On June 16, 2023, the US Commerce Department published a final rule (“Final Rule”), implementing President Biden’s 2021 Executive Order 14034 on “Protecting Americans’ Sensitive Data from Foreign Adversaries,” to amend the Commerce Department’s “Securing the Information and Communications Technology Supply Chain” regulations, 15 C.F.R. Part 7 (“ICTS Regulations”). The amendments mainly relate to connected software applications. The Final Rule was issued in response to comments received to a notice of proposed rulemaking (“NPRM”) issued on November 26, 2021 and an interim final rule (“Interim Rule”) issued on January 19, 2021, implementing former President Trump’s 2019 Executive Order 13873 on “Securing the Information and Communications Technology and Services Supply Chain.” Our blog posts on the NPRM and Interim Rule are here and here, respectively. Additional blog posts on a prior advanced notice of proposed rulemaking and industry response are here and here, respectively.
ICTS Transaction Review Criteria
The Final Rule responds to comments received during the NPRM’s comment period by amending the ICTS Regulations to clarify that “connected software applications” are a subcategory of covered transactions (“ICTS Transactions”) and provide additional criteria under which the US Secretary of Commerce (“Secretary”) may review whether an ICTS transaction involving “connected software applications” presents an undue or unacceptable risk as defined under the ICTS Regulations. These Regulations afford the Secretary authority to “mitigate” (i.e., modify or prohibit) ICTS Transactions that pose such a risk.
Under the Final Rule, the criteria for review of an ICTS Transaction involving a “connected software application” are:
- Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
- Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;
- Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
- Whether there is regular, thorough, and reliable third-party auditing of connected software applications;
- The scope and sensitivity of the data collected;
- The number and sensitivity of the users with access to the connected software application; and
- The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.
These criteria are largely the same ones the Commerce Department proposed in the NPRM.
Definitions Related to “Connected Software Applications”
The Commerce Department retained the original definition of “connected software application” introduced under Section 3 of Executive Order 14034. The term is defined as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet” [emphasis added].
In relation to “connected software applications,” the Final Rule introduced definitions of “end-point computing devices” and “via the internet.” The Commerce Department defines “end-point computing devices” as devices “that can receive or transmit data and [include] as an integral functionality, the ability to collect, process, or transmit data via the internet.” “Via the internet” is defined as “using internet protocols to transmit data including, but not limited to, transmissions by cable, telephone line, wireless, satellite or other means.”
The ICTS Regulations: A Work in Progress
The rule is effective July 17, 2023. To date, there is no public indication that the Commerce Department has used the ICTS Regulations to review any ICTS Transaction. There is also still no mechanism for companies to seek prior clearance of ICTS Transactions. In the supplementary information to the Final Rule, the Department itself notes that it intends to revisit relevant sections of the ICTS Regulations as it gains more “experience” with ICTS Transactions involving connected software applications.