The US Department of Commerce (“Department”) issued a final rule (the “Rule”) on December 6, 2024 to amend provisions related to the Department’s review of transactions involving information and communications technology and services (“ICTS”) “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary that may pose undue or unacceptable risk to the United States or U.S. persons.” The Rule implements important clarifications to the review process for ICTS transactions authorized under Executive Order 13873 (May 17, 2019) in response to comments submitted to the January 2021 interim final rule, including (1) clarifying the scope of ICTS transactions subject to the review process, (2) amending procedures for conducting reviews of ICTS transactions, and (3) amending the penalties for civil violations of the final determinations of ICTS transactions subject to review. The Rule also amends certain definitions used in the regulations. These changes to the regulations governing the process for reviewing ICTS transactions build on the Department’s experience since the process was established in January 2021, which we’ve previously reported on.
Brief summaries of key changes to the process for reviewing ICTS transactions set out in the Rule are provided below:
Amendments to the Scope of ICTS Transactions Subject to Review
While several commentators argued that the scope of ICTS transactions subject to review under the regulations was overly broad or unclearly defined, the Department generally declined to narrow the scope of ICTS transactions subject to the regulations. The Department explained that the broad scope is necessary to counter undue and unacceptable risks posed by foreign adversaries in the ICTS supply chain, such as malicious foreign actors who seek to commit industrial or economic espionage or foreign adversaries that seek to exploit unrestricted access to US critical infrastructure through acquisitions in the ICTS supply chain. The broad scope of the ICTS transactions subject to review ensures that the Department has the means to address those risks (though the Department has to date only applied its review authority to transactions involving ICTS produced or supplied by a single entity that presents an undue or unacceptable risk). However, the Department introduced some limited amendments to the regulations governing the scope of ICTS transactions subject to review where the Department determined that such risks are sufficiently mitigated:
- Identifying Broad Categories of ICTS Transactions Subject to Review
The Department has amended the regulations at Section 791.3 (15 CFR 791.3) by listing broad technology categories subject to review, including: ICTS transactions involving information and communications hardware and software; ICTS integral to data hosting, computing, or storage that uses, processes, or retains sensitive personal data; connected software applications; ICTS integral to critical infrastructure; and ICTS integral to critical and emerging technologies. The Department has also clarified that “critical and emerging technologies” includes eleven categories of technology that consider technological developments since the interim final rule was introduced in January 2021.
- CFIUS Review Exception
The Department generally declined to add exemptions or exceptions from the ICTS transaction review process that commenters requested. However, the Department clarified the exception for ICTS transactions that are reviewed by the Committee on Foreign Investment in the United States (“CFIUS”) provided in Section 791.3 (15 CFR 791.3). The amendment to the rule provides that ICTS transactions that qualify as covered transactions or covered real estate transactions and that are reviewed, investigated, or assessed by CFIUS are exempt from the ICTS transaction review process. However, this exception only applies to the ICTS transactions that have completed the CFIUS review process; other ICTS transactions (including those entered into by the same parties) would still be subject to the ICTS transaction review process.
- Removal of One Million Unit, Users, or Person Threshold
The Department has removed numerical thresholds of users, units, and/or sales originally included in the interim final rule above which ICTS transactions would be deemed subject to the review process. The Department explained that the thresholds were used as proxies for determining whether an ICTS transaction posed an “undue or unacceptable risk” to national security. However, the Department has determined that such thresholds are not appropriate as they failed to account for certain ICTS transactions that pose a national security risk irrespective of the number of users involved, including ICTS transactions that implicate the storage, retention, or use of sensitive personal information.
- Retroactive Applicability of ICTS Transaction Reviews
The Department has amended the regulations to clarify that the review process applies to ICTS transactions initiated, pending, or completed on or after the effective date of the interim final rule (i.e., January 19, 2021), even if the ICTS transaction at issue was related to a contractual or other agreement in effect prior to January 19, 2021.
Amendments to the ICTS Transaction Review Procedures
The Department has introduced several changes to the regulations governing the procedures for conducting reviews of ICTS Transactions in response to comments to the January 2021 interim final rule.
