CMMC 2.0: Why Banning Tiktok on US Devices is a Good Idea
On June 2nd, 2023, the FAR Council issued an interim rule to enact the prohibition on using or having TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited. The TikTok ban doesn’t just apply to Government-issued devices. The rule also covers devices owned by contractors and even personal devices used for work (BYOD) by contractor employees. Under the Interim Rule, which took immediate effect, solicitations issued on or after June 2nd, 2023, should include the new FAR clause 52.204-27, Prohibition on a ByteDance Covered Application. Additionally, contracts issued before the effective date must be amended by July 3rd, 2023, if the award of the resulting solicitation(s) was to occur on or after the effective date. This requirement also applies to existing indefinite-quantity and indefinite-delivery contracts.
It meant that the rule would appear in almost all solicitations within two months. This raised questions and concerns about enforcement and compliance across sectors involved in government contracts. The effects of this prohibition are far-reaching, especially for contractors who rely on personal devices to perform tasks related to government contracts. The primary concern is how to effectively enforce such a ban on personal devices without infringing on individual rights or privacy while still maintaining the integrity and security of government data.
Why Did the US Ban TikTok?
It is important to note that the US Government hasn’t imposed a nationwide ban on TikTok. However, FAR 52.204-27 restricts its use on government devices and by government contractors due to national security concerns. The only State that has an existing law purporting to ban TikTok across its borders is Montana. However, in a lawsuit against Montana’s TikTok ban, a judge ruled that it “oversteps state power” and “likely violates the First Amendment.” Additionally, a growing number of universities, such as the University of Texas at Austin, Auburn University, and Boise State University, have blocked the app on their campus Wi-Fi networks. While some may view this move as an overreaction or infringement on personal freedoms, there are several compelling reasons why banning Tiktok on US devices is a good idea. So, why is the US banning TikTok in Government-owned, contractor-owned, and even personal devices used for work (BYOD)?
National Security Concerns
Although TikTok CEO asserts that the company is based in Singapore, its parent company, ByteDance, is in Beijing, China. US officials worry that China’s ability to compel access to information under national security laws could compromise the privacy of data collected by TikTok from US users. According to Western legal experts, Chinese national security laws are too broad. They require any citizen or organization in China to help and cooperate with the state “intelligence work.” Unfortunately, the law doesn’t define the meaning of “intellience work.” TikTok has been criticized for its extensive data collection practices, including personal information, location details, device information, and browsing history. Should Chinese authorities gain access to TikTok’s user information, they could use it to identify potential intelligence opportunities by uncovering predilections, vices, or pressure points of a potential blackmail target or spy recruit. Beijing could weaponize this information for nefarious purposes like targeted disinformation campaigns.
Cyber Security Concerns
Beyond data concerns, cybersecurity vulnerabilities raise national security alarms. The app’s Chinese ownership, ByteDance, raises critical questions about potential vulnerabilities:
- Backdoor access: Experts warn of potential “backdooring,” where the Chinese government could leverage apps like TikTok to gain unauthorized access to US government networks and exfiltrate data.
- Data breaches: Any large platform is susceptible to cyberattacks, but TikTok’s Chinese connection heightens anxieties. State-sponsored cyberattacks by China are a growing concern, and the potential for stolen data to reach Chinese authorities fuels further worry.
- Malware and spyware: While not confirmed, some cybersecurity experts suspect the app itself could contain malicious software designed to collect user data or compromise devices. In fact, Tiktok’s parent company, ByteDance, has been criticized for monitoring employee communications and potentially using that information for surveillance purposes.
To mitigate these risks, lawmakers implemented a ban on TikTok across government-owned devices, contractor devices, and even personal devices used for work purposes.
Data Security and Privacy Concerns
Another reason for the TikTok ban hinges on deep-seated concerns surrounding data security and privacy. There have been concerns about the app’s aggressive data collection practices, with some experts arguing they go beyond industry standards. But how does TikTok use this data? TikTok’s data handling practices have been criticized for their lack of transparency. It is unclear how user data is being used or who has access to it. And that’s not all. TikTok has been accused of sharing user data with third-party companies, which could use it for targeted advertising or other purposes. Under GDPR, TikTok should first seek user consent before collecting or using user data. TikTok maintains that US data is now stored in data centers within the US and Singapore. However, a 2022 Buzzfeed investigation revealed that ByteDance employees in China “repeatedly” accessed non-public US user data.
