The Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued an interim rule, effective immediately, that amends the Federal Acquisition Regulation (FAR) to prohibit organizations from having or using “the social networking service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited”1 (referred to as a “covered application”) on any information technology used or provided by the organization under a U.S. Government contract. See 88 Fed Reg. 36430 (June 2, 2023). The ban is implemented through a new contract clause, FAR 52.204-27, Prohibition on a ByteDance Covered Application, which must be flowed down to all subcontractors. Comments to this interim rule are due August 1, 2023.
The TikTok ban implements the “No TikTok on Government Devices Act,”2 which instructs the Director of the Office of Management and Budget (OMB), in consultation with the Administrator of General Services, the Director of the Cybersecurity and Infrastructure Security Agency, the Director of National Intelligence, and the Secretary of Defense, to develop standards and guidelines for agencies requiring the removal of TikTok from Federal information technology. The FAR interim rule also follows the implementation guidance of OMB Memorandum M-23-13, entitled, “No TikTok on Government Devices Implementation Guidance.” The interim rule characterizes the ban on TikTok as a national security measure aimed at protecting Government information and communication technology systems.
Scope of ban
The rule’s scope is quite broad. It prohibits the presence or use of any covered application in information technology, including equipment used by government contractors and their employees in performing government contracts. The new contract clause prohibits contractors “from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the Contractor under this contract, including equipment provided by the Contractor’s employees.” The rule adopts the statutory definition of “information technology” located at 40 U.S.C. § 11101(6).3 That definition extends to information technology components and services “used by a contractor under a government contract “that requires the use—(i) Of that equipment; or (ii) Of that equipment to a significant extent in the performance of a service or the furnishing of a product.” It excludes, however, “any equipment acquired by a Federal contractor incidental to a Federal contract.”
The interim rule’s commentary specifies that the prohibition applies to devices regardless of whether they are owned by the Government, contractor, or contractor’s employees (including employee-owned devices that are used as part of an employer bring-your-own-device program). However, a personally-owned cell phone that is not used in the performance of the relevant contract is excluded from the ban’s coverage.
The rule applies to all government procurement contracts and related subcontracts, including contracts at or below the simplified acquisition threshold, and contracts for commercial products/services and commercially available off-the-shelf items with both small and other than small businesses. But it does not apply to grants and cooperative agreements. Also, application of the rule can be waived by the contracting officer. In such cases, the contracting officer must provide written notice to the contractor of the exception.
Government contracting officers must include clause FAR 52.204-27 in all solicitations issued on or after June 2, 2023. Solicitations issued before the rule’s effective date, but scheduled to be awarded after June 2, 2023, must be amended by July 3, 2023 to comply with the new rule. Contracting officers must modify existing indefinite-delivery contracts to include FAR 52.204-27 by July 3, 2023 to ensure the prohibition applies to future orders. Contracting officers must also incorporate the FAR clause when exercising an option or modifying an existing contract/order to extend the period of performance.
Impact on organizations with U.S. government business
The rule builds upon previous information technology-related prohibitions, such as the prohibition on contracting for certain telecommunications and video surveillance services or equipment (see, e.g., FAR clause 52.204-25) and the ban on hardware, software and services provided by Kaspersky Lab and other covered entities (FAR clause 52.204-23).4 In commentary that accompanies the rule, the rule’s drafters noted that the TikTok prohibition will require contractors to update existing technology, policies, and procedures to prohibit “the presence or use of a covered application or the URLs associated with a covered application on devices used by a contractor under a contract with the Government.” The drafters also noted their expectation that contractors already have technology in place to block access to unwanted or nefarious websites, prevent the download of prohibited applications to devices, and remove a downloaded app. Finally, the drafters also suggested that contractors consider employee communications or training on the new requirement, including as it pertains to a personal device used in performance of a Federal contract.
1 ByteDance Limited is a privately held company headquartered in Beijing, China.
2 Pub. L. No. 117-328, div. R, §§ 101-02, available at https://www.congress.gov/bill/117th-congress/housebill/2617.
3 This definition is different than that included in FAR 2.101, which excludes imbedded information technology. See also FAR 52.204-27 and FAR 4.2201 for the applicable definition of “information technology.”
4 One notable distinction from these clauses is that FAR 52.204-27 does not have a reporting requirement. See FAR 52.204-23 (requiring reporting if the contractor identifies a “covered article” provided to the Government during contract performance or is notified of such by a subcontractor at any tier or any other source); FAR 52.204-25 (requiring reporting if the contractor identifies “covered telecommunications equipment or services” used during contract performance or is notified of such by a subcontractor at any tier or by any other source).