The Office of Management and Budget on Monday published a memo for federal agencies that gives all departments 30 days to ensure Chinese-owned video app TikTok is no longer present on government devices.
The direction of the guidance isn’t new for federal government IT leaders — three senior officials speaking to FedScoop on the condition of anonymity said their agencies had for several months monitored the use of applications such as TikTok — but the policy document poses technical and definitional questions for departments working to implement the new guidance.
While most government agencies took steps to identify instances of TikTok following a push by Congress late last year to ban the use of the application on federal devices, the technology officials have questions remaining on how agencies will demonstrate compliance with the order, what the memo means for Bring Your Own Device policies and the extent to which it is politically driven.
30-day deadline for identifying instances of TikTok
The memo requires government IT leaders within 30 days to “identify the use or presence of a covered application on information technology” and to establish an internal process to adjudicate limited exceptions.
Two of the senior technology officials said their agencies had already conducted the analysis required to establish how many devices were operating TikTok and had taken action to prevent staff from installing and using the application.
IT departments can enforce such measures by remotely removing the application across selected devices, which can also require the use of “allowlists” or “blocklists” when targeting a specific piece of software.
“[I] can’t imagine there’s a single government agency that doesn’t block access to pornography. The same technology can be applied to TikTok,” one official said.
Given agencies’ prior work to identify the use of the video application on government devices, multiple officials were uncertain what evidence OMB would seek from departments to prove compliance with the order.
In addition to identifying instances of the application on devices, the memo requires changes to current and future contracting language to ensure TikTok is not used by federal contractors working on government networks.
The currently serving IT officials said the precise meaning of these changes was unclear because contractors working on government networks generally require access to the same technical pathways that a department’s employees receive.
Another official struggled to think of examples where contractors working with civilian agencies on IT solicitations would need to use TikTok on government networks where a national security exemption would not apply.
A challenge to Bring Your Own Device policies?
The TikTok ban could pose some thorny challenges for federal agencies that have adopted and pushed for a “bring your own device” (BYOD) concept allowing federal employees to connect their personal communication and IT devices to government networks.
“Bring your own device is a big push within federal government agencies. This has been a trend within the government for a while and so banning TikTok could be a big issue within that environment,” said one former federal agency IT leader, speaking with FedScoop on the condition of anonymity.
They added: “How can you block such a device from being downloaded and used on a personal device?”
The federal government in 2012 first released a “Bring Your Own Device” toolkit that gives agencies guidance on how best to empower federal employees to leverage their own personal devices to do their jobs “anywhere, anytime” while still adhering to established security and records requirements.
“This will be a very tough federal agency ban to enforce. You can’t fully block it because people will always find ways around it with VPNs or other workarounds if they want,” said the IT executive.
“The only way to truly stop TikTok use is to copy the playbook of the CCP and have a firewall that stops all access to those within the federal government and contractors.”
To what extent is the memo politically driven?
Federal government career staff and former officials told FedScoop the TikTok ban was largely political in nature given the bipartisan hostility towards Chinese-owned companies and attempts by the Chinese government to surveil Americans or tap into federal devices.
“It’s mostly just a political effort from the Biden administration and Congress to do something easy and quick that signals they’re doing something about China,” said a former federal agency CIO who is now in the private sector.
“It’s a well-known at least perceived risk on both sides so it really only has political upsides and few downsides. Who would stand up to this or push back?” they added.
The bipartisan $1.7 trillion spending bill that was signed into law by President Biden in late December included a ban on the use of TikTok on government devices, except for law enforcement, national security and research purposes.
Another current federal agency CIO speaking with FedScoop said the TikTok ban was common sense and wouldn’t pose much of a burden to federal employees or contractors.
“I think it’s a smart idea from a national security perspective. The prohibition applies to any device that is processing unique federal government information or has access to it – whether that’s a government device or a contractor,” said the CIO, who spoke with FedScoop on the condition of anonymity.
“Why should it be on a government or contracting device in the first place? It has no business being on there. There’s no difference between TikTok and having Candy Crush on your work phone, it’s only really used if you’re bored in a meeting or something,” the CIO added.