On November 26, 2021, the U.S. Department of Commerce published a Proposed Rule that would amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (“ICTS Regulations”) to specifically address connected software applications. The Proposed Rule would make changes to the ICTS Regulations prompted by Executive Order 14034 (“EO 14034”). We previously blogged about the ICTS Regulations here, here, and here. The Commerce Department is seeking public comments on the Proposed Rule by January 11, 2022.
The basis for the Proposed Rule appears to be a review conducted by the Biden Administration pursuant to EO 14034, which initiated a “rigorous, evidence-based analysis” of the national security risks associated with the transfer of or access to US persons’ data, particularly with regard to access by persons owned, controlled, or subject to the jurisdiction of “foreign adversaries.” We previously blogged about EO 14034 here.
The Proposed Rule would add “connected software applications” to the definitions and purpose sections of the ICTS Regulations. It would also confirm that certain transactions involving “connected software applications” would fall within the category of “Covered ICTS Transactions” under the ICTS Regulations.
In addition, the Proposed Rule would incorporate certain factors from EO 14034 into the ICTS Regulations that should be considered in evaluating the risks of a Covered ICTS Transaction. Specifically, EO 14034 lists the following as potential indicators of risk related to connected software applications:
- ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
- ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
- ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
- a lack of thorough and reliable third-party auditing of connected software applications;
- the scope and sensitivity of the data collected;
- the number and sensitivity of the users of the connected software application; and
- the extent to which identified risks have been or can be addressed by independently verifiable measures.
If you wish to submit a comment on the Proposed Rule or have any questions, please contact any member of our Outbound Trade Compliance team.