Protecting the State’s Cybersecurity Interests

Executive Order 2023-10

April 4, 2023

WHEREAS, the security and privacy of Arizonans’ data is of the utmost importance to the State of Arizona, and it is in the best interest of the State to perform due diligence and exercise due care in safeguarding that data to reduce cybersecurity risks; and

WHEREAS, cybersecurity experts have expressed concerns about the collection of user data by the social networking service TikTok or any successor application or service of TikTok developed or provided by ByteDance Limited, a privately held company headquartered in Beijing, China, or any parent, subsidiary or entity under common control with ByteDance Limited (collectively, “TikTok”), including personal information, browsing history, and location data, that far exceed what is needed for the application to function. The handling of this data, particularly with regards to the potential for access by foreign governments, is of particular concern; and

WHEREAS, TikTok has been found to have security vulnerabilities that, if unresolved, could expose State-owned or State-leased devices to malicious actors creating potential security and privacy risks to State agencies and the systems and data the State is charged with protecting; and

WHEREAS, TikTok has been banned on government devices by the federal government, several other states, countries, and organizations due to security concerns and concerns about the application’s potential to spread misinformation and propaganda. 

NOW, THEREFORE, I, Katie Hobbs, Governor of the State of Arizona, by the virtue of the authority vested in me by the Arizona Constitution and the laws of this State, do hereby order as follows:

  1. Within 30 days of this Order’s issuance, all State Agencies shall remove TikTok from State-owned and State-leased information technology and personal devices used for State work.

    1. Personal devices used for State work include, without limitation, all devices that access State systems, such as email.

  2. The Arizona Department of Administration and the Arizona Department of Homeland Security shall jointly develop a plan to: (i) prohibit the download and installation of TikTok on all State-owned and State-leased information technology; and (ii) prohibit access to TikTok through State information technology within 180 days of this Order’s issuance.

    1. Any State networks that allow guest user access must include such prohibitions in the terms of use acknowledged by such guest user as a term of network access.

  3. Beginning on December 1, 2023 and on an annual basis thereafter, the Arizona Department of Administration and Arizona Department of Homeland Security shall jointly produce a report identifying other applications that pose potential cybersecurity threats and that may need to be similarly restricted, to be delivered to the Governor’s Office, annually on December 1.

  4. All State Agencies may seek exceptions to this Order at any time through a written request to the Arizona Department of Administration and the Arizona Department of Homeland Security.

    1. A request for an exception must include and will be evaluated based on the following information:

      1. The need for the exception, including the intended use of the prohibited application.

      2. The measures that will be taken to mitigate cybersecurity risks posed by the use of the prohibited application. 

      3. The length of time the exception is needed, and the date by which the exception will cease.

    2. Approval of exception requests shall be the responsibility of the Chief Information Officer at the Arizona Department of Administration, in consultation with the Chief Information Security Officer at the Arizona Department of Homeland Security.

  5. The Arizona Department of Administration will develop appropriate procedures for administrative and personnel actions, including any appropriate progressive discipline, to be applied in the event of a violation of this Order.

  6. For the purposes of this Order, the terms “State Agency” and “State Agencies” shall include, without limitation, all executive departments, agencies, offices, and all state boards and commissions and the employees and officers thereof, except for: (a) any State agency that is headed by a single elected State official; (b) the Corporation Commission; and (c) any board or commission established by ballot measure during or after the November 1998 general election. Other statewide elected officials, independent boards and commissions, and the judicial and legislative branches are encouraged to adopt comparable policies, procedures, and protocols for their employees and networks. Notwithstanding any provision herein to the contrary, State Agencies shall enforce the removal required by Section 1 above on any information technology maintained by such State Agencies regardless of the user of such information technology.

  7. For purposes of this Order, the term “information technology” shall mean: (a) any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by a State Agency, if the equipment is used by the State Agency directly or is used by a contractor under a contract with the State Agency that requires the use: (i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product; and (b) any computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.

  8. This Order does not confer any legal rights or remedies upon any person and shall not be used as a basis for legal challenges to any action or inaction of a State Agency.

  9. This Order shall take effect immediately upon signature.