About this Policy
TikTok Research Policy
Policy Number: 12007
Effective Date:
Sep 10, 2024
Last Updated:
Sep 10, 2024
Responsible Office:
Division of Information Technology
Responsible Administrator:
Vice President for Information Technology
Policy Contact:
Kate Stoan
Director, Research Security and Compliance
kstoan@umsystem.edu
Categories:
- General Administration
- Information Technology
Prohibition on a TikTok (ByteDance) Covered Application
Scope
Applies to all University employees, including students in employment status, and recognized volunteers and all other appointments (paid or unpaid) who are performing services in connection with a federal contract acquiring goods or services, regardless of whether their role involves performing research or other services on a federal contract or supporting the negotiation and execution of a federal contract. For example, application of the policy extends not only to individuals performing research or services called for by a federal contract, but also to individuals who provide supporting services (including but not limited to business, compliance, and research security services) for the negotiation or execution of federal contracts. Federal research grants, cooperative agreements, and other federal funding agreements will fall outside the scope of this policy unless they contain specific clauses similar to those addressed below.
Reason for Policy
The U.S. Department of Defense, General Services Administration, and National Aeronautics and Space Administration issued an interim rule implementing the No TikTok on Government Devices Act, applicable to any contract solicitations the agencies issue. The Federal Acquisition Regulatory Council determined that the presence or use of TikTok on covered IT poses "an unacceptable level of risk" to national security. The Federal Acquisition Regulation (FAR) has been amended to include a new contract clause, FAR 52.204-27, Prohibition on a ByteDance Covered Application, which will be included in federal contracts to implement the interim rule.
For federal contracts containing FAR 52.204-27, the interim rule prohibits government contractors and subcontractors, such as the University, from having or using the TikTok application (or any successor application or service provided by ByteDance Limited): 1) on any information technology (IT) equipment owned or managed by the Government, or 2) on IT equipment used or provided by a contractor under a government contract, whether the IT is owned by the contractor or by a contractor employee.
The University is a recipient of federal contracts and must comply with this prohibition when included in federal contracts.
Policy Statement
- With regard to any federal contract acquiring goods or services:
- The University prohibits the presence or use of the TikTok application (app), or any successor app developed or provided by ByteDance or a subsidiary, on IT equipment used in contract performance, including IT equipment owned by an employee which is used in performance of the contract.
- The University requires employees to ensure that the TikTok app or any successor app developed or provided by ByteDance or a subsidiary is not installed or is uninstalled:
- On any University-owned IT equipment used or provided by the University in performance of a federal contract;
- On any IT equipment leased or otherwise acquired by the University that is used or provided by the University in performance of a federal contract; and
- On any personally owned IT equipment used in performance of a federal contract. This includes, but is not limited to, personally owned cell phones or tablets used in performance of a federal contract.
- Under this policy, IT equipment is considered to be used in the performance of a federal contract if it is used in performing research or services called for by a federal contract or providing supporting services (including but not limited to business, compliance, and research security services) for the negotiation or execution of the contract. For example, this includes, but is not limited to, an individual’s personally owned cell phone that is used to receive and transmit emails about research or services called for by a federal contract or about supporting services for negotiation or execution of the contract.
- Personally owned cell phones or other electronic devices that are not used in the performance of a federal contract are excluded from the FAR 52.204-27 requirements and this Policy.
- Employees responsible for awarding subcontracts under a federal contract will ensure that the substance of FAR 52.204-27 is included in any subcontract, including any subcontract for the acquisition of commercial products or commercial services.
- Employees responsible for issuing contracts to consultants who assist the University in proposal development or assist the University in providing supporting services (including but not limited to business, compliance, and research security services) for the negotiation or execution of federal contracts will ensure that the substance of FAR 52.204-27 is included in the contract.
- Federal research grants, cooperative agreements, and other federal funding agreements will fall outside the scope of this policy unless they contain specific clauses similar to FAR 52.204-27.
Procedures
Enforcement
Failure to abide by this policy may result in denial of access to University IT and telecom resources and may also result in disciplinary action up to and including termination.
Definitions
Information Technology:
as defined in 40 U.S.C. 11101(6)—
(1) Means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use—
(i) Of that equipment; or
(ii) Of that equipment to a significant extent in the performance of a service or the furnishing of a product;
(2) Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but
(3) Does not include any equipment acquired by a Federal contractor incidental to a Federal contract.
Accountabilities
Vice President for Information Technology:
- Work with CIOs to implement and adopt the removal of TikTok from University IT equipment covered by this policy.
- Work with CIOs to prevent the downloading of TikTok to University IT equipment covered by this policy.
- Work with CIOs and Research Security and Compliance to distribute guidance and/or related procedures for the removal of TikTok from University and personal IT equipment covered by this policy.
Campus/business unit CIOs:
- Lead implementation and adoption of removal of TikTok from University IT equipment covered by this policy and guidance for the removal of TikTok from personal IT equipment covered by this policy.
Research Security and Compliance:
- Assist implementation and adoption of removal of TikTok from University IT equipment covered by this policy and guidance for the removal of TikTok from personal IT equipment covered by this policy.
Campus Sponsored Programs Administration:
- Assist in the identification of FAR 52.204-27, Prohibition on a ByteDance Covered Application and any similar clauses or requirements in federal contracts.
University employees:
- Comply with University requirements to remove TikTok from University and personally owned IT equipment covered by this policy.
Additional Details
Forms
Related Information
Exceptions: Limited exceptions to the rule are available for law enforcement activities, national security interest and activities, and security research. As identified in OMB Memorandum M-23-13, exceptions must be granted by an agency head or their designee and are limited to one-year periods. Application of this exception will be facilitated by Research Security and Compliance. Additional exceptions to this Policy may be granted in writing by Research Security and Compliance on a case-by-case basis.
History
Procedure
Reviewed 2024-09-10