GSA Seeks Input on AI Data Protection Regulations
Published Date: 6/17/2026
Proposed Rule
Summary
The General Services Administration (GSA) wants your thoughts on new rules to protect data in AI systems like Large Language Models. If you work with government tech or AI, this could change how you handle data security. Join the July 14 listening session or send your comments by August 3, 2026, to help shape these important rules.
Analyzed Economic Effects
9 provisions identified: 0 benefits, 9 costs, 0 mixed.
Government owns Government Data and custom developments
For contracts using LLMs, the Government retains full ownership of all Government Data and any Custom Developments; contractors receive only a limited, revocable license to use Government Data for the contract duration. Any intellectual property rights the contractor obtains in Government Data or related improvements are assigned to the Government effective immediately upon creation.
Prohibited commercial uses of Government Data
Contractors may not use Government Data to train or fine-tune LLMs, inform marketing or business strategy, retain or use data beyond the contract’s scope, transfer Government Data to unauthorized parties, or sell or license Government Data. These uses are explicitly listed as prohibited.
Strict data handling, localization, and deletion rules
Contractors must implement technical, administrative, physical, and organizational safeguards (including encryption, access controls, and automated processing that restricts human access), keep Government Data only when reasonably necessary, not remove Government Data from agreed premises or FedRAMP-authorized services without written consent, and securely and permanently delete all Government Data and custom developments upon contract completion and certify deletion.
Clause applies when LLMs use Government Data
If you are a contractor on a GSA solicitation and an LLM will process Government Data, contracting officers must insert GSAR clause 552.239-7001 into the solicitation and contract. The clause does not apply when the LLM is embedded in a common commercial product (for example, a word processor or map navigation system) or when LLM functionality is incidental to the core requirement.
Mandatory flowdown to subcontractors and providers
If you are a prime contractor, you must flow down specific paragraphs of clause 552.239-7001 to any subcontractor or service provider performing LLM roles (LLM Developer, System Operator, System Integrator, or Service Provider) using the supplemental flowdown clauses 552.239-7001-1 through -4. Where one entity performs multiple roles, multiple flowdown supplements should be used.
Disclosure and documentation obligations with deadlines
Contractors must disclose all LLMs and the entities filling defined flowdown roles by the date specified in the contract or, if no date is specified, within 120 days after starting work. Contractors must also disclose within 30 days after award whether the LLM was modified to comply with any non-U.S. statutes, and provide, on request, documentation (e.g., system cards, FedRAMP packages, decision logic, and transparency materials) to demonstrate compliance.
Incident reporting, log retention, and CISA reporting
If an incident affects contractors or third parties handling Government Data, contractors must notify the Contracting Officer within 72 hours, provide daily status updates until resolved, preserve relevant logs and forensic artifacts for at least 90 calendar days, and complete the CISA incident reporting form.
Preference for U.S. incorporation and foreign-control limits
The clause directs contractors to maximize use of LLMs developed, managed, and operated by entities incorporated in the United States and subject to U.S. law and jurisdiction. It also requires protections against foreign compulsion and prohibits use of LLM components that are developed, managed, or operated by entities subject to direction or control of adversary foreign governments (see 15 CFR 791.4).
Government testing rights and non-compliance penalties
The Government may run automated assessments of contracted LLMs at any time and may suspend use of an LLM until performance issues are fixed. If the Contracting Officer terminates for cause due to failure to remediate Unbiased AI Principles violations, the contractor may be liable for decommissioning costs up to a percentage of contract value (percentage to be inserted by the Contracting Officer).
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Related Federal Register Documents
2026-04486 — General Services Property Management Regulation (GSPMR); Nondiscrimination on the Basis of the Age Act Regulation for Programs or Activities Receiving Federal Financial Assistance
Starting March 6, 2026, the General Services Administration (GSA) is moving its age discrimination rules from a general government-wide spot to its own property management rulebook—without changing the actual rules. This update affects programs or activities that get federal money and helps keep things clear and organized. No new costs or policy changes, just a smarter way to find and follow the rules!
2025-22915 — Federal Management Regulation; Aligning the Federal Management Regulation (FMR) With the Administration's Deregulatory Priorities
Starting December 16, 2025, the government is updating its Federal Management Regulation to make rules simpler and smarter. This affects how federal agencies handle things like vehicles, mail, property, and transportation, cutting red tape and boosting efficiency. These changes save time and money while making sure everything follows the law and the President’s deregulatory goals.
2025-22289 — Federal Travel Regulation; Reorganizing and Streamlining the Federal Travel Regulation To Improve Operational Efficiency
Starting December 8, 2025, the government is making federal travel rules simpler and easier to follow. These changes affect all federal employees who travel or relocate for work, cutting out confusing and repeated rules to save time and taxpayer money. It’s a smart update that keeps things modern and efficient without losing important protections.
2026-12018 — Information Collection; System for Award Management Quarterly Certification of Compliance With Executive Order 14400, Urgent National Action To Save College Sports
Colleges and universities registered in the System for Award Management (SAM.gov) will now need to confirm every three months that they’re following new rules from Executive Order 14400, which aims to protect college sports. This means more paperwork but helps keep college sports safe and fair. Comments on this new requirement are open until August 17, 2026, with no direct costs announced yet.
2026-10287 — Information Collection; Certain Federal Acquisition Regulation Part 28 Requirements
The government agencies in charge of buying stuff—like the Department of Defense and NASA—are asking for your thoughts on keeping some paperwork rules for three more years. These rules help make sure buying processes are clear and fair, but they want to know if the paperwork is worth the effort or if it can be easier. If you’re involved in government contracts, this could affect how you report info until 2027.
2026-10288 — Information Collection; Architect-Engineer Qualifications (SF-330)
The government wants to keep using the Architect-Engineer Qualifications form (SF-330) for three more years to help pick the best design pros for federal projects. They’re asking architects, engineers, and the public to share thoughts by July 21, 2026, to make sure the form is useful and not too much work. No big cost changes, just a smooth extension to keep things running well.
Previous / Next Documents
Previous: 2026-12171 — Amendment of Class E Airspace Over Staunton, VA
The FAA wants to make the airspace around Staunton, VA bigger and better to support new flight paths at Bridgewater Air Park. Pilots flying by instruments will get safer, clearer routes thanks to this change. If you have thoughts, speak up by August 3, 2026—no costs or delays expected for the public.
Next: 2026-12234 — Wireline Competition Bureau and Office of Economics and Analytics Seek Comment on Proposed 2026 Mandatory Data Collection for Incarcerated People's Communications Services
The FCC wants to collect new info in 2026 about phone and video calls for people in jail to help set fair prices. This affects companies that provide these services and aims to make reporting easier for them. Comments on the plan are open until mid-July, so everyone can share their thoughts before any changes happen.