The U.S. GSA has proposed AI procurement rules allowing open-source LLM components under strict security safeguards, marking a shift from blanket restrictions while imposing new compliance obligations across the AI supply chain.
The U.S. General Services Administration (GSA) has proposed new government-wide AI procurement rules that explicitly allow the use of open-source AI components in Large Language Model (LLM) systems under a risk-based security framework, replacing earlier blanket restrictions on foreign AI technologies.
Published as proposed GSAR 552.239-7001, the regulation applies to government contracts involving LLMs that process government data and extends compliance obligations across the AI supply chain, covering developers, system operators, integrators and service providers.
Under the proposal, incidental foreign-developed open-source software, published research and third-party services remain permissible provided they do not introduce security risks, are not subject to adversary foreign government control and comply with U.S. federal security requirements.
The draft also strengthens government data protections by prohibiting contractors from using government data to train or fine-tune LLMs, improve models, support advertising or marketing, or sell or share the data. It mandates “eyes off” automated processing with technical safeguards including encryption, access controls and audit logging to prevent human access to sensitive government information.
The proposal introduces mandatory flowdown clauses across the LLM ecosystem, requires due diligence throughout AI supply chains and expands compliance to system prompts, retrieval-augmented generation (RAG) configurations and model deployments. Contractors that fail to comply could face suspension of AI system use, termination for cause and capped decommissioning costs.
GSA will hold a public listening session on 14 July 2026, with written comments due by 3 August 2026. If adopted, the framework could become one of the most significant procurement policies governing the use of open-source AI components in U.S. government systems.
