Government Contractors Face an Immediate Deadline to Delete TikTok from Some IT
Earlier this month, bipartisan legislation was introduced in the U.S. Congress that would allow the U.S. to regulate and even ban the app TikTok. Although the proposed legislation has dominated the news coverage, a recent Office of Management and Budget memorandum currently prohibits the use of TikTok on information technology used by federal agencies and contractors. This blog discusses the immediate ramifications applicable to government contractors and steps contractors should take to help ensure they are prepared to implement requirements that could soon apply to them.
First, we discuss why TikTok has generated such controversy and restrictions placed on government use.
Concern Over TikTok and the Proposed Legislation
TikTok is owned by the Beijing-based company, ByteDance, which is subject to Chinese laws that make information from users accessible to the Chinese government. This raises obvious concerns that the Chinese government could spy on American users or even use the app to spread propaganda and disinformation. TikTok is currently under criminal investigation by the FBI and the U.S. Department of Justice, and ByteDance has confirmed that it has previously used TikTok to monitor the physical locations of U.S. journalists.
The proposed legislation currently before Congress, the RESTRICT Act, would empower the U.S. Department of Commerce to "identify, deter, disrupt, prevent, prohibit, and mitigate transactions involving information and communications technology products in which any foreign adversary has any interest and poses undue or unacceptable risk to national security." Although the bill does not expressly mention TikTok by name, the bipartisan group of senators who introduced it have specifically cited TikTok as the driving motivation for the proposed legislation. President Joe Biden1 has endorsed the RESTRICT Act, and it is expected to pass Congress in its current, or a substantially similar, form and become law.
Concurrently, the Committee on Foreign Investment in the United States (CFIUS) is threatening to ban TikTok if the company does not spin off from the app's Chinese owners. It appears unlikely, however, that the Chinese government would allow ByteDance to divest itself of TikTok.
OMB Directives to Federal Agencies and Contractors
The White House issued a memorandum on Feb. 28, 2023, requiring the removal of TikTok2 from federal information technology. This memo fulfilled the requirement set forth in the Consolidated Appropriations Act, 2023 (the Act), which instructed the Director of the Office of Management and Budget (OMB) to develop standards and guidelines for agencies to require the removal of TikTok from federal information technology.
The OMB directive has important implications for government contractors, as the memo applies to all "information technology," as that term is defined in 40 U.S.C.§ 11101(6). This covers not only information technology (IT) owned or operated by federal agencies, but also IT "used by a contractor under a contract with the executive agency that requires the use" of that IT, whether expressly or "to a significant extent in the performance of a service or the furnishing of a product." (emphasis added).
This definition does not, however, "include any equipment acquired by a federal contractor incidental to a federal contract." Unfortunately, the OMB directive provides no detail on this point. In the authors' view, the directive encompasses IT that is reasonably necessary to the contractor's business, but is only incidental to the performance of its government contract, such as payroll, financial management and human resources systems, especially if those systems do not interconnect with any federal information systems.3
In other words, the OMB memo covers IT owned or operated by federal agencies, as well as any IT used by a contractor under a contract where the agency requires the use of that IT, either expressly or to a significant extent.
The OMB memo contains three compliance deadlines. Below, we describe each deadline, and then discuss how this deadline affects government contractors.
By March 29, 2023, federal agencies are required to 1) identify the use or presence of TikTok on IT, 2) remove and disallow installations of TikTok on IT owned or operated by agencies and 3) prohibit internet traffic from IT owned by agencies to TikTok. In other words, agencies must eliminate TikTok from phones and systems and prohibit internet traffic from reaching the site.
The March 29, 2023, deadline is for agencies, so it does not require immediate action by contractors. To the extent that companies can, however, it is prudent to coordinate with contracting officials to facilitate compliance by the agency.
The OMB memo further provides that by May 28, 2023, agencies must 1) ensure that any new contracts issued do not contain requirements that may include the use of TikTok in performance and 2) cease use of contracts that contain requirements that may include use of TikTok in performance of the contract or so modify those contracts.
The May 28, 2023, deadline is the most important for government contractors. By this date, contractors will want to ensure that they themselves are compliant with the earlier agency deadline. In other words, contractors should ensure that TikTok 1) is removed from all of its IT 2) cannot be downloaded or otherwise accessed on any company IT and 3) any use thereof can be identified.
Technically, contractors are required to address only IT that is used in the performance of a government contract. It is recommended, however, that contractors take steps to ensure that all company IT meets these requirements given that the IT utilized in the performance of a contract is often fluid and not easily segregated. This is particularly true in the case of IT used by contractor employees for a variety of purposes, only one of which may involve meeting contract performance requirements.
By June 27, 2023, for any contracts whose performance may involve the use of IT by the contractor, agencies must 1) ensure that any modification that extends the period of performance, including through exercise of an option, includes a requirement to conform with the TikTok ban and 2) ensure that each agency solicitation thereafter that may involve use of IT by a contractor requires conformance with the TikTok prohibition as part of any resulting contract. In other words, by June 27, 2023, all solicitations will include the TikTok prohibition, and no current contract will be extended or have an option exercised without including this prohibition.
Exceptions to the OMB directive are permitted for law enforcement activities, national security interests and activities, and security research, but applications must be submitted in advance for exceptions that are very restrictive and are not automatic.
To date, agencies have not yet released any proposed or interim rules and there have been no proposed Federal Acquisition Regulations (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS) amendments.
Contractors should lean forward on the requirements in the OMB memo and take steps to remove and prohibit TikTok from all information technology that may be used to perform federal contracts. Although the United States could eventually ban TikTok entirely, the precise requirements and implementation time frames are not set. Government contractors, however, have imminent deadlines for compliance with OMB's directive as noted above.
For additional information on the OMB directive and how it impacts government contractors, please contact the authors or any member of Holland & Knight's Government Contracts Group.
2 The "covered application" being banned is defined as "the social networking service TikTok or any successor application or service of TikTok developed or provided by ByteDance Limited or an entity owned by ByteDance Limited."
3 This view is consistent with that expressed in 40 U.S.C. 11101, Department of Defense Instruction 5000.82, Acquisition of Information Technology, and OMB’s 2012 Memo (M-12-20) providing reporting instructions under the Federal Information Security Management Act (FISMA).