The latest updates and analysis from Morrison Foerster
June 22, 2023 - Compliance, Cybersecurity & Data Privacy

When Does the So-Called TikTok Ban Really Apply to Contractors and Their Employees?

Cybersecurity abstract image

In the extensive chatter since the Federal Acquisition Regulatory Council (“FAR Council”) published an interim rule on the new Federal Acquisition Regulation (FAR) 52.204-27, “Prohibition on a ByteDance Covered Application,” commentators have almost universally advised that if a federal contractor’s employee uses a device in connection with a government contract in any way, TikTok is banned on that device.  These conclusions seem to rely on the common understanding of the term “information technology.”  But both the underlying congressional statute and the new implementing FAR clause adopt a specific statutory definition of “information technology” that is far more nuanced and far from clear in its scope.  Contractors may be ignoring this nuance and reading too much into the clause to their disadvantage.  Rather than assume the ban is more extensive than the text of the interim rule requires, contractors should use the notice-and-comment period to ask the FAR Council to clarify the rule’s intended scope.

Statutory and Regulatory Framework

The No TikTok on Government Devices Act became law on December 29, 2022, as part of the Consolidated Appropriations Act of 2023, Public Law 117-328 (the “Act”).  The Act requires all federal agencies to follow Office of Management and Budget (OMB) guidance to ensure that TikTok, and any other successor applications or services developed or owned by ByteDance Limited, are removed from all federal information technology.  The Act covers “information technology” as defined in 40 U.S.C.§ 11101(6), which states: 

The term “information technology”—

(A) with respect to an executive agency means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use—

(i) of that equipment; or

(ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product;

(B) includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but

(C) does not include any equipment acquired by a federal contractor incidental to a federal contract.

On February 27, 2023, the OMB released Memorandum M-23-13 (“OMB Memorandum”), which provides guidance on implementing the Act’s mandates.  The OMB guidance also referenced the statutory definition of information technology in 40 U.S.C. § 11101(6), and noted (emphasis added): 

That definition reaches not only IT owned or operated by agencies, but also IT “used by a contractor under a contract with the executive agency that requires the use” of that IT, whether expressly or “to a significant extent in the performance of a service or the furnishing of a product.”  That definition does not, however, “include any equipment acquired by a federal contractor incidental to a federal contract.”

OMB did not elaborate on what it means for a contract to “require[] the use” of particular IT, what a “significant extent” is, or what “incidental” means in this context.

On June 2, 2023, the FAR Council published an interim rule, effective immediately, implementing the Act and OMB Memorandum and requiring inclusion of the new FAR 52.204-27 clause in solicitations issued on or after June 2.  The interim rule also calls for modification of indefinite-delivery contracts to apply the FAR clause to future orders, inclusion of the clause in existing contracts when options are exercised or the period of performance extended, and amendment of pending solicitations to add the clause by no later than July 3, 2023. 

In the “discussion and analysis” preface to the interim rule, the FAR Council stated, in an oft-quoted conclusion:  “The FAR clause at 52.204–27 prohibits contractors from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the contractor under a contract, including equipment provided by the contractor’s employees.”  88 FR 36431.  It also notes, however, that the interim rule “uses the statutory definition of ‘information technology’ because Public Law 117-328 does so.  This is different from the FAR definition of ‘information technology’ at 2.101, which excludes imbedded information technology.”  Id.

Contributing to the perceived breadth of the interim rule, the FAR Council and Administrator for Federal Procurement Policy have decided to apply the new FAR clause to essentially all federal contracts, including contracts at or below the simplified acquisition threshold; contracts for commercial products and services, including commercially available off-the-shelf (COTS) items; and contracts at or below the micropurchase threshold.  The clause is also a mandatory flowdown in all subcontracts, including those for commercial products or commercial services.

Open Questions Create Ambiguity in Application of the Rule

Although Congress, the OMB, and the FAR Council all use the 40 U.S.C. § 11101(6) definition of information technology, none has explained what the definition means in this context.  This creates ambiguity in the application of the new FAR clause.  This is so because the definition does not encompass all contractor information technology, or even contractor information technology that may somehow relate to a covered contract.  Instead, the definition extends only to equipment that “is used by a contractor under a contract with the executive agency that requires the use— (i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product.”  (Emphasis added.)  The rule also continues to carve out an exception for “equipment acquired by a federal contractor incidental to a federal contract.”  (Emphasis added.) 

