Securing the Information and Communications Technology Services Supply Chain – Proposed Department of Commerce Rule
The Department of Commerce (Commerce) recently issued a proposed regulation to better secure the United States’ information and communications technology and services (ICTS) supply chain. The ICTS supply chain supports how government, industry and the public communicate and conduct their business. The ICTS supply chain encompasses the generation, storage and transmission of data for critical infrastructure and national security – including energy, transportation, telecommunications, banking, manufacturing, agriculture, and more.
The proposed rule seeks to address concerns about the design, development, manufacture, supply, and control of ICTS by “foreign adversaries,” which is defined to include “any foreign government or foreign non-government person determined … to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons” as identified in Executive Order 13783.
Under the proposed rule, a process would be established to review “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or services” (“transaction”) that “(1) … is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States; (2) … involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service); and (3) … was initiated, pending, or completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated or signed, or when any license, permit, or authorization applicable to such transaction was granted. Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, would constitute transactions that ‘will be completed’ on or after May 15, 2019 even if a contract was entered into prior to May 15, 2019.” Proposed Section 7.1.
Where such a transaction is identified, the proposed rule would provide for an “initial threat assessment” by the Office of the Director of National Intelligence and a “vulnerability assessment” by the Department of Homeland Security. This and other information would be developed and used by Commerce to assess the transaction to determine whether it poses an undue risk of, inter alia, sabotage or subversion of ICTS, “catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy,” or an “unacceptable risk to the national security” or “the safety of United States persons.” Parties to the transaction would be notified of Commerce’s preliminary determination and would be provided an opportunity to respond, including providing proposed mitigation. They also would be required to retain all records relating to the transaction once they have notice of the review.
Under the proposed rule, Commerce could approve the transaction, subject it to a requirement for mitigation, prohibit it, or even seek to have it unwound. Commerce also could employ the proposed rule to establish a “class of transactions” that could be prohibited because they pose such “undue or unacceptable risks.”
Stay tuned for developments in this space.
Contact Susan Ebner for more information.