On May 15, 2019, President Trump issued Executive Order 13873 – Securing the Information and Communications Technology and Services Supply Chain (“EO” or “EO 13873”). After taking comments on a proposed implementing rule, the Department of Commerce (“DOC” or “Secretary”), on the very eve of the Biden Administration taking office, issued an Interim Final Rule implementing the EO and establishing procedures for its review of transactions involving information and communications technology and services (ICTS) designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a “foreign adversary” that may pose undue or unacceptable risk to the US or US persons. The DOC also sought further comments on the Interim Final Rule.

Since then the DOC announced that it had initiated certain investigations under the EO and the Interim Final Rule, and there were press reports of other investigations. Despite numerous investigations however, the DOC has only issued one Final Determination pursuant to EO 13873 since adoption of the Interim Final Rule.

On December 6, 2024, nearly three years later, the DOC published its “Final Rule” guiding review of ICTS Transactions, amending and, in some cases, removing terms or concepts which experience has shown to be unnecessary, inefficient or ineffective. The Final Rule was effective February 4, 2025.

The DOC committed to continue to review its procedures and possibly consider future rulemakings to further clarify aspects of the regulations. The new Trump Administration may also bring further adjustments. To date, the new Trump Administration has not indicated that it has “paused” enforcement under the Final Rule, as it has to other areas of regulatory enforcement. (And of course, the EO on which the Final Rule is based was issued by President Trump in his first term.)

Highlights of key adjustments reflected in the Final Rule include the following:

Scope of covered ICTS transactions – First, the DOC noted that its reviews and investigations of “ICTS Transactions” have thus far involved the review of all ICTS Transactions involving the subject entity of the review, rather than individual transactions between the entity and other parties, because the provision of anyICTS by that entity was the basis of the undue or unacceptable risks. Second, the Final Rule further refines the ICTS Transactions subject to further review by listing broad technology categories to indicate that the DOC is concerned about ICTS Transactions involving:

• Information and communications hardware and software
• ICTS integral to data hosting, computing or storage that uses, processes or retains sensitive personal data; connected software applications
• ICTS integral to critical infrastructure
• ICTS integral to critical and emerging technologies

Definitional changes –In response to certain comments, the Final Rule added or clarified certain definitions. Examples:

• New definition of “Dealing In” as used in the definition of “ICTS Transaction” – “The activity of buying, selling, reselling, receiving, licensing or acquiring ICTS, or otherwise doing or engaging in business involving the conveyance of ICTS.’’
• New Definition of “Importation” as used in the definition of “ICTS Transaction” – ‘‘The process or activity of bringing foreign ICTS to or into the US, regardless of the means of conveyance, including via electronic transmission.’’
• Revised definition of “Party or Parties to a Transaction” – ‘‘A person or persons engaged in an ICTS Transaction or class of ICTS Transactions, including but not limited to the following: designer, developer, provider, buyer, purchaser, seller, transferor, licensor, broker, acquiror, intermediary (including consignee), and end user.”
• Revised definition of “Person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” to exclude US citizens and permanent residents – A US citizen or permanent resident would not be considered a ‘‘person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary’’ merely due to dual citizenship, or residency in a country controlled by a foreign adversary.”
• Revised definition of “Person owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary” – “An entity may be subject to the jurisdiction of a foreign adversary if it has a principal place of business in, is headquartered in, is incorporated in or is otherwise organized under the laws of a foreign adversary or a country controlled by a foreign adversary.”

Removal of one million unit or person threshold – This Final Rule removes the previous qualification that certain ICTS Transactions that involve the use, processing or retention of sensitive personal data must include the data of more than one million US persons to be subject to review. Additionally, it removes the one-million-unit sales minimum for internet-enabled sensors, webcams or other end-point surveillance or monitoring devices; routers, modems or any other home networking device; or drones or other unmanned aerial systems. Finally, the Final Rule also removes the qualification that software designed primarily for connecting with, and communicating via the internet be in use by over one million people to be considered ICTS for the purposes of the Rule

Committee on Foreign Investment in the United States (CFIUS) exemption – The Final Rule clarifies that the DOC will not review an ICTS Transaction that is also a covered transaction or covered real estate transaction, provided that it is either under review, investigation or assessment by CFIUS or CFIUS has concluded all action under section 721 of the Defense Production Act of 1950, as amended.

