This bill prohibits executive-branch agencies from using the DeepSeek application or any successor application developed or provided by High Flyer (or an entity owned by High Flyer). It directs the Office of Management and Budget to issue standards and guidelines requiring agencies to remove the covered application from federal information technology, and it creates enumerated exceptions for law enforcement, national security, and security researchers.
The measure matters because it is a named-vendor prohibition that imposes a quick compliance timeline and a documentation requirement for any authorized uses. For federal CIOs, security teams, and procurement officers, the bill creates an immediate operational task: identify where DeepSeek exists in agency systems and implement removals or formal exception workflows with risk mitigations.
At a Glance
What It Does
The bill requires the Director of OMB to develop standards and guidelines—within 60 days of enactment—that obligate executive agencies to remove the defined 'covered application' from agency information technology. OMB must develop those standards in consultation with the Administrator of GSA, the Director of CISA, the Director of National Intelligence, and the Secretary of Defense and ensure consistency with federal information-security requirements under subchapter II of chapter 35 of title 44, U.S. Code.
Who It Affects
Federal CIOs, agency IT and cybersecurity teams, GSA procurement and contract managers, and components that use DeepSeek for mission work. The named vendor (High Flyer) and any entities it owns are directly targeted; law enforcement and national-security units that rely on the application face a formal exception process.
Why It Matters
A statute that singles out a commercial application is an unusual procurement and security tool; it signals a low-tolerance approach to a specific vendor or technology and raises immediate compliance and enforcement questions for agencies. The requirement to document risk mitigations for exceptions also creates a new records and oversight trail for sensitive uses.
What This Bill Actually Does
The bill defines a 'covered application' narrowly: DeepSeek and any successor application or service developed or provided by High Flyer or an entity owned by High Flyer. It borrows existing federal definitions for 'executive agency' and 'information technology' so the prohibition applies across the usual universe of federal IT assets and systems.
Once enacted, OMB must act fast. The statute sets a 60-day clock for OMB to produce standards and guidelines that require agencies to remove the covered application from agency information technology.
Those standards must be developed in consultation with GSA, CISA, the Office of the Director of National Intelligence, and the Department of Defense, and must be consistent with existing federal information-security law. Practically, agencies will need to run inventories, use mobile-device and endpoint management tools to remove or block the app, update acceptable-use policies, and adjust procurement and onboarding practices to prevent reinstallation.
The bill does not create a blanket prohibition without exception. It permits authorized uses for law enforcement, national-security activities, and security researchers. But any agency that retains a covered application under an exception must develop and document risk mitigation actions for that use. That documentation requirement creates an administrative pathway to approve limited uses while producing an audit trail that oversight entities can review.
There is no penalty schedule in the text: the mechanism is administrative—OMB standards to compel removal and a documented exception process—not criminal or monetary sanctions. That makes the practical levers compliance guidance, oversight, and internal agency enforcement rather than statutory fines or civil liability contained in the bill text.
The Five Things You Need to Know
The bill defines 'covered application' as the DeepSeek application or any successor application or service developed or provided by High Flyer, including entities owned by High Flyer.
OMB must develop the removal standards and guidelines within 60 days of enactment.
OMB must consult with the Administrator of GSA, the Director of CISA, the Director of National Intelligence, and the Secretary of Defense when preparing the standards.
Exceptions are explicit for law enforcement activities, national-security interests and activities, and security researchers; any authorized use under an exception requires the agency to develop and document risk-mitigation actions.
The standards must be consistent with federal information-security requirements found in subchapter II of chapter 35 of title 44, U.S. Code (the federal information security framework).
Section-by-Section Breakdown
Short title
Establishes the Act's name: 'No DeepSeek on Government Devices Act.' This is a signaling device that makes the statute easily referable and identifies the legislative target; while ceremonially minor, named-bill titles can matter in procurement debates and public messaging.
Who and what the ban covers
Sets the scope by defining 'covered application' to include DeepSeek and any successor application or service developed or provided by High Flyer or an entity owned by High Flyer. It also adopts statutory definitions of 'executive agency' and 'information technology' from existing federal law. The ownership hook ('entity owned by High Flyer') expands the reach beyond the immediate vendor and creates a mechanism to capture successor products tied to corporate structures.
OMB must produce removal standards within 60 days
Directs the Director of OMB to issue standards and guidelines that require agencies to remove the covered application from information technology, and to do so within a 60-day clock from enactment. OMB must work with GSA, CISA, DNI, and the Department of Defense when crafting the guidance and must align the guidance with federal information-security law. Practically, this assigns OMB an implementation leadership role and signals that removal is intended to be swift; it also centralizes interagency coordination through named security and procurement agencies.
Limited exceptions plus required risk-mitigation documentation
Authorizes exceptions for law enforcement, national-security activities, and security researchers but conditions those exceptions on agencies developing and documenting risk mitigation measures for each authorized use. This creates an administrative approval path for cases where use of the tool is mission-essential, while requiring agencies to record how they will manage privacy, security, and operational risk.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal cybersecurity teams: They gain an explicit statutory lever to remove a named tool quickly and a centralized OMB process to coordinate technical mitigations and policy changes.
- Privacy and civil-liberties advocates: The ban on a named AI application reduces use-cases that could raise privacy, surveillance, or algorithmic-risk concerns and creates an auditable exception process.
- Competing vendors of similar tools: Vendors that are not affiliated with High Flyer could capture displaced demand in federal procurements once agencies seek replacement solutions.
- Oversight bodies and auditors: The documentation requirement for exceptions creates records that inspectors general and congressional oversight committees can use to assess and challenge agency decisions.
Who Bears the Cost
- High Flyer and related entities: The named-vendor prohibition directly targets the company’s federal market and could curtail existing and future government contracts.
- Agency IT and procurement teams: Agencies must inventory, remove, block, and prevent reinstallation across heterogeneous devices and systems—work that consumes staff time and budget.
- Operational components using DeepSeek: Units that rely on the tool for mission work (including data analysis, investigations, or mission-specific automation) may face capability gaps and will need transition plans.
- GSA, CISA, and OMB staff: These agencies must support the guidance, consultations, and potentially ongoing oversight without appropriation language—an unfunded administrative burden.
Key Issues
The Core Tension
The central tension is between immediate security precaution—removing a specific, potentially risky commercial AI tool from government systems—and preserving operational flexibility and technological innovation for mission-essential work. The bill favors a quick, blunt preventive action, but that approach can produce capability gaps, administrative burdens, and contested lines over what counts as an acceptable exception.
The bill raises several practical and legal implementation challenges. First, identifying all instances of a named application across agency IT is nontrivial: installations may be on managed endpoints, removable media, cloud accounts, contractor systems, or embedded in other workflows.
Agencies will need device-management controls, inventory processes, and potentially contract amendments to ensure removal. Second, the ownership-based definition ('entity owned by High Flyer') may generate disputes over successor products, corporate restructurings, or rebranding; agencies and vendors can reasonably disagree about whether a product is a 'successor' or whether an independent developer’s product falls within the ban.
Third, the statute relies on administrative standards rather than explicit enforcement provisions. That design centralizes authority at OMB and the named consultative agencies but leaves open questions about consequences for noncompliance, the degree of agency discretion in granting exceptions, and how thoroughly risk mitigations must be documented.
Finally, the exception regime is brief: it permits law enforcement and national-security uses while requiring documented mitigations. In practice, agencies may interpret the exception language broadly or narrowly, and the balance between mission needs and security caution will depend largely on internal agency governance and external oversight.