On June 2, 2023, the FAR Council issued an Interim Rule to implement the prohibition on having or using TikTok or any successor application or service developed or provided by ByteDance Limited (covered application). Importantly, the prohibition applies not only to Government-issued devices but encompasses contractor and contractor employee-owned devices (e.g., employee devices used as part of a bring-your-own-device program) as well. The Interim Rule took immediate effect and requires new FAR clause FAR 52.204-27, Prohibition on a ByteDance Covered Application, to be included in solicitations issued on or after June 2, 2023. In addition, solicitations issued before the effective date were required to be amended by July 3, 2023, provided that award of the resulting contract(s) occurs on or after the effective date. Existing indefinite-delivery, indefinite-quantity contracts were required to be modified to include the new clause by July 3, 2023, to apply to future orders. Finally, if exercising an option or modifying an existing contract to extend the period of performance, contracting officers must include the clause. In short, this clause will soon be in most if not all Federal government contracts. Contractors should take action now to ensure that they are prepared to comply with these requirements and that employees are familiar with and trained regarding the prohibition.
The Interim Rule implements the No TikTok on Government Devices Act (included as part of the Consolidated Appropriations Act of 2023) and its implementing guidance under OMB Memorandum M-23-13 (February 27, 2023), which directed agencies to remove any covered application from Federal devices. The new FAR clause applies very broadly and must be included in all solicitations and contracts, including acquisitions for commercial products and commercial services, to include acquisitions of commercially available off-the-shelf (COTS) items. The clause applies to contracts below the simplified acquisition threshold, including contracts at or below the micro-purchase threshold where the performance of the contract may require the presence or use of a covered application. The clause also requires flow down to subcontractors. It is clear that the US Government is taking the national security threat posed by these covered applications seriously and has cast a very wide net in an effort to capture as many contracts as possible under the prohibition.
The prohibition in FAR 52.204-27 is straightforward: contractors are “prohibited from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the Contractor under this contract, including equipment provided by the Contractor’s employees[.]” FAR 52.204-27(b). Limited exceptions are available if the Contracting Officer provides written notification to the contractor that an exception has been granted in accordance with OMB Memorandum M-23-13 (i.e., where a covered application will be used in law enforcement activities, national security interests and activities, or security research). FAR 52.204-27 incorporates the definition of “information technology” found at 40 U.S.C. 11101(6) rather than the definition at FAR 2.101, which excludes “imbedded information technology”. For purposes of the prohibition, “information technology”:
(1) Means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use—
(i) Of that equipment; or
(ii) Of that equipment to a significant extent in the performance of a service or the furnishing of a product;
(2) Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but
(3) Does not include any equipment acquired by a Federal contractor incidental to a Federal contract.
The Interim Rule does not clarify what constitutes use “to a significant extent” or “incidental to” performance of a Federal contract; however, given the wide applicability of the rule, contractors should take care to identify all potentially affected information technology to ensure compliance with the prohibition.
The Interim Rule posits that this rule will not have a “significant economic impact” on businesses and that it is less complex than other, similar prohibitions that have been enacted, such as the prohibition on contracting for hardware, software, and services developed or produced by Kaspersky Lab (FAR 52.204-23) and the prohibition on contracting for certain telecommunications or video surveillance services or equipment (FAR 52.204-25). Unlike those prior prohibitions, which require review of the contractor supply chain (FAR 52.204-25) and/or include reporting requirements (FAR 52.204-23, FAR 52.204-25), FAR 52.204-27 includes neither a requirement for a contractor to review its supply chain nor a reporting requirement. However, as a practical matter, contractors will need to undertake an initial review of technology used in the performance of their government contracts and take steps to ensure that devices issued to employees/employee-owned devices used on a government contract comply with the prohibition. The rule contemplates that contractors “already have technology in place to block access to unwanted or nefarious websites, prevent the download of prohibited applications (apps) to devices, and remove a downloaded app” and “already have in place policies for employees to follow for workplace technology.” Accordingly, the Government expects that after this initial review and update to existing policies and procedures, contractors will only be required to review those policies and procedures “periodically thereafter.” 88 FR 36432. In reality, however, the effort required for contractors to comply with the prohibition will vary based on the nature of the contractor’s business, the makeup of its workforce, and the scope of any existing policies in place.
At a minimum, contractors will need to update any existing workplace technology policies to include the prohibition and train employees on the new requirement, particularly in light of the prohibition on use of the application on a personal device used in performance of a Federal contract. However, any contractor that does not have an existing robust workplace technology policy, should enact one as soon as possible to address the prohibition (and the other, similar prohibitions that are now present in all Federal solicitations and contracts). Comments are due on the Interim Rule on or before August 1, 2023, to be considered in the formation of the final rule; however, given the simplicity of the rule and the Government’s clear interest in applying the prohibition to as broad a swath of contractors as possible, contractors should not be surprised to see a final rule that closely follows the Interim Rule. As such, contractors should not wait to take action to ensure that policies are updated and employees are trained in the prohibition, or they risk attracting the wrong kind of followers: Government investigators.