AGENCY:

Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION:

Interim rule.

SUMMARY:

DoD, GSA, and NASA are issuing an interim rule amending the Federal Acquisition Regulation (FAR) to implement a section of the Consolidated Appropriations Act, 2023, and its implementing guidance.

DATES:

Effective June 2, 2023.

Applicability:

• Contracting officers shall include the clause at FAR 52.204–27, Prohibition on a ByteDance Covered Application—

○ In solicitations issued on or after June 2, 2023; and

○ In solicitations issued before the effective date, provided award of the resulting contract(s) occurs on or after the effective date. The amendment of the solicitation must be accomplished by July 3, 2023.

• For existing indefinite-delivery contracts only, contracting officers shall modify them, in accordance with FAR 1.108(d)(3), to include the FAR clause at 52.204–27, Prohibition on a ByteDance Covered Application, by July 3, 2023, to apply to future orders.
• If exercising an option or modifying an existing contract or task or delivery order to extend the period of performance, contracting officers shall include the clause. When exercising an option, agencies should consider modifying the existing contract to add the clause in a sufficient amount of time before exercising the option and to provide contractors with adequate time to comply with the clause.

Agencies whose mission or operational posture prevents Start Printed Page 36431 compliance with the timelines above must notify the Federal Chief Information Officer by sending a message to ofcio@omb.eop.gov prior to July 3, 2023.

Comment Date: Interested parties should submit written comments to the Regulatory Secretariat Division at the address shown below on or before August 1, 2023 to be considered in the formation of the final rule.

ADDRESSES:

Submit comments in response to FAC 2023–04, FAR Case 2023–010 to the Federal eRulemaking portal at https://www.regulations.gov by searching for “FAR Case 2023–010”. Select the link “Comment Now” that corresponds with “FAR Case 2023–010”. Follow the instructions provided on the “Comment Now” screen. Please include your name, company name (if any), and “FAR Case 2023–010” on your attached document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR FURTHER INFORMATION CONTACT section of this document for alternate instructions.

Instructions: Please submit comments only and cite “FAR Case 2023–010” in all correspondence related to this case. Comments received generally will be posted without change to https://www.regulations.gov, including any personal and/or business confidential information provided. Public comments may be submitted as an individual, as an organization, or anonymously (see frequently asked questions at https://www.regulations.gov/​faq). To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission to verify posting.

FOR FURTHER INFORMATION CONTACT:

Farpolicy@gsa.gov or call 202–969–4075. Please cite FAR Case 2023–010. For information pertaining to status, publication schedules, or alternate instructions for submitting comments if https://www.regulations.gov cannot be used, contact the Regulatory Secretariat Division at 202–501–4755 or GSARegSec@gsa.gov. Please cite FAC 2023–04, FAR Case 2023–010.

SUPPLEMENTARY INFORMATION:

I. Background

This interim rule implements section 102 of Division R of the Consolidated Appropriations Act, 2023 (Pub. L. 117–328), the No TikTok on Government Devices Act, and its implementing guidance under OMB Memorandum M–23–13, dated February 27, 2023, “No TikTok on Government Devices” Implementation Guidance. The rule revises the FAR to implement the prohibition on having or using the social networking service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited (“covered application”). This prohibition applies to the presence or use of any covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the contractor under a contract, including equipment provided by the contractor's employees, unless an exception is granted in accordance with Office of Management and Budget (OMB) Memorandum M–23–13.

TikTok is a software application owned and operated by ByteDance Limited, a privately held company headquartered in Beijing, China. The Consolidated Appropriations Act, 2023, enacted the No TikTok on Government Devices Act, which instructs the Director of OMB, in consultation with the Administrator of General Services, the Director of the Cybersecurity and Infrastructure Security Agency, the Director of National Intelligence, and the Secretary of Defense, to develop standards and guidelines for agencies requiring the removal of TikTok from Federal information technology.

OMB Memorandum M–23–13 fulfills the requirement of section 102 of Division R of Public Law 117–328 by directing agencies to remove any covered application (“TikTok”) from Federal devices and providing instructions and deadlines for that removal.

II. Discussion and Analysis

This rule amends FAR part 4, adding a new subpart 4.22, Prohibition on a ByteDance Covered Application, with a corresponding new contract clause at 52.204–27, Prohibition on a ByteDance Covered Application.

This rule uses the statutory definition of “information technology” because Public Law 117–328 does so. This is different from the FAR definition of “information technology” at 2.101, which excludes imbedded information technology.

This rule adds text in subpart 13.2, Actions at or Below the Micro-Purchase Threshold, to address the prohibition with regard to micro-purchases.

This rule adds a cross-reference in part 39, Acquisition of Information Technology, to call the attention of contracting officers to the new prohibition.

The FAR clause at 52.204–27 prohibits contractors from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the contractor under a contract, including equipment provided by the contractor's employees.

This prohibition applies to devices regardless of whether the device is owned by the Government, the contractor, or the contractor's employees ( e.g., employee-owned devices that are used as part of an employer bring your own device (BYOD) program). A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition.