Algorithm Transparency Issues
The lack of transparency surrounding TikTok’s algorithm and content recommendation system raises concerns about its ability to manipulate and influence users. National security officials have voiced their concerns that Beijing may leverage TikTok’s content moderation and recommendation algorithms to influence content shown to US citizens. This, again, leads to national security anxieties, fearing potential manipulation for foreign agendas and misinformation. TikTok has taken steps to increase transparency, such as providing general information about the algorithm’s factors and offering limited user controls. As part of “Project Texas,” Oracle reportedly is auditing TikTok algorithms to ensure US user information is secure from manipulation. However, critics argue these are insufficient measures.
Enforcing TikTok Ban With Intune
Implementing a ban on TikTok across devices within an organization can be effectively managed using Microsoft Intune’s comprehensive suite of MDM and MAM tools. The process begins with the creation of App Protection Policies, specifically tailored to prevent unauthorized applications like TikTok from accessing organizational data. For BYOD scenarios, MAM policies target only the apps containing corporate data, designating TikTok as a prohibited app using its bundle ID. Thus, you can safeguard your corporate data without fully managing the personal device. For organization-owned devices, MDM policies can be employed to outright block the installation of TikTok. Compliance policies complement these measures by defining and enforcing compliance standards that consider devices with TikTok installed as non-compliant, utilizing Intune’s app inventory capabilities to detect unauthorized installations and take automated actions like user notifications, access blocks, or corporate data wipes for non-compliance.
Additionally, Intune facilitates direct application control, allowing administrators to blacklist apps like TikTok, thereby preventing its installation or execution on enrolled devices, or to implement a whitelist strategy, implicitly excluding TikTok by only allowing approved applications. Integration with Azure Active Directory Conditional Access further strengthens enforcement by restricting access to corporate resources from devices that fail to comply with the TikTok ban based on device compliance status or user sign-in risk. The implementation of these technical measures necessitates clear communication with users to explain the ban’s rationale, its implications, and the necessary steps for compliance, ensuring that policies respect user privacy in BYOD contexts. Regular auditing of app compliance policies and conditional access settings is crucial to adapt to evolving threats and organizational policy changes. This ensures your organization is FAR clause 52.204-27 compliant and adheres to an established data security plan.
The Challenge of Enforcing the Ban
Experts and industry professionals have been vocal about the challenges posed by this new regulation. The subjective language used in the Federal Acquisition Regulation, such as “significant extent in the performance of a service or the furnishing of a product,” has sparked debates on its interpretation. This ambiguity leaves room for varied understanding among ISSMs, SCAs, and contractors, potentially leading to inconsistencies in enforcement. Additionally, Implementing FAR 52.204-27 faces privacy challenges as balancing employee concerns about personal data intrusion with national security goals requires navigating a complex legal and ethical landscape. Historically, the DoD has taken a strict stance on BYOD policies, with some contracts outright forbidding the use of personal devices for contract-related activities. This recent expansion of the TikTok ban reiterates the government’s cautious approach towards managing cybersecurity risks, particularly those posed by applications deemed to compromise the security of sensitive information.
TikTok Ban and Regulatory Compliance
The government’s decision to ban TikTok resonates with several critical security requirements outlined in NIST SP 800-171 and CMMC, emphasizing the significance of managing threats, safeguarding CUI, and implementing robust security policies. NIST 800-171 mandates monitoring, controlling, and protecting communications at organizational system boundaries. The ban of TikTok on government-owned, contractor information systems and personal BYODs acts as a measure to safeguard against external threats. Additionally, requirements such as controlling information on publicly accessible systems and protecting CUI from unauthorized disclosure underscore the risks associated with TikTok’s data collection practices, making the ban a proactive step in mitigating potential disclosure threats.
CMMC AC domain requires that organizations take some access control requirements. The TikTok ban reinforces the imperative to limit information system access to authorized users. Additionally, entities should meet requirements of the SC domain such as protection of CUI confidentiality at rest. However, there are strong views that TikTok may exfiltrate data to data centers located in mainland China. By adhering to the prohibition rule, you can rest assured that unless exfiltrated or compromised otherwise, your CUI will remain safe at rest. Enforcing the TikTok ban, organizations can help your NIST and CMMC compliance efforts. It also showcases commitment to mitigating risks, limiting the exposure of CUI, and compliance with stringent security protocols.
