On November 27, 2019, the Department of Commerce published a notice (84 FR 65316) proposing new regulations on Information and Communications Technology and Services (ICTS) supply chain transactions with “foreign adversaries” The proposal would add 15 CFR Part 7 to implement Executive Order 13873 of May 15, 2019. The executive order had directed the Commerce Department to come up with regulations under the International Emergency Economic Powers Act (IEEPA).
In the proposal, “transaction” is are defined broadly as:
any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service.
“Information and Communications Technology and Services (ICTS)” are defined as:
any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display.
The proposal does not specifically identify “foreign adversaries” but these will be determined by the Secretary of Commerce.
Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons for the purposes of Executive Order 13783.
It is anticipated that foreign adversaries could include parties on the Entity List such as Huawei.
The review of transactions would begin at the discretion of the US government, including when based on credible information from private parties. Unlike the Committee on Foreign Investment in the United States (CFIUS), the Commerce Department’s review does not include an approval process and specifically excludes issuing advisory opinions and declaratory rulings.
Potentially prohibited transactions include those where:
The transaction involves information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
…
(i) Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
(ii) Poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
(iii) Otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States Persons.
ICTS transactions with foreign adversaries may be subject to mitigation, prohibition, or unwinding.
Violations (including misrepresentation and concealment of material facts) may be subject to civil penalties of up to $302,584 (as adjusted annually for inflation).
The Department of Commerce specifically requests comments on the following areas:
- Categories of transactions or persons that would never be prohibited under the EO;
- Types of transactions that may be prohibited, but where risks can be mitigated;
- The proposed definition of “transaction”; and
- Recordkeeping requirements.
Comments may be submitted through December 27, 2019. Review the Federal Register Notice for the full proposed rule and how to submit comments. Detailed comments and proposed revisions may be particularly helpful in completing the final rule.