Prohibited Software & Services (SS-22-002)

Effective Date: 12/1/2022

PURPOSE

Technology providers, products, applications, software, services, and websites may be developed, managed or connected to entities that have direct or indirect ties to those deemed unfriendly and/or hostile to the interests of the state of Georgia. These ties may include hostile private actors and/or foreign governments.  As such, they may access, collect, store or process information from users and state systems, which poses an unreasonable and unacceptable level of risk to the state of Georgia. 

The purpose of this standard is to secure the integrity and confidentiality of state information, data, and systems, and to prohibit the integration, use or deployment of certain Technology in state-owned, leased or otherwise controlled systems or equipment. 

SCOPE and AUTHORITY

O.C.G.A 50-25-4(a)(10) – State Government, Georgia Technology, General Powers

O.C.G.A 50-25-4(a)(21) - State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Charter

STANDARD

In the interest of maintaining the highest standards of security, all Technology shall be closely scrutinized by GTA, including the GTA Office of Information Security, for its overall risk to the state of Georgia and the enterprise.

GTA shall restrict or prohibit access and use of any Technology it deems to pose a risk to the state of Georgia and its networks.  If required by GTA, a state entity shall immediately take necessary action(s) to remove all instances or access to the Technology and effectively prohibit further use of such Technology. 

If after review of said Technology, it is deemed by GTA or the GTA Office of Information Security that the Technology presents an unacceptable level of risk to the security, confidentiality or operational integrity of state data or systems, including a risk of unauthorized access by any entity that may fall under the jurisdictional reach of any foreign government or power, then that Technology shall be prohibited from use on state-owned, controlled or leased information technology systems and devices. If such Technology is already deployed, then immediate steps shall be taken to remove it from state of Georgia-owned, leased or controlled systems or devices.

The following list includes Technology that has been reviewed and deemed prohibited from use on state-owned, controlled or leased information technology systems and devices.  If the following Technology is currently deployed on any state-owned, controlled or leased information technology system and devices, the state entity shall take immediate action to remove all instances or access and establish restrictions to further prohibit further use of such Technology.

Prohibited Vendors, Software and/or Services

1. ByteDance products including but not limited to: TikTok
2. Tencent Holdings products including but not limited to: WeChat
3. Telegram

State entities may request a one (1) year exemption to enable law enforcement investigations and other legitimate business use of prohibited vendors, software and/or services on state-issued devices pursuant to SM-11-007 – Exemption from State Policies and Standards by completing the “PSG Exemption Request” form and submitting it to GTA by emailing: [email protected].  The “PSG Exemption Request” form shall identify the individual submitting the request on behalf of the agency.

A final decision to approve or deny the state entity’s PSG Exemption Request shall be made by the State CIO who may also specify one or more conditions to be addressed by the state entity.  The State CIO shall transmit the decision in writing to a senior executive of the requesting state entity and to the person who submitted the PSG Exemption Request. 

If an extension is required, the exempted state entity shall submit a renewal request pursuant to SM-11-007 Exemption from State Policies and Standards thirty (30) days prior to the expiration of the approved exemption.

RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES

PS-08-031 Information Security – Risk Management

SM-11-007 Exemption from State Policies and Standards

TERMS AND DEFINITIONS

Technology - Providers, products, applications, software, services, and websites used to process, store, secure and exchange all forms of electronic data.

State entity – All state agencies, boards, authorities, and commissions of the executive branch of Georgia state government.