What happened
The US General Services Administration published a proposed rule in the Federal Register on 17 June 2026 (document 2026-12205) introducing a new GSAR contract clause (552.239-7001) governing how federal contractors must handle Government Data when large language models are used in contract performance. Key provisions: the clause applies when an LLM processes 'Government Data'; prohibits broad government licence grants (narrowed from an earlier draft's 'any lawful Government purpose' to the specific scope of the contract); includes a preference for US-incorporated LLM providers; grants a trade secrets carve-out from documentation obligations; caps decommissioning liability; requires written notice-and-cure before termination for cause; and protects pre-existing contractor 'Background Data'. Comments are open for public response.
Why it matters
This is the first US government-wide procurement rule specifically targeting LLM/AI data safeguarding in federal contracts. It operationalises AI data security at the contracting layer — affecting every vendor who deploys an LLM in a GSA-covered contract. The preference for US-incorporated providers and the restriction on government licence scope have significant implications for AI vendors' contract terms and data governance posture. The rule also sets a precedent that other agencies (DOD, DHS) are likely to follow.
Action needed
Submit public comments before the comment deadline. Federal contractors using LLMs in contract performance should: (1) conduct a data-flow audit to identify where Government Data enters LLM pipelines; (2) review licence grants in existing AI vendor agreements against the proposed clause's narrower scope; (3) verify LLM providers are US-incorporated or document justification; (4) update data-handling and decommissioning clauses in subcontracts.