GSA unveils new AI-specific acquisition rule

The General Services Administration has unveiled a set of proposed changes to acquisition regulations that include new language governing how agencies buy artificial intelligence products and services.

If finalized, the new rule would create new requirements for data protection and intellectual property on contractors that use large language models to process government data.

GSA Regulation clause 552.239-7001, Basic Safeguarding of Data within Large Language Model Artificial Intelligence Systems (LLMs), was posted to the Federal Register on June 17 for industry to weigh in on.

The proposed rule applies to GSA’s government-wide contracts such as the Federal Supply Schedule, government-wide acquisition contracts and the OASIS+ professional services vehicle.

GSA is also seeking to clarify contractor responsibilities for LLMs in the proposed rule, which also highlights flow-down requirements and attestations as core to its implementation and enforcement.

The proposal breaks out contractors into four roles regarding AI development and implementation: LLM developers, LLM system operators, LLM systems integrators and LLM service providers.

Developers are the creators of the LLM models. Service providers are responsible for deploying, operating and monitoring the models. Systems integrators configure and adapt the LLM systems for government environments. System operators provide hosting and other access capabilities.

Each role has a specific flow-down clause in the proposed rule, so prime contractors must determine which role or roles their vendors hold to apply the clauses.

As our colleagues at NextGov/FCW reported ahead of that posting, GSA sought to balance its desires to encourage market growth and foster competition while also benefitting agencies and taxpayers.

The proposed rule defines government data as covering inputs and outputs generated by LLMs in the performance of the contract.

Contractors would have to disclose all LLMs used or made available in the performance of a contract or task/delivery order within 120 days of commencing work, unless another date is specified in the contract or order. All entities filling different LLM roles would have to be disclosed as well.

Contracting officers and all other government-provided points of contact must be notified within 72 hours of the discovery of incidents related to LLMs and the handling of government data.

GSA’s proposal has five specific questions it wants industry and other stakeholder communities to respond to:

1. Does the change in clause prescription adequately address previous concerns about the broadness of the scope of the clause?
2. Are the requirements, such as government data ownership and protection and contractor accountability, clearly defined?
3. Are the roles and responsibilities of the contractor, LLM developer, LLM system operator, LLM system integrator, and LLM service provider clearly defined and are flow-down paragraphs accurately presented?
4. Do you understand how to implement the flow-down clauses?
5. Does the clause adequately address risks related to foreign ownership or control of LLMs, where changes to the LLM could covertly affect government data, outputs, or decisions without changing the contracting entity?

All comments and answers to GSA’s questions and the proposed rule are due by Aug. 3, 2026. GSA will also hold a public listening session on July 14. Registration for that event closes on July 3.