The Importance of CMMC 2.0 Compliance
CMMC compliance is highly beneficial for defense contractors and suppliers. It can provide a competitive edge, enhance relationships with prime contractors, enhance cybersecurity, boost trust with customers and partners, reduce liability, and simplify compliance efforts. As the DoD increases its NIST 800-171 audits and certification requirements for DoD contract eligibility, there is no better time than now to start the process of obtaining CMMC certification.
Increased Trust
Achieving CMMC compliance can also increase client and partner trust in a business, demonstrating their dedication to safeguarding sensitive information through a well-established and reliable metric.
Competitive Advantage
By becoming CMMC certified early, businesses can gain a competitive advantage as CMMC requirements will limit the pool of contractors eligible for new contracts. Obtaining compliance at an early stage will also make it easier to get certification more quickly as the assessment process becomes shorter.
Improved Cybersecurity Posture
CMMC provides a comprehensive roadmap for securing information systems and data. By implementing the controls required by CMMC, businesses can mitigate risks and improve their cybersecurity posture. This can protect them from costly and embarrassing hacks and breaches.
Reduced Liability
Finally, CMMC can help reduce a business’s liability in the event of a data breach or cybersecurity incident. By following best practices and complying with the framework, companies can prove they took the necessary steps to mitigate risks and did everything right, even if something goes wrong.
Prime Opportunities
CMMC requirements flow down from prime contractors to sub-contractors, and achieving compliance now can help businesses demonstrate their commitment to the framework. By doing so, they can prove that they take CMMC seriously and won’t cause any compliance issues for their affiliates. This can establish trust with prime contractors, which can be a significant opportunity for businesses.
Protecting the DIB with a Ban on Tiktok
By banning Tiktok on government-issued devices, the US government is taking proactive measures to protect the DIB from cyber threats. Tiktok’s questionable data handling practices make it an unacceptable risk to the sensitive information and systems used in the DIB. Additionally, banning Tiktok on government-issued devices helps companies in the DIB to maintain compliance with CMMC 2.0 regulations and avoid costly penalties.
In Conclusion
The US government’s possible ban on Tiktok on government-issued devices is a wise decision in the interest of protecting the DIB from cyber threats. With the implementation of CMMC 2.0 regulations, it is crucial that companies in the DIB maintain a high level of cybersecurity to safeguard sensitive information. By banning Tiktok, companies can avoid potential security breaches and remain compliant with the latest cybersecurity regulations.
Share in Social Media
See More Case Studies
Securing Defense Contracts: A DFARS 252.204-7012 Compliance Case Study
Discover how Cleared Systems helped a Federal Contractor successfully achieve DFARS 252.204-7012 compliance by strengthening its cybersecurity posture, giving it a competitive edge when bidding for DoD Contracts.
What is GCC High? For ITAR & CMMC 2.0
Microsoft 365 Government Community Cloud (GCC) High is a specialized cloud solution tailored for U.S. federal, state, local, tribal, and territorial government organizations, as well as for contractors who hold or process data subject to specific security regulations. In this article, we will explore the features, benefits, and differences between Microsoft 365 GCC High and other Office 365 offerings.
How to Get Help in Windows: Guide to Security and Compliance Support
In today’s digital landscape, ensuring your computer systems are secure and compliant with industry regulations is essential for both businesses and individuals. Windows, as one
Microsoft Copilot for GCC High: Enhancing Security and Compliance
In today’s fast-evolving digital landscape, organizations that handle sensitive data, particularly those in government sectors or defense contractors, face growing pressure to maintain strict security
ITAR Explained: Why It Matters for U.S. Companies
The International Traffic in Arms Regulations (ITAR) is a set of U.S. government regulations designed to control the export and import of defense-related articles and
Partner with Us for Compliance & Protection
We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.
Your benefits:
- Client-oriented
- Security
- Compliance
- Peace of mind
- Efficiency
- Trust
What happens next?
Schedule an initial meeting
Arrange a discovery and assessment call
Tailor a proposal and solution