What "government-furnished" actually means
On many federal efforts, part of what a performer needs to do the work does not belong to the performer. It belongs to the government, which hands it over for the life of the contract. The Federal Acquisition Regulation calls this government-furnished property: property in the possession of, or directly acquired by, the Government and subsequently furnished to the contractor for performance of a contract (FAR 45.101). Performers meet three flavors of it. Government-furnished information (GFI) is datasets, documents, and reference designs. Government-furnished equipment (GFE) is hardware, sensors, and test articles. Government-furnished property (GFP) is the umbrella the contract clauses use. On an AI or data effort, GFI is the flavor that decides whether the work happens on schedule.
GFI, GFE, GFP
Information, equipment, and the umbrella property category are all furnished by the government for the contract only. Whatever the label, the performer accepts a duty to account for it, protect it, use it strictly for the contract, and dispose of it as directed at the end.

The distinction matters because the contract treats furnished property as a controlled asset, not a convenience. Under the Government Property clause (FAR 52.245-1), a performer that receives it takes on a real obligation: account for it, protect it, use it only for the contract, and dispose of it as the contracting officer directs at closeout. Furnished data is not a gift. It is a loan with a paper trail.
Why data access is the quiet schedule killer
Federal AI efforts are often planned as if the data is already in hand. The plan assumes a labeled corpus, a sensor feed, a set of maintenance records, or a reference model, and it schedules the modeling work against that assumption. Then the effort starts and the data is not there. It is held by a program office that has to locate it, review it for release, mark or strip sensitive fields, and move it through a channel that clears security. Weeks pass. On a six- or twelve-month effort, a four-week data slip is not a rounding error. It is a large share of the runway.
The failure is rarely technical. It is procedural. The performer never wrote the data request into the proposal, never negotiated a delivery date into the award, and never asked who on the government side owns the transfer. By the time the gap is visible at kickoff, the schedule is set and the clock is running.
What determines whether furnished data arrives on time
Ask early: put the data request in the proposal
The single most effective move is also the least glamorous. Name the data you need, in the proposal, with specificity. State the datasets, the fields, the formats, the classification, and the approximate volume. State when in the period of performance you need each set. State what you will do while you wait if a set is late. A reviewer who reads a precise data request sees a performer who has done this before.
Then negotiate the request into the award schedule. The data request belongs in the proposal, not the kickoff meeting. A furnished dataset written into the award schedule arrives on a schedule; one assumed into the plan arrives whenever the program office gets to it. That single difference, negotiated before award, is worth more than any recovery move made after the clock starts.
The path from request to first byte
The mechanics from request to delivery follow a predictable arc. Knowing it lets a performer set honest expectations and spot the step that is stuck.
From request to handled data — six stages
Most delay lives between stages two and three, in the government-side review and the agreement paperwork, not in the transfer itself. That is the part a performer can shorten by being ready before it is asked: environment authorized, agreements pre-reviewed, the right person cleared and provisioned.
Working while you wait, then validating for real
No serious effort sits idle waiting for furnished data. The discipline is to make real progress on stand-ins without pretending the stand-in is the real thing. Three honest substitutes carry most of the load.
Public datasets. Establish the pipeline, the baselines, and the evaluation harness on open data that shares the statistical shape of the target, so the machinery is proven before the real data lands.
Representative surrogates. Stand up ingestion and preprocessing on a same-class source, a commercial sensor of the right type or an open corpus from the same domain, so format and scale are exercised early.
Synthetic augmentation. Generate plausible variation to pressure-test the model where real coverage is thin, with a clear note that synthetic performance is a hypothesis, not a result.
The stand-in work is scaffolding, not the building. When the furnished data arrives, the honest performer re-runs the evaluation on it and reports the number that matters: performance on the real distribution, not the surrogate. Where the surrogate flattered the model, the report says so. That is the difference between a Phase I that de-risks the problem and one that hides the risk until Phase II finds it. Validation is also a checkpoint on the data itself, which is frequently smaller, noisier, or differently labeled than the request implied. Discovering that early, and documenting it, is a finding a program office values as much as a model result.
Handling by data class
What a performer must do with furnished data depends entirely on its class. The four classes below cover almost everything an AI effort touches.
| Data class | What it typically requires | Where it can live |
|---|---|---|
| Public / releasable | License and attribution check; confirm it is truly cleared for public use | Any project environment |
| CUI | Safeguarding per DFARS 252.204-7012 and NIST SP 800-171; correct marking; access limited to authorized handlers | A compliant enclave (on-prem or a government-cloud region) |
| Proprietary / third-party | NDA plus data-use agreement; use limited to the stated purpose; no derivative disclosure | A segregated store under the agreement's terms |
| Classified | Accredited system, cleared personnel, accredited facility; handling per the security guide | Never on a commercial network |
The rule of thumb: the environment rises to meet the most sensitive datum in it. One CUI field in an otherwise public dataset makes the whole store a CUI store.
CUI and DoD safeguarding, at a high level
Most federal data an AI performer handles is Controlled Unclassified Information. CUI is not classified, but it carries safeguarding and dissemination controls established under Executive Order 13556 and 32 CFR Part 2002, with the National Archives serving as executive agent and maintaining the registry of CUI categories. On a Defense effort, that obligation is written into the contract through DFARS 252.204-7012, which requires the security controls in NIST SP 800-171 on any system that stores or processes covered defense information, and requires cyber incidents to be reported to DoD within 72 hours of discovery.
The practical reading for a small firm: if the effort involves CUI, the receiving environment has to be a compliant enclave, the controls have to be documented in a system security plan, and there has to be a working path to report an incident. CMMC formalizes how those controls are assessed. None of it is optional, and none of it can be stood up the week the data arrives.
