Department of Commerce Releases Final Rule on Securing the Information and Communications Technology and Services Supply Chain
June 23, 2023, Covington Alert
Overview
On June 16, 2023, the Department of Commerce (“Commerce”) published its Final Rule on Securing the Information and Communications Technology and Services (“ICTS”) Supply Chain (the “Final Rule”) to implement provisions of Executive Order 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries,” issued by President Biden on June 9, 2021 (“E.O. 14034”). Subject to the few changes discussed below, the Final Rule retains the core elements of the Notice of Proposed Rulemaking (“NPRM”) released on November 26, 2021 (see Covington alert), which proposed so-called “connected software”-related amendments to Commerce’s Interim Final Rule on ICTS that was published on January 19, 2021 (the “Interim Rule”). The Interim Rule itself had implemented Executive Order 13873, “Securing the ICTS Supply Chain,” issued by President Trump on May 15, 2019 (“E.O. 13873”).
In short, the Final Rule contains minor modifications that clarify the definitions and criteria relevant to evaluating whether certain ICTS transactions present an undue or unacceptable risk to U.S. national security. It cements the U.S. government’s effort to incorporate “connected software applications” as a category of ICTS and reaffirms the broader push within the U.S. government to secure U.S. ICTS infrastructure and personal data against exploitation by foreign adversaries through the development of a unified risk-based review framework.
Notably, the Final Rule clarifies that the application of the ICTS rules will focus on parties that are “subject to the jurisdiction or direction of a foreign adversary.” The Interim Rule had language that suggested a potentially broader scope by focusing on any party that could be subject to coercive influence by a foreign adversary. While the Final Rule does not mention the People’s Republic of China (“PRC”), these clarifications indicate that the application of the rule will likely focus on companies that are headquartered and based in the PRC, rather than on non-Chinese companies that have incidental operations in the PRC or relationships with Chinese parties. Commerce’s commentary also indicates that it will focus attention on broader classes of transactions, highlighting that while “individual transaction reviews are and will remain an important aspect of the Department’s authorities…such reviews may indicate or uncover concerns about more than the single transaction being reviewed, and the Department…has the authority to define and review classes of ICTS transactions as well.” The Final Rule further indicates that Commerce, in the future, may consider a more expansive approach that widens the scope of transactions and software applications subject to review, for example, by lowering the user threshold from one million persons to 250,000.
Background
E.O. 13873, issued by the Trump Administration in May 2019 and implemented by the Interim Rule, declared threats to the ICTS supply chain by foreign adversaries to be a national emergency. It prohibited certain transactions that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, whenever the Secretary of Commerce, in consultation with other Federal officials, determines that such a transaction, or a class of transactions:
- Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
- Poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
- Otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.
In June 2021, the Biden Administration issued E.O. 14034 to elaborate on the measures to address the national emergency declared by President Trump in E.O. 13873. In particular, E.O. 14034 focused on protecting the users of high-risk “connected software applications” and also set forth eight (8) specific risk criteria for determining whether an ICTS transaction involving “connected software applications” poses an undue or unacceptable risk.
The NPRM, released in November 2021, implemented E.O. 14034 by expanding both the definition of “ICTS” and “ICTS Transactions” to include “connected software applications,” defined as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet[.]” Consistent with E.O. 14034, the NPRM also proposed to adopt the eight (8) risk factors specific to transactions involving connected software applications.
Key Changes
The Final Rule further refines the NPRM by adopting the following modifications or clarifications to the definition of “connected software applications” and to the eight (8) risk criteria identified in E.O. 14034. Commerce specifically notes it sought to ensure that the definitions would not be “unduly narrow,” e.g., with respect to “end-point computing device.” Commerce highlighted that some comments submitted during the public comment period for the NPRM had advocated for a more expansive approach that could capture a broader set of transactions, for example by replacing “via the internet” with “communication network,” or lowering the data volume threshold from one million persons to 250,000. Such comments appear to have originated from a range of both organized and individual stakeholders.
