WeVote

Bill

Bill

HB 4235

CD CORR-COMMITTED PERSON MAIL

104th Regular Session Introduced by Carol Ammons and 15 co-sponsors

Prohibits certain foreign-linked apps on government devices, mandates blocking/removal, and empowers DTMB to approve waivers and maintain a list to protect public systems.

Sent to the Governor
0
WeVote Research Nonpartisan
Bill Summary · HB 4235

HB 4235 — "Prohibited Applications on Government-Issued Devices Act" (Rep. Rachelle Smit)

Status and key dates
- Introduced: March 10–13, 2025.
- Passed House (with substitute H‑1): May 6, 2025 (Yeas 79 / Nays 31).
- Referred to: Committee on Government Operations (May 13, 2025).
- Effective date (as in H‑1 substitute): December 31, 2025.
- Companion: HB 4351.

Purpose
- To reduce cybersecurity and data‑security risks to state and local government systems by prohibiting certain internet applications on government‑issued devices and requiring public employers to block and manage such applications.

Definitions (selected)
- Department: Department of Technology, Management, and Budget (DTMB).
- Public employer: State, local governments and subdivisions, school districts/public school academies/intermediate school districts, community/junior colleges, and state universities.
- Government‑issued device: State‑owned or leased internet‑capable devices issued for work (cell phones, desktops, laptops, etc.).
- Foreign country of concern: PRC (China), Russian Federation, Iran, North Korea, Cuba, the Maduro regime in Venezuela, and Syria (and entities under significant control of those countries).
- Prohibited application: An internet app created/maintained/owned by a “foreign principal” that (a) engages in activities such as collecting keystrokes/sensitive data, enabling ransomware/email compromise, conducting cyber‑espionage, tracking/surveillance, or algorithmic disinformation; and (b) DTMB determines presents a security risk (unauthorized access or unavailability of public‑employer records/systems).

Major requirements and procedures
- Public employers must:
- Block prohibited applications from public access on any network or VPN they own, operate, or maintain.
- Restrict access to prohibited applications on government‑issued devices.
- Maintain the ability to remotely wipe and uninstall a prohibited application from a government‑issued device believed to be adversely impacted.
- Employees/officers are barred from downloading or accessing prohibited applications on government devices. Exception: law enforcement when needed for public safety or within scope of investigation.
- Waiver process: A public employer may request a DTMB waiver (written application) to allow specific employees/devices limited access. Waivers are limited to ≤1 year (extensions possible) and must include activity description, number of devices/users, time frame, and risk‑mitigation actions. DTMB must establish waiver procedures within 90 days after the act’s effective date.
- DTMB duties:
- Compile/publish a list of prohibited applications on its website within 90 days after the act takes effect; update quarterly and notify public employers.
- After any list issuance/update, government‑device users must remove listed apps within 15 calendar days.
- Promulgate implementing rules under Michigan’s Administrative Procedures Act.

Fiscal and operational impacts
- House Fiscal Agency estimates nominal costs for public employers; technical capability to block/wipe may require marginal software subscriptions (estimated < $100/year per license where needed).
- DTMB may incur additional administrative costs; if new staff are required, an average state FTE cost is estimated at about $128,000/year. Overall costs expected to be limited but may require resource allocation for compliance, rulemaking, waiver processing, and list maintenance.

Practical effect
- Establishes a state‑level process for identifying and restricting apps deemed security risks because of foreign ownership/controls and certain malicious behaviors. It centralizes identification and waiver authority at DTMB and imposes short removal and update timelines on public‑employer devices.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.