Request for Comment on Commerce Department Implementing Regulations for Securing ICT Supply Chain EO

On November 27, the Department of Commerce published a Federal Register notice soliciting public comments on proposed rules to implement the May 15 Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (“the EO”). The long-awaited regulations set out a case-by-case process the secretary of commerce will follow to determine whether a particular transaction poses undue risk based on the EO’s requirements and should be prohibited or mitigated.

The US-China Business Council (USCBC) joined a multi-association letter to request an extension of the December 27 deadline. We are planning to submit comments on behalf of members in the form of guiding principles by the original deadline. Interested members should provide feedback to Chynna Hawes by Monday, December 16.

BACKGROUND

Executive Order 13873

President Trump issued EO 13873 on May 15, 2019, under authorities granted by the International Emergency Economic Powers Act (IEEPA) and the National Emergencies Act. The EO gives the secretary of commerce, in consultation with other relevant federal agencies, authority to prohibit or mitigate certain information and communications technology and services (ICTS) transactions that pose an undue risk or unacceptable threat to US national security.

The EO outlines transactions that would be subject to review and should be prohibited or mitigated, including those that:

  • Involve any property in which a foreign country or a national has any interest, including through a contract;
  • Involve any ICTS “designed, developed, manufactured, or supplied” by entities “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;” and 
  • Pose an undue risk of catastrophic effects on the security and resiliency of critical infrastructure or the digital economy in the United States, or an unacceptable risk to US national security.

Proposed rule summary

The proposed rule outlines procedures the secretary of commerce (“the secretary”) will use to identify, assess, and address ICTS transactions that pose an undue risk to US critical infrastructure, the digital economy, or national security.

  • Identifying “foreign adversaries” not up for comment: The Department of Commerce welcomes public comments on all aspects of the proposed regulation, except the determination of “foreign adversary,” which is at the discretion of the secretary of commerce in consultation with the heads of other executive departments.
  • Case-by-case approach to evaluating transactions: The secretary will adopt a case-by-case, fact-specific approach to determine which transactions meet the EO’s standard to be prohibited or mitigated. The proposed rule indicates this approach is intended to allow for a more deliberative, targeted application of authority to prohibit transactions that meet the EO’s criteria without unintentionally restricting transactions that do not pose the same level of risk, or inadvertently limiting innovation. While the EO authorizes the secretary to exempt or prohibit certain “classes” of transactions if they do not pose an undue risk, the proposed rule clarifies that it does not allow for the “categorical” inclusion or exclusion of technologies or users from the prohibitions outlined by the EO.
  • Transactions subject to review: The proposed rule clarifies that transactions initiated, pending, or completed after May 15, 2019, regardless of when the contract was signed or when a license was granted, could be subject to review. Ongoing activities, including software updates, would count as transactions completed on or after May 15, even if the contract was signed earlier.
  • Notification and decision process: Based on initial threat and vulnerability assessments and available information, the secretary will make a preliminary determination and notify the parties to a transaction that it is being evaluated. Before a final determination is made, notified parties will have an opportunity to submit an opposition and supporting information, including suggested mitigation measures. After completing the evaluation, the secretary will issue a report on the final determination.
  • Mitigating vs. prohibiting: If a transaction is determined to present an undue or unacceptable risk, the secretary may require measures to mitigate the identified risks, or may prohibit the transaction. Prohibiting the transaction may require parties to immediately stop using the ICTS that poses the risk, even if the ICTS has already been installed or is in operation.
  • Record keeping: The proposed rule does not mandate record keeping, but if an entity is notified that it is under evaluation for a transaction, it will be required to provide requested information.
  • Impact on small entities: The proposed rulemaking acknowledges that small entities or groups that are not easily categorized may be impacted by this proposed rule. The proposed rule defines ICTS and outlines three broad categories of entities that may be impacted, inviting comments.

 

QUESTIONS FROM COMMERCE

The proposed rulemaking outlines several specific questions Commerce seeks to answer through the comment process:

  • Are there instances in which the secretary should consider categories of technologies or classes of persons for exclusions?
  • Can undue risks be reliably mitigated? What type of mitigating measures should be taken?
  • How should the secretary ensure compliance with mitigating measures?
  • How is the term “transaction” best interpreted? Transaction refers to the “acquisition, importation, transfer, installation, dealing in, or use of any ICTS.”
  • Should Commerce include specific recordkeeping requirements? If so, what would they look like?