1. Definitions
As noted above, E.O. 14034 (and the NPRM that implemented E.O. 14034) defined “connected software applications” to mean “software, a software program, or a group of software programs that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet” (emphasis added). The Final Rule adopts the following modifications to clarify the definition of “connected software applications”:
- “End-Point Computing Device” is clarified to mean “a device that can receive or transmit data and includes as an integral functionality the ability to collect or transmit data via the internet, as that term is defined in the final rule.”
- “Via the internet” is clarified to mean “using internet protocols to transmit data including, but not limited to, transmissions by cable, telephone line, wireless, satellite, or other means.”
These clarifications have the effect of providing greater technical precision, while still preserving some flexibility within the definitions to encompass a broad range of applications as needed (e.g., “but not limited to…other means”).
2. Risk Criteria
As discussed in the prior client alert, the NPRM had proposed eight (8) new criteria for determining whether ICTS transactions involving connected software applications pose undue or unacceptable risks. In addition to the minor wording changes noted below (the NPRM’s prior wording is given in parentheses where the Final Rule changed it), the Final Rule confirms that the new criteria will apply specifically and exclusively to ICTS transactions involving connected software applications (versus other types of ICTS transactions not involving connected software applications).
1. Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
2. Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
3. Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary (the NPRM had read “persons subject to coercion or cooption by a foreign adversary”);
4. Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
5. Whether there is regular, thorough and reliable third-party auditing of connected software applications (the NPRM had read “A lack of regular, thorough and reliable third-party auditing”);
6. The scope and sensitivity of the data collected;
7. The number and sensitivity of the users with access to the connected software application (the NPRM had read “the users of the connected software application”);
8. The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties (the NPRM had read “addressed by independently verifiable measures”).
With respect to Criterion 1, Commerce notes that it does not intend to “scrutinize every ICTS transaction involving temporary or sporadic access to software to, for example, provide security updates, but rather to be more targeted in its reviews to address the types of risks identified in E.O. 13873.” As noted above, changes to Criterion 3 are also notable, suggesting that the ICTS process will likely be focused on PRC-based/founded companies rather than non-Chinese companies that have incidental operations in the PRC or relationships with Chinese parties. With respect to Criterion 7, Commerce clarifies that it will consider “not just active users of a connected software application” but also “stored or past users who still may have sensitive data on the application[.]”
Other Observations
Ultimately, the Final Rule reflects only a few modifications that clarify, rather than fundamentally change, the core elements of the NPRM; the instances in which Commerce considered potential amendments but declined to adopt them also provide some further insight into its broader thinking. Note, for instance, that Commerce declined to adopt any revisions to the scope of “covered transactions” at this time, which was previously defined to include those “involving software, including desktop applications, mobile applications, gaming applications, and web-based applications, designed primarily for connecting with and communicating via the internet that is in use by greater than one million U.S. persons at any point over the twelve months preceding an ICTS transaction.” The Final Rule specifically notes that Commerce may, in the future, consider decreasing the user threshold for software from one million to 250,000 U.S. persons. The decision by Commerce not to adopt changes to the scope of “covered transactions” at this time is indicative of a general inclination to defer material amendments until it has had the opportunity to “gain[] experience with ICTS involving connected software applications.”
With this Final Rule, the question and focus on ICTS turn to whether and how Commerce will actually enforce it. To date, such enforcement has been constrained not only by the interim nature of the rulemaking but, significantly, by a lack of federal government resources dedicated to implementation. Commerce has sought and received additional appropriations to add resources, and is reportedly focused on hiring, but there will inevitably be some lag between resource acquisition and fuller implementation. In this context, there remain significant questions as to how the Final Rule will ultimately be applied; which ICTS business types, companies, and transactions will be prioritized; and whether this new regulatory process will be used principally to erect a wall between ICTS users in the United States and suppliers from countries of concern, or instead will be used more surgically to mitigate risks without precluding broad market access.
We will continue monitoring developments in the ICTS landscape over the coming months. In the meantime, if you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice group.