Ambiguities abound, which prevent anyone from stating with certainty what the scope of this new rule is.  For example, what is the difference between an agency (i) requiring use of equipment, or (ii) requiring use of that same equipment to a significant extent?  The FAR Council, like Congress, joined these two requirements with a disjunctive “or,” so presumably they are intended to be two different categories of requirements.  But, if any contractually required use of the equipment triggers the ban, then required use “to a significant extent” are empty words that simply prohibit what is already prohibited under the first prong of the disjunction.  That is not the way statutes or regulations usually work, so the drafters almost certainly meant something other than what the text seems to say.[1]

This mystery notwithstanding, it seems apparent that to meet the definition of “information technology” covered by the new FAR clause, a government agency must have required use of the equipment in connection with a government contract.  This happens with some regularity in terms of government-furnished equipment, or implicit requirements for contractors to use their own equipment to access government systems.  However, explicit agency directives do not generally extend to day-to-day use of company-issued laptops, or employees’ personal devices, to conduct all other work related to government contracts, such as email communications with customers.  Strictly applying the new clause’s text, a specific contractual requirement to use particular equipment would be necessary for the TikTok ban to apply.  There almost certainly would be no such requirement specified in a micropurchase order, or simplified purchase order for a COTS product.  It thus seems there is a significant disconnect between what most observers assume is an intended broad reach of the interim rule, and the textual definition of “information technology” in the rule itself. 

And what does the carve-out for “any equipment acquired by a federal contractor incidental to a federal contract” mean?  In the absence of an agency requirement for a contractor (or subcontractor) to use its own (or its employees’) information technology equipment in connection with a government contract, wouldn’t most contractor or bring your own device (BYOD) equipment fall within the “incidental” equipment exception? 

The authors of the congressional statute, the OMB Memorandum, and the interim rule adopted a narrow definition of “information technology” that is at odds with the much more extensive scope that most observers assume the “TikTok ban” has.  Lack of clarity in the statute, the memorandum, and the regulation is stymying contractors’ ability to know precisely what equipment is covered, and how they are supposed to implement the ban.  Ironically, the FAR Council, in concluding that the new clause imposes minimal burdens on contractors, states without providing any guidance:  “It will be particularly important for contractors to clearly explain to their employees when a covered application is prohibited on a personal device used in performance of a Federal contract.”  88 FR 36432.  If procurement attorneys and industry experts can’t explain with certainty what exactly is banned, it is unclear how businesses can be expected to explain it to their employees.   

Issues for Comment

The FAR Council has invited industry to submit comments on the interim by August 1, 2023.  We urge impacted contractors, subcontractors, and the trade associations that represent them to accept that invitation.  Among the questions that require clarification are:

  • If an agency does not specifically require use of specific information technology equipment, does that mean such equipment is not covered by the clause? 
  • What would such a “requirement” look like?  For example, is it a requirement only if the contract itself (or a written order of the contracting officer) states the contractor must use the specific technology?
  • How can the clause apply to micropurchases when the mechanisms used for such purchases—primarily use of government purchase cards—often do not involve the flow down or transfer of any formal terms to the “contractor”?
  • Does the ban cover any device that sends, receives, or stores data generated in the performance of a government contract?  If so, why does the clause not say that?
  • What distinction is meant by use “(i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product”?  Does the FAR Council mean to say that the equipment is covered only if the contractor is required to use it “to a significant extent” (whatever that means)?  Or is all equipment covered if a contract expressly requires its use, plus any implicitly required equipment only if the contractor actually uses it “to a significant extent”?    
  • What does “incidental to a federal contract” mean?  If a contract does not expressly require a contractor to acquire or use particular equipment, does that make the equipment incidental? 
  • Is use of a personal or company device to answer email from government customers “incidental”?  What about a device occasionally used to take telephone calls from government employees who want to discuss contract performance?  What about devices employees use to log time they spend working on company projects, including covered contracts?
  • What about use of a personal or company device to market or sell a product to a government customer?
  • Are COTS product manufacturers expected to ban TikTok from every one of their employees’ devices if those employees are in any way involved in the development of a product that the U.S. government purchases?
  • In the BYOD context, how does the FAR Council expect contractors to enforce employees’ compliance with the rule?  Is it enough to institute the policy and provide training, or are contractors expected to conduct random checks of the applications employees have on their BYOD telephones?

These are just a few of the many questions that spring to mind when reading the imprecise interim rule.  Without clarification and precision in language, some contractors will over-comply, others will under-comply, and no one will be able to figure out who is right. 

In addition to demanding clarification, industry should advocate for a common-sense balance between the federal government’s legitimate national security concerns and the actual threat posed by the potential presence of TikTok on some contractor employees’ personal devices.  Mitigation measures, such as use of container management features to isolate work-related programs from the remainder of an employee’s device, are a potential option.  Given the prevalence of BYOD policies, such measures are arguably more secure than a mere written policy requesting that employees not use certain apps on the own devices. 

At the end of the day, a well thought out final rule is needed for the government to address its real concerns about intrusive technology.  No one’s interests are served by broad-brush prohibitions that lack enforcement mechanisms and are difficult to comprehend or implement as written.

[1] The OMB, in Memorandum M-23-13, appears to interpret the first prong to refer only to express contract requirements, whereas the second is intended to capture use that is not expressly required but nevertheless comprises a “significant extent” of contract performance.  But that is not what the statute or regulation says.