In response to the recent surge of security concerns regarding the application TikTok and its parent company, ByteDance Limited, Congress prohibited federal agency and contractor use under Division R, section 102 of the Consolidated Appropriations Act of 2023, known as the “No TikTok on Government Devices Act,” which was signed into law Dec. 29, 2022. This prohibition applies to the presence or use of any covered application on any information technology owned or managed by the government, or on any information technology used or provided by the contractor under a contract, including equipment provided by the contractor’s employees.
The Office of Management and Budget issued Memorandum M-23-13 in February 2023 to initiate implementations of these restrictions across the federal government. The contractor-related provisions are being implemented through revisions to the Federal Acquisition Regulation (FAR) first announced in June. The interim final rule (IFR) prohibits government contractors and their employees from having TikTok or any other applications from ByteDance Limited on their IT devices.
Effective June 2, 2023, the rule requires a new clause to be included in new solicitations and for
solicitations issued before were to be updated by July 3. For General Services Administration (GSA) contract holders, the new terms are to be included in the next “mass-modification Refresh 17” of GSA contracts, which could occur as early as July 2023. GSA held a webinar to discuss changes in Refresh 17 on June 28.
Key Elements of the Ban
- Beyond devices owned by the government or contractors, the prohibition extends to contractor employee devices utilized under a bring-your-own-device arrangement; however, it does not apply to an employee’s personal devices that are not used in this manner or in the performance of a contract.
- The new requirement applies to all contracts, including contracts at or below the simplified acquisition threshold and contracts for commercial products.
- The scope of equipment covered is quite broad. Contractors and agencies must remove TikTok from “information technology,” which includes any IT “equipment or interconnected system or subsystem of equipment.”
- In addition to removing and disallowing the installation of TikTok on any information technology as defined, it is expected that, under the ban, internet access to the website will be blocked.
- Limited exceptions are permitted for purposes stipulated under the act – specifically, law enforcement, national security and security research.
Impact on Security Industry Contractors
According to the IFR, the government believes that compliance with the new rule will not be overwhelming and/or expensive – while this is good news, it also means there is likely little room for exceptions unless the purpose is clearly within categories established and defined in the regulations. Contractors must revise their internal policies to incorporate the restriction on possessing or utilizing a covered application. Additionally, the enforcement of this prohibition might necessitate employee communications or training to ensure compliance with this new requirement.