The General Services Administration (GSA) is seeking public comment on a proposed acquisition regulation clause that would establish requirements for how Large Language Model Artificial Intelligence Systems (LLMs) handle government data when used under GSA contracts. While the proposal is not yet a final rule, it offers an early look at how GSA may approach future acquisition requirements for AI systems that process government data.
According to the notice, the proposed clause could eventually be incorporated into GSA contract vehicles such as the Federal Supply Schedule program, Governmentwide Acquisition Contracts (GWACs), and OASIS+.
A Focus on Government Data
The proposed clause applies when government data is processed by an LLM and establishes requirements governing how that data is handled, protected, stored, and used.
Among the areas addressed in the proposal are:
- Government ownership of government data and custom developments
- Restrictions on the use of government data
- Data handling and safeguarding requirements
- Data localization requirements
- Data portability and interoperability
- Incident reporting and documentation requirements
The proposal would also prohibit contractors from using government data to train, fine-tune, or otherwise improve LLMs except as expressly authorized under the contract.
Responsibilities Across the AI Ecosystem
Recognizing the complexity of modern AI environments, GSA proposes distinct responsibilities for multiple participants involved in delivering AI capabilities.
The draft establishes separate roles for:
- LLM Developers
- LLM System Operators
- LLM System Integrators
- LLM Service Providers
The proposal would require contractors to flow down certain requirements to subcontractors and service providers performing these functions.
According to GSA, the objective is to ensure that safeguarding requirements extend throughout the AI supply chain when government data is involved.
New Transparency and Oversight Requirements
The proposed clause would require contractors to provide information regarding the LLMs used in contract performance and identify the entities responsible for developing, operating, integrating, or supporting those systems.
The draft also includes requirements related to:
- Human oversight and intervention capabilities
- Auditability and traceability
- Compliance documentation
- Incident reporting
- Change notification
- Government evaluation rights
Contractors would be required to notify the Government of certain material changes involving models, providers, hosting environments, security controls, and other modifications that could affect contract performance or government data.
Foreign Ownership and Control
GSA is also requesting industry feedback on whether the proposed clause adequately addresses risks associated with foreign ownership, influence, or control of LLMs.
The draft includes provisions related to jurisdiction, foreign government influence, and entities involved in processing government data. GSA specifically asks commenters whether the proposal sufficiently addresses situations where changes to an LLM could affect government data, outputs, or decisions without changing the contracting entity.
What Contractors Should Watch
More broadly, the proposal represents one of GSA’s most detailed efforts to establish acquisition requirements specifically addressing the use of large language models in federal contracting environments.
The draft goes beyond traditional cybersecurity requirements and addresses topics such as AI data rights, contractor accountability, supply chain transparency, operational oversight, model governance, and change management.
For contractors supporting federal AI initiatives, cloud modernization efforts, digital transformation programs, and emerging technology projects, the notice provides insight into how GSA is evaluating future requirements for AI systems that process government data.
GSA is accepting public comments and plans to hold a listening session as it gathers additional industry feedback before determining next steps.