III. Applicability to Contracts at or Below the Simplified Acquisition Threshold (SAT) and for Commercial Products (Including Commercially Available Off-the-Shelf (COTS) Items), or for Commercial Services

This rule adds a new clause at FAR 52.204–27, Prohibition on a ByteDance Covered Application, to implement the requirements of section 102 of Division R of Public Law 117–328, and its implementing guidance under OMB Memorandum M–23–13. The clause is prescribed at FAR 4.2203 for use in solicitations and contracts unless an exception is granted in accordance with OMB Memorandum M–23–13.

A. Applicability to Contracts at or Below the Simplified Acquisition Threshold

41 U.S.C. 1905 governs the applicability of laws to acquisitions at or below the SAT. Section 1905 generally limits the applicability of new laws when agencies are making acquisitions at or below the SAT, but provides that such acquisitions will not be exempt from a provision of law under certain circumstances, including when the Federal Acquisition Regulatory Council (FAR Council) makes a written determination and finding that it would not be in the best interest of the Federal Government to exempt contracts and subcontracts in amounts not greater than the SAT from the provision of law. The FAR Council has made a determination to apply this statute to acquisitions at or below the SAT.

B. Applicability to Contracts for the Acquisition of Commercial Products and Commercial Services, Including Commercially Available Off-the-Shelf (COTS) Items

41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial products and commercial services and is intended to limit the applicability of laws to Start Printed Page 36432 contracts for the acquisition of commercial products and commercial services. Section 1906 provides that if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt commercial contracts, the provision of law will apply to contracts for the acquisition of commercial products and commercial services.

41 U.S.C. 1907 states that acquisitions of COTS items will be exempt from certain provisions of law unless the Administrator for Federal Procurement Policy makes a written determination and finds that it would not be in the best interest of the Federal Government to exempt contracts for the procurement of COTS items.

The FAR Council has made a determination to apply this statute to acquisitions for commercial products and commercial services. The Administrator for Federal Procurement Policy has made a determination to apply this statute to acquisitions for COTS items.

C. Determinations

The FAR Council has determined that it is in the best interest of the Government to apply the rule to contracts at or below the SAT and for the acquisition of commercial products and commercial services. The Administrator for Federal Procurement Policy has determined that it is in the best interest of the Government to apply this rule to contracts for the acquisition of COTS items.

While the law does not specifically address acquisitions of commercial products and commercial services, including COTS items, there is an unacceptable level of risk for the Government in allowing the presence or use of a covered application on information technology, including certain equipment used by Federal contractors. This level of risk is not alleviated by the fact that the service or product being acquired has been sold or offered for sale to the general public, either in the same form or a modified form as sold to the Government ( i.e., that it is a commercial product or COTS item), nor by the small size of the purchase ( i.e., at or below the SAT). As a result, agencies may face increased risk of exposure if the presence or use of a covered application is allowed on a contract for commercial services or commercial products (including COTS items). The prohibition on having or using a covered application on information technology, including certain equipment used by Federal contractors, is a national security measure to protect Government information and information and communication technology systems.

IV. Expected Impact of the Rule

This rule is not expected to have a significant economic impact on businesses. The changes made in this rule are less complex than other prohibitions that have been incorporated into the FAR, such as the prohibition on contracting for certain telecommunications and video surveillance services or equipment, which requires reviewing a contractor's supply chain to uncover any prohibited equipment or services. See FAR clause 52.204–25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. The changes made by this rule do not require a contractor to review its supply chain. Additionally, there is no reporting requirement by a contractor such as those required by 52.204–25, and by FAR clause 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities. The changes made by this rule do require contractors to leverage existing technology, policies, and procedures already in place and update those to prohibit the presence or use of a covered application or the URLs associated with a covered application on devices used by a contractor under a contract with the Government. It is expected that contractors already have technology in place to block access to unwanted or nefarious websites, prevent the download of prohibited applications (apps) to devices, and remove a downloaded app. Additionally, it is expected that contractors already have policies in place for employees to follow for workplace technology. It is recognized that these policies will need to be updated to include the prohibition on having or using a covered application, and that implementation of the prohibition may also require employee communications or training on this new requirement. It will be particularly important for contractors to clearly explain to their employees when a covered application is prohibited on a personal device used in performance of a Federal contract.

The efforts required by a contractor to update its technology and policies to implement the prohibition on having or using TikTok will be limited to an initial review of technology and policies for TikTok or any successor application or service and will only require review of policies periodically thereafter. This is also quite different from prohibitions that require frequent reviews of the supply chain.

V. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993.

VI. Congressional Review Act

The Congressional Review Act (5 U.S.C. 801–808) requires interim and final rules to be submitted to Congress before the rule takes effect. DoD, GSA, and NASA will send this rule to each House of the Congress and to the Comptroller General of the United States. The Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget has determined that this is not a major rule under 5 U.S.C. 804.

