New TikTok Ban Doesn't Reach All Contractor IT or Employees' Personal Devices
Contractors Have a Range of Compliance Options Depending on Information Technology Equipment Requirements in Their Contracts
Effective June 2, 2023, all federal contracts and solicitations are required to include a new Federal Acquisition Regulation (FAR) clause: FAR 52.204-27, Prohibition on a ByteDance Covered Application. This clause implements Section 102 of Division R of the Consolidated Appropriations Act of 2023, "No TikTok on Government Devices Act."
A previous Holland & Knight alert detailed the possible interpretations of the new clause and compliance approaches that could minimize legal risk for federal contractors and subcontractors. The authors recommended a broad interpretation and approach that could minimize disputes with federal agency contracting officers who interpret the clause as broadly applying to any information technology used by a contractor or its employees (including employees' personal devices) in the performance of a government contract.
While that is one approach to compliance, it is not the only approach, and the authors are careful to avoid suggesting that it is legally required by FAR 52.204-27. This is because FAR 52.204-27 has important provisions limiting the information technology to which it applies. The clause does not prohibit the presence or use of TikTok on all information technology used by a contractor or its employees in performance of a covered contract. Instead, Congress established a legal definition of "information technology" subject to the TikTok prohibition, which was carried into FAR 52.204-27, that limits the reach of the clause to information technology "required" by an executive agency, either expressly or to a significant extent. Because existing federal contracts generally do not require the use of employees' personal devices either expressly or to a significant extent, such "optional" or "elective" information technology falls outside the scope of the clause. Thus, contractors retain discretion to adopt a compliance approach that is something less than a blanket prohibition of TikTok on employees' personal devices that they elect to use in the performance of the contractor's federal contracts.
As explained below, FAR 52.204-27 does not apply to all "information technology" that a contractor might use in performing its government contracts. Instead, FAR 52.204-27 (tracking the statutory language of Section 102) limits the scope of the "information technology" covered by the prohibition to equipment used by a contractor under an executive agency that "requires the use" of the that equipment, either specifically or "to a significant extent in the performance of a service or the furnishing of a project." Congress thus placed the burden on federal agencies to specify information technology requirements in their statements of work or performance work statements, and the plain language of the prohibition does not apply to any equipment used by a contractor that is discretionary rather than required under the contract.
For many federal contractors, especially sellers of commercial products or commercial services, their contracts generally do not require the use of specific information technology equipment, either expressly or to a significant extent, in the performance of work. Instead, the current inventory of federal prime contracts generally includes performance-based specifications such as performance work statements, and leaves the question of what information technology equipment the contractor elects to use (or not use) entirely up to the contractor's sole discretion. In such cases, the contractor's obligations under FAR 52.204-27 are limited to information technology equipment that is required by an executive agency contract (specifically, or to a significant extent). When a contract is silent on the information technology equipment the contractor must use in the furnishing of its products, the prohibition of FAR 52.204-27 does not apply to information technology equipment the contractor elects to use at its discretion to perform the contract.
This application of the prohibition of FAR 52.204-27 is consistent with (even mandated by) the text of Section 102. In Section 102, Congress defined the "information technology" to which the TikTok ban would apply by incorporating by reference the definition of "information technology" in 40 U.S.C. 11101. This definition includes equipment or systems "used by a contractor under a contract" that also meets the following requirement: the contract "requires the use-- (i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product." This definition of "information technology" expressly excludes equipment "acquired by a federal contractor incidental to a federal contract." It is a plain language corollary to the statutory text that "information technology" likewise excludes equipment a contractor uses in the performance of a federal contract that contains no stated requirement for its use.
The Office of Management and Budget (OMB) Memo expressly adopted the definition of "information technology" at 40 U.S.C. 11101, as it was required to do by Section 102. Likewise, the FAR Council incorporated this definition word-for-word in the text of the new clause at FAR 52.204-27.
