This bill bars downloading or using applications that are developed, owned, or controlled by entities connected to the People’s Republic of China on any Federal Government device, while allowing a narrow, agency-head authorized exception for research or intelligence purposes. It centralizes the process for identifying covered apps and pushes removal decisions to agency leaders with an expectation of documented safeguards for any approved exceptions.
For compliance officers and federal IT managers, the bill changes how app risk is identified and managed: it compels formation of a cross-agency process to define covered applications, imposes a statutory removal requirement once an app is listed, and forces agencies to adopt formal exception procedures with cybersecurity safeguards and documented mitigation steps. That shifts programmatic responsibility from discretionary IT policy to statutory process and deadlines.
At a Glance
What It Does
The bill prohibits downloading or using any application that is developed, owned, or controlled by entities tied to the People’s Republic of China on Federal devices, subject to a limited research/intelligence exception granted by an agency head. It directs the Office of Management and Budget, in consultation with DHS, DoD, and the DNI, to issue guidance on creating and updating a list of covered applications and requires agencies to remove identified apps from devices within 60 days.
Who It Affects
All executive-branch agencies (including the Executive Office of the President and independent regulatory agencies) must implement removals, craft exception guidance, and document mitigation. The bill also affects app developers and vendors that are headquartered in, controlled by, or affiliated with PRC-linked entities, as well as federal IT service contractors and cybersecurity vendors supporting removal and compliance efforts.
Why It Matters
This statute puts app-level restrictions into law rather than policy, creating recurring OMB-driven reviews of risky applications and a short statutory removal window. It brands a category of software as a national-security risk and allocates responsibility across OMB, DHS, DoD, and the intelligence community—raising implementation, procurement, and operational questions for federal IT programs.
What This Bill Actually Does
The core of the bill makes certain mobile or desktop applications off-limits on government-owned or controlled devices when those apps are tied to Chinese entities or are judged by the Department of Defense to pose an undue national security risk. Rather than leaving identification to informal agency rules, the bill mandates a named process: OMB, working with DHS, DoD, and the DNI, will set how the government prepares and updates a list of covered applications.
Once an app lands on that list, agencies must act to remove it from federal devices within a statutorily short window.
Agencies are not left without a path to access: heads may authorize use of a covered application if needed for research or intelligence functions required by law, but only after they adopt guidance that includes cybersecurity safeguards and documented risk-mitigation steps. That requirement forces agencies to translate operational exceptions into written controls and to show that they considered and reduced cybersecurity risk before permitting continued use.
The bill also defines the universe it targets: covered applications include those developed, owned, or controlled by PRC-headquartered entities, entities controlled by the PRC or the Chinese Communist Party, and their parents, subsidiaries, or affiliates; additionally, the Secretary of Defense can designate an application as posing an undue national security risk.
Because the statute places identification, consultation, removal timing, and exception documentation into law, it transforms discretionary IT governance into a repeatable, interagency process that federal CIOs will need to operationalize.
The Five Things You Need to Know
The bill bans downloading or using on Federal Government devices any application developed, owned, or controlled by entities tied to the People’s Republic of China.
Agency heads may permit a covered application only for research or intelligence functions required by law—and must document risk mitigation and cybersecurity safeguards for such exceptions.
OMB must issue guidance, in consultation with DHS, the Department of Defense, and the Director of National Intelligence, on how the government will create and update the list of covered applications.
When an application is identified as covered, agencies must remove it from Federal devices within 60 days of that identification.
The Secretary of Defense may determine that an application poses an undue national security risk; that determination is one of the bases for an app being treated as 'covered.'
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
States the Act’s name: the 'Securing Federal Devices from Chinese Applications Act.' This is purely stylistic but signals the bill’s national-security framing and will be the reference title used in guidance and agency communications.
