On June 16, 2023, the U.S. Department of Commerce ("Commerce") issued a long-awaited final rule (the "Final Rule"), effective July 17, 2023, related to the Information and Communications Technology Supply Chain.1 Among other clarifications, the Final Rule identifies the Under Secretary of Commerce for Industry and Security as responsible for the administration of the specialized regulations related to Information and Communications Technology and Services ("ICTS") transactions, meaning Commerce's Bureau of Industry and Security ("BIS") will implement the provisions of this specialized regulation (the "ICTS Supply Chain Rule"). (For more information on the ICTS Supply Chain Rule, see our previous article, New U.S. Rules on Securing the Information and Communications Technology and Services Supply Chain Mean Increased Scrutiny of ICTS Transactions.)

ICTS Supply Chain Rule Background

On May 15, 2019, President Trump issued Executive Order ("EO") 13873, Securing the Information and Communications Technology and Services Supply Chain. EO 13873 prohibits transactions involving foreign ICTS that present (1) an undue risk of sabotage or subversion to ICTS in the United States, (2) an undue risk of catastrophic effects on the security or resiliency of critical infrastructure or the digital economy in the United States, or (3) an unacceptable risk to U.S. national security or the security and safety of U.S. persons.

The ICTS Supply Chain Rule, issued as an interim final rule on the last full day of the Trump administration on January 19, 2021,2 codifies provisions of EO 13873 in 15 C.F.R. Part 7. These regulations permit Commerce to initiate a review of ICTS transactions to determine if they pose an "undue and unacceptable risk" and whether to prohibit a transaction or propose mitigation. The ICTS Supply Chain Rule defines an "ICTS Transaction" to include any acquisition, importation, transfer, installation, dealing in, or use of any ICTS including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. The ICTS Supply Chain Rule applies to transactions involving specified ICTS designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to jurisdiction or direction of "foreign adversaries," which include China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Maduro Regime of Venezuela.

On June 9, 2021, President Biden issued EO 14034, "Protecting Americans' Sensitive Data from Foreign Adversaries." (See our previous article for more information on EO 14034, Biden Signs Executive Order Protecting Americans' Sensitive Data from Foreign Adversaries.) On November 26, 2021, Commerce published a proposed rule to amend the ICTS Supply Chain Rule to incorporate relevant provisions of EO 14034 (the "Proposed Rule"), including the addition of "connected software applications," or "apps," to the list of ICTS that may be reviewed under the ICTS Supply Chain Rule.3 Upon publishing the Proposed Rule, Commerce requested public comments on additional criteria for reviews of connected software applications. The Final Rule, published on June 16, 2023, finalizes certain aspects of the Proposed Rule and revises other portions.

Changes to the ICTS Supply Chain Rule

The Proposed Rule defined "connected software application" as "software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet." The Final Rule revises and adds definitions to include and clarify the meaning of "connected software application" from EO 14034.

Under the Final Rule, the definition of ICTS is revised as follows to explicitly include connected software applications:

Information and communications technology or services or ICTS means any hardware, software, including connected software applications, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.

The Final Rule also adds a definition of "via the internet" to mean "using internet protocols to transmit data, including, but not limited to, transmissions by cable, telephone lines, wireless methods, satellites, or other means." Additionally, the Final Rule defines "end-point computing device," which means "a device that can receive or transmit data and includes as an integral functionality the ability to collect or transmit data via the internet."

After addressing related public comments, the Final Rule finalizes review criteria for ICTS Transactions involving connected software applications. Specifically, Commerce will now consider the following criteria when reviewing ICTS Transactions involving connected software applications for undue or unacceptable national security risks:

  1. Ownership, control, or management by persons that support a foreign adversary's military, intelligence, or proliferation activities;
  2. Use of connected software applications to conduct surveillance that enables espionage, including through a foreign adversary's access to sensitive or confidential government or business information, or sensitive personal data;
  3. Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;
  4. Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
  5. Whether there is regular, thorough, and reliable third-party auditing of connected software applications;
  6. The scope and sensitivity of the data collected;
  7. The number and sensitivity of the users with access to the connected software application; and
  8. The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

Importantly, although Commerce revised the "Scope of Covered ICTS Transactions" section to include reference to connected software applications, the ICTS Supply Chain Rule limits its jurisdiction to connected software applications that are "in use by greater than one million U.S. persons at any point over the 12 months preceding an ICTS Transaction."

Implications for Industry

Upon publication in early 2021, the ICTS Supply Chain Rule concerned industry due to the breadth of the rule and the uncertainty regarding its use. To date, the ICTS Supply Chain Rule has been used only rarely, including the sending of subpoenas to multiple Chinese companies requesting information regarding ICTS operations in the United States.4

However, with the finalization of the connected software applications aspects of the ICTS Supply Chain Rule, Commerce will have an additional tool in the toolbox when it comes to potential regulation of certain apps. This development may impact the U.S. government's larger strategy with respect to hot-button issues like the operation of TikTok within the United States. (See, for example, our previous article, Amid TikTok Tensions, CFIUS Signals Increased Enforcement and Other Updates.)

While Commerce's ultimate use of the ICTS Supply Chain Rule remains to be seen, companies involved in ICTS should determine whether any potential transactions could cause national security risks based on the criteria outlined in the ICTS Supply Chain Rule, including the additional criteria for connected software applications in the Final Rule. If a prospective ICTS Transaction may trigger Commerce jurisdiction and pose national security concerns based on the outlined ICTS Supply Chain Rule criteria, businesses should consider mitigation strategies to address the national security risks.

Conclusion

Commerce has not yet truly flexed its muscles when it comes to the use of the ICTS Supply Chain Rule, but companies involved in ICTS should continue to stay abreast of changes to these regulations and familiarize themselves with jurisdictional triggers. This is especially important for companies that do business with China due to its continued growth in the ICTS space. If you have any questions about the revisions to the ICTS Supply Chain Rule or ICTS Transactions and Commerce jurisdiction generally, please reach out to the attorneys at Torres Trade Law.

Footnotes

1. Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications, U.S. Dept. of Commerce, 88 Fed. Reg. 39,353 (June 16, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-06-16/pdf/2023-12925.pdf.

2. Securing the Information and Communications Technology and Services Supply Chain, U.S. Dept. of Commerce, 86 Fed. Reg. 4,909 (Jan. 19, 2021), available at https://www.govinfo.gov/content/pkg/FR-2021-01-19/pdf/2021-01234.pdf.

3. Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications, U.S. Dept. of Commerce, 86 Fed. Reg. 67,379 (Nov. 26, 2021), available at https://www.govinfo.gov/content/pkg/FR-2021-11-26/pdf/2021-25329.pdf.

4. U.S. Secretary of Commerce Gina Raimondo Statement on Actions Taken Under ICTS Supply Chain Executive Order, U.S. Department of Commerce, https://www.commerce.gov/news/press-releases/2021/03/us-secretary-commerce-gina-raimondo-statement-actions-taken-under-icts (Mar. 17, 2021).
