On January 19, 2021, the U.S. Department of Commerce (“DOC”) issued an interim final rule governing transactions in Information and Communication Technology or Services (“ICTS”) involving “foreign adversaries.” Although the rule takes effect on March 22, 2021, it allows DOC to review covered transactions initiated, pending, or completed on or after January 19, 2021.
The interim rule grants DOC the authority to regulate certain transactions between U.S. persons and foreign adversaries involving ICTS that pose undue or unacceptable risks.[1]
The DOC is accepting public comments on the rule through March 31, 2021.
Background
The rules are designed to implement EO 13873, issued on May 15, 2019, entitled “Securing the Information and Communications Technology and Services Supply Chain.” That EO sought to address concerns that foreign adversaries are exploiting ICTS to commit economic and industrial espionage and other adverse actions against the U.S.[2] The new rules follow the issuance of a proposed rule on November 26, 2019 (see our prior post here).
ICTS Products
ICTS includes any hardware, software or service (e.g., cloud computing services) that is “primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means,” including by “transmission, storage, or display.” Such products and services include ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.
“Foreign Adversaries”
The interim rule identifies the following as “foreign adversaries”:
- China (including Hong Kong);
- Cuba;
- Iran;
- North Korea;
- Russia; and
- Nicolas Maduro (Maduro Regime)
The list is not exhaustive or final, but can be revised by DOC as necessary.
The scope of prohibited transactions covers those between U.S. persons and a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” which includes:
- Any person, wherever located, who acts as an agent, representative, employee, or in any other capacity at the order, request, direction, or control of a foreign adversary;
- A person whose activities are directly or indirectly supervised, directed, controlled, financed or subsidized in whole or in majority part by a foreign adversary;
- Any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary;
- Any corporation, partnership, association, or organization organized under the laws of a nation-state controlled by a foreign adversary; or
- Any corporation, partnership, association, or organization, regardless of where it is organized, that is owned or controlled by a foreign adversary.[3]
Covered ICTS Transactions
The rule covers six main types of ICTS Transactions:
- Critical Infrastructure[4]
- Network Infrastructure/Satellites[5]
- Data Hosting or Computing of Sensitive Personal Data[6]
- Certain Surveillance and Monitoring Devices, Networking Devices, and Drones[7]
- Certain Communication Software[8]
- Emerging Technologies[9]
The rule applies to covered transactions that are initiated, pending, or completed on or after January 19, 2021. Any act or service with respect to a covered transaction, such as execution of any provision of a managed services contract, installation of software updates, or the conducting of repairs, is a transaction on the date that the service, update, or repair is provided, even if it was provided pursuant to a contract entered prior to January 19, 2021.
CFIUS Considerations
The rule does not apply to ICTS transactions that the Committee on Foreign Investment in the United States (“CFIUS”) is actively reviewing, or has reviewed, as a “covered transaction” (i.e., subject to CFIUS’ jurisdiction). However, this exclusion does not preclude a review of a subsequent transaction if it is distinct from the previously CFIUS-reviewed transaction or if new information is discovered.
Regulatory Review Process for Covered ICTS Transactions
The DOC process for review of covered ICTS transactions includes 6 key steps: referral; initial review of the referral; first interagency consultation; initial determination; second interagency consultation; and final determination.
At the initial determination stage, if the transaction is deemed to pose an undue or unacceptable risk, the DOC will either prohibit the transaction or propose mitigation measures.[10] Within 30 days of notification,[11] a party may respond in writing by:
- Submitting arguments or evidence that the party believes establishes that insufficient basis exists for the initial determination, including any prohibition of the transaction;
- Proposing remedial steps on the party’s part, such as corporate reorganization, disgorgement of control of the foreign adversary, engagement of a compliance monitor, or similar steps, which the party believes would negate the basis for the initial determination.
Following consultation with the interagency, the DOC will make a final determination on whether to prohibit the transaction, approve it, or approve it with conditions. Absent extensions, DOC will issue decisions within 180 days.
Licensing
DOC will establish procedures for parties to seek a license. License application reviews will not exceed 120 days. If DOC does not issue a license decision within that timeframe, the application will be deemed granted.
Recommendations
- Companies affected by the interim rule may wish to consider submitting comments before the March 22, 2021 deadline.
- Companies are encouraged to review their supply chains to ensure that their activities are not captured under the rule (i.e., that they are not covered ICTS transactions).
FOOTNOTES
[1] See Securing the Information and Communications Technology and Services Supply Chain, 86 Fed. Reg. 4909 (Jan. 19, 2021).
[2] EO 13873 noted, “foreign adversaries are increasingly creating and exploiting vulnerabilities in [ICTS], which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people.”
[3] In making determinations of whether an ICTS Transaction involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, the DOC will consider: (1) whether the party or its component suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities or other operations in a foreign country, including one controlled by a foreign adversary; (2) personal and professional ties between the party—including its officers, directors or similar officials, employees, consultants, or contractors—and any foreign adversary; (3) laws and regulations of the foreign adversary in which the party is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and (4) any other criteria that the Secretary deems appropriate.
[4] Designated as critical infrastructure by Presidential Policy Directive 21—Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors.
[5] Software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems.
[6] The term “sensitive personal data” includes: (1) Personally Identifiable Information (i.e., data that can identify individuals) that is maintained or collected by a U.S. business operating in specific areas, and that is maintained or collected on over one million people over a 12 month period; and (2) results of individual genetic testing.
[7] More than 1 million units of the product must have been sold to U.S. persons in the 12 months prior to the transaction.
[8] The products must be designed primarily for connecting with and communicating via the internet and must be in use by more than 1 million U.S. persons at any point over the twelve months preceding the Transaction. Some examples include desktop applications, mobile applications, and gaming applications.
[9] “Emerging Technologies” are ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
[10] Notification can be accomplished either through publication in the Federal Register or by serving a copy of the initial determination on the parties via US mail, facsimile, and electronic transmission, or third-party commercial carrier, to an addressee’s last known address or by personal delivery.
[11] If the Department receives no response from the parties within 30 days of service, the DOC may determine to issue a final determination without the need to engage in a further consultation process provided for under the rule.