast, some lessors subcontract back to their affiliates or parent companies, which may have the opposite effect on the risk analysis. Lessors operating in their lease term will likely have fewer contracts to flow their compliance obligations down to than those still in the design and construction phase. All of these considerations should factor into the decision of whether or not to accept this clause into existing leases.
  • The risk of refusal to sign is uncertain at this point. As noted above, GSA leases do not contain termination for convenience rights, so we do not anticipate much risk of a lease termination. However, this clause will be included in all new leases, executions of options and potentially any lease amendment that provides the lessor with any sort of consideration, so it may be unavoidable over the next few years.
  • Lessors should consider taking steps to ensure that the government will cover the lessor's costs of compliance with the new standards prior to signing a bilateral agreement. If a lessor refuses to sign a bilateral modification altogether, the government may subsequently impose a unilateral modification to the lease to add the new clause where the lessor's consent is not required. That would constitute a "change" under the Changes Clause, which in turn would entitle the lessor to an equitable adjustment for compliance costs.
  • Lessors that elect to accept this clause into existing or new leases should carefully review their internal policies, programs and subcontract activities to ensure that they follow the new clause and promptly correct any instances of noncompliance.
  • Lessors should ensure they understand their flowdown obligations, as discussed below.

Cybersecurity Changes

The cybersecurity section of the April 2026 GSA Form 3517B reflects a sweeping consolidation of what were previously seven separate FAR clauses into a streamlined set of provisions under GSA Class Deviation RFO-2025-40. Where the prior version of the form housed separate clauses addressing Kaspersky Lab prohibitions, telecommunications and video surveillance equipment bans, ByteDance/TikTok restrictions and supply chain security orders, the new version merges these into a single comprehensive clause – FAR 52.240-91, Security Prohibitions and Exclusions.

The clause prohibits contractors from providing or using in performance of the lease: any covered application (TikTok or any successor developed by ByteDance), any Kaspersky Lab-covered article, any covered telecommunications equipment or services used as a substantial or essential component of any system or as critical technology, and any Federal Acquisition Security Council (FASC)-prohibited unmanned aircraft system manufactured or assembled by an American Security Drone Act-covered foreign entity.

Other security-related clauses, including FAR 52.204-9 (Personal Identity Verification of Contractor Personnel), GSAR 552.204-9 (Personal Identity Verification Requirements) and FAR 52.240-93 (Basic Safeguarding of Covered Contractor Information Systems), remain substantively unchanged.

Recommendations

  • First, understand what your obligations look like. Many of these clauses were not drafted with leasing in mind and will be largely – if not entirely – inapplicable to the scope of work contemplated by a GSA lease.
  • For those requirements that are applicable, determine who is best positioned to ensure compliance. Most of the applicable compliance requirements will be covered through controls in subcontracting and the sourcing of components and information technology supplies.

Addressing Flowdown Requirements

Both the new DEI-related clause and consolidated cybersecurity clause contain explicit flowdown requirements that prime contractors must carefully manage. Lessors should take stock of their existing subcontracts, vendor agreements and service provider contracts and consider modifications to incorporate the new clauses.

Recommendations

  • The supply chain security requirements – including the ban on Huawei/ZTE products and Federal Acquisition Supply Chain Security Act orders – will primarily (though not exclusively) impact the construction and development phase of leasing, so it's important to make sure general contractors and construction managers understand these sourcing and vendor restrictions.
  • Lessors should develop and maintain, with yearly updates, a simple flowdown provision that can be incorporated into all subcontracts, during both the design and construction phases and the lease term.

Practical Steps for Compliance

The April 2026 revision to GSA Form 3517B adds significant new requirements and a substantial new compliance risk, one that could result in a default termination, FCA liability or even exclusion from government leasing opportunities. This shouldn't be taken lightly, and lessors should consider very carefully whether to sign on for the new DEI obligations.

It is also worth noting that this clause has recently been challenged in federal court by multiple plaintiffs, most recently by 20 states and the District of Columbia in a case filed in the U.S. District Court for the District of Maryland, Maryland v. Hegseth. The complaint alleges numerous violations of the Administrative Procedure Act and argues that the government failed to follow statutorily mandated processes and exceeded its authority to implement policy changes through contract clauses. These are arguments that multiple courts found persuasive when addressing COVID-era testing and vaccination requirements in government contracts. So, the long-term future of this clause remains unclear.

Holland & Knight is available to help federal lessors review their existing policies and programs for DEI or cybersecurity compliance and can help current lessors conduct a risk analysis tailored to their business model to determine how best to respond to requests for lease modifications to incorporate the DEI clause.

For more information or questions, please contact the authors.
