This bill targets a single commercial application—DeepSeek—by directing federal authorities to eliminate its presence from executive-branch information technology. The statute names the application (and successors tied to its developer, High Flyer) and sets a process for agencies to follow.
The measure matters to IT managers, procurement officers, and security teams because it converts a vendor-specific security decision into a statutory requirement, creates a short implementation window for central agencies to issue removal guidance, and preserves narrow exceptions for law enforcement, national security, and security researchers provided agencies document risk mitigations.
At a Glance
What It Does
The bill requires the Office of Management and Budget to develop standards and guidelines—within a fixed period—for executive agencies that mandate removal of the covered application from agency information technology. The rules must be consistent with federal information-security law and include documented mitigation requirements for permitted exceptions.
Who It Affects
Executive agencies and their IT inventories, federal procurement and contract managers, agency cybersecurity teams, and the named vendor (High Flyer) and its successors. Contractors and third-party cloud providers that deliver or host agency IT may need to change configurations or contracts.
Why It Matters
This is an explicit, vendor-specific federal ban that relies on OMB guidance rather than new enforcement penalties; it sets a precedent for targeting a named commercial product for removal from government IT and creates immediate operational work for agencies and central IT governance bodies.
What This Bill Actually Does
The bill defines the covered application narrowly: DeepSeek and any successor product developed or provided by High Flyer or an entity owned by High Flyer. It borrows existing statutory definitions for "executive agency" and "information technology," which confines the ban to the executive branch and to the statutory scope of federal IT.
That definitional choice matters for who must comply and what assets are in scope.
Substantively, the statute directs the Director of OMB to issue standards and guidelines that require removal of the covered application from agency information technology. OMB must consult with GSA, CISA, the Director of National Intelligence, and the Secretary of Defense as it drafts those standards.
The bill ties implementation to the federal information security framework in title 44, meaning agencies will carry out removals consistent with existing FISMA-style duties and agency security plans rather than under a new penalty regime written into this Act.
The text builds in three narrow exception categories—law enforcement activities, national security interests and activities, and security research—and requires agencies to document risk mitigation measures for any authorized use under those exceptions. Practically, agencies will need to create exception workflows, record approvals, and maintain mitigation documentation.
IT teams should expect to run inventories, remove software from managed devices, update configuration baselines, and patch or reconfigure integrations where DeepSeek was embedded into workflows.
Operationally, the statute raises immediate procurement and contract questions: agencies will need to review contracts, task orders, and cloud-hosting arrangements for embedded uses; modify or add contract clauses to prohibit the covered app going forward; and determine obligations for contractors who use the app on government-furnished equipment versus personal devices. Because the law references existing information-security authorities rather than spelling out enforcement penalties, compliance will fall to agency program managers, CIOs, and central OMB oversight rather than a new enforcement office.
The Five Things You Need to Know
The statute defines a "covered application" as the DeepSeek application or any successor developed or provided by High Flyer or an entity it owns.
OMB must develop standards and guidelines requiring removal of any covered application from executive-agency information technology within 60 days of enactment.
OMB must consult with the Administrator of GSA, the Director of CISA, the Director of National Intelligence, and the Secretary of Defense when drafting the guidance.
The bill creates exceptions for law enforcement, national security activities, and security researchers, but requires agencies to develop and document risk-mitigation actions for any authorized use under those exceptions.
The text does not create new civil or criminal penalties; it implements the ban through OMB guidance tied to existing federal information-security law rather than an explicit enforcement mechanism in the statute.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Gives the Act the name "No DeepSeek on Government Devices Act." This is purely stylistic and does not affect substantive obligations, but it signals the bill's narrow, product-specific focus, which matters for legal interpretation and communications.
Definitions — covered application, executive agency, information technology
Sets three operative definitions. "Covered application" ties the prohibition to DeepSeek and any successor provided by High Flyer or an entity it owns, which limits the statute to a single vendor lineage. "Executive agency" and "information technology" are defined by cross-reference to existing federal statutes, anchoring who and what is in scope to established statutory terms rather than drafting new categories.
OMB-led removal standards and interagency consultation
Directs the OMB Director to produce standards and guidelines that require removal of the covered application from agency IT and instructs OMB to consult GSA, CISA, DNI, and the Secretary of Defense. The guidance must be consistent with title 44 information-security requirements, so agencies will implement removals through their FISMA-style security planning and reporting processes. The statute sets a 60-day window for OMB action, creating an aggressive timeline for central policy development.
Exceptions and documented mitigations
Authorizes exceptions for law enforcement, national security, and security research. For any authorized exception, agencies must develop and document risk mitigation actions. The provision creates an exceptions process but does not prescribe approval authorities, mitigation standards, or review cycles, leaving those operational rules to OMB guidance or agency policy.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal IT and cybersecurity teams — gain a clear, central mandate to remove a named application, simplifying risk prioritization and reducing disagreement over whether to allow the app in agency environments.
- National security and intelligence community actors focused on supply-chain and data-exfiltration risk — the ban reduces one identified potential vector and centralizes review through OMB and CISA consultation.
- Competing commercial vendors — companies that offer alternative search or productivity tools may win new government contracts once a named competitor is excluded from agency use.
- Agency legal and procurement offices — receive a statutory basis to require contract amendments and justify deprovisioning the app in cloud and managed-service contracts.
Who Bears the Cost
- High Flyer and any corporate successors — lose access to executive-branch customers and will face revenue and reputation impacts from a statutory ban targeted at their product line.
- Executive agencies' CIOs and IT operations teams — must inventory assets, remove the app from devices and cloud environments, update baselines, and handle help desk and workflow disruptions.
- Contractors and service providers — those who supplied integrations or relied on the app for deliverables may need to refactor services, negotiate contract changes, or bear transition costs.
- OMB, GSA, CISA, DNI and DoD staff — required to consult and produce guidance within a compressed 60-day period, creating an administrative and technical workload without additional appropriations specified.
Key Issues
The Core Tension
The central dilemma is immediacy versus governance: banning a named product quickly addresses a discrete perceived security risk, but a vendor-specific prohibition sacrifices a durable, vendor-neutral security framework and raises enforcement, scope, and circumvention problems that the bill leaves to administrative guidance rather than solving in statute.
The statute adopts a vendor-specific approach rather than a vendor-neutral security standard. That makes the response immediate and narrowly focused, but it also invites implementation challenges: agencies must track not only the named product but any successor or rebranded variant tied to the same corporate lineage.
The narrow definition may create opportunities for circumvention if ownership structures change or if feature sets migrate into other products.
Key operational ambiguities remain. The bill ties the action to "information technology" as defined in title 40 and to "executive agency" as defined in title 41, but it does not explicitly say whether personally owned devices used for government business, contractor-managed IT, or third-party cloud-hosted integrations are in-scope beyond those statutory definitions.
The exceptions carve out broad categories (law enforcement, national security, security research) but leave the standards for approving exceptions and for what constitutes adequate "risk mitigation actions" unspecified. Finally, the statute relies on OMB guidance and existing information-security authorities rather than creating a standalone enforcement mechanism or funding for the removal and transition work, which may slow compliance in practice.