On January 19, 2021, the Department of Commerce ("Commerce") published its interim final rule on "Securing the Information and Communications Technology and Services Supply Chain" (the "Final Rule") to implement the provisions of a May 15, 2019 Executive Order on the same topic.

Scheduled to take effect on March 22, 2021, the Final Rule is intended to address the growing security risk to the nation's information and communications systems from using technology developed by "foreign adversaries." Commerce has requested public comment on the rule up until the time the rule takes effect (feedback must be received by March 22, 2021).

The Final Rule sets forth the processes and procedures that Commerce will use both to identify and block the types of transactions, technologies, and "foreign adversaries" that pose unacceptable risks to U.S. national security as well as the broad jurisdiction granted to Commerce to eliminate those risks.

Individuals and businesses that source information and communications technology and services ("ICTS") outside the United States should consider revising internal policies and procedures for foreign transactions, as relates to the following key elements of the Final Rule.

Foreign Adversaries

In response to requests for additional clarity on what it considers to be "foreign adversaries," Commerce sets out the list of governments and individuals that are covered by the Final Rule:

"The People's Republic of China, including the Hong Kong Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People's Republic of Korea (North Korea); the Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime)."

It is important to note that the Final Rule clarifies that this list is not exhaustive, and that future revisions will be made as necessary through publication in the Federal Register.

ICTS Transactions

In the Final Rule, Commerce defines "ICTS transactions" to include ''any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service."

Commerce acknowledges that this definition is broad and adds in response to public comment that the definition should also include "(1) 'ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download;' and (2) 'any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order.'"

Finally, Commerce makes clear that it will closely scrutinize all transactions that may provide foreign adversaries the opportunity to threaten U.S. national security (including, for example, services such as software updates), and that it will consider any attempt to structure a deal in such a way that circumvents these rules an "ICTS Transaction" that is itself subject to the Final Rule.

Technologies Covered

In response to public comment, Commerce provides a lengthy list of the technologies it considers to be the greatest national security risks to the country, including software or hardware used in telecommunications and networking systems, software or hardware that uses, processes, or retains sensitive personal data on more than one million individuals in the U.S., and technology that is integral to artificial intelligence, machine learning, quantum computing, drones, and advance robotics.

To provide greater certainty to individuals and businesses that engage in activity involving ICTS, Commerce will implement a procedure that will allow persons to obtain advance approval of transactions. This licensing process will be implemented within 120 days of the publication of the Final Rule on January 19, 2021.

Relationship to Existing Export Controls

The Final Rule states that it is intended to complement, not supplant, existing national security regulatory regimes, including the Committee on Foreign Investment in the United States, the Export Administration Regulations, the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector, the Department of Homeland Security ("DHS"), and other regulatory regimes. As such, individuals and entities engaged in ICTS transactions should take steps to ensure compliance with all relevant rules and regulations in addition to those laid out in the Final Rule.

Review Process

The Final Rule lays out a comprehensive overview of the review process, criteria under consideration, notification of decisions, confidentiality, and the like. Some key considerations:

  • Commerce may consider information from a wide variety of sources when reviewing proposed ICTS transactions, including public, confidential and proprietary business, and classified national security information as well as information received from other governments (including foreign governments).
  • Similarly, Commerce can access a broad range of agencies and information when determining if an ICTS transaction poses an unacceptable risk, such as Director of National Intelligence ("DNI") threat assessments and reports, removal orders issued by the Secretary of Homeland Security, the Secretary of Defense, or the DNI, vulnerabilities identified by DHS, and more.
  • Individuals and entities seeking approval of ICTS transactions may be asked to provide a variety of internal information in support of their request, including contracts, letters, reports, and other materials relevant to the deals. Commerce may also conduct investigations, call hearings, examine witness, take depositions, and subpoena any materials it may need to thoroughly investigate the transaction.
  • Commerce will seek to preserve the confidentiality of information it receives while reviewing an ICTS transaction if the parties requesting approval of transactions indicate the confidentiality of documents and other materials.
  • After review of an ICTS transaction, Commerce will provide a written initial determination of its findings. Parties involved in the transaction will have 30 days from the preliminary determination to submit a response, which Commerce will review in consultation with other relevant agencies before issuing a final determination through publication in the Federal Register.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.