Building on recent and ongoing efforts to limit Chinese government access to government contractor supply chains, the FAR Councils published an interim rule effective June 2, 2023, that will broadly ban TikTok on contractor and contractor employee electronic devices used in the performance of federal contracts. The ban will be implemented through a new contract clause at FAR 52.204-27. Expect to see the clause added in all future solicitations (including commercially available off-the-shelf (“COTS”) acquisitions and micro-purchases) and added to existing contracts over the next month. We answer seven common questions on this new interim rule and offer several compliance tips.
What’s banned?
The new TikTok ban broadly prohibits contractors from having or using a “covered application” (e.g., TikTok or other successor applications by ByteDance Limited, a privately held company headquartered in Beijing, China) on any “information technology” used in the performance of a government contract. The ban applies regardless of whether the technology is owned by the government, the contractor, or the contractor’s employees. Bottom line, the rule has a (very) broad reach—it applies to contracts below the micro-purchase threshold, contracts for commercial products and services, and COTS items.
Are there any exceptions?
There are a handful of exceptions. The ban doesn’t cover devices “incidental to a Federal contract.” Although the rule doesn’t define “incidental,” it conceivably would extend to technology used in support of indirect activities like payroll or human resources functions. And some limited exceptions also apply for law enforcement activities, national security interests and activities, and security research. There is also a waiver process available.
When does compliance start?
Imminently. FAR 52.204-27 must be included in all solicitations issued after June 2, 2023. And many existing contracts are likely to be amended to include the clause in future options and orders. Though the regulation contemplates some phase-in period to come into compliance, we recommend contractors take steps over the next several weeks to come into compliance. Comments on the rule are due August 1 (so some clarifications or revisions may still be possible).
Does the rule cover every employee-owned device?
No—just those used in the performance of a federal contract. For example, the rule covers employee-owned devices used as part of an employer “bring your own device” (“BYOD”) program, but personally owned mobile devices that are not used in the performance of a contract are exempted. In sum, the ban would not prohibit the use of Tik Tok on a personal device that is not used for work.
How onerous is compliance?
Regulators do not foresee a big impact on industry. The rule assumes that most contractors can leverage their existing technologies, policies, and procedures and update them to include the TikTok prohibition. Indeed, many businesses already use internal controls to block access to unwanted websites or to prevent employees from downloading certain applications. And compliance requires only an initial review of technology and policies for TikTok or any successor application or service, with periodic compliance checks thereafter.
Do contractors need to monitor their supply chains for compliance?
No. The rule even says that “changes made by this rule do not require a contractor to review its supply chain.” So, a subcontractor flow down should suffice. Rulemakers contrasted this simple flow down requirement with more exacting prohibitions, like the Section 889 Chinese telecommunication ban in FAR 52.204-25, which requires more active supply chain oversight.
How will compliance be enforced?
Neither the interim rule nor the FAR clause indicates how the government might enforce the TikTok ban. Unlike prior supply chain bans (e.g., Section 889, Kaspersky ban), FAR 52.204-27 does not require contractors to certify their compliance, nor does it require contractors to report any non-compliance discovered during performance. And as noted above, contractors are not responsible for supply chain implementation. For these reasons, we do not anticipate the TikTok ban will be a key enforcement area for regulators (and is more likely to come up as part of a larger audit or enforcement inquiry).
Compliance Tips
We anticipate contractors will be able to meet these compliance requirements through a combination of policy revisions, employee communication, and technology management:
Update employee handbook / technology policies: Revise employee handbooks and company technology policies to prohibit employee use of TikTok on any contractor information system or employee-owned device used to perform federal contracts. Companies may wish to require employees to communicate using their business phone numbers and to avoid using personal numbers not designated for official company business.
Block TikTok on company-issued phones: Businesses should take commercially reasonable steps to ensure that employees are unable to download TikTok on company-owned device and should monitor for TikTok use as part of its established system administration.
Employee attestations: Consider amending employee policy or compliance attestations to include the TikTok ban.
Flow down the clause: Given this is a mandatory flow-down, it should be included in any standard T’s & C’s or subcontracts going forward.
Analyze exceptions carefully: Given that the ban allows TikTok on equipment “incidental to a federal contract,” contractors could conceivably allow certain employees to continue using TikTok on personal devices, such as human resources or payroll employees who do not directly work on a federal contract. If your organization believes it is important to preserve access to TikTok on certain systems, we recommend consulting with counsel to ensure your system design complies with the interim rule.