National Security Update—Department of Commerce Releases Notice of Proposed Rulemaking Regarding Amendments to the ICTS Interim Final Rule
December 6, 2021, Covington Alert
I. Overview
On November 26, 2021, the Department of Commerce (“Commerce”) published a Notice of Proposed Rulemaking (the “Notice”) to implement provisions of Executive Order (“EO”) 14034, “Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries,” issued by President Biden on June 9, 2021 (the “Connected Software EO”). The Notice proposes amendments to Commerce’s Interim Final Rule on Securing the Information and Communications Technology and Services (“ICTS”) Supply Chain (the “ICTS Rule”), which implemented EO 13873 and was published on January 19, 2021. The Notice represents another step in the U.S. Government’s broader effort to secure U.S. ICTS infrastructure and personal data against exploitation by foreign adversaries through the development of a unified risk-based review framework. Comments on the Notice are due by December 27, 2021.
As discussed in our prior client alert, the ICTS Rule creates a framework for Commerce to review and prohibit transactions involving ICTS that have been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” and that pose an “undue or unacceptable risk” to the national security of the United States (initially discussed in our May 16, 2019 and November 27, 2019 client alerts). After Commerce published the ICTS Rule, President Biden issued the Connected Software EO, which focuses on protecting high-risk “connected software applications”—which can “access and capture vast swaths” of U.S. personal data—from national security threats, and is intended to “elaborate upon [the] measures” set forth in the ICTS Rule to address ICTS-based national security concerns.
In the Notice, Commerce now proposes to implement the Connected Software EO by amending the ICTS Rule to encompass “connected software applications” as a category of ICTS. Accordingly, the proposed rulemaking would result in a single, yet expanded, national security review framework covering both ICTS and connected software applications collecting U.S. personal data. The Notice also expands the criteria that Commerce may use to determine whether an ICTS transaction poses an undue or unacceptable risk. While the Notice contemplates such risk criteria will apply only to transactions involving connected software applications, Commerce notably requested public comment on whether the risk criteria should also apply to all other ICTS transactions covered by the ICTS Rule. Finally, Commerce poses a handful of other questions in the Notice, giving industry an opportunity to weigh in on both the specific proposals in the Notice, as well as the broader construct of the ICTS Rule.
II. Proposed Changes to ICTS Rule
The Notice proposes amending the current scope of the ICTS Rule by expanding the definitions of both “ICTS” and “ICTS Transactions” to include “connected software applications” and expanding the list of “Covered ICTS Transactions.” Consistent with the Connected Software EO, the Notice defines “connected software applications” as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet[.]” In parallel, Commerce notes that it will expand the ICTS Rule’s list of “software ‘designed primarily for connecting with and communicating via the internet that is used by greater than one million U.S. persons’ involved in ICTS Transactions” to include “[c]onnected software applications[.]” Currently, that list includes desktop, mobile, gaming, and web-based applications.
The Notice also proposes adding new risk factors that Commerce should consider when evaluating whether an ICTS transaction involving connected software applications may pose an “undue or unacceptable risk” to U.S. national security. The risk factors are identical to those listed in the Connected Software EO and include the following:
- Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
- Ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
- Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
- A lack of thorough and reliable third-party auditing of connected software applications;
- The scope and sensitivity of the data collected;
- The number and sensitivity of the users of the connected software application; and
- The extent to which identified risks have been or can be addressed by independently verifiable measures.
These risk factors are closely related to, but distinct from, the risk factors already listed in the ICTS Rule for evaluating ICTS transactions generally. Those factors include, for example: (1) the nature and characteristics of the ICTS, including technical capabilities, applications, and market share considerations; (2) the nature and degree of a foreign adversary’s ownership, control, direction, or jurisdiction over the ICTS design, development, manufacture, or supply; and (3) the statements and actions of the foreign adversary at issue in the transaction.
III. Request for Comments
The comments solicited by Commerce in the Notice are as notable as the proposed changes, as Commerce is clearly seeking industry input to ensure that its rulemaking captures technical nuances and employs relevant terms of art. Importantly, because the Notice contemplates a proposed amendment to the ICTS Rule, commenters are afforded another opportunity to provide comments that do not focus solely on the proposed changes with respect to connected software applications, but which also may address the substance of the ICTS Rule more broadly.
With respect to the “connected software application” definition, Commerce asks whether it is sufficient or should be amended further. Specifically, Commerce asks for input on the following questions:
- Are there technical aspects to the definition that are used in industry or engineering that should be incorporated into the definition?
- Should Commerce include other devices, such as those that communicate through short message service (SMS) messages, or low-power radio protocols?
- Should the definition be extended from “end-point” devices to “end-to-end” technology, and is “end-to-end” a term of art that we should employ?
- Are there other means of communication or transmission that are not encompassed by this definition but should be included?
Through its questions, Commerce signals that it is open to reworking the “connected software application” definition to clarify or expand the rule, and seeks to ensure that the rulemaking reflects the technical reality in the industry.
Commerce also asks several questions with respect to proposed risk factors. First, for ICTS transactions involving connected software applications, Commerce requests feedback on the enumerated risk factors, including how they should be applied and whether additional criteria should be considered. Specifically, the Notice asks whether Commerce should “add a criterion such as whether the software has any embedded out-going network calls or web server references, regardless of the ownership, control, or management of the software[.]” Commerce also seeks input on the interpretation of the risk factors, including whether “ownership, control or management” must be continuous, as opposed to sporadic. It solicits input on the scope of several phrases, including “reliable third-party,” “independently verifiable measures,” and “third-party auditing of connected software applications[.]” Second, and relatedly, Commerce seeks comments on other risk factors that the Secretary should consider in deciding whether to allow, mitigate, or prohibit such transactions.
Finally, Commerce requests input as to whether the risk factors should apply more broadly to all ICTS transactions—not only those involving connected software applications. In this way, the proposed rulemaking opens the door for Commerce to reconsider and amend the ICTS Rule more generally. The proposed rulemaking therefore highlights that although Commerce’s authority to review ICTS and connected software application transactions stems from different executive orders, the executive orders fundamentally are components of an overarching effort by the U.S. Government to address national security risks posed by foreign adversaries to U.S. ICTS and personal data.
IV. Looking Ahead and Comment Period
Commerce has requested comments on the Notice by December 27, 2021. Following its review and adjudication of these comments, Commerce may revise its proposed amendments before incorporating them into the ICTS Rule. It will be important to continue monitoring developments in the ICTS landscape over the coming months.
If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice group.