The FAR Council’s Implementation of the “No TikTok on Government Devices Act” - Applicability, Limited Exceptions and the FAR Council’s Expectation of Impact of the Rule

Daniel Petkoff, Holly Roth
Polsinelli
Contact
LinkedIn
Facebook
X
Send
Embed

Polsinelli

Background

In December of 2022, Congress passed the “No TikTok on Government Devices Act” as part of the Consolidated Appropriations Act, 2023 to address the risks presented by the app to sensitive government data. This law required the government to develop standards and guidelines for executive agencies requiring the removal of any covered application from information technology. Covered application was defined as the “social networking service TikTok or any successor application or service developed or provided by ByteDance Limited,” a Chinese technology company located in Beijing. The Office of Management and Budget (OMB) released the implementing guidance for the No TikTok on Government Devices Act through Memorandum M-23-13 in February 2023.

In June of 2023, the Federal Acquisition Regulations (FAR) Council, consisting of the Secretary of Defense, The Administrator of National Aeronautics and Space, and the Administrator of General Services, issued an interim rule amending the FAR to implement this section of the Consolidated Appropriations Act by adding FAR subpart 4.22, amending FAR section 13.201, and issuing a new contract clause at 52.204-27.

The TikTok Ban

The new regulations, FAR 4.2201, 4.2202 and 4.2203, the added language at FAR 13.201(k) and contracts clause 52.204-27 prohibit government contractors and subcontractors and contractor and subcontractor personnel from having the TikTok app on information technology affiliated with the performance of a contract. The rule became effective immediately upon release, according to the FAR Council, due to urgent and compelling reasons. The swift implementation of the rule did not allow for public comment. The action was described as necessary because OMB Memorandum M-23-13 requires agencies to comply with the prohibition on a covered application in contracts no later than 120 days after the effective date of the memorandum. Contract Clause FAR 52.504-27, the Prohibition on a ByteDance Covered Application, applies to solicitations issued on or after June 2, 2023, and in solicitations issued before the effective date, provided the award of the resulting contract occurs on or after the effective date. Contractors and subcontractors should review the contracts and subcontracts to determine whether they were issued/awarded after the effective date and take the necessary steps to ensure compliance.

The prohibition applies to the presence or use of any covered application on any information technology owned or managed by the Government, or on any information technology used or provided by a contractor under a contract, including equipment provided by the contractor’s employees. The ban applies to all devices used in contract performance: government-owned devices, contractor-owned devices, employee-owned devices, and subcontractor-owned devices. This means that employee-owned devices are also subject to the rule if they are used in the course of work fulfilling a government contract. However, the Federal Register states that the rule is not applicable to personal communication devices that are not used in the performance of a government contract. It is likely that the ban would be applicable to personal devices if employees take calls, emails, or texts pertaining to the performance of a government contract on their personal devices, but beyond that, the scope of the rule is unclear in its implications for personal information technology devices. The rule also specifically uses a brand-new statutory definition for “information technology” introduced in the No TikTok on Government Devices Act, which includes embedded information technology, unlike the already established FAR definition.

Applicability of the Ban

The Federal Acquisition Streamlining Act of 1994 (FASA) generally limits the applicability of new laws when agencies make acquisitions at or below the Simplified Acquisition Threshold. 41 U.S.C. §1905. However, FASA provides that such acquisitions will not be exempt under certain circumstances, including when the FAR Council determines that it would not be in the best interest of the Federal Government to exempt specific contracts. The FAR Council made a determination to include acquisitions at or below the Simplified Acquisition Threshold as well as at or below the Micro-Purchase Threshold, in the TikTok ban.

Similarly, FASA restricts the applicability of certain laws to contracts for the acquisition of commercial products and services. 41 U.S.C. §1906. The FAR Council also decided to apply the TikTok ban to acquisitions for commercial products and services. The Administrator for Federal Procurement Policy consequently determined that it was in the best interest of the Government to apply this rule to contracts for the acquisition of Commercially Available Off-the-Shelf Items, as well.

OMB Memorandum M-23-13’s Limited Exceptions to the Rule

The No TikTok on Government Devices Act, and the OMB Memorandum issued in response thereto, provides limited exceptions to the restrictions for law enforcement activities, national security interests and activities and security research. Agencies are advised to limit the use of these exceptions to instances in which the use of a covered application is critical to their mission and there are no viable alternatives. The exceptions must be granted by the agency heads, and the agency head remains responsible for ensuring that all individuals with delegated authority maintain the required documentation and take all necessary actions to mitigate risk posed by the covered applications. Any exceptions granted by an agency head may only last up to one year, after which the agency must reevaluate the exception granted for renewal or termination.

Expected Impact

The FAR Council assumes that the rule will not have a significant economic impact on businesses. The Office of Management and Budget recommends that contractors and agencies “identify the use or presence of TikTok on information technology, remove and disallow installations of TikTok on IT owned or operated by contractors, and prohibit internet traffic from IT owned by contractors to TikTok.” Implementation will, however, require contractors to communicate the new rule to their employees and train them on the new requirement. The changes from this rule do not require contractors to review their supply chains, nor do they impose a reporting requirement. According to the FAR Council, it believes that contractors already have technology in place to block access to unwanted or nefarious websites, prevent the download of prohibited applications to devices, and remove a downloaded app.

The FAR Council’s position is that the prohibition on using a covered application on Government-related IT, including Federal contractors’ equipment, is a national security measure to protect Government information and information and communication technology systems.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Written by:

Polsinelli
Polsinelli
Contact
more
less

Polsinelli on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide