On June 2, 2023, the Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council issued an interim rule to implement a new statutory requirement that, in short, bans the TikTok app from devices used in the performance of federal government contracts (TikTok Rule). The TikTok Rule introduces a new FAR clause, FAR 52.204-27, entitled “Prohibition on a ByteDance Covered Application (June 2023)” (TikTok Clause), which is effective immediately and applies to all contracts, including contracts at or below the simplified acquisition threshold, contracts for commercial products (including commercially available, off-the-shelf items), and contracts for commercial services. The TikTok Clause also flows down to all subcontracts. Because of the TikTok Rule’s broad application, federal contractors will need to review and potentially revise compliance programs.
On December 29, 2022, as part of the Consolidated Appropriations Act, 2023, Congress passed the “No TikTok on Government Devices Act” (Pub. L No. 117-328, 136 Stat. 4459, 5258). Generally speaking, the law required the government to “develop standards and guidelines for executive agencies requiring the removal of any covered application” — specifically defined here as the “social networking service TikTok or any successor application or service developed” by ByteDance Limited, a Chinese internet technology company headquartered in Beijing, or an entity owned by ByteDance Limited — “from information technology.”
Although only passed into law at the end of last year, this idea has been around since at least 2020, when it was first introduced in the Senate. The concern involves national security, as explained by the legislation’s sponsor:
TikTok is a uniquely intrusive application. The company openly admits that it tracks users’ locations, it tracks users’ keystroke patterns, it tracks the filenames on users’ devices. TikTok essentially claims the right to peer straight through our phones into our lives.
166 Cong. Rec. S5236 (daily ed. Aug. 6, 2020) (statement of Sen. Josh Hawley).
The legislative history last year echoes the concern:
The requirements mandated by China’s National Intelligence Law allow for the potential that Chinese government officials could use TikTok to violate the civil rights and privacy of users in the United States, or otherwise gather data that may have national security implications.
The TikTok Clause prohibits the presence or use of the TikTok app on information technology (IT) equipment used by government contractors and contractor personnel in the performance of a contract:
The Contractor is prohibited from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the Contractor under this contract, including equipment provided by the Contractor’s employees including equipment provided by the Contractor’s employees . . .
FAR 52.204-27(b) (emphasis added).
The TikTok Rule states that the prohibition “applies to devices regardless of whether the device is owned by the Government, the contractor, or the contractor’s employees (e.g., employee-owned devices that are used as part of an employer bring your own device (BYOD) program).” While there is an exception for a “personally-owned cell phone that is not used in the performance of the contract,” there is no definition of what the phrase “not used in the performance of the contract” means.
The new FAR clause applies to:
- Any solicitation issued on or after June 2, 2023;
- Any contract award that occurs on or after June 2, 2023, even if the solicitation predated the rulemaking;
- Existing IDIQ contracts, to be amended by July 3, 2023, to apply to future orders; and
- Any modifications/option awards for existing contracts or task or delivery orders that extend the period of performance.
The TikTok Rule applies broadly to all contracts and includes government-owned, contractor-owned, and employee-owned IT devices. The main exception, which is for personally owned cell phones that are not used in the performance of a contract, is likely to be an area of confusion unless and until a final rule provides a more detailed definition, particularly regarding a contractor’s obligations for employees who indirectly work on an occasional basis in support of a federal government contract, e.g., personnel, legal, administrative.
The TikTok Rule states, “It is expected that contractors already have technology in place to block access to unwanted or nefarious websites, prevent the download of prohibited applications (apps) to devices, and remove a downloaded app.” The rule also states, “[I]t is expected that contractors already have policies in place for employees to follow for workplace technology.” The general purpose of the TikTok Rule and these additional statements signals a greater emphasis by the government on personal device security. Where necessary, prudent contractors should adjust their compliance programs accordingly.
Bradley will continue to monitor this issue and provide further updates as appropriate. If you have any questions about this article, please feel free to contact Patrick Quigley, Matt Flynn, or Aron Beezley.