In the three weeks since the General Services Administration updated its proposed regulations for the basic safeguarding of data within large language model artificial intelligence systems, vendors and other interested parties have only officially submitted six comments.
But that is not because there isn’t a lack of interest or questions about the new proposed rule that GSA would apply to all schedule and governmentwide acquisition contracts under their purview. The comments likely will start pouring in after GSA holds a listening session on July 14 in Washington, D.C. Registration closed on July 3.
Vendors and other AI experts say GSA did a good job updating the proposal from the previous version released in March. GSA reissued the updated draft regulations on June 17 with a request for comments that closes on Aug. 3.
Laura Stanton, the acting commissioner of GSA’s Federal Acquisition Service, said in May at the Coalition for Common Sense in Government Procurement conference, that before the agency released the updated regulations they received a lot of initial feedback on the draft rule. She said GSA better understood the pain points of the different aspects in the proposed rule.
In the updated regulations, GSA asked contractors, agencies and others to weigh in on several of the big questions, including:
- Does the change in clause prescription adequately address previous concerns about the broadness of the scope of the clause?
- Are the requirements such as government data ownership and protection and contractor accountability clearly defined?
- Are the roles and responsibilities of the contractor, LLM developer, LLM system operator, LLM system integrator, and LLM service provider clearly defined and flow down paragraphs accurately presented?
- Do you understand how to implement the flow down clauses?
- Does the clause adequately address risks related to foreign ownership or control of LLMs, where changes to the LLM could covertly affect government data, outputs or decisions without changing the contracting entity?
Several experts praised GSA’s changes, especially around tightening the definitions and the specific application of the rule in regard to LLMs, as well as the flow down expectations from contractors to subcontractors.
Data governance changes
Jose Arrieta, the founder of Imagineer, a former chief information officer at the Department of Health and Human Services and a former director of GSA’s IT schedule, said this is the most consequential regulation since the agency issued the cloud security rule to implement the Federal Risk Authorization Management Program (FedRAMP).
“When this is finalized, every federal AI contract eventually will reference one clause. This is foundational for how the government buys and governs AI for next decade. Companies that don’t take this seriously will be left behind,” Arrieta said in an interview with Federal News Network. “The government got the data governance piece right in this proposal. That is a core principle. The proposal says that government data will not be used to be train commercial models. I think that’s correct as the controls over government data are important.”
Jessic Tillipman, an associate dean for government procurement law studies at the George Washington University, said GSA addressed many of the problems with the initial draft.
“They got rid of the lawful use and mandatory Made in America provisions that came out in the initial rule. They also created separate flow down requirements depending on LLM. That got much better because it was a blanket flow down initially. Now there are four different clauses and GSA created an attestation provision to help mitigate the flow down requirements on the prime,” Tillipman said in an interview with Federal News Network. “I still think you can read the tension in the draft regulations between the administration priorities and what it feels like the career folks are working on.”
At the same time, experts also say GSA still must address some outlying issues in the proposal.
One industry executive, who requested anonymity because they work closely with GSA and didn’t want to impact their relationship with the agency, said the decision to expand the scope and applicability of the rule to all GSA-run contracts will raise some new questions.
“I think there will be a lot of contractors who will want to know how the new regulations will apply to the Defense Department’s use of these vehicles, and how the requirements will map to other contract vehicles outside of GSA,” the executive said. “Another big question is around how attestation will work. Who is asking for it and how it’s collected? Is it the agency using the vehicle or GSA? Those are some of the questions that need answering and could make it challenging to implement.”
Defining ideological neutrality isn’t easy
Arrieta said among the areas he’d like to see some more details or improvements is around the prohibition of the foreign ownership requirement for LLMs.
He said requiring only U.S. corporate entities to develop LLMs may sound reasonable on the surface, but it will create a barrier to entry for many small to medium-sized firms because of how globally distributed AI development is today.
“Between open source and international development teams, this provision literally narrows the compliant vendor pool and narrows the options down to hyper scalers only,” he said. “A mid-tier company doesn’t easily meet the foreign ownership model. For example, if someone is using an automated AI coding tool, the person using it doesn’t have control of where the initial logic is built to build the code or to support the government even if it’s running on a cloud service provider in North America. You can’t certify full development lineage and you can’t compel them to meet foreign ownership requirements. It will create a documentation burden and I’m not even sure how the big integrators can do that, let alone small or midsized companies. There is a risk and an attention to implementation that we need to be aware of and honest about.”
Several other questions emerged around the updated regulations. Tillipman said GSA’s discussion about ideological neutrality needs more clarification.
“What does that mean? That is the administration saying no woke AI stuff. While it was tightened a bit in this version, it will cause real problems. If you see that provision, what does it mean for compliance? It’s a very mushy term,” she said. “Another part that stands out is the undisclosed benchmarks for testing for woke AI that they are talking about. That also seems tough.”
The industry executive said while the new regulations are far from complete, GSA has shown its desire to get them as right as possible. But the executive said a lot of the devil will be in the details when it comes to implementing the final rule.
“GSA has not only changed the scope and content of the rule but also the process itself. and we appreciate their willingness to take our concerns into consideration and take further comments,” the executive said.
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

