On January 19, 2021, the US Commerce Department (“Commerce”) published an interim final rule (“Interim Rule”) to implement Executive Order 13873, “Securing the Information and Communications Technology and Services (“ICTS”) Supply Chain.” The Interim Rule was issued following the public comment period’s closure on January 10, 2021 on the proposed rules issued on November 27, 2019 (“Proposed Rules”). For more information on the Proposed Rules and the Interim Rule, please see our blog posts here and here.
When it requested comments on the Interim Rule, Commerce committed to publishing additional procedures for a licensing process by May 19, 2021. Shortly thereafter, on March 29, 2021, Commerce published an advance notice of proposed rulemaking (“ANPRM”) seeking public comment on potential licensing or other pre-clearance processes for transactions under the Interim Rule. Our blog post on the licensing ANPRM is available here.
The following analysis highlights the main concerns and suggestions from industry groups in response to the Interim Rule and licensing ANPRM.
Industry Groups’ Response to Interim Rule
Commerce received comments on the Interim Rule from more than 100 industry groups, companies, and individuals during the public comment period, which ended on March 22, 2021. This included telecommunications providers, hardware and software companies, Internet and digital service providers, trade associations, and non-profit organizations.
Industry groups generally agree that strengthening the ICTS supply chain is important to US national security and appreciate Commerce’s efforts to address some of industry’s concerns in the Proposed Rules. However, many groups remain concerned about the broad discretion granted to the US Secretary of Commerce (“Secretary”) and the Interim Rule’s sweeping scope. The following concerns reflect the most common critiques among industry groups’ public comments.
- Broad scope of covered ICTS transactions. Several commenters submit that the Interim Rule is overbroad and not sufficiently tailored, even with Commerce’s newly added six categories of covered technologies. The National Association of Manufacturers suggests detailed frequently asked questions with particular examples to provide additional insight into covered transactions, while others recommend focusing on ICTS imports, not exports, as a means to narrow the scope. Additionally, some commenters note that even with its broad scope, the Interim Rule fails to prevent or remedy some of the most concerning ICTS supply chain threats (e.g., SolarWinds). Some commenters believe the Interim Rule’s broad scope also raises due process concerns, because businesses lack adequate notice of what transactions may be subject to potential government regulation.
- Unclear definitions and terms. Commenters are concerned with definitions of “foreign adversary,” “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” and “any person subject to the jurisdiction of the United States.” Although the Interim Rule establishes a list of “foreign adversaries” (e.g., China, Cuba, Iran, North Korea, Russia, and Venezuela’s Maduro Regime), some commenters are concerned with the Secretary’s discretion to add or remove countries from this list. Additionally, the definition of “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” raised concerns. An industry association suggests this definition should be clarified to “only cover companies owned and controlled by foreign adversary nations, and not individual citizens of a foreign adversary who may be employed by a company.” Lastly, several groups are concerned with the phrase “any person subject to the jurisdiction of the United States.” The Coalition of Services Industries asks whether Commerce intends this to mean “United States person” or whether it more broadly covers non-US subsidiaries of US persons.
- Duplicate agency review. Commenters believe that subjecting ICTS transactions to multiple agency reviews is redundant and burdensome, and may do little to enhance US national security. The Interim Rule exempts ICTS transactions that the Committee on Foreign Investment in the United States (“CFIUS”) is actively reviewing or has reviewed. However, several industry groups are unsatisfied with this rather narrow exclusion and remaining potential for overlapping agency review. The Business Roundtable recommends that Commerce exempt all CFIUS reviews, as well as export controls and Team Telecom reviews. CTIA urges Commerce to exclude all transactions reviewed under existing regulatory regimes to prevent agency overlap.
- Retroactive application. Several commenters are concerned that retroactive application will deter US innovation and encourage off-shore investment. As written, the Interim Rule subjects ICTS transactions initiated, pending, or completed on or after January 19, 2021 to review “even if the service was provided pursuant to a contract initially entered into prior to January 19, 2021.” The Information Technology Industry Council urges Commerce to limit the Interim Rule to future transactions only.
Industry Groups’ Response to Licensing ANPRM
In response to the ANPRM, industry groups, companies, and individuals also submitted public comments related to the licensing process for entities seeking pre-approval before engaging in or continuing to engage in ICTS transactions. The following list reflects the most common recommendations for Commerce’s consideration.
- Voluntary process. Many industry groups urge Commerce to adopt a voluntary process, which they believe will reduce the burden on industry. Commenters also believe a voluntary process will better ensure Commerce can utilize the pre-clearance and licensing processes as useful tools without creating additional regulatory burdens for themselves. The BSA Software Alliance suggests a voluntary process modeled on advisory opinions issued by Commerce’s Bureau of Industry and Security (“BIS”).
- Borrow processes from CFIUS and BIS. Other commenters suggest adapting processes from CFIUS and BIS, such as “red flags” similar to Know Your Customer guidance. One commenter proposes adding validation and monitoring methods at the beginning of the pre-clearance or licensing process and the Information Technology Industry Council urges Commerce to create a safe harbor provisions, similar to those in CFIUS regulations. In suggesting the adaptation of CFIUS and BIS processes, industry groups warn against overlapping agency review in the licensing process. One commenter warns that existing process undertaken by BIS and CFIUS to review transactions already cover much of what the Interim Rule attempts to address.
- Application to similar or related transactions. Industry groups urge Commerce to apply licenses to similar or related transactions and ongoing activity connected to an original license. The US Chamber of Commerce suggests allowing multiple or batch ICTS transaction licensing for matters that are factually similar, or are part of longer-term engagements or contracts. The Competitive Carriers Association urges a blanket legal authority to similarly situated businesses, in order to reduce the number of license applications and reduce the regulatory compliance burden. The Aerospace Industries Association states that “it would seem illogical/time-consuming to review every transaction with a named entity.”
- Shorter timelines. The Interim Rule provides a 120-day fixed timeline for license application reviews, which many industry groups opposed. Some groups propose a 60-day review, while others advocate for a 30-day review. Additionally, CTIA suggests an automatic adoption mechanism if Commerce fails to issue its decision within the specified review timeline. Generally, industry groups stated that 120 days was inefficient and harmful to US competiveness, and that shorter timelines allowed Commerce sufficient time to determine the national security risk of certain transactions.
Compliance Challenges and Next Steps
The Interim Rule continues to pose many of the same compliance challenges for US businesses as we addressed in our analysis of industry comments to the Proposed Rule. Companies will need to create new supply chain-related compliance programs or otherwise modify existing programs to account for ICTS requirements under the Interim Rule, once Commerce shows signs of how it intends to implement and enforce the Interim Rule. Companies should carefully review transactions that may have a nexus to “foreign adversaries” (e.g., China, Cuba, Iran, North Korea, Russia, and Venezuela’s Maduro Regime), and should be aware that Commerce retains discretion to amend this list. In providing additional detail on the procedures Commerce will follow when reviewing ICTS transactions, Commerce has signaled important criteria for companies to monitor in their ICTS supply chain compliance programs. This includes relevant public information, confidential business or proprietary information, classified national security information, information from parties to a transaction, and information from local, State, federal, and foreign governments.
Commerce is evaluating these comments and will issue a final rule. The Biden Administration signaled its intention to implement the Interim Rule when it issued subpoenas to multiple Chinese companies that provide ICTS services in the United States. We will continue to monitor related ICTS developments.
The authors acknowledge the assistance of Alexandra Pasch in the preparation of this blog post.