On June 16, 2023, the US Department of Commerce published a final rule (the "June 16 rule") to implement Executive Order (EO) 14034, Protecting Americans' Sensitive Data From Foreign Adversaries, by amending Commerce's previously-issued Securing the Information and Communications Technology Supply Chain regulations (the "ICTS rule"). Among other requirements, EO 14034 directed the Secretary of Commerce to consider the risks posed by "connected software applications" and take "appropriate action" in accordance with the previously issued ICTS rule and EO 13873, Securing the Information and Communications Technology and Services Supply Chain, pursuant to which the ICTS rule was issued.

The ICTS rule authorizes Commerce to prohibit or otherwise regulate certain transactions involving information and communications technology or services ("ICTS") with a nexus to "foreign adversaries" that pose an "undue or unacceptable risk" to US national security. (For additional detail on the ICTS rule, see our prior blog post.) The June 16 rule amends the ICTS rule to clarify Commerce's ability to regulate transactions involving software, including so-called "connected software applications," and to further enumerate the criteria that Commerce will consider when reviewing such transactions. The changes are effective July 17, 2023.

Changes to Definitions in ICTS Rule

Under the current regulations, available at 15 CFR Part 7, Commerce may review a transaction involving a "foreign adversary," currently determined to be China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime of Venezuela, and meeting other enumerated criteria, that involves one or more specific categories of ICTS. Among the listed categories is "[s]oftware designed primarily for connecting with and communicating via the internet that is in use by greater than one million U.S. persons at any point over the twelve (12) months preceding an ICTS Transaction." This includes: "(A) [d]esktop applications; (B) [m]obile applications; (C) [g]aming applications; and (D) [w]eb-based applications." It is important to note that for purposes of calculating whether a connected software application is in use by greater than one million US persons, the June 16 rule states, in response to public comments, that Commerce counts both active users as well as inactive and historical users whose data is still stored in the application.

The June 16 rule revises the above definition by clarifying that it applies to software designed to enable connecting and communicating via the internet, "which is accessible through cable, telephone line, wireless, or satellite or other means...." It also revises the list of application types to add a fifth type called "connected software applications."

A connected software application is defined broadly to include "software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet." The June 16 rule defines "end-point computing device" to mean "a device that can receive or transmit data and includes as an integral functionality the ability to collect or transmit data via the internet."

The June 16 rule also adds a new definition of "via the internet," which it similarly defines to mean "using internet protocols to transmit data, including, but not limited to, transmissions by cable, telephone lines, wireless methods, satellites, or other means."

Additional Criteria for Review of ICTS Connected Software Application Transactions

The ICTS rule currently lists ten broad criteria that Commerce may consider when determining whether ICTS transactions present "undue or unacceptable risks" to US national security. The June 16 rule adds eight new criteria specific to connected software applications (to be considered in connection with the10 broader criteria).

These new criteria include:

  1. Ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities;
  2. Use of connected software applications to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data;
  3. Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;
  4. Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
  5. Whether there is regular, thorough, and reliable third-party auditing of connected software applications;
  6. The scope and sensitivity of the data collected;
  7. The number and sensitivity of the users with access to the connected software application; and
  8. The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

The Federal Register notice discussing these additional criteria, and changes to the criteria from those contained in the proposed version of the rule, reveal a number of interesting and important nuances:

  • Commerce may consider both permanent and sporadic "ownership, control, or management" by foreign adversaries, such as those where foreign adversaries have access to deploy updates and patches to software applications.
  • For purposes of evaluating ICTS transactions involving connected software applications, Commerce will not consider the software's ability to execute embedded out-going network calls or web server references, regardless of the "ownership, control, or management" of the software based on concerns that this criterion would inadvertently capture ICTS transactions involving "domestic vendors." However, Commerce suggested that such a factor could be considered in the future once the agency "gains experience" evaluating ICTS transactions involving connected software applications.
  • Commerce is revising the third criterion to apply to situations where persons are "subject to the jurisdiction or direction of a foreign adversary," as opposed to "subject to coercion or cooption" by a foreign adversary, as contained in the proposed version of the rule.
  • Also, with respect to the criterion regarding third-party auditing, Commerce clarifies that, while use of specific third-party standards such as ISO/IEC 207001 are encouraged, there is no specific standard that is mandated, and Commerce will consider the appropriateness of any standard on a case-by-case basis.
  • Finally, Commerce "has determined that not all of the criteria ... are applicable to transactions not involving connected software applications." For instance, Commerce distinguishes between ICTS transactions involving critical infrastructure services and consumer services, noting that "the number of users might not be an appropriate factor for evaluating ICTS transactions that have low numbers of users but that service critical infrastructure or that might have significant risks if misused." Therefore, parties to transactions involving other types of ICTS that do not involve connected software applications should not reflexively seek to apply all of the connected software criteria when seeking to assess the potential risk posed by their unrelated transaction.

Notably, the above criteria are factors Commerce will consider when assessing the national security risk posed by a given transaction, but they are not criteria to be used in assessing whether a given ICTS transaction is subject to Commerce's jurisdiction under the ICTS rule (the jurisdictional scope is laid out in other parts of the rule, principally Section 7.3).

Note on Implementation

Unlike the interim final rule promulgating the ICTS rule, the June 16 rule identifies the Under Secretary of Commerce for Industry and Security as the responsible person within Commerce, which indicates that implementation of the ICTS rule has been delegated to the Bureau of Industry and Security (BIS). While many observers have long anticipated BIS would play a leading role, the publication of the June 16 rule confirms that expectation.

Implications for Industry

To date, the ICTS rule has been used sparingly by Commerce. Commerce has reportedly served subpoenas on multiple Chinese companies that provide ICTS in the United States and is also reportedly weighing additional actions under the rule. However, concern has only continued to grow with respect to ICTS in the United States linked to "foreign adversaries." Members of Congress from both parties, as well as Biden administration officials, have been increasingly concerned by the use of such applications, particularly those with a nexus to China. As the popularity of many of these applications, including social media, increases, it seems likely that Commerce will move to use the ICTS rule more aggressively as BIS builds out its team, expertise, and regulatory and enforcement infrastructure. There has also been some uncertainty and likely delays in implementation caused by complementary efforts by key members of Congress to move legislation that would similarly regulate social media and other types of connected software applications and additional forms of ICTS.

The Federal Register notice mentions several times that, as Commerce gains experience reviewing ICTS transactions involving connected software applications, it may add additional review criteria or expand Commerce's jurisdiction to review ICTS involving connected software applications by lowering the current user threshold of one million.

Companies involved in ICTS transactions that are within the ICTS rule's jurisdiction should consider whether their transactions are likely to generate concern from Commerce (or other US government agencies) and, if so, consider options to mitigate those concerns.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.