When the data is someone else's property
Some furnished data does not belong to the government either. It is a vendor's proprietary corpus, a partner's design data, or a dataset the government licensed under terms it has to pass through to the performer. Here the instrument is a nondisclosure agreement or a data-use agreement that binds the performer to the owner's terms: use limited to the stated purpose, no disclosure beyond the named team, no derivative product that leaks the source, and destruction or return at the end.
Read those agreements before touching the data, not after. A data-use agreement can forbid the exact thing an AI effort wants to do, which is train a model that generalizes beyond the licensed purpose. It is far better to learn that at signature than at delivery.
How delivery actually happens
Furnished data moves through a small set of channels, chosen by classification and volume. Described generically: secure government file-transfer portals for CUI-level data under a size cap; encrypted physical media, shipped and tracked, for volumes too large to move online; and direct access inside a government or accredited enclave, a virtual desktop into an environment the data never leaves, for the most sensitive sets. Classified data moves only through classified channels into accredited spaces.
The performer's job is to be ready for whichever channel the program uses: an account provisioned, a certificate in hand, an enclave standing, a person cleared. The channel itself is rarely the bottleneck once the receiving side is prepared.
Provenance and version, for every set
Every furnished dataset gets a provenance record the day it arrives: where it came from, who sent it, when, under which agreement, at what classification, with what integrity check. Every version gets a number. When a program office sends a corrected extract three months in, the old and new sets are both retained and labeled, and the results record which version produced them.
This is not bureaucracy. It is the only way to answer the question an auditor, a reviewer, or a successor team will eventually ask: which data produced this result, and were we cleared to use it that way. A model trained on a furnished dataset with no provenance trail has nothing to defend itself with.
Getting the receiving environment ready
Readiness is what turns a data-transfer date into a data-transfer event. Before the first byte moves, the receiving environment should clear this list.
- Authorization boundary defined and documented in a system security plan
- Access controls and multi-factor authentication enforced on the enclave
- Encryption in transit and at rest for the furnished data
- Audit logging of every access to the data, retained as an artifact
- U.S.-person or clearance status verified for everyone who will handle it
- Furnished data segregated from other clients and other efforts
- Media-handling and sanitization procedures written and tested
- Incident-reporting path stood up and confirmed working
Giving the data back
Furnished data has an end state written into the contract. At closeout the performer returns or destroys it as the contracting officer directs and, for anything sensitive, provides a certificate of destruction that records what was destroyed, how, when, and by whom. Retention past the contract is not a courtesy to keep; it is a liability to hold, unless a clause or agreement specifically authorizes it.
Publication is its own gate. Anything a performer wants to publish or present from a federal effort, a paper, a benchmark, or a conference talk, goes through the program's public-release review first. That review protects the performer as much as the government: it is the line between a citable result and an inadvertent disclosure.
Why the data-handling record compounds
Program offices remember who was easy to trust with their data. A performer who requested data precisely, handled it by the book, kept a clean provenance trail, and returned it with a destruction certificate has done something a proposal can only claim and conduct can prove. The next effort starts with that reputation already banked.
For a small firm building toward durable federal work, the data-handling record is quiet, unglamorous, and one of the most lasting assets it owns. It compounds across efforts the way trust always does: slowly, and then decisively.
Judgment calls performers ask about
Should we bid when the key data is government-furnished and uncertain?
Yes, if the proposal names the data precisely, negotiates a delivery milestone, and states a credible substitute plan for slips. A furnished-data dependency is a schedule risk to manage in writing, not a reason to walk away from otherwise strong work.
What if the transfer slips past kickoff?
Run the substitute plan and keep building the pipeline, baselines, and evaluation harness on open or surrogate data. Document the slip and the workaround in the monthly report so the record shows real progress and a known dependency, not a stalled effort.
Can synthetic data stand in for the real thing in the final report?
As a bridge, yes; as the headline result, no. Synthetic and surrogate performance is a hypothesis. The result that counts is measured on the furnished data, and the report should be explicit about which number came from which source.
Do we really have to destroy everything at the end?
Return or destruction at closeout is the default the Government Property clause and any data-use agreement set. Keeping furnished data afterward without written authorization creates liability with no upside. If continued use is genuinely needed, ask for it in writing before the contract ends.
Frequently asked questions
Government-furnished information (GFI) is data, documents, and reference material. Government-furnished equipment (GFE) is hardware, sensors, and test articles. Government-furnished property (GFP) is the umbrella term the contract clauses use for anything the government owns and hands to the performer for the contract. FAR 45.101 defines furnished property as property in the government's possession, or directly acquired by it, and subsequently furnished to the contractor for performance.
In the proposal, before award. Name each dataset, its fields, format, classification, and volume, and state when in the period of performance it is needed. Then negotiate a delivery milestone into the award schedule so the request is a contractual obligation, not an assumption. Requesting at kickoff is already late.
CUI carries safeguarding controls set under Executive Order 13556 and 32 CFR Part 2002. On a Defense contract, DFARS 252.204-7012 requires the NIST SP 800-171 controls on any system that processes covered defense information, plus cyber-incident reporting to DoD within 72 hours. In practice that means a compliant enclave, a documented system security plan, and a tested incident-reporting path.
By channel matched to classification and size: secure government file-transfer portals for CUI-level data under a cap, encrypted and tracked physical media for large volumes, and direct enclave access through a virtual desktop for the most sensitive sets. Classified data moves only through classified channels into accredited spaces. The receiving side, not the channel, is usually the slow part.
It is returned or destroyed as the contracting officer directs, per the Government Property clause and any data-use agreement. Sensitive data usually calls for a certificate of destruction recording what, how, when, and by whom. Anything published from the effort goes through the program's public-release review first.