On November 26, 2021, the US Commerce Department published a Proposed Rule that would amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (“ICTS Regulations”) to specifically address connected software applications. The Proposed Rule would make changes to the ICTS Regulations prompted by Executive Order 14034 (“EO 14034”). We previously blogged about the ICTS Regulations here, here, and here. The Commerce Department is seeking public comments on the Proposed Rule by January 11, 2022.

The basis for the Proposed Rule appears to be a review conducted by the Biden Administration pursuant to EO 14034, which initiated a “rigorous, evidence-based analysis” of the national security risks associated with the transfer of or access to US persons’ data, particularly with regard to access by persons owned, controlled, or subject to the jurisdiction of “foreign adversaries.”  We previously blogged about EO 14034 here.

The Proposed Rule would add “connected software applications” to the definitions and purpose sections of the ICTS Regulations.  It would also confirm that certain transactions involving “connected software applications” would fall within the category of “Covered ICTS Transactions” under the ICTS Regulations.

In addition, the Proposed Rule would incorporate certain factors from EO 14034 into the ICTS Regulations that should be considered in evaluating the risks of a Covered ICTS Transaction. Specifically, EO 14034 lists the following as potential indicators of risk related to connected software applications:

  • ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
  • use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
  • ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
  • ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
  • a lack of thorough and reliable third-party auditing of connected software applications;
  • the scope and sensitivity of the data collected;
  • the number and sensitivity of the users of the connected software application; and
  • the extent to which identified risks have been or can be addressed by independently verifiable measures.

If you wish to submit a comment on the Proposed Rule or have any questions, please contact any member of our Outbound Trade Compliance team.

Author

Mr. McMillan's practice involves compliance counseling; compliance programs; licensing; compliance reviews; internal investigations; voluntary disclosures; administrative enforcement actions; criminal investigations; customs inquiries, audits, detentions, and seizures; and trade-compliance due diligence and post-acquisition integration in mergers and acquisitions. His practice includes matters that implicate the US International Traffic in Arms Regulations (ITAR), US Export Administration Regulations (EAR), US National Industrial Security Program (NISP), the US Committee on Foreign Investment in the United States (CFIUS), and equivalent non-US laws. Mr. McMillan regularly advises on and represents clients in matters involving technology, including its control, protection, accidental disclosure, diversion, or unauthorized collection. Mr. McMillan has extensive experience working with companies in the aerospace and defense industry, as well as companies in the Middle East and other parts of Asia.

Author

Caroline focuses on all aspects of International Trade law, particularly compliance with US export controls, trade and economic sanctions, and US foreign investment restrictions. She represents clients in national security reviews before the Committee on Foreign Investment in the United States (CFIUS), including CFIUS-related due diligence, risk assessment, and representation before the CFIUS agencies.