Fear of Hacking at DEF CON Vegas: Part 2
Editor’s note: Following is part two of Valiant Puck’s report from DEF CON 33. As said last week, it is based on real events, but elements may be exaggerated ...
Blog | Alias | September 18, 2025
As of September 2025, TikTok remains in legal limbo in the United States. A framework deal is reportedly in progress that would transfer TikTok’s U.S. operations to a consortium of American investors, including Oracle and Silver Lake. While this may preserve the app’s availability, it underscores a deeper shift in how the U.S. government views software and third-party app risk, not just in terms of ownership, but also technical integrity and national security.
This evolving landscape raises a critical question for organizational leaders: How do you govern third-party app usage when even the most popular platforms face sudden bans or divestment orders?
Let’s explore this challenge and offer a practical framework for assessing application risk in today’s complex threat environment.
The rules for using software at work are becoming increasingly complex. The U.S. government has begun evaluating commercial applications in new ways, creating confusing—and often conflicting—messages for organizational leaders. For anyone responsible for security or policy, understanding this shift is critical to protecting your organization.
On one hand, you’re told to worry about where an app originates. On the other, you see popular American-made apps being banned for technical reasons. So how can you create a clear, consistent policy for your employees?
This article cuts through the confusion. We’ll explain the evolving risks and introduce a straightforward resource guide to help you build a policy that makes sense and keeps your organization safe.
Third-party app risk is no longer just about hackers. Today, leaders must monitor two key factors: who owns the app and how technically secure it is.
The government has introduced a “divest-or-ban” model, codified in the Protecting Americans from Foreign Adversary Controlled Applications Act of 2024. If an app is controlled by a company based in a country designated as a foreign adversary, the U.S. government can mandate a sale of the app’s U.S. operations or ban the app entirely. This signals that the ownership and origin of any software vendor are now critical risk factors for your organization.
It’s not just foreign-owned software at risk. Even popular American applications can be flagged as high-risk. For example, in June 2025, the U.S. House of Representatives banned WhatsApp on all official devices—despite it being owned by Meta, a U.S. company. The ban was based purely on technical concerns.
House cybersecurity officials identified three key issues with the app’s security practices and designated it high-risk on that basis.
This case proves that any app—regardless of origin—can be banned if its security practices are insufficient. Your internal review process must evaluate both ownership and technical security.
Features that enhance personal privacy, like disappearing messages, can create major legal and compliance issues for organizations.
For government agencies, the Freedom of Information Act (FOIA) and state public-records laws require that records of official business be preserved and made available on request. It doesn’t matter whether the record is an email or a text message on a personal phone; if it concerns public business, it’s a public record, and the agency must be able to produce it.
For private companies in regulated industries like finance or healthcare, agencies such as the SEC and CFTC enforce strict rules around retaining business communications. Using personal apps like WhatsApp for work has cost major financial firms more than a billion dollars in fines because “off-channel” conversations were never captured in the firms’ records.
Federal agencies have made their expectations clear. The Department of Justice (DOJ) and the Federal Trade Commission (FTC) now require organizations to preserve and produce messages from all applications—including ephemeral ones. Claiming messages are “gone” or “unretrievable” is no longer acceptable and could even result in obstruction of justice charges. The responsibility to capture these communications lies squarely with the organization.
Many leaders ask whether an app is encrypted—but that’s not enough. You must ask who controls the app. There’s a major difference between apps designed for personal privacy and platforms built for organizational governance.
For your organization, the ability to manage, govern, and audit your communication platform is just as important as the app’s security features.
Feeling overwhelmed? You don’t have to be.
To support leaders at SMBs and SLTTs, we’re introducing two new resources: a webinar and a resource guide.
By attending the webinar and using the guide, you’ll gain practical steps to assess third-party application risk and build an app policy that makes sense for your organization.
Workplace software is more complex than ever. A reactive approach is no longer enough to protect against security threats and legal pitfalls.
The most effective strategy is to implement a simple, bright-line rule:
If it’s for work, it happens on a work-approved platform.
This proactive approach will safeguard your data, simplify compliance, and build trust.
For more information on how to secure your workplace, ask us about our security assessments.
Written by: Alias