On January 19, 2021, the Department of Commerce ("Commerce") published an interim final rule, "Securing the Information and Communications Technology and Services Supply Chain," ("ICTS Rule") implementing Executive Order 13873.
The ICTS Rule, which became effective March 22, 2021, is designed to address national security threats by prohibiting certain transactions involving information and communications technology and services ("ICTS"), defined as:
- Critical infrastructure;
- Network, satellite and cable infrastructure;
- Data hosting and computer services;
- Surveillance, monitoring, home networking, and unmanned aerial
- Communications software; and
- Artificial intelligence, quantum, and advanced robotics
This rule permits agency heads to request, or the Secretary of Commerce to initiate, review of ICTS transactions to determine if they pose an "undue and unacceptable risk" and whether to prohibit a transaction or propose mitigation.
ICTS transactions subject to review may include an acquisition, importation, transfer, installation, dealing in, or use of any ICTS, including ongoing activities such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download, where the ICTS is designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction or direction of "foreign adversaries": China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuela.
After a review is initiated by an agency head under the ICTS Rule, parties have 30 days to respond, after which Commerce will issue a final determination to prohibit or permit the transaction, or to permit it subject to negotiated mitigation. The total process is to take no longer than 180 days.
In its publication of the ICTS Rule, to respond to public comments requesting a process to reduce uncertainty for entities seeking to engage in ICTS transactions, Commerce stated it would implement a licensing process by May 19, 2021. On March 29, 2021, Commerce published an advance notice of rulemaking requesting public comment on a licensing process, and in particular on issues related to its implementation, including:
- If the processes involving notifications to the Committee on Foreign Investment in the United States ("CFIUS") or voluntary disclosures to Commerce's Bureau of Industry and Security ("BIS") can be used as models for ICTS clearance;
- If the clearance process should involve obtaining authorization prior to engaging in an ICTS transaction and/or an advisory opinion from Commerce stating that the transaction would not be prohibited;
- The possibility of mitigating the impact on small business in a way that would not impair the goal of protecting U.S. national security;
- If certain categories or types of ICTS transactions should be exempt from or excepted from licensing requirements, or should follow a separate process;
- What specific information should be required as part of the review process;
- The appropriate time frames for review of the transaction and related communication;
- How potential mitigation of a transaction should be assessed as part of the review process;
- The process to follow if a transaction is modified after a license or pre-clearance is issued; and
- Whether or how holders of transaction licenses or pre-clearance can renew such authorizations.
It appears that the Biden Administration will focus on implementation of this rule, as evidenced by the March 17, 2021 issuance of subpoenas to Chinese companies involved in ICTS in the United States. This action in particular seems to identify concerns regarding ICTS involving critical infrastructure. In addition, it is believed that recent cyber breaches in the United States, attributed to China and Russia, may also be driving the administration's attention to implementation and enforcement under the ICTS Rule.
Given the continued push by the Biden Administration to implement the ICTS Rule and the issuance of subpoenas that indicate an intent to use and enforce authority under EO 13873 and the ICTS Rule, companies active in the ICTS industry should assess their potential risk with respect to any existing or pending business involving parties from "foreign adversary" countries.