On June 16, 2023, the US Commerce Department published a final rule (“Final Rule”), implementing President Biden’s 2021 Executive Order 14034 on “Protecting Americans’ Sensitive Data from Foreign Adversaries,” to amend the Commerce Department’s “Securing the Information and Communications Technology Supply Chain” regulations, 15 C.F.R. Part 7 (“ICTS Regulations”). The amendments mainly relate to connected software applications. The Final Rule was issued in response to comments received on a notice of proposed rulemaking (“NPRM”) issued on November 26, 2021 and an interim final rule (“Interim Rule”) issued on January 19, 2021, implementing former President Trump’s 2019 Executive Order 13873 on “Securing the Information and Communications Technology and Services Supply Chain.” Our blog posts on the NPRM and Interim Rule are here and here, respectively. Additional blog posts on a prior advanced notice of proposed rulemaking and industry response are here and here, respectively.

ICTS Transaction Review Criteria

The Final Rule responds to comments received during the NPRM’s comment period by amending the ICTS Regulations to clarify that “connected software applications” are a subcategory of covered transactions (“ICTS Transactions”) and to provide additional criteria under which the US Secretary of Commerce (“Secretary”) may review whether an ICTS Transaction involving “connected software applications” presents an undue or unacceptable risk as defined under the ICTS Regulations. The ICTS Regulations afford the Secretary authority to “mitigate” (i.e., modify or prohibit) ICTS Transactions that pose such a risk.

Under the Final Rule, the criteria for review of an ICTS Transaction involving a “connected software application” are:

  1. Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
  2. Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
  3. Ownership, control, or management of connected software applications by persons subject to the jurisdiction or direction of a foreign adversary;
  4. Ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
  5. Whether there is regular, thorough, and reliable third-party auditing of connected software applications;
  6. The scope and sensitivity of the data collected;
  7. The number and sensitivity of the users with access to the connected software application; and
  8. The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.

These criteria are largely the same ones the Commerce Department proposed in the NPRM.

Definitions Related to “Connected Software Applications”

The Commerce Department retained the original definition of “connected software application” introduced under Section 3 of Executive Order 14034. The term is defined as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet” [emphasis added].

In relation to “connected software applications,” the Final Rule introduced definitions of “end-point computing devices” and “via the internet.” The Commerce Department defines “end-point computing devices” as devices “that can receive or transmit data and [include] as an integral functionality, the ability to collect, process, or transmit data via the internet.” “Via the internet” is defined as “using internet protocols to transmit data including, but not limited to, transmissions by cable, telephone line, wireless, satellite or other means.”

The ICTS Regulations: A Work in Progress

The rule is effective July 17, 2023. To date, there is no public indication that the Commerce Department has used the ICTS Regulations to review any ICTS Transaction. There is also still no mechanism for companies to seek prior clearance of ICTS Transactions. In the supplementary information to the Final Rule, the Department itself notes that it intends to revisit relevant sections of the ICTS Regulations as it gains more “experience” with ICTS Transactions involving connected software applications.

Author

Ms Stafford Powell advises on all aspects of outbound trade compliance, including compliance planning, risk assessments, licensing, regulatory interpretations, voluntary disclosures, enforcement actions, internal investigations and audits, mergers and acquisitions and other cross-border activities. She develops compliance training, codes of conduct, compliance procedures and policies. She has particular experience in the financial services, technology/IT services, travel/hospitality, telecommunications, and manufacturing sectors.

Author

Alex advises clients on compliance with US trade and economic sanctions, export controls (Export Administration Regulations (EAR); International Traffic in Arms Regulations (ITAR)) and antiboycott controls. He counsels on and prepares filings to submit to the US Government's Committee on Foreign Investment in the United States (CFIUS) with respect to the acquisition of US enterprises by non-US interests. Moreover, Alex advises US and non-US companies in the context of licensing, enforcement actions, internal investigations, compliance audits, mergers and acquisitions and other cross-border transactions, and the design, implementation, and administration of compliance programs. He has negotiated enforcement settlements related to both US sanctions and the EAR.

Author

Rob assists multinational companies on OFAC sanctions, export controls, and other trade laws in the context of compliance, licensing, internal investigations, mergers and acquisitions, government disclosures, and enforcement actions. He has experience assisting clients in navigating sanctions and export controls in the following sectors: semiconductor design and manufacturing, telecommunications, pharmaceuticals, consumer goods, and financial services. Rob has also assisted start-ups and medium-sized businesses encountering OFAC sanctions and export controls for the first time. Rob's pro bono practice includes providing sanctions and export control advice to a global NGO providing humanitarian relief in conflict zones. He also advises a global pro bono law firm in advocacy matters relevant to sanctions and export controls. He has also served on the board of directors of a nonprofit working to improve the mental health environment for university students.