Insights

The General Services Administration (GSA) is seeking public comment on a new GSA Regulation clause, 552.239-7001, Basic Safeguarding of Data within Large Language Model Artificial Intelligence Systems (LLMs), governing data safeguards and requirements prime contractors must comply with when providing or using LLMs under federal contracts. This updated clause (Revised Clause) reflects substantial revisions from an earlier version released in March 2026 (Original Clause) that faced substantial pushback from industry. Where the Original Clause cast a wide net — imposing obligations broadly across AI systems with little differentiation among supply-chain participants — the Revised Clause is more narrowly tailored. The Revised Clause:

On June 5, 2026, President Trump issued National Security Presidential Memorandum (NSPM) 11 (NSPM-11) to accelerate AI adoption by the U.S. military and intelligence agencies. It directs updated AI management, acquisition, and use policies and seeks to compel AI companies to comply with Trump administration policies.  It calls for expanded training and enhanced security in collaboration with the private sector and orders the “termination for default or for convenience” of government contracts with AI companies that wish to limit how the government uses their products. NSPM-11 could also herald a major change in autonomous warfighting policy by directing the update of the Pentagon’s primary directive on autonomous weapon systems.

On May 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the Australian Cyber Security Centre, the UK National Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre, published joint guidance on the “Careful Adoption of Agentic AI Services” (Guidance).

After years of anticipation and a series of delays, implementation of the U.S. Department of Defense’s Cyber Maturity Model Certification Program (CMMC) is rapidly approaching. Though CMMC is not expected to enter into effect until early-to- mid 2025, DOD contactors can start taking steps now to ensure a smooth transition into this new regulatory era.

U.S. colleges and universities watched closely this summer when the DOJ, in a novel move, scrutinized the cybersecurity compliance of a research lab at an academic institution.

The Department of Defense (DoD) has released the highly anticipated second final rule for the Cybersecurity Maturity Model Certification Program (CMMC), ushering in its mandatory implementation that begins on November 10. CMMC is a unified assessment model released by the DoD in response to the growing threat of cyberattacks on and data theft from the Defense Industrial Base.  This program requires every DoD contractor that handles sensitive government data to certify compliance with certain cybersecurity controls.  CMMC brings greater scrutiny to contractors’ cybersecurity compliance and greater risks associated with compliance failures. To achieve certification, contractors must prove that their organizations can meet a myriad of security control obligations, a process that can be daunting without familiarity with the policies, procedures, and practices that will be required when the program is finalized.