Prohibition on download or use
Establishes the core prohibition: covered applications may not be downloaded or used on a Federal Government device unless the head of the agency makes a specific determination allowing use for research or intelligence purposes. Practically, this converts what many agencies now treat as policy-level blacklist decisions into a statutory prohibition that requires affirmative, documented authorization to override.
Agency exception guidance and documentation
Directs each agency to issue guidance for implementing the exception within a statutory period after enactment; that guidance must include cybersecurity safeguards and require development and documentation of specific risk mitigation steps. The provision requires agencies to translate exceptions into controlled, auditable processes, which will be central to internal audits and inspector-general reviews.
OMB-led process to identify covered applications
Assigns OMB responsibility for issuing guidance on how the list of covered applications will be created and updated, and mandates consultation with DHS, DoD, and the DNI. The provision establishes a recurring review model (initial guidance followed by periodic updates), institutionalizing interagency collaboration rather than leaving designations to a single agency.
Removal deadline
Requires agency heads to ensure that any application identified as covered is removed from Federal devices within 60 days of identification. That short timeline will require rapid inventorying, technical controls (MDM/endpoint management), and coordinated rollout of removals across agency fleets.
Definitions (agency, covered application, cybersecurity)
Defines key terms: 'agency' captures virtually all executive-branch entities but expressly excludes the governments of the District of Columbia and U.S. territories; 'covered application' covers apps tied to PRC-headquartered or PRC-controlled entities as well as apps the Secretary of Defense designates as undue national security risks; and 'cybersecurity' is defined in operational terms to orient the safeguards required for exceptions.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal cybersecurity teams and CIO offices — Benefit from a clear statutory mandate and an OMB-coordinated list that centralizes threat identification, enabling prioritized mitigation and contract planning.
- National security and intelligence components — Gain a formal exception pathway that preserves access for statutory intelligence and research missions while forcing standardized safeguards and documentation.
- Cybersecurity vendors and integrators — Stand to win new contracts to inventory devices, implement removals, enforce policy via endpoint management, and design mitigation controls for approved exceptions.
Who Bears the Cost
- Executive-branch agencies broadly — Face operational and compliance costs to inventory devices, roll out removals within 60 days, draft exception guidance, and document mitigation measures; those costs fall heaviest on agencies with large device fleets.
- Federal employees and contractors using apps for productivity — May lose access to popular consumer apps that agencies decide are covered, disrupting workflows and requiring retraining or replacement tooling.
- App developers and parent companies with PRC ties — Will see exclusion from federal devices and potentially indirect reputational or commercial impacts when listed as 'covered,' affecting contracts and partnerships with U.S. government entities.
Key Issues
The Core Tension
The bill balances the legitimate need to protect federal networks from foreign influence and exploitation against the operational and procedural burdens of sweeping app restrictions: a short removal deadline and broad ownership definitions close security gaps quickly but risk overreach, disrupted operations, and limited procedural recourse for affected vendors or agencies.
The bill raises several implementation and legal questions. First, the mechanics of identification and designation leave room for uncertainty: OMB issues guidance 'on how' the list will be created, but the statute does not prescribe transparent criteria or an appeals process for vendors or agencies that contest a designation.
That gap creates risk of inconsistent treatment across update cycles and potential friction with vendors who may be delisted only after operational disruption.
Second, the mixture of ownership-based and risk-based standards could sweep in companies with indirect ties to PRC entities (parents, subsidiaries, affiliates) even if their software operates independently. The statute explicitly authorizes the Secretary of Defense to deem an app an 'undue risk,' concentrating a substantive national-security judgment in DoD while leaving day-to-day list curation to OMB and DHS consultation.
Agencies will also shoulder the logistics of removing apps within 60 days—an aggressive timeframe that may collide with procurement rules, legacy systems, and devices that are personally owned but used for work under Bring-Your-Own-Device policies. Finally, excluding DC and territorial governments from the definition of 'agency' creates a patchwork where devices used in similar roles are regulated differently, potentially complicating intergovernmental cooperation and shared services.