Some social media platforms (SPMs) can be entertaining, but they can also be illegal...if you’re a federal contractor.

In late 2022 as part of a larger budget bill, Congress passed the No TikTok on Government Devices Act. For anyone who was watching the news, the fundamental reasoning behind this is this SPM is a Chinese-owned company that gathers user information, whether you’re watching videos as a high school student in Des Moines or an IT worker at the Pentagon.

As part of this law, governmental agencies are directed by the Office of Management and Budget to remove from this SPM or anything else created or provided by the SPM’s company or its subsidiaries from all government devices. This includes removal from computers, ancillary equipment, software, firmware, and anything that would connect to the larger systems utilized by the federal government which might be “used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency…” This is an extremely broad definition.

Interim Rules for Federal Contractors

As of June 2, interim rules were issued by the Federal Acquisition Regulatory Council (FAR Council). FAR applied these rules to federal contractors as “a national security measure to protect government information and information in community technology systems.” This specifically means that federal contractors are prohibited from utilizing a video SPM on:

• Any information technology owned or managed by the government.
• Any information technology used or provided by the federal government or under a federal contract including equipment used or provided by the federal contractors employees. (personal devices)

These requirements apply regardless of who owns the device and are clearly intended to apply to employee-owned devices used as part of the workplace. Of concern to federal contractors in this instance is that while they may provide work-based devices, in many instances employees are more familiar with their personal devices or perhaps personal devices have the most recent iteration of needed technology. Employees frequently default to using their personal devices in a way not contemplated by the employer. Because of this, federal contractors will have to be particularly diligent in assessing how devices are used and whether or not personal devices, which may still have SPMs on them are, in fact, “cross-pollinating” with the contractor systems.

The rule will be applied broadly so it is critical employers comply with it if there are projects connected to the government budget. While this is an interim rule, it is enforceable, and although the rule does not currently list fines or penalties for noncompliance, it is likely these will be developed and will be enforced not only by FAR but potentially by the OFCCP and other agencies.

The Big Picture

As employers have done with every new iteration of various privacy and confidentiality rules, whether state-based rules or those in the EU like the GDPR, they need to proceed cautiously and look carefully at issues involving information flow, data mapping, and how systems are used.

Employers should determine whether or not they are, in fact, a federal contractor to whom these interim rules apply. If you are a federal contractor or even if you are contemplating applying for federal contracts or as a subcontractor, you may need to evaluate your information technology policies, proceed carefully in assessing existing practices, including changes to any practice, and review the security settings on all existing technology.

You will also need to focus on a workable enforcement policy. Knowing the rule and publishing it is only the first step. As we have seen with HIPAA and other data compliance requirements, failure to enforce compliance is almost more problematic than not having the rule in the first place, because failure to force compliance indicates you knew but simply didn’t take the actions necessary to comply with the law.