On November 26, 2021, the U.S. Department of Commerce (Commerce) issued a notice of proposed rulemaking (Proposed Rule) implementing Executive Order 14034 on Protecting Americans’ Sensitive Data from Foreign Adversaries (EO 14034). The Proposed Rule would bring “connected software applications” into the scope of Commerce’s authority to review certain transactions involving information and communications technology and services (ICTS) in the U.S. supply chain and approve or prohibit such transactions or require mitigating measures.[1]
The Proposed Rule would amend Commerce’s recent interim final rule that implemented a national security review mechanism for transactions involving any acquisition, importation, transfer, installation, dealing in, or use of ICTS that has been designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction or direction of “foreign adversaries.”[2] Specifically, the interim final rule would be amended to include transactions that involve “software, software program[s], or a group of software programs, that [are] designed to be used on an end-point computing device and include as an integral functionality, the ability to collect, process, or transmit data via the internet.” The amendment would also include risk factors related to connected software applications as part of Commerce’s evaluation as to whether a transaction involving connected software applications poses an undue or unacceptable risk to U.S. national security.
Commerce invited interested parties to submit comments on the Proposed Rule by December 27, 2021. As part of its request, Commerce asked parties to respond to specific questions. The questions suggest that the scope of the transactions may be expanded even further in the final regulations.
This update outlines the expanded scope of Commerce’s authority and what transactions may be covered based on the proposed rule. It also addresses what interested parties may want to consider as next steps to prepare for the potential expanded scope.
What is covered under the current ICTS review mechanism?
As explained in Sidley’s previous Update, an earlier interim final rule authorized Commerce to review and impose measures (e.g., prohibition, mitigation) on any acquisition, importation, transfer, installation, dealing in, or use of ICTS that has been designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction or direction of “foreign adversaries.”[3] The initial list of foreign adversaries included and continues to include China, Cuba, Iran, North Korea, Russia, and the Maduro regime in Venezuela. Failure to adhere to Commerce’s determinations to prohibit or mitigate reviewed ICTS transactions could result in the imposition of civil or criminal penalties.
The current categories of technology covered include critical infrastructure as designated by Presidential Policy Directive 21 — Critical Infrastructure Security and Resilience; network, satellite, and cable infrastructure; data hosting and computing services; surveillance, monitoring, home networking, and unmanned aerial systems; communications software; and artificial intelligence, quantum, and advanced robotics technologies.
When and with what information may Commerce initiate a review under the ICTS review mechanism?
Commerce may initiate a review unilaterally or based on a referral from the head of another U.S. agency.[4] When determining whether to initiate a review, Commerce may use publicly available, confidential, or classified data; data provided by state, local, tribal, or foreign governments; data provided by the parties to a transaction; information obtained through Commerce’s authority under the International Emergency Economic Powers Act; or information provided by another U.S. agency.[5] Parties to covered transactions are not subject to any affirmative reporting requirements unless and until Commerce requests information from them.
How would the Proposed Rule change the current ICTS review mechanism?
The Proposed Rule would amend the current ICTS review mechanism in two material ways.
First, the Proposed Rule would add “connected software applications” to the definition of ICTS. Borrowing from EO 14034, the Proposed Rule defines “connected software applications” as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.”[6]
The definition is broad and could encompass a wide range of software — from virtual private network services (VPNs) to mobile applications and computer games. Moreover, the potential restrictions associated with the transactions could affect not only parties to the transaction but also entire supply chains — from designers and developers to manufacturers and suppliers. For example, a reviewed transaction may be related to the production of connected software applications in China or Russia but if restricted could affect businesses that rely on the connected software applications produced in these countries. Software companies in particular will want to assess their supply chains and data storage for exposure to countries identified as “foreign adversaries.”
Second, the Proposed Rule would require Commerce to consider new risk factors related to “connected software applications” when determining if an ICTS transaction under review poses an undue or unacceptable risk. The risk factors include:
- ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities
- use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information or through sensitive personal data
- ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary
- ownership, control, or management of connected software applications by persons involved in malicious cyberactivities
- a lack of thorough and reliable third-party auditing of connected software applications
- the scope and sensitivity of the data collected
- the number and sensitivity of the users of the connected software application
- the extent to which identified risks have been or can be addressed by independently verifiable measures[7]
How could the ICTS review mechanism be further revised beyond what is contemplated under the Proposed Rule?
In its request for comments, Commerce poses questions that suggest it may expand the scope of Commerce’s review and what it may consider as part of its review. We highlight a few of the items on which Commerce requests comments.
First, the definition of “connected software applications” may change. Commerce specifically asks for input as to whether the definition “is sufficient to identify fully this category of ICTS” or if it should change. In particular, Commerce questions whether the definition should be extended from “end-point” devices to “end-to-end” technology and whether it should include other devices such as those that communicate through short-message-service messages or low-power radio protocols.
Second, Commerce may include additional risk factors that it would consider when determining whether an ICTS transaction involving connected software applications poses an undue or unacceptable risk. Commerce invited parties to comment on whether the current risk factors are sufficient or whether new ones, such as “whether the software has any embedded out-going network calls or web server references, regardless of ownership, control, or management of the software,” should be added.
What is the universe of information that Commerce may collect during a review?
As part of its review, Commerce may request information from persons involved in the reviewed transaction(s). The information requested may include, but is not limited to, the parties’ records related to data collection operations, policies, and procedures; land, equipment, and other infrastructure used in the provision of goods and services; current and historical contracts for the provision of goods and services; agreements with any contractors, affiliates, or commercial partners; non-U.S. citizens located in the United States involved with the reviewed transaction(s); business relationships and transactions with non-U.S. entities located outside of the United States that have access to U.S. user data collected pursuant to the reviewed transaction(s); and U.S. legal compliance measures. In short, the universe of information that Commerce may collect is broad.
Are there any exemptions or preapproval processes for transactions involving connected software applications?
The previously announced exemptions and preapproval process in the interim final rule should apply to the newly covered transactions involving connected software applications.
The exemptions include acquisitions of ICTS items by a U.S. person as a party to a transaction authorized under a U.S. government-industrial security program and covered transactions or covered real estate transactions under active review or that the Committee on Foreign Investment in the United States has reviewed.
The preapproval process will be undertaken through a licensing mechanism. Commerce intended to issue regulations that would implement the licensing process on May 19, 2021. However, Commerce has postponed the issuance of regulations outlining the licensing scheme and instead published an advance notice of proposed rulemaking seeking public input.[8] Commerce has yet to disclose when it intends to implement the licensing process.
[1] Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications, 86 Fed. Reg. 67379 (Dep’t of Commerce, November 26, 2021).
[2] See Protecting Americans’ Sensitive Data From Foreign Adversaries, 86 Fed. Reg. 31423 (June 11, 2021).
[3] See Securing the Information and Communications Technology and Services Supply Chain, 86 Fed. Reg. 4909 (Dep’t of Commerce, January 19, 2021).
[4] See 15 C.F.R. § 7.103(a).
[5] See 15 C.F.R. § 7.100(a).
[6] Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications, 86 Fed. Reg. 67379 (Dep’t of Commerce, November 26, 2021).
[7] Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications, 86 Fed. Reg. 67379 (Dep’t of Commerce, November 26, 2021).
[8] See Securing the Information and Communications Technology and Services Supply Chain: Licensing Procedures, 86 Fed. Reg. 16312 (Dep’t of Commerce, March 29, 2021). Comments were due by April 28, 2021.