- Criteria for Determining Whether an ICTS Transaction Poses an “Undue or Unacceptable Risk”
In addition to clarifying that the Secretary of Commerce has discretion on whether to initiate a review of an ICTS transaction based on any information available to the Secretary, including referrals by other US Government agencies or on the Secretary’s own initiative, the Department has amended the criteria the Secretary will consider at Section 791.103(c) (15 CFR 791.103(c)) when determining whether an ICTS transaction poses an “undue or unacceptable risk.” Changes to the criteria include:
- Criteria applicable to connected software applications. The Department has amended the list of criteria the Secretary will consider for determining whether ICTS transactions involving connected software applications pose an “undue or unacceptable risk” to include the following:
- The number and sensitivity of users;
- The scope and sensitivity of data that the application collects;
- Use of the connected software application to conduct surveillance that enables espionage;
- Regular, reliable third-party auditing of the application; and
- The extent to which identified risks can be mitigated and verified.
- Clarifying the downstream impact criterion for reviewing ICTS transactions. The Department has replaced the criterion in Section 791.103(c)(7) originally described as “the nature of the vulnerability implicated by the ICTS Transaction” to describe more accurately “the nature and characteristics of the customer base, business relationships, and operating locations of the parties to the Covered ICTS Transaction.”
- Initial Determinations
The Rule amends the procedures for issuing an initial determination in an ICTS transaction review, including notifying and consulting with appropriate heads of US Government agencies. Agency heads that are notified of initial determinations will have 21 days to provide comments on the initial determination as part of the consultation process, and the same agency heads will be notified 21 days before the Secretary issues an initial determination. The Secretary is not obligated to obtain consensus from agency heads but is directed to carefully consider the positions of agency heads before proceeding with issuing an initial determination. The Rule also amends the regulations to give the Secretary discretion to publish the full text of an initial determination, a notice of an initial determination, or forgo publishing a notice of initial determination in the Federal Register altogether. Finally, the Rule clarifies that parties to an ICTS transaction will be provided with the factual basis for supporting the Secretary’s initial determination to prohibit or permit (with mitigation measures) an ICTS transaction. This will ensure that parties to an ICTS transaction have sufficient information to permit them to respond and comment on the initial determination.
- Response and Mitigation Procedures
The January 2021 interim final rule provided a 30-day period for parties to respond to an initial determination from the Secretary to prohibit or permit (with mitigation) an ICTS transaction. 15 CFR 791.107. The Rule amends this period for providing comments by establishing an initial 30-day period to respond, which could be extended up to an additional 30 days if, under the Secretary’s discretion, good cause is shown for such an extension. The Rule highlights factors the Secretary will consider for granting such extensions, including the complexity of the ICTS transaction under review, the severity of the risks identified in the initial determination, and the impact an extension would have on the overall timeframe for review. The Rule also imposes a 50-page limit on written submissions filed in response to an initial determination.
- Final Determinations
The Rule implements several changes to the regulations governing final determinations in reviews of ICTS transactions. Notably, and in contrast to initial determinations, the Secretary is required to seek concurrence from all appropriate agency heads to a final determination. Agency heads are required to raise objections to final determinations within 14 days, and such objections must come from the applicable agency’s Deputy Secretary or equivalent level. If an agency fails to respond to a final determination during the consultation phase, then such a non-response will be deemed to be acceptance of the final determination by that agency.
The Rule also maintains the 180-day period for issuing a final determination originally set in the interim final rule but clarifies that the period runs from the date that the initial determination is served on relevant parties. The Rule also grants the Secretary the discretion to extend this time limit (though the Department notes that ICTS transaction reviews conducted to date have been completed within the 180-day period set in the interim final rule).
Finally, the Rule also amends the regulations to require that the Secretary issue a final determination when an initial determination has previously been issued, and to require publication of the notice of final determination in the Federal Register. The Department determined that publication of the actual final determination is unnecessary and could result in more information being disclosed than is necessary to inform the public.
Penalties
Several commenters argued that the Department should amend the ICTS transaction review penalty provisions to incorporate an intentionality standard for violations that could lead to civil penalties. The Department acknowledged that non-parties to an ICTS transaction reviewed by the Department could be liable for violating a prohibition against an ICTS transaction or the conditions in a mitigation agreement for a permitted ICTS transaction. However, the Department acknowledged the concerns raised by some commenters, and amended the penalty provisions to (1) impose liability on persons who know or have reason to know that a mitigation agreement exists for an ICTS transaction, and (2) provide a list of activities that could lead to civil or criminal penalties at Section 791.200 (15 CFR 791.200).