VII. Regulatory Flexibility Act

DoD, GSA, and NASA do not expect this rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601–612, because of the reasons discussed in section IV of this preamble. However, an Initial Regulatory Flexibility Analysis (IRFA) has been performed and is summarized as follows:

DoD, GSA, and NASA are amending the FAR to implement the prohibition on having or using the social networking service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited (“covered application”). The rule prohibits the presence or use of a covered application on agency information technology, including certain equipment used by Federal contractors.

This interim rule is being implemented as a national security measure to protect Government information and information and communication technology systems. The legal basis for the rule is section 102 of Division R of the Consolidated Appropriations Act, 2023 (Pub. L. 117–328), and its implementing guidance under OMB Memorandum M–23–13, which collectively prohibit the presence or use of a covered application on information technology, including certain equipment used by Federal Start Printed Page 36433 contractors. Promulgation of the FAR is authorized by 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.

This rule applies to small and other than small businesses. Based on data obtained from the Federal Procurement Data System, 116,133 unique entities (including 76,206 small businesses) were awarded contracts in FY 2022. DoD, GSA, and NASA do not have data as to how many subcontracts are awarded to small businesses.

The proposed rule does not include any reporting or record keeping requirements.

The rule does not duplicate, overlap, or conflict with any other Federal rules.

There are no available alternatives to the interim rule to accomplish the desired objective of the statute. Because of the nature of the prohibition enacted by section 102 of Division R of Public Law 117–328, it is not possible to exempt small entities from coverage of the rule.

The Regulatory Secretariat Division has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat Division. DoD, GSA, and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities.

DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by the rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (FAR Case 2023–010), in correspondence.

VIII. Paperwork Reduction Act

This rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. 3501–3521).

IX. Determination To Issue an Immediately Effective Interim Rule

A determination has been made under the authority of the Secretary of Defense, the Administrator of General Services, and the Administrator of the National Aeronautics and Space Administration that urgent and compelling reasons exist to promulgate this interim rule effective immediately without prior opportunity for public comment. This action is necessary because section 102 of Division R of Public Law 117–328 and its implementing guidance under OMB Memorandum M–23–13 require agencies to comply with the prohibition on a covered application in contracts no later than 120 days after the effective date of the Memorandum. This interim rule is being implemented as a national security measure to protect Government information and information and communication technology systems. Issuing an interim rule facilitates uniformity and consistency across Government, allows agencies to prepare for the implementation of the requirements of OMB Memorandum M–23–13, limits the chance of incorrect implementation, prevents the need for contracting officers to have to relearn or change procedures if agency-specific guidance differs from the FAR implementation, and aids industry with compliance. However, pursuant to 41 U.S.C. 1707 and FAR 1.501–3(b), the Department of Defense, General Services Administration, and National Aeronautics and Space Administration will consider public comments received in response to this interim rule in the formation of the final rule.

List of Subjects in 48 CFR Parts 4, 13, 39, and 52

• Government procurement

Therefore, DoD, GSA, and NASA amend 48 CFR parts 4, 13, 39, and 52 as set forth below:

1. The authority citation for 48 CFR parts 4, 13, 39, and 52 continues to read as follows:

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.

PART 4—ADMINISTRATIVE AND INFORMATION MATTERS

2. Add subpart 4.22 to read as follows:

Subpart 4.22—Prohibition on a ByteDance Covered Application

PART 13—SIMPLIFIED ACQUISITION PROCEDURES

3. Amend section 13.201 by adding paragraph (k) to read as follows:

PART 39—ACQUISITION OF INFORMATION TECHNOLOGY

4. Amend section 39.101 by adding paragraph (g) to read as follows:

PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

5. Add section 52.204–27 to read as follows:

6. Amend section 52.212–5 by—

a. Revising the date of the clause;

b. Redesignating paragraphs (b)(8) through (63) as paragraphs (b)(9) through (64);

c. Adding a new paragraph (b)(8);

d. Redesignating paragraphs (e)(1)(v) through (xxiii) as paragraphs (e)(1)(vi) through (xxiv);

e. Adding a new paragraph (e)(1)(v);

f. In Alternate II:

i. Revising the date of the Alternate;

ii. Redesignating paragraphs (e)(1)(ii)(E) through (V) as paragraphs (e)(1)(ii)(F) through (W); and

iii. Adding a new paragraph (e)(1)(ii)(E).

The revisions and additions read as follows:

7. Amend section 52.213–4 by—

a. Revising the date of the clause;

b. Redesignating paragraphs (a)(1)(iv) through (x) as paragraphs (a)(1)(v) through (xi);

c. Adding a new paragraph (a)(1)(iv); and

d. Removing from paragraph (a)(2)(vii) “(MAR 2023)” and adding “([June 2023])” in its place.

The revision and addition read as follows:

8. Amend section 52.244–6 by—

a. Revising the date of the clause;

b. Redesignating paragraphs (c)(1)(vii) through (xx) as paragraphs (c)(1)(viii) through (xxi); and

c. Adding a new paragraph (c)(1)(vii).

The revision and addition read as follows: