Search for:

On June 16, 2023, the US Commerce Department published a final rule (“Final Rule”), implementing President Biden’s 2021 Executive Order 14034 on “Protecting Americans’ Sensitive Data from Foreign Adversaries,” to amend the Commerce Department’s “Securing the Information and Communications Technology Supply Chain” regulations, 15 C.F.R. Part 7 (“ICTS Regulations”). The amendments mainly relate to connected software applications. The Final Rule was issued in response to comments received to a notice of proposed rulemaking (“NPRM”) issued on November 26, 2021 and an interim final rule (“Interim Rule”) issued on January 19, 2021, implementing former President Trump’s 2019 Executive Order 13873 on “Securing the Information and Communications Technology and Services Supply Chain.” Our blog posts on the NPRM and Interim Rule are here and here, respectively. Additional blog posts on a prior advanced notice of proposed rulemaking and industry response are here and here, respectively.

ICTS Transaction Review Criteria

The Final Rule responds to comments received during the NPRM’s comment period by amending the ICTS Regulations to clarify that “connected software applications” are a subcategory of covered transactions (“ICTS Transactions”) and provide additional criteria under which the US Secretary of Commerce (“Secretary”) may review whether an ICTS transaction involving “connected software applications” presents an undue or unacceptable risk as defined under the ICTS Regulations. These Regulations afford the Secretary authority to “mitigate” (i.e., modify or prohibit) ICTS Transactions that pose such a risk.

Under the Final Rule, the criteria for review of an ICTS Transaction involving a “connected software application” are:

  1. Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
  2. Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
  3. Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;
  4. Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
  5. Whether there is regular, thorough, and reliable third-party auditing of connected software applications;
  6. The scope and sensitivity of the data collected;
  7. The number and sensitivity of the users with access to the connected software application; and
  8. The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

These criteria are largely the same ones the Commerce Department proposed in the NPRM.

Definitions Related to “Connected Software Applications”

The Commerce Department retained the original definition of “connected software application” introduced under Section 3 of Executive Order 14034. The term is defined as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet” [emphasis added].

In relation to “connected software applications,” the Final Rule introduced definitions of “end-point computing devices” and “via the internet.” The Commerce Department defines “end-point computing devices” as devices “that can receive or transmit data and [include] as an integral functionality, the ability to collect, process, or transmit data via the internet.” “Via the internet” is defined as “using internet protocols to transmit data including, but not limited to, transmissions by cable, telephone line, wireless, satellite or other means.”

The ICTS Regulations: A Work in Progress

The rule is effective July 17, 2023. To date, there is no public indication that the Commerce Department has used the ICTS Regulations to review any ICTS Transaction. There is also still no mechanism for companies to seek prior clearance of ICTS Transactions. In the supplementary information to the Final Rule, the Department itself notes that it intends to revisit relevant sections of the ICTS Regulations as it gains more “experience” with ICTS Transactions involving connected software applications.

Author

Alison Stafford Powell co-leads the Firm's West Coast Trade Compliance team. She has considerable experience counseling US and non-US companies on managing trade compliance in the areas of export controls, trade and financial sanctions and US anti-boycott laws. As a dual-qualified lawyer, she provides practical advice to help non-US companies reconcile US and foreign trade regulations and on the extra-territorial impact of US trade restrictions. Chambers USA quotes clients' praise for her being "extremely knowledgeable, responsive, commercially strong and understanding complex issues well." Legal 500 describes here as an "outstanding specialist." She has worked in the Firm's London, Washington, DC and Palo Alto offices since 1996.

Author

Alexandre Lamy joined Baker McKenzie in 2009 and currently works in the Firm's International Trade Practice Group. He assists clients with sanctions and export controls (Export Administration Regulations (EAR); International Traffic in Arms Regulations (ITAR)) and he advises clients on corporate compliance matters. Alex contributes regularly to Baker McKenzie's Sanctions & Export Controls Update blog.
Since August 2021, Alex has been the co-chair of the ABA Section of International Law’s Export Controls & Economic Sanctions Committee. Prior to that appointment, he served on the steering group and as a Vice Chair of the Committee, starting back in August 2011. Alex has organized multiple events regarding recent developments in US trade sanctions and export controls for the Committee.
Alex was recognized in Who's Who Legal 2020 Edition of its Global Guide to Trade & Customs Lawyers as a "leading individual" in North America on International Sanctions and the publication reported that he "attracts applause for delivering 'a practical service which understands the needs of the business'. His 'ready availability to clients, thorough research and strong presentation skills' are further acclaimed." He was also recognized in the 2019 Edition of the same publication as being "much sought after by clients who praise his 'advice of the highest quality' and add, 'He is technically very good on OFAC sanctions issues and military/dual use export controls.'" Alex was named by Financier Worldwide in, “POWER PLAYERS: International Trade & Sanctions 2021 - Distinguished Advisers.

Author

Rob is an associate in the International Commercial & Trade Practice Group in Baker McKenzie's San Francisco office. He assists multinational companies on various aspects of US trade law, particularly OFAC sanctions and export control. Before joining the Firm, Rob interned with the US Department of Commerce, advising middle- and low-income countries on commercial laws and development, and worked as an open-source intelligence contractor with the Department of Defense. Rob graduated from UCLA School of Law, where he was the editor-in-chief of the UCLA Journal of Islamic and Near Eastern Law for three volumes.