You may have learned of a new FAR provision banning the use of TikTok by contractors and employees. Lawmakers and regulators are concerned that TikTok and its parent company, ByteDance, may put sensitive user data into the hands of the Chinese government, posing a national security threat. A new FAR clause was released earlier this month and became effective immediately. The interim rule was published in the Federal Register on June 2.
All new Solicitations issued by DoD, GSA, and NASA are required to include the rule, and existing solicitations and IDIQ contracts are supposed to be modified by July 3.
The TikTok ban is similar to the NDAA Section 889 ban on contractors using covered telecommunications equipment of Huawei and other specified Chinese companies, but the new ban is less burdensome than that was. The TikTok ban was included in the Consolidated Appropriations Act for 2023 which was signed into law in December. The prohibition is intended to eliminate the TikTok app from Federal IT devices, but the prohibition extends to devices used by federal contractors under a contract that requires use of IT, including on personally owned devices used for work.
The Interim Rule states that
The FAR clause at 52.204-27 prohibits contractors from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the contractor under a contract, including equipment provided by the contractor’s employees.
This prohibition applies to devices regardless of whether the device is owned by the Government, the contractor, or the contractor’s employees ( e.g., employee-owned devices that are used as part of an employer bring your own device (BYOD) program). A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition.
The publication suggests the new rule will not have a significant impact on businesses. It concludes that
The efforts required by a contractor to update its technology and policies to implement the prohibition on having or using TikTok will be limited to an initial review of technology and policies for TikTok or any successor application or service and will only require review of policies periodically thereafter.
So your required actions depend on whether you have issued personnel IT equipment or have a BYOD program. Contractors will need to:
- Identify the use or presence of TikTok on IT equipment owned by the company.
- Remove and disallow installations of TikTok on IT owned or operated by the company and prohibit internet traffic from IT owned by the company to TikTok.
- Update any internal company IT policies to include the prohibition on having or using the app on company equipment or BYOD equipment.
- Your IT team may have a rule set that allows personally owned devices on which employees receive work email or other work applications to be controlled. Those systems should be updated to include the TikTok ban on equipment that will be “used” in the course of performing a covered government contract.
- Alert employees about this new requirement and add the prohibition to your employee training.
- Insert the substance of FAR 52.204-27 into all subcontracts.
It’s very likely that some number of employees currently have the app on a company device, or a personal device used in performance of a government contract, which includes email or work-from-home arrangements. Focus on effective employee communications and training will be essential for an effective compliance effort.
There are a number of unanswered questions about the reach of this ban. It’s clear that the ban extends to contractor-owned equipment, but the extension to personally-owned IT equipment becomes more problematic and challenging. As more and more companies permit employees to access company email and systems on their personal devices, those systems become vulnerable to the concerns about TikTok. Given that contractors are certifying their compliance with the provision, it makes sense to implement a company TikTok ban for employee devices used for work.
We can expect the Government will uniformly consider this to be a no cost change to current contracts, but there could be entitlement to compensation if you conclude there are costs involved. If so, make sure you open a separate charge number to account for company and employee compensated time required to inspect, monitor, or remove such prohibited apps from all IT devices.
Please reach out to our Government Contracts team with any questions.