10-year record keeping requirement – The Final Rule also clarifies that any records that a notified person must retain in connection with an ICTS Transaction must be retained for 10 years following issuance of a Final Determination, unless the Final Determination specifies otherwise. Previously there was no limit on the retention period.

Details on information provided in an Initial Determination –The Final Ruleprovides thatthe Initial Determination will provide parties with information regarding the factual basis supporting the DOC’s decision to either prohibit an ICTS Transaction or permit the ICTS Transaction with mitigation measures. As to publication of an Initial Determination, in consideration of the comments about publication of Initial Determinations, under the Final Rule the DOC retains discretion to publish a notice of an Initial Determination— rather than the full text of an Initial Determination—in the Federal Register.

Response and mitigation timing – TheFinal Rule does not establish a maximum timespan for imposed mitigations because the DOC continues to believe that such an across-the-board maximum would hinder the department in fully evaluating any implemented mitigations, resulting in national security vulnerabilities. The Final Rule allows an initial 30 days to respond to an Initial Determination and allows parties to seek, and the Secretary to allow for good cause shown, an extension of another 30 days. In total, parties may receive up to 60 days to respond to an Initial Determination (30 days initially with a potential 30-day extension).

Timing imposed on interagency consultation for Final Determinations – With respect to the requirement that the Secretary seek concurrence of all appropriate agency heads before issuing a Final Determination, the Secretary may presume concurrence if no response is received within 14 days from one of the appropriate agency heads or the designee of appropriate agency heads. The Final Rule also clarifies that if an agency objects to the Final Determination, the objection must be received by the Secretary within the 14 days and the objection must come from the agency’s Deputy Secretary or equivalent level.

Final Determination timeline – The Final Rule changes certain timing associated with the Final Determination process but continues to rely on the 180-day time limit despite calls to shorten the review period. To improve clarity, it revises the 180-day time limit so that it begins when a party or parties to a transaction are served a copy of an Initial Determination and grants the Secretary sole discretion to extend this timeline. The DOC refused to establish an appeals process, but reconsideration may be warranted in some cases. The Secretary is not obliged to adopt the least restrictive means to address a determined “unacceptable risk.” The Secretary is now obligated to issue a Final Determination in every case in which the Secretary has previously issued an Initial Determination. Under the Interim Final Rule, a Final Determination was only required if the Initial Determination proposed to prohibit an ICTS Transaction. Finally, Publication in the Federal Register is now mandatory in any case where there is a Final Determination, not just where it is a Final Determination prohibiting a transaction.

Penalties – The Final Rule now provides a list of activities that may lead to civil or crimination penalties. Persons can be held responsible for assisting in the violation of a Final Determination to mitigate an ICTS Transaction, through a mitigation agreement between the US Government and identified parties to an ICTS Transaction, if they have knowledge that such a mitigation agreement exists. Activities that are prohibited for those with knowledge of the existence of a mitigation agreement include aiding and abetting violations, commanding a violation, procuring a product that is prohibited and other prohibited activities. Finally, providing false information to the DOC in connection with an ICTS Transaction under review is also prohibited.

Still no licensing regime – The DOC did not establish a licensing regime for transactions (e.g., a type of pre-clearance option contemplated by the initial rule), but it is still considering the concepts related to providing licenses.

Still no blanket exempt categories – The Final Rule applies to types of ICTS transactions most affecting US national security and does not exempt categories of industries, sectors or entities.

What is next? –The new Secretary of Commerce has yet to take his position. Nothing that he said in his nomination hearing before the Senate Commerce Committee indicated that the changes in the Final Rule would be reconsidered or rescinded, or that existing investigations would be terminated. The Secretary’s further employment of the authority embodied in the Final Rule remains to be seen, as his and the Bureau of Industry Security agenda unfolds. However, it seems unlikely that this tool in securing the ICTS supply chain will be abandoned. As such, more enforcement in this area is expected.