State details how agencies must apply TikTok ban
The Texas plan requires agencies to ban employees and contractors from downloading the app and other prohibited tech on connected state devices, identify areas where sensitive information could be exposed and implement network-based restrictions.
Less than two months after he announced one of the first state bans on using TikTok on government devices, Texas Gov. Greg Abbott unveiled a statewide model security plan so agencies can implement that ban.
Abbott’s ban goes beyond TikTok and also prohibits the use of a slew of applications, software and hardware from China, Russia and other countries, including popular apps such as WeChat and Alipay. Also on the prohibited list are companies like Huawei and ZTE, which are already subject to federal bans and have also been the subject of state-level bans.
Technologies will be regularly monitored for possible inclusion on the banned list, which could be updated in the future.
Agencies are directed to “identify, track, and control” state-owned devices to prohibit access to or installation of TikTok and other banned technologies under the model plan developed by the Texas Department of Public Safety (DPS) and the Texas Department of Information Resources (DIR). That includes restricting access to app stores, remotely wiping any mobile devices not in compliance and configuring firewalls to block prohibited domains.
The plan covers all state-issued cell phones, laptops, tablets, desktop computers and other internet-connected devices. “Each agency’s IT department must strictly enforce this ban,” the plan states.
The model plan also prohibits employees and contractors from carrying out state business on personal devices that use any of the banned technology. It requires any agency that wishes to implement a bring-your-own-device program to be able to manage those devices and prevent the installation of banned software.
Agencies must also create a guest security profile that prevents the use or download of prohibited technologies and retain the ability to remove any state-related business or applications from the personal device.
To protect sensitive information such as IT configurations, criminal justice and financial information as well as personally identifiable data, the plan calls for agencies to identify sensitive locations, meetings—physical and virtual—and personnel that could be exposed to personal devices that have prohibited technology.
They must also indicate when someone is entering a sensitive location, prohibit the use of unauthorized devices in those spaces and allow for their storage outside sensitive areas. Visitors are also subject to these restrictions, with agencies responsible for securing areas they wish to control.
And in addition to DIR’s existing firewalls that prevent the use of prohibited technologies on the state network, agencies must configure their firewalls to block their use throughout their technology infrastructures, including local networks and through virtual private networks. Prohibited technologies can be used through a separate network, subject to the agency head’s approval, the plan says.
There are exceptions to this plan, however. Agency heads can approve exceptions to help investigations by law enforcement or for other “legitimate business uses.” Devices granted an exception should be used on separate networks, according to the plan, with cameras and microphones disabled. Personal devices used for state work can also receive exceptions for “extenuating circumstances and only granted for a pre-defined period of time,” the plan says.
Public higher education institutions also can issue exceptions to accommodate student use of state email addresses. Those exceptions will be restricted to the student’s use of a personal device either owned or leased by themselves or a member of their immediate family and shall have what the plan describes as “network security considerations” to protect the university’s network and data.
Agencies have until Feb. 15 to provide the state with their own plan to implement the directive. Abbott said in a statement that it is “critical that state agencies and employees are protected from the vulnerabilities presented by the use of this app and other prohibited technologies as they work on behalf of their fellow Texans.”