While the limited interpretation above is objectively consistent with the text of the Interim Rule and 40 U.S.C. 11101 by way of Section 102, the FAR Council included language in the Federal Register Notice announcing FAR 52.204-27 that could create fodder for an erroneously expansive view of the clause. There, the FAR Council's analysis said:
This prohibition applies to devices regardless of whether the device is owned by the Government, the contractor, or the contractor's employees (e.g., employee-owned devices that are used as part of an employer bring your own device (BYOD) program). A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition.
This statement raises questions about how individual contracting officers might erroneously apply the clause for two reasons:
- First, the FAR Council sets a line for exclusion at "a personally-owned cell phone that is not used in the performance of the contract." A contracting officer who did not first apply the definition of "information technology" could erroneously assert that a personally owned cell phone that is used in the performance of a contract, to any extent, would be subject to the prohibition under FAR 52.204-27.
- Second, the FAR Council's reference to "employee bring your own device" (BYOD) programs could create confusion that the clause reaches personal devices without consideration of the definition of "information technology."
However, such an expansive interpretation is not what Congress intended or explicitly directed. The FAR Council has no legal authority to extend the TikTok ban beyond the statutory text of Section 102, which expressly limits its application to "information technology" as a defined term. For a personal device or personally owned cell phone to fall within the scope of the clause, it must meet the definition of "information technology." The definition of "information technology" quite clearly limits itself to equipment required by an executive agency contract. Thus, while Contractors have the option of simply banning the presence of TikTok on all comply information technology (including employees' personal devices) used in performance of a federal contract, such a policy is not required by the plain language of FAR 52.204-27. Instead, less intrusive or disruptive approaches exist.
One path is to issue guidance to relevant employees to review existing and new contracts to assess which information technology is required either expressly or to a significant extent. As noted above, the text of FAR 52.204-27 – specifically the legal definition of "information technology" – does not extend to any information technology a contractor or employee may use in the performance of federal contracts. Thus, a contractor could issue guidance to relevant employees making them aware of the new clause at FAR 52.204-27, stating the company's policy to comply, asking them to review new and existing contracts that include FAR 52.204-27 to look for any specific information technology whose use is required expressly or to a significant extent. If any contracts expressly require such information technology, this can be reported to a centralized compliance authority (the company's chief compliance officer, for example) for coordination with the contractor's information technology function to ensure any such required equipment complies with the ban.
The "relevant employees" who should receive such guidance would probably include contract management personnel responsible for review solicitations, requests for proposal, requests for quotation and newly awarded contracts and orders under contracts that include FAR 52.204-27. It may also make sense to include management and relevant program personnel responsible for performance of such contracts and orders, even though they may not be on the front line of reviewing contractual language.
The guidance to relevant employees to review contracts and orders for information technology equipment requirements should closely track the definition of "information technology" in FAR 52.204-27. Employees should be asked to carefully review contracts and orders that include FAR 52.204-27 to look for information technology equipment requirements. They should be instructed to look for provisions of the contract that require the use of specific information technology equipment, either specifically or to a significant extent in the performance of a service or the furnishing of a product or service.
In addition, employees should be reminded that information technology equipment that might be expressly called for in a contract includes a range of technology, including equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information by the executive agency. This includes computers, ancillary equipment (including imaging peripherals, input, output and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services) and related resources.
The key is for employees to look for express requirements in the contract or order – most likely (but not necessarily exclusively) in the text of a statement of work, product description, specification, performance work statement or other "requirements" section of the contract or order. When an employee identifies such required information technology equipment, it should report the findings to the company's existing compliance authority for coordinated response to ensure the company prohibits the presence or use of covered applications on such equipment.
The understanding and application of FAR 52.204-27 are still in its early stages. The foregoing blog post is based on currently available legal resources and government guidance. The Interim Rule is subject to public comment and may be clarified or modified in the issuance of a future Final Rule. This may result in changes to understanding the prohibition and its scope. As the earlier alert noted, it is also possible that some contracting professionals within the government have taken a more expansive view of this requirement. When adopting a more tailored approach in line with the legal definition of "information technology," contractors should be prepared to engage with and educate the government customer regarding the limited scope and reach of the clause to information technology used